Overview

overview

10

Static

static

7

NEAS.15359...80.exe

windows7-x64

10

NEAS.15359...80.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    01/11/2023, 13:53

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.153594be9a6c68be3db7022731b4d980.exe

  • Size

    186KB

  • MD5

    153594be9a6c68be3db7022731b4d980

  • SHA1

    8f63bf29f59355964cf4eedc09548b4d5618560b

  • SHA256

    024da0a726387894a279f81b5028369ceec07ac76ef42eaca126d9f5c0b302be

  • SHA512

    2456a6b3125a09d124e330f0ba764533db6896bfed46ced7bf2853f34697dad75c72c6fb74649c2921c5eba00034de501b4a5a840cd6b4dd4ac4304351118342

  • SSDEEP

    3072:2/5F/E7tEf0q+F+tYlpJH7iXQNgggHlxDZiYLK5WpklpoutN3:2hF4c7+UWJH7igNgjdFKs+poS5

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies registry class 15 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.153594be9a6c68be3db7022731b4d980.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.153594be9a6c68be3db7022731b4d980.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2196
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 376
      2⤵
      • Program crash
      PID:2560

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/2196-0-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

          Download

        • memory/2196-3-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

          Download