354b367615b97c6377d97a152379746a0213fdce0feb4d45bb63f1327eba8866

Analysis

max time kernel
167s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
31/10/2023, 08:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.bb34700d9f0dd981e2ea45406336cff0.exe
Size

210KB
MD5

bb34700d9f0dd981e2ea45406336cff0
SHA1

83c84a6920a0598f779d54517aab4da76aa9fbc5
SHA256

354b367615b97c6377d97a152379746a0213fdce0feb4d45bb63f1327eba8866
SHA512

6944bd566f00e1d366a4a6e84916a2c93cab473834973569c00df54ad8a26c5ed951ab9dc10c9b41a4752d29a9b7d4ad4bbfb285ae635cc58d42508656078f12
SSDEEP

1536:JsTGQLphzQHUyRPkN2HpuP7WIPe5MQVgd54vkwkg78OL6veRjX86M4VwPDUbXgpC:pQL/bCrZIPe5ML7nwkg7jqeQYu4Xa

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cssrs.exe	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cssrs.exe	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe

Executes dropped EXE 2 IoCs

pid	Process
1620	cssrs.exe
4008	cssrs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TINTIMG = "C:\\Users\\Admin\\AppData\\Roaming\\cssrs.exe"	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.114116.info"	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AboutURLs\blank = "http://www.114116.info"	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Internet Explorer\AboutURLs	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AboutURLs\Tabs = "http://www.114116.info"	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\Tabs = "http://www.114116.info"	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Internet Explorer\Main	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.114116.info"	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\AboutURLs	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\blank = "http://www.114116.info"	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.114116.info"	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.114116.info"	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
4560	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe
4560	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe
4560	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe
4560	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe
1620	cssrs.exe
1620	cssrs.exe
4008	cssrs.exe
4008	cssrs.exe
4560	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe
4560	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe
4560	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe
4560	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe
1620	cssrs.exe
1620	cssrs.exe
4560	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe
4560	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe
1620	cssrs.exe
1620	cssrs.exe
4560	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe
4560	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe
1620	cssrs.exe
1620	cssrs.exe
4560	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe
4560	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe
1620	cssrs.exe
1620	cssrs.exe
4560	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe
4560	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe
1620	cssrs.exe
1620	cssrs.exe
4560	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe
4560	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe
1620	cssrs.exe
1620	cssrs.exe
4560	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe
4560	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe
1620	cssrs.exe
1620	cssrs.exe
4560	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe
4560	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe
1620	cssrs.exe
1620	cssrs.exe
4560	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe
4560	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe
1620	cssrs.exe
1620	cssrs.exe
4560	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe
4560	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe
1620	cssrs.exe
1620	cssrs.exe
4560	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe
4560	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe
1620	cssrs.exe
1620	cssrs.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4560 wrote to memory of 1620	4560	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe	90
PID 4560 wrote to memory of 1620	4560	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe	90
PID 4560 wrote to memory of 1620	4560	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe	90
PID 4560 wrote to memory of 4008	4560	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe	91
PID 4560 wrote to memory of 4008	4560	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe	91
PID 4560 wrote to memory of 4008	4560	NEAS.bb34700d9f0dd981e2ea45406336cff0.exe	91

C:\Users\Admin\AppData\Local\Temp\NEAS.bb34700d9f0dd981e2ea45406336cff0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.bb34700d9f0dd981e2ea45406336cff0.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Drops startup file
- Adds Run key to start application
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4560
- C:\Users\Admin\AppData\Roaming\cssrs.exe
  C:\Users\Admin\AppData\Roaming\cssrs.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1620
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cssrs.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cssrs.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cssrs.exe

Filesize
210KB

MD5
bb34700d9f0dd981e2ea45406336cff0

SHA1
83c84a6920a0598f779d54517aab4da76aa9fbc5

SHA256
354b367615b97c6377d97a152379746a0213fdce0feb4d45bb63f1327eba8866

SHA512
6944bd566f00e1d366a4a6e84916a2c93cab473834973569c00df54ad8a26c5ed951ab9dc10c9b41a4752d29a9b7d4ad4bbfb285ae635cc58d42508656078f12

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cssrs.exe

Filesize
210KB

MD5
bb34700d9f0dd981e2ea45406336cff0

SHA1
83c84a6920a0598f779d54517aab4da76aa9fbc5

SHA256
354b367615b97c6377d97a152379746a0213fdce0feb4d45bb63f1327eba8866

SHA512
6944bd566f00e1d366a4a6e84916a2c93cab473834973569c00df54ad8a26c5ed951ab9dc10c9b41a4752d29a9b7d4ad4bbfb285ae635cc58d42508656078f12

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cssrs.exe

Filesize
210KB

MD5
bb34700d9f0dd981e2ea45406336cff0

SHA1
83c84a6920a0598f779d54517aab4da76aa9fbc5

SHA256
354b367615b97c6377d97a152379746a0213fdce0feb4d45bb63f1327eba8866

SHA512
6944bd566f00e1d366a4a6e84916a2c93cab473834973569c00df54ad8a26c5ed951ab9dc10c9b41a4752d29a9b7d4ad4bbfb285ae635cc58d42508656078f12

Download Submit
C:\Users\Admin\AppData\Roaming\cssrs.exe

Filesize
210KB

MD5
bb34700d9f0dd981e2ea45406336cff0

SHA1
83c84a6920a0598f779d54517aab4da76aa9fbc5

SHA256
354b367615b97c6377d97a152379746a0213fdce0feb4d45bb63f1327eba8866

SHA512
6944bd566f00e1d366a4a6e84916a2c93cab473834973569c00df54ad8a26c5ed951ab9dc10c9b41a4752d29a9b7d4ad4bbfb285ae635cc58d42508656078f12

Download Submit
C:\Users\Admin\AppData\Roaming\cssrs.exe

Filesize
210KB

MD5
bb34700d9f0dd981e2ea45406336cff0

SHA1
83c84a6920a0598f779d54517aab4da76aa9fbc5

SHA256
354b367615b97c6377d97a152379746a0213fdce0feb4d45bb63f1327eba8866

SHA512
6944bd566f00e1d366a4a6e84916a2c93cab473834973569c00df54ad8a26c5ed951ab9dc10c9b41a4752d29a9b7d4ad4bbfb285ae635cc58d42508656078f12

Download Submit
memory/1620-14-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4008-15-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4560-0-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4560-13-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download