Overview

overview

10

Static

static

3

NEAS.5fb4e...b0.exe

windows7-x64

10

NEAS.5fb4e...b0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    168s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-11-2023 14:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.5fb4e794e2786fbd9d9989ed4c47cfb0.exe

  • Size

    211KB

  • MD5

    5fb4e794e2786fbd9d9989ed4c47cfb0

  • SHA1

    b03f9b31ff9e3941dc883937ec1bc866e0b7151b

  • SHA256

    de3f3f1f6d692289bae0f1d3ed5d9cf12948dc9fe29291ebf9a7026825772445

  • SHA512

    3e2f2bfc8273f9280fbf1c8abe7648f807ec7b79a3e9ddaf32f2788840c40940586acc7df2cf4ad66773d681a54a61266e8ceafe6a8256b7d570a656bb5fe69a

  • SSDEEP

    3072:WD6Xtx68yygRBE52mxkEOHLRMpZ4deth8PEAjAfIbAYGPhz6sPJBInxZqOF:Wh8cBzHLRMpZ4d1ZF

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.5fb4e794e2786fbd9d9989ed4c47cfb0.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.5fb4e794e2786fbd9d9989ed4c47cfb0.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1656
    • \??\c:\windows\userinit.exe
      c:\windows\userinit.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:876
      • \??\c:\windows\spoolsw.exe
        c:\windows\spoolsw.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3552
        • \??\c:\windows\swchost.exe
          c:\windows\swchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4644
          • \??\c:\windows\spoolsw.exe
            c:\windows\spoolsw.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1856

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\mrsys.exe
    Filesize

    211KB

    MD5

    7f706ceac7e0144a6d064c67fb754a31

    SHA1

    c71b26474835006310d3731800096036c032f8c2

    SHA256

    0a543b025480ce4ab7a78c73beee9817468dc2ff0c4f091f816725dd16bba94c

    SHA512

    36ffbd3b889e088eace8a83a5ee43833c53122789927d217abf88ebdc76d79a8ed8c89a725555a8ea1a1fb99d34d62aae26242d463622858808d122e01d130b7

    Download Submit

  • C:\Windows\spoolsw.exe
    Filesize

    211KB

    MD5

    829a26801d0f5a95c278eeab0bbc7505

    SHA1

    b4fbf69c8c3a8ecedea6785ce4cf526ec72a62c4

    SHA256

    f171203821fee1fd2eb8c0152a7f1ea6e95db26e2ee281131993c6684bc3f6b7

    SHA512

    daf4311a317c9a32620a04f4e346af4502418322d2468f8cc03bd3e887df3d358d762d150447a26d53a4160dcbd499fff9d69474555e50d7dab53644701ae18a

    Download Submit

  • C:\Windows\spoolsw.exe
    Filesize

    211KB

    MD5

    829a26801d0f5a95c278eeab0bbc7505

    SHA1

    b4fbf69c8c3a8ecedea6785ce4cf526ec72a62c4

    SHA256

    f171203821fee1fd2eb8c0152a7f1ea6e95db26e2ee281131993c6684bc3f6b7

    SHA512

    daf4311a317c9a32620a04f4e346af4502418322d2468f8cc03bd3e887df3d358d762d150447a26d53a4160dcbd499fff9d69474555e50d7dab53644701ae18a

    Download Submit

  • C:\Windows\spoolsw.exe
    Filesize

    211KB

    MD5

    829a26801d0f5a95c278eeab0bbc7505

    SHA1

    b4fbf69c8c3a8ecedea6785ce4cf526ec72a62c4

    SHA256

    f171203821fee1fd2eb8c0152a7f1ea6e95db26e2ee281131993c6684bc3f6b7

    SHA512

    daf4311a317c9a32620a04f4e346af4502418322d2468f8cc03bd3e887df3d358d762d150447a26d53a4160dcbd499fff9d69474555e50d7dab53644701ae18a

    Download Submit

  • C:\Windows\swchost.exe
    Filesize

    211KB

    MD5

    942b9db8589eec899738c77425e10e9c

    SHA1

    aabcf0e0aa18d975c41f582cbe7b58cfca1e31dc

    SHA256

    c201a19b686b3ceefe874ba3d301610e1d50c6d3b934a183e36417120df3a625

    SHA512

    3e0e53dfe2178081964b872000df0dd6ec5452ba7cec91a5a13707342125e827291be3e46b81580161a4b387744d3578be3a00c68784abe15d47599d70469c69

    Download Submit

  • C:\Windows\userinit.exe
    Filesize

    211KB

    MD5

    9cb246821adc886f469f3325d1a77581

    SHA1

    4fbfb69a3933efc2f50de60dc5ba5565ce674a23

    SHA256

    cddaedf8e7683fedb907bf78b38c230bc6b649c5146f94b89ba7e350d11a611a

    SHA512

    ef075b7f289cc24fac1f15b386efe6becbf2e1a087d26dc8ba10c1858ccf1d683e5d23f634491ee482108426fe35f17b6a4fae79d15e0d344d90dc3e73bedef5

    Download Submit

  • \??\c:\windows\spoolsw.exe
    Filesize

    211KB

    MD5

    829a26801d0f5a95c278eeab0bbc7505

    SHA1

    b4fbf69c8c3a8ecedea6785ce4cf526ec72a62c4

    SHA256

    f171203821fee1fd2eb8c0152a7f1ea6e95db26e2ee281131993c6684bc3f6b7

    SHA512

    daf4311a317c9a32620a04f4e346af4502418322d2468f8cc03bd3e887df3d358d762d150447a26d53a4160dcbd499fff9d69474555e50d7dab53644701ae18a

    Download Submit

  • \??\c:\windows\swchost.exe
    Filesize

    211KB

    MD5

    942b9db8589eec899738c77425e10e9c

    SHA1

    aabcf0e0aa18d975c41f582cbe7b58cfca1e31dc

    SHA256

    c201a19b686b3ceefe874ba3d301610e1d50c6d3b934a183e36417120df3a625

    SHA512

    3e0e53dfe2178081964b872000df0dd6ec5452ba7cec91a5a13707342125e827291be3e46b81580161a4b387744d3578be3a00c68784abe15d47599d70469c69

    Download Submit

  • \??\c:\windows\userinit.exe
    Filesize

    211KB

    MD5

    9cb246821adc886f469f3325d1a77581

    SHA1

    4fbfb69a3933efc2f50de60dc5ba5565ce674a23

    SHA256

    cddaedf8e7683fedb907bf78b38c230bc6b649c5146f94b89ba7e350d11a611a

    SHA512

    ef075b7f289cc24fac1f15b386efe6becbf2e1a087d26dc8ba10c1858ccf1d683e5d23f634491ee482108426fe35f17b6a4fae79d15e0d344d90dc3e73bedef5

    Download Submit

  • memory/876-38-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1656-0-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1656-36-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1856-32-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3552-35-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4644-39-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download