Overview

overview

10

Static

static

3

NEAS.f2110...80.exe

windows7-x64

10

NEAS.f2110...80.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    02-11-2023 14:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.f2110ab4d6630c812a5428384735be80.exe

  • Size

    135KB

  • MD5

    f2110ab4d6630c812a5428384735be80

  • SHA1

    ad0a630ea8f496e26c09864c255feb6b3c0f06b9

  • SHA256

    69d629150b0aef221218b0112ba5693e56bdf02ad1f4ba4bbbdbeecbad1cdd52

  • SHA512

    d618acb0d692bfb871a178a9e58bf47380dc5053af3ea288697a5ee64297db6bf7dfff636c6a13df810d8e9e0c3c996487832ed81b7f942e61cc64008e9672dd

  • SSDEEP

    1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbV9i1OFA:UVqoCl/YgjxEufVU0TbTyDDalDZFA

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.f2110ab4d6630c812a5428384735be80.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.f2110ab4d6630c812a5428384735be80.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3044
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2476
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1676
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2640
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2776
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 14:06 /f
            5⤵
            • Creates scheduled task(s)
            PID:2536
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 14:07 /f
            5⤵
            • Creates scheduled task(s)
            PID:2872
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 14:08 /f
            5⤵
            • Creates scheduled task(s)
            PID:584
      • C:\Windows\Explorer.exe
        C:\Windows\Explorer.exe
        3⤵
          PID:2996

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\Resources\Themes\explorer.exe
      Filesize

      135KB

      MD5

      16df8ee0b49a6eb1953bfd9a8b713d69

      SHA1

      957c5146696be9fc3a6a4669669cb4bec945abaf

      SHA256

      ea65db6f2ce340e7595c1dd9738360b7735da6fc2531494a7f34c6a1839cb4ea

      SHA512

      f220348822d8a6482890ac311150bd80c8479dcc1faed24119f0b5367552f326b7648d922881482ba66d4c7c3c7d6a8c7cac17d0f653c5f956aa6ce112f88021

      Download Submit

    • C:\Windows\Resources\spoolsv.exe
      Filesize

      135KB

      MD5

      e6d306b03bcb7ca62c1ba6d822bc86ad

      SHA1

      50d750d58d5f6e1c6967fb2711be4e4c511040d4

      SHA256

      6b13f49d6adfa6e22041b2c8c89e074492eb8f3d4ca7c6d2ea7efbe2693a4a4f

      SHA512

      9800fc77675a93d541269cd9f28914438b14d35d4df8b8dcb439d6a2405dd7d83db675d60c852ca218c27ea6c456a851aa5542556ad6ffb893d01ef1fc465963

      Download Submit

    • C:\Windows\Resources\spoolsv.exe
      Filesize

      135KB

      MD5

      e6d306b03bcb7ca62c1ba6d822bc86ad

      SHA1

      50d750d58d5f6e1c6967fb2711be4e4c511040d4

      SHA256

      6b13f49d6adfa6e22041b2c8c89e074492eb8f3d4ca7c6d2ea7efbe2693a4a4f

      SHA512

      9800fc77675a93d541269cd9f28914438b14d35d4df8b8dcb439d6a2405dd7d83db675d60c852ca218c27ea6c456a851aa5542556ad6ffb893d01ef1fc465963

      Download Submit

    • C:\Windows\Resources\spoolsv.exe
      Filesize

      135KB

      MD5

      e6d306b03bcb7ca62c1ba6d822bc86ad

      SHA1

      50d750d58d5f6e1c6967fb2711be4e4c511040d4

      SHA256

      6b13f49d6adfa6e22041b2c8c89e074492eb8f3d4ca7c6d2ea7efbe2693a4a4f

      SHA512

      9800fc77675a93d541269cd9f28914438b14d35d4df8b8dcb439d6a2405dd7d83db675d60c852ca218c27ea6c456a851aa5542556ad6ffb893d01ef1fc465963

      Download Submit

    • C:\Windows\Resources\svchost.exe
      Filesize

      135KB

      MD5

      4fce76e2b8c2f3dccc874ed15ddc20bd

      SHA1

      c414b31606847e9deafcd7e7d349c18d91cddb83

      SHA256

      8ba45d86476864cc27862650ef21745a65e7fc81cbf808ff04b73e6b7c98bb2c

      SHA512

      72abceab8247d02fc32b76655a9626d1a2a58a903df316f66bdfa8053da0d040939c56fd44b5529fa77e6985b524fe1eae6f4cee63dc20925fa1978a2460bc28

      Download Submit

    • \??\c:\windows\resources\spoolsv.exe
      Filesize

      135KB

      MD5

      e6d306b03bcb7ca62c1ba6d822bc86ad

      SHA1

      50d750d58d5f6e1c6967fb2711be4e4c511040d4

      SHA256

      6b13f49d6adfa6e22041b2c8c89e074492eb8f3d4ca7c6d2ea7efbe2693a4a4f

      SHA512

      9800fc77675a93d541269cd9f28914438b14d35d4df8b8dcb439d6a2405dd7d83db675d60c852ca218c27ea6c456a851aa5542556ad6ffb893d01ef1fc465963

      Download Submit

    • \??\c:\windows\resources\svchost.exe
      Filesize

      135KB

      MD5

      4fce76e2b8c2f3dccc874ed15ddc20bd

      SHA1

      c414b31606847e9deafcd7e7d349c18d91cddb83

      SHA256

      8ba45d86476864cc27862650ef21745a65e7fc81cbf808ff04b73e6b7c98bb2c

      SHA512

      72abceab8247d02fc32b76655a9626d1a2a58a903df316f66bdfa8053da0d040939c56fd44b5529fa77e6985b524fe1eae6f4cee63dc20925fa1978a2460bc28

      Download Submit

    • \??\c:\windows\resources\themes\explorer.exe
      Filesize

      135KB

      MD5

      16df8ee0b49a6eb1953bfd9a8b713d69

      SHA1

      957c5146696be9fc3a6a4669669cb4bec945abaf

      SHA256

      ea65db6f2ce340e7595c1dd9738360b7735da6fc2531494a7f34c6a1839cb4ea

      SHA512

      f220348822d8a6482890ac311150bd80c8479dcc1faed24119f0b5367552f326b7648d922881482ba66d4c7c3c7d6a8c7cac17d0f653c5f956aa6ce112f88021

      Download Submit

    • \Windows\Resources\Themes\explorer.exe
      Filesize

      135KB

      MD5

      16df8ee0b49a6eb1953bfd9a8b713d69

      SHA1

      957c5146696be9fc3a6a4669669cb4bec945abaf

      SHA256

      ea65db6f2ce340e7595c1dd9738360b7735da6fc2531494a7f34c6a1839cb4ea

      SHA512

      f220348822d8a6482890ac311150bd80c8479dcc1faed24119f0b5367552f326b7648d922881482ba66d4c7c3c7d6a8c7cac17d0f653c5f956aa6ce112f88021

      Download Submit

    • \Windows\Resources\spoolsv.exe
      Filesize

      135KB

      MD5

      e6d306b03bcb7ca62c1ba6d822bc86ad

      SHA1

      50d750d58d5f6e1c6967fb2711be4e4c511040d4

      SHA256

      6b13f49d6adfa6e22041b2c8c89e074492eb8f3d4ca7c6d2ea7efbe2693a4a4f

      SHA512

      9800fc77675a93d541269cd9f28914438b14d35d4df8b8dcb439d6a2405dd7d83db675d60c852ca218c27ea6c456a851aa5542556ad6ffb893d01ef1fc465963

      Download Submit

    • \Windows\Resources\spoolsv.exe
      Filesize

      135KB

      MD5

      e6d306b03bcb7ca62c1ba6d822bc86ad

      SHA1

      50d750d58d5f6e1c6967fb2711be4e4c511040d4

      SHA256

      6b13f49d6adfa6e22041b2c8c89e074492eb8f3d4ca7c6d2ea7efbe2693a4a4f

      SHA512

      9800fc77675a93d541269cd9f28914438b14d35d4df8b8dcb439d6a2405dd7d83db675d60c852ca218c27ea6c456a851aa5542556ad6ffb893d01ef1fc465963

      Download Submit

    • \Windows\Resources\svchost.exe
      Filesize

      135KB

      MD5

      4fce76e2b8c2f3dccc874ed15ddc20bd

      SHA1

      c414b31606847e9deafcd7e7d349c18d91cddb83

      SHA256

      8ba45d86476864cc27862650ef21745a65e7fc81cbf808ff04b73e6b7c98bb2c

      SHA512

      72abceab8247d02fc32b76655a9626d1a2a58a903df316f66bdfa8053da0d040939c56fd44b5529fa77e6985b524fe1eae6f4cee63dc20925fa1978a2460bc28

      Download Submit

    • memory/1676-41-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2476-43-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2640-35-0x00000000002F0000-0x000000000030F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2640-44-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2776-40-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/3044-0-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/3044-42-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download