Overview

overview

10

Static

static

7

NEAS.15359...80.exe

windows7-x64

10

NEAS.15359...80.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/11/2023, 13:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.153594be9a6c68be3db7022731b4d980.exe

  • Size

    186KB

  • MD5

    153594be9a6c68be3db7022731b4d980

  • SHA1

    8f63bf29f59355964cf4eedc09548b4d5618560b

  • SHA256

    024da0a726387894a279f81b5028369ceec07ac76ef42eaca126d9f5c0b302be

  • SHA512

    2456a6b3125a09d124e330f0ba764533db6896bfed46ced7bf2853f34697dad75c72c6fb74649c2921c5eba00034de501b4a5a840cd6b4dd4ac4304351118342

  • SSDEEP

    3072:2/5F/E7tEf0q+F+tYlpJH7iXQNgggHlxDZiYLK5WpklpoutN3:2hF4c7+UWJH7igNgjdFKs+poS5

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 9 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • UPX packed file 37 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops desktop.ini file(s) 4 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Program crash 1 IoCs
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies registry class 15 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.153594be9a6c68be3db7022731b4d980.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.153594be9a6c68be3db7022731b4d980.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1524
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4664
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2324
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3304
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:840
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3120
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:5016
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4032
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 960
      2⤵
      • Program crash
      PID:1212
      • C:\Windows\SysWOW64\Shell.exe
        "C:\Windows\system32\Shell.exe"
        3⤵
        • Executes dropped EXE
        PID:4412
      • C:\Windows\SysWOW64\Shell.exe
        "C:\Windows\system32\Shell.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4464
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1524 -ip 1524
    1⤵
      PID:4952

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Event Triggered Execution

    1
    T1546

    Change Default File Association

    1
    T1546.001

    Privilege Escalation

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Event Triggered Execution

    1
    T1546

    Change Default File Association

    1
    T1546.001

    Defense Evasion

    Hide Artifacts

    2
    T1564

    Hidden Files and Directories

    2
    T1564.001

    Modify Registry

    6
    T1112

    Credential Access

    Discovery

    Peripheral Device Discovery

    1
    T1120

    Query Registry

    1
    T1012

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Inhibit System Recovery

    1
    T1490

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
      Filesize

      186KB

      MD5

      e8ef8eb7e4486dcfcf8abf230f8a6e1a

      SHA1

      ea556427b3407eeec86284f053a14c872ac306ec

      SHA256

      2e9be3830d301479982386d9e4c5d503e79c9ffb18cbb03410da9395ab75b667

      SHA512

      afdeb2f75fee40a5ea53b343ffd72926c573f463d40d353e6c518408f0108e94922be5bea2c3cc1d6d5fc91e43eb32e5214a765e5e02e0bd5dfdd10542de3bec

      Download Submit

    • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
      Filesize

      186KB

      MD5

      0c614dcd93853df2061f2abe77273d40

      SHA1

      32d2cb270d8d996059dfc12e0b373822675c5187

      SHA256

      29a997996e856518dd4aa42ad640db765dada6611feb3625a8764f8ee2baf87c

      SHA512

      75f0372f163a151cadb1b8de53a8d420efa586893861369ef40faa89b0a9200429dce556eedb67dd46ba876bd6b61882e5c01fdc8f05c1316acbf966f764b350

      Download Submit

    • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
      Filesize

      186KB

      MD5

      ef7b6838ba6124170c78479f2b4f5ca8

      SHA1

      e4b18bc75c4dfd7d243954ba2387a58fb0b945ba

      SHA256

      38073a9f2c94bb48eae4e88457d8b5fcdfccf610d134309b134d3e1bc85853ac

      SHA512

      e8656e5d48c27fb73d61bbadea2572b57038fc63d75f481d60b7fdffc7ad49fe3c20ee942b8ed59b64e06c4d794c9fca1fe6a92b1959ebd03072be3e8c2110e7

      Download Submit

    • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
      Filesize

      186KB

      MD5

      8d68bd4beff8327842212baef0664100

      SHA1

      be8d1a40865d27f8a124ec711c598997f4734e59

      SHA256

      6c884567fa5c27d9bdce0e08ea171cbf5c6cd1190189860cffceca4a477c906d

      SHA512

      48faba86d091d020d2fd653cf56c6e7869e9f5e31c116bf9b11a7f08ccdb2f3b3a1e7b043a5f0a57c1daaf00a714e8720a1fd88cdf28d8ba046d472047793e77

      Download Submit

    • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
      Filesize

      186KB

      MD5

      cca13104e639caefc364bad2a8a394f6

      SHA1

      b66c85b1b74a906964415b856b29f56133ae5209

      SHA256

      56f7cbc605c5f432921b80c1fee0537c449838448dc4a6ae093c546fdc21f6db

      SHA512

      8a2c626ceff2f8a212a45c6d37f4c871b900855c73cf48532a8f8adcc25c2ff9312821b8d2ddd93502ff4934f99f483057037b578975bba8230d7094cc7001e6

      Download Submit

    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      Filesize

      186KB

      MD5

      e8ef8eb7e4486dcfcf8abf230f8a6e1a

      SHA1

      ea556427b3407eeec86284f053a14c872ac306ec

      SHA256

      2e9be3830d301479982386d9e4c5d503e79c9ffb18cbb03410da9395ab75b667

      SHA512

      afdeb2f75fee40a5ea53b343ffd72926c573f463d40d353e6c518408f0108e94922be5bea2c3cc1d6d5fc91e43eb32e5214a765e5e02e0bd5dfdd10542de3bec

      Download Submit

    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      Filesize

      186KB

      MD5

      0c614dcd93853df2061f2abe77273d40

      SHA1

      32d2cb270d8d996059dfc12e0b373822675c5187

      SHA256

      29a997996e856518dd4aa42ad640db765dada6611feb3625a8764f8ee2baf87c

      SHA512

      75f0372f163a151cadb1b8de53a8d420efa586893861369ef40faa89b0a9200429dce556eedb67dd46ba876bd6b61882e5c01fdc8f05c1316acbf966f764b350

      Download Submit

    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      Filesize

      186KB

      MD5

      ef7b6838ba6124170c78479f2b4f5ca8

      SHA1

      e4b18bc75c4dfd7d243954ba2387a58fb0b945ba

      SHA256

      38073a9f2c94bb48eae4e88457d8b5fcdfccf610d134309b134d3e1bc85853ac

      SHA512

      e8656e5d48c27fb73d61bbadea2572b57038fc63d75f481d60b7fdffc7ad49fe3c20ee942b8ed59b64e06c4d794c9fca1fe6a92b1959ebd03072be3e8c2110e7

      Download Submit

    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      Filesize

      186KB

      MD5

      8d68bd4beff8327842212baef0664100

      SHA1

      be8d1a40865d27f8a124ec711c598997f4734e59

      SHA256

      6c884567fa5c27d9bdce0e08ea171cbf5c6cd1190189860cffceca4a477c906d

      SHA512

      48faba86d091d020d2fd653cf56c6e7869e9f5e31c116bf9b11a7f08ccdb2f3b3a1e7b043a5f0a57c1daaf00a714e8720a1fd88cdf28d8ba046d472047793e77

      Download Submit

    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      Filesize

      186KB

      MD5

      cca13104e639caefc364bad2a8a394f6

      SHA1

      b66c85b1b74a906964415b856b29f56133ae5209

      SHA256

      56f7cbc605c5f432921b80c1fee0537c449838448dc4a6ae093c546fdc21f6db

      SHA512

      8a2c626ceff2f8a212a45c6d37f4c871b900855c73cf48532a8f8adcc25c2ff9312821b8d2ddd93502ff4934f99f483057037b578975bba8230d7094cc7001e6

      Download Submit

    • C:\Windows\SysWOW64\IExplorer.exe
      Filesize

      186KB

      MD5

      6e4b9cca570ac6a73a97e1793d6a56f7

      SHA1

      1000e1c10ae1a8209023af82a876ecfeb9e236cf

      SHA256

      42fee03da724edffbca61af635c799e27ca44d9db80afc08d0a0faea023f46ae

      SHA512

      24fc0e50c671443f30e415285de0f704f5449527e0f63dba249def68f95107c698a42f1a17d133dbed9d2df02409e076e7a6abe49e753c93f1c395f1c97fe02f

      Download Submit

    • C:\Windows\SysWOW64\IExplorer.exe
      Filesize

      186KB

      MD5

      6e4b9cca570ac6a73a97e1793d6a56f7

      SHA1

      1000e1c10ae1a8209023af82a876ecfeb9e236cf

      SHA256

      42fee03da724edffbca61af635c799e27ca44d9db80afc08d0a0faea023f46ae

      SHA512

      24fc0e50c671443f30e415285de0f704f5449527e0f63dba249def68f95107c698a42f1a17d133dbed9d2df02409e076e7a6abe49e753c93f1c395f1c97fe02f

      Download Submit

    • C:\Windows\SysWOW64\IExplorer.exe
      Filesize

      186KB

      MD5

      153594be9a6c68be3db7022731b4d980

      SHA1

      8f63bf29f59355964cf4eedc09548b4d5618560b

      SHA256

      024da0a726387894a279f81b5028369ceec07ac76ef42eaca126d9f5c0b302be

      SHA512

      2456a6b3125a09d124e330f0ba764533db6896bfed46ced7bf2853f34697dad75c72c6fb74649c2921c5eba00034de501b4a5a840cd6b4dd4ac4304351118342

      Download Submit

    • C:\Windows\SysWOW64\shell.exe
      Filesize

      186KB

      MD5

      c86f8cb5f33e41bfe29c1415e936dc1b

      SHA1

      4d3112bcb79ac5f9f8b0f818b9c3ff6ee9545518

      SHA256

      d63757c77ff83a02dec11f487b80ebedc3d669892a734718782e9c429df6fc78

      SHA512

      de7d147410070af9ecaebf1a608a4778587b8ca0043acb4e18c0d71ef8f4351ab137fdb408217aad8de88b933831bf24ee1fe91b4d6376e4a1f45335fe15c2a2

      Download Submit

    • C:\Windows\SysWOW64\shell.exe
      Filesize

      186KB

      MD5

      c86f8cb5f33e41bfe29c1415e936dc1b

      SHA1

      4d3112bcb79ac5f9f8b0f818b9c3ff6ee9545518

      SHA256

      d63757c77ff83a02dec11f487b80ebedc3d669892a734718782e9c429df6fc78

      SHA512

      de7d147410070af9ecaebf1a608a4778587b8ca0043acb4e18c0d71ef8f4351ab137fdb408217aad8de88b933831bf24ee1fe91b4d6376e4a1f45335fe15c2a2

      Download Submit

    • C:\Windows\xk.exe
      Filesize

      186KB

      MD5

      d50a8f7904337ca9740e49ea6813ee15

      SHA1

      392062c741b1916e8c7c6fd38891e1cead7e1fbc

      SHA256

      783a0fb5edb0c700f63c92bceb33ec5b8f31e2874d1584e9b112b3281daae158

      SHA512

      ceafa0cb35f978b10bbde5b2a3cb508897fd1ef6c89714272b430bd8627a24f480f38d3c6addc2ae73e8bbaad2b1fad3c1e5b806088d851d0c9cbd9044bea999

      Download Submit

    • C:\Windows\xk.exe
      Filesize

      186KB

      MD5

      d50a8f7904337ca9740e49ea6813ee15

      SHA1

      392062c741b1916e8c7c6fd38891e1cead7e1fbc

      SHA256

      783a0fb5edb0c700f63c92bceb33ec5b8f31e2874d1584e9b112b3281daae158

      SHA512

      ceafa0cb35f978b10bbde5b2a3cb508897fd1ef6c89714272b430bd8627a24f480f38d3c6addc2ae73e8bbaad2b1fad3c1e5b806088d851d0c9cbd9044bea999

      Download Submit

    • memory/840-74-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/840-70-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/1524-0-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/1524-62-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/1524-129-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2324-54-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2324-59-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3120-77-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3120-81-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3304-67-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3304-64-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4032-95-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4032-91-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4412-123-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4412-124-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4464-128-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4664-56-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4664-48-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/5016-88-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/5016-84-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download