7556d028223bc07715a8ce5655c2af3cdb26999621fb7a22f4ee822b2966f6c0

Analysis

max time kernel
144s
max time network
159s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
28/10/2023, 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.d040b1e8f0100be9aad918d0b0c46c00.exe
Size

66KB
MD5

d040b1e8f0100be9aad918d0b0c46c00
SHA1

65d04f98335f6401e2896e9ec11a4174808f0453
SHA256

7556d028223bc07715a8ce5655c2af3cdb26999621fb7a22f4ee822b2966f6c0
SHA512

ab9045b0276a0d7d30882c0d29d0a348a4ce71ae8429d77bda8245288673ff843ce00548cca0d8b5bc809c605cef55519c962898129838af4e7ee28d5f47d2a0
SSDEEP

1536:UntSuQz2ZJaXl8tpkb6NjL8wM9b6Oes4JRJF0u5O9fPawT:0LrTaujkbKE39N4JRJi2ORPHT

Score

7^/10

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	NEAS.d040b1e8f0100be9aad918d0b0c46c00.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	NEAS.d040b1e8f0100be9aad918d0b0c46c00.exe

Executes dropped EXE 3 IoCs

pid	Process
1636	svhost.exe
564	svhost.exe
484	svhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2808	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3064	powershell.exe
2704	powershell.exe
2728	powershell.exe
2560	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2448	NEAS.d040b1e8f0100be9aad918d0b0c46c00.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	2448	NEAS.d040b1e8f0100be9aad918d0b0c46c00.exe
Token: SeDebugPrivilege	1636	svhost.exe
Token: SeDebugPrivilege	564	svhost.exe
Token: SeDebugPrivilege	484	svhost.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 3064	2448	NEAS.d040b1e8f0100be9aad918d0b0c46c00.exe	29
PID 2448 wrote to memory of 3064	2448	NEAS.d040b1e8f0100be9aad918d0b0c46c00.exe	29
PID 2448 wrote to memory of 3064	2448	NEAS.d040b1e8f0100be9aad918d0b0c46c00.exe	29
PID 2448 wrote to memory of 2704	2448	NEAS.d040b1e8f0100be9aad918d0b0c46c00.exe	30
PID 2448 wrote to memory of 2704	2448	NEAS.d040b1e8f0100be9aad918d0b0c46c00.exe	30
PID 2448 wrote to memory of 2704	2448	NEAS.d040b1e8f0100be9aad918d0b0c46c00.exe	30
PID 2448 wrote to memory of 2728	2448	NEAS.d040b1e8f0100be9aad918d0b0c46c00.exe	32
PID 2448 wrote to memory of 2728	2448	NEAS.d040b1e8f0100be9aad918d0b0c46c00.exe	32
PID 2448 wrote to memory of 2728	2448	NEAS.d040b1e8f0100be9aad918d0b0c46c00.exe	32
PID 2448 wrote to memory of 2560	2448	NEAS.d040b1e8f0100be9aad918d0b0c46c00.exe	34
PID 2448 wrote to memory of 2560	2448	NEAS.d040b1e8f0100be9aad918d0b0c46c00.exe	34
PID 2448 wrote to memory of 2560	2448	NEAS.d040b1e8f0100be9aad918d0b0c46c00.exe	34
PID 2448 wrote to memory of 2808	2448	NEAS.d040b1e8f0100be9aad918d0b0c46c00.exe	36
PID 2448 wrote to memory of 2808	2448	NEAS.d040b1e8f0100be9aad918d0b0c46c00.exe	36
PID 2448 wrote to memory of 2808	2448	NEAS.d040b1e8f0100be9aad918d0b0c46c00.exe	36
PID 1960 wrote to memory of 1636	1960	taskeng.exe	39
PID 1960 wrote to memory of 1636	1960	taskeng.exe	39
PID 1960 wrote to memory of 1636	1960	taskeng.exe	39
PID 1960 wrote to memory of 564	1960	taskeng.exe	42
PID 1960 wrote to memory of 564	1960	taskeng.exe	42
PID 1960 wrote to memory of 564	1960	taskeng.exe	42
PID 1960 wrote to memory of 484	1960	taskeng.exe	43
PID 1960 wrote to memory of 484	1960	taskeng.exe	43
PID 1960 wrote to memory of 484	1960	taskeng.exe	43

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NEAS.d040b1e8f0100be9aad918d0b0c46c00.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.d040b1e8f0100be9aad918d0b0c46c00.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NEAS.d040b1e8f0100be9aad918d0b0c46c00.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'NEAS.d040b1e8f0100be9aad918d0b0c46c00.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svhost.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2560
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"
  2⤵
  - Creates scheduled task(s)
  PID:2808

C:\Windows\system32\taskeng.exe
taskeng.exe {8FDD8B8A-FBCD-42D0-942B-4AF589CCA3F2} S-1-5-21-2084844033-2744876406-2053742436-1000:GGPVHMXR\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Users\Admin\AppData\Roaming\svhost.exe
  C:\Users\Admin\AppData\Roaming\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1636
- C:\Users\Admin\AppData\Roaming\svhost.exe
  C:\Users\Admin\AppData\Roaming\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:564
- C:\Users\Admin\AppData\Roaming\svhost.exe
  C:\Users\Admin\AppData\Roaming\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e22079c92a4b82f4d630a269ebf638b2

SHA1
e8c3f37e8045bdea8b864876668d8bc2fb90a02b

SHA256
8fa46d8fc36592dd8449eedf7ebdd943695aeda5d71c3cdc19dec6ddfbfb9138

SHA512
b9bc5876236ba84688f5433583b5eb720fd073d4ee004725f41a1f820ecd445d58d844df8aa197d093e1b6ccb8521f81476650ff760f23ff057505d36df92cd5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e22079c92a4b82f4d630a269ebf638b2

SHA1
e8c3f37e8045bdea8b864876668d8bc2fb90a02b

SHA256
8fa46d8fc36592dd8449eedf7ebdd943695aeda5d71c3cdc19dec6ddfbfb9138

SHA512
b9bc5876236ba84688f5433583b5eb720fd073d4ee004725f41a1f820ecd445d58d844df8aa197d093e1b6ccb8521f81476650ff760f23ff057505d36df92cd5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e22079c92a4b82f4d630a269ebf638b2

SHA1
e8c3f37e8045bdea8b864876668d8bc2fb90a02b

SHA256
8fa46d8fc36592dd8449eedf7ebdd943695aeda5d71c3cdc19dec6ddfbfb9138

SHA512
b9bc5876236ba84688f5433583b5eb720fd073d4ee004725f41a1f820ecd445d58d844df8aa197d093e1b6ccb8521f81476650ff760f23ff057505d36df92cd5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VUEWZDXHBOU0HY7FTHGL.temp

Filesize
7KB

MD5
e22079c92a4b82f4d630a269ebf638b2

SHA1
e8c3f37e8045bdea8b864876668d8bc2fb90a02b

SHA256
8fa46d8fc36592dd8449eedf7ebdd943695aeda5d71c3cdc19dec6ddfbfb9138

SHA512
b9bc5876236ba84688f5433583b5eb720fd073d4ee004725f41a1f820ecd445d58d844df8aa197d093e1b6ccb8521f81476650ff760f23ff057505d36df92cd5

Download Submit
C:\Users\Admin\AppData\Roaming\svhost.exe

Filesize
66KB

MD5
d040b1e8f0100be9aad918d0b0c46c00

SHA1
65d04f98335f6401e2896e9ec11a4174808f0453

SHA256
7556d028223bc07715a8ce5655c2af3cdb26999621fb7a22f4ee822b2966f6c0

SHA512
ab9045b0276a0d7d30882c0d29d0a348a4ce71ae8429d77bda8245288673ff843ce00548cca0d8b5bc809c605cef55519c962898129838af4e7ee28d5f47d2a0

Download Submit
C:\Users\Admin\AppData\Roaming\svhost.exe

Filesize
66KB

MD5
d040b1e8f0100be9aad918d0b0c46c00

SHA1
65d04f98335f6401e2896e9ec11a4174808f0453

SHA256
7556d028223bc07715a8ce5655c2af3cdb26999621fb7a22f4ee822b2966f6c0

SHA512
ab9045b0276a0d7d30882c0d29d0a348a4ce71ae8429d77bda8245288673ff843ce00548cca0d8b5bc809c605cef55519c962898129838af4e7ee28d5f47d2a0

Download Submit
C:\Users\Admin\AppData\Roaming\svhost.exe

Filesize
66KB

MD5
d040b1e8f0100be9aad918d0b0c46c00

SHA1
65d04f98335f6401e2896e9ec11a4174808f0453

SHA256
7556d028223bc07715a8ce5655c2af3cdb26999621fb7a22f4ee822b2966f6c0

SHA512
ab9045b0276a0d7d30882c0d29d0a348a4ce71ae8429d77bda8245288673ff843ce00548cca0d8b5bc809c605cef55519c962898129838af4e7ee28d5f47d2a0

Download Submit
C:\Users\Admin\AppData\Roaming\svhost.exe

Filesize
66KB

MD5
d040b1e8f0100be9aad918d0b0c46c00

SHA1
65d04f98335f6401e2896e9ec11a4174808f0453

SHA256
7556d028223bc07715a8ce5655c2af3cdb26999621fb7a22f4ee822b2966f6c0

SHA512
ab9045b0276a0d7d30882c0d29d0a348a4ce71ae8429d77bda8245288673ff843ce00548cca0d8b5bc809c605cef55519c962898129838af4e7ee28d5f47d2a0

Download Submit
memory/484-68-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/484-69-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/564-64-0x0000000001010000-0x0000000001026000-memory.dmp

Filesize
88KB

Download
memory/564-65-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/564-66-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/1636-60-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/1636-59-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/1636-58-0x0000000000B90000-0x0000000000BA6000-memory.dmp

Filesize
88KB

Download
memory/2448-0-0x0000000000050000-0x0000000000066000-memory.dmp

Filesize
88KB

Download
memory/2448-61-0x000000001B190000-0x000000001B210000-memory.dmp

Filesize
512KB

Download
memory/2448-54-0x000000001B190000-0x000000001B210000-memory.dmp

Filesize
512KB

Download
memory/2448-26-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/2448-1-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/2560-49-0x000007FEEF0A0000-0x000007FEEFA3D000-memory.dmp

Filesize
9.6MB

Download
memory/2560-48-0x0000000002580000-0x0000000002600000-memory.dmp

Filesize
512KB

Download
memory/2560-47-0x0000000002580000-0x0000000002600000-memory.dmp

Filesize
512KB

Download
memory/2560-46-0x000007FEEF0A0000-0x000007FEEFA3D000-memory.dmp

Filesize
9.6MB

Download
memory/2560-45-0x0000000002580000-0x0000000002600000-memory.dmp

Filesize
512KB

Download
memory/2560-44-0x000007FEEF0A0000-0x000007FEEFA3D000-memory.dmp

Filesize
9.6MB

Download
memory/2704-19-0x000000001B3C0000-0x000000001B6A2000-memory.dmp

Filesize
2.9MB

Download
memory/2704-25-0x00000000026B0000-0x0000000002730000-memory.dmp

Filesize
512KB

Download
memory/2704-20-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

Filesize
32KB

Download
memory/2704-21-0x000007FEEF0A0000-0x000007FEEFA3D000-memory.dmp

Filesize
9.6MB

Download
memory/2704-22-0x000007FEEF0A0000-0x000007FEEFA3D000-memory.dmp

Filesize
9.6MB

Download
memory/2704-23-0x00000000026B0000-0x0000000002730000-memory.dmp

Filesize
512KB

Download
memory/2704-24-0x00000000026B0000-0x0000000002730000-memory.dmp

Filesize
512KB

Download
memory/2704-27-0x000007FEEF0A0000-0x000007FEEFA3D000-memory.dmp

Filesize
9.6MB

Download
memory/2728-33-0x000007FEF24F0000-0x000007FEF2E8D000-memory.dmp

Filesize
9.6MB

Download
memory/2728-38-0x000007FEF24F0000-0x000007FEF2E8D000-memory.dmp

Filesize
9.6MB

Download
memory/2728-34-0x0000000002750000-0x00000000027D0000-memory.dmp

Filesize
512KB

Download
memory/2728-35-0x000007FEF24F0000-0x000007FEF2E8D000-memory.dmp

Filesize
9.6MB

Download
memory/2728-36-0x0000000002750000-0x00000000027D0000-memory.dmp

Filesize
512KB

Download
memory/2728-37-0x0000000002750000-0x00000000027D0000-memory.dmp

Filesize
512KB

Download
memory/3064-12-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download
memory/3064-13-0x000007FEF24F0000-0x000007FEF2E8D000-memory.dmp

Filesize
9.6MB

Download
memory/3064-11-0x000007FEF24F0000-0x000007FEF2E8D000-memory.dmp

Filesize
9.6MB

Download
memory/3064-10-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download
memory/3064-9-0x000007FEF24F0000-0x000007FEF2E8D000-memory.dmp

Filesize
9.6MB

Download
memory/3064-8-0x0000000002050000-0x0000000002058000-memory.dmp

Filesize
32KB

Download
memory/3064-7-0x000000001B1D0000-0x000000001B4B2000-memory.dmp

Filesize
2.9MB

Download
memory/3064-6-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download