Analysis

  • max time kernel
    139s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-11-2023 16:44

General

  • Target

    NEAS.79e4ff7e07ef027149bee83fa1615910.exe

  • Size

    568KB

  • MD5

    79e4ff7e07ef027149bee83fa1615910

  • SHA1

    89c552505738eeb20376788de9b80d2bf3b941c3

  • SHA256

    41971e0f60de2d25dc70c6cab9acb668a6f643e08f98a993f51c27159769342c

  • SHA512

    5334832dfeae54af3a6c0d62916187b44f4ab967fa13f6b5698db56566e6e789f9b8bf700b1d083c292a4ab0391bd36da47b98893b2815dce2a29900562b6f43

  • SSDEEP

    12288:1mnsl+4bSDyoJMRhxgrO12i+4f0c5/3wb:1mx4bwTJM1N2Kc

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Modifies Internet Explorer settings 1 TTPs 33 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.79e4ff7e07ef027149bee83fa1615910.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.79e4ff7e07ef027149bee83fa1615910.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:208
    • \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
      c:\users\admin\appdata\local\temp\\wmpscfgs.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4496
    • C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
      C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4424
      • \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
        c:\users\admin\appdata\local\temp\\wmpscfgs.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:5004
      • C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
        C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4376
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
      PID:3772
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3952
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3952 CREDAT:17410 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:4948
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3952 CREDAT:17416 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:960
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3952 CREDAT:17424 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:4448

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe

      Filesize

      582KB

      MD5

      9cb2855cabb6a26f2ab3f550b8dd4892

      SHA1

      0b7251ac6189f38328a6899df58ff42eb083e674

      SHA256

      b2d5d5a629815ee355fcd7b420994b7d31716957c286610ad4199ab0cef34cf1

      SHA512

      b184aaf932f3d1cf244433ebdd920828330b1f0fe7d623a81bf9ff754172528afe48e06ef54456965aaa4b44f347306933562fd896e7bb9222a9f923c13a9d6c

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

      Filesize

      2KB

      MD5

      857de04ecede314e9dd398ed2168a704

      SHA1

      f1d708044dd0542be85ce7a1e569a8b18f3486d3

      SHA256

      e6b2e526e4844e72a863965544a71f5717676d1614c84b6468d607fad2570303

      SHA512

      82ab829fc1a6d2fd52f888352ce518529d4d031ea923378350eefda80118bfe0d3860d31a94470f90f83388be776e2851192c72b58dc7211d5d6333eefdd3398

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

      Filesize

      450B

      MD5

      940022adbf1e4a98b8535d182033e851

      SHA1

      83dca2b71ee363e4eac10dd1197eab18e0682336

      SHA256

      8a265fbfe2f86add8d07dfcd7e229dd0df88620dcd6a3866d8d2965d27bf64fd

      SHA512

      3c29b2ac50c9f9b667cb76cbc617e1b1df0a00f31e8018eea6ec18498d6c1d0d4c2e8179f1bd471a4f39843b2442726d33837ef72902137d9678de0675bcd205

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PR01V9ZG\px[1].js

      Filesize

      476B

      MD5

      d2183968f9080b37babfeba3ccf10df2

      SHA1

      24b9cf589ee6789e567fac3ae5acfc25826d00c6

      SHA256

      4d9b83714539f82372e1e0177924bcb5180b75148e22d6725468fd2fb6f96bcc

      SHA512

      0e16d127a199a4238138eb99a461adf2665cee4f803d63874b4bcef52301d0ecd1d2eb71af3f77187916fe04c5f9b152c51171131c2380f31ca267a0a46d2a42

    • C:\Users\Admin\AppData\Local\Temp\wmpscfgs.exe

      Filesize

      607KB

      MD5

      8a1e797986fe84fa9dd4da4f75a77170

      SHA1

      af4f3c9e72c14b3d88d15af6a6ba211158dd1a1a

      SHA256

      327d2d47768d0b0d0678855627e6e177402c25d65b760475a2e9e635fea0e68e

      SHA512

      465a741c7be103ebf3ca74940b85eb22ae6c05b543ee8c098d7c4f1dad07f630669537fde4a8d246eec29fe4ce376a88a6990eabbadbe3e4aee07e73138562e3

    • C:\Users\Admin\AppData\Local\Temp\wmpscfgs.exe

      Filesize

      586KB

      MD5

      7ffeda236f0669c66348bb86bbb88855

      SHA1

      72abb5c8f7d0fa10665db12dc064d105909be955

      SHA256

      c9d92978c232c68c52af17c4a61c002144b30bb14536da18aa1f6ddb0bd5601f

      SHA512

      b5d4d6418ef3a81de77065e0de788693e6d1ae6a490c6cfad6a013847f0c2e4ba3035d296e95f788eb9f401ebf9634a7250822cc3cde00897bf883e8172afe0d

    • \??\c:\program files (x86)\adobe\acrotray .exe

      Filesize

      596KB

      MD5

      f3badfb9efa5891aefe7adc7999298c9

      SHA1

      6ee3654cc5c6772c5fd1f2342bad3e625f2beaf1

      SHA256

      33c1a639af7010a169f9cc7b9349a2f736d66989c11121cbc5419e5908b0e78b

      SHA512

      b7be10970f68d6536d24ba55f05cc194f86f3dc5f04872fd73849f650a35c1cb7ada49270615b20db24226d35497467b46538c73d352ecb40dafd6ee12a80325

    • \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe

      Filesize

      607KB

      MD5

      8a1e797986fe84fa9dd4da4f75a77170

      SHA1

      af4f3c9e72c14b3d88d15af6a6ba211158dd1a1a

      SHA256

      327d2d47768d0b0d0678855627e6e177402c25d65b760475a2e9e635fea0e68e

      SHA512

      465a741c7be103ebf3ca74940b85eb22ae6c05b543ee8c098d7c4f1dad07f630669537fde4a8d246eec29fe4ce376a88a6990eabbadbe3e4aee07e73138562e3

    • memory/208-0-0x0000000010000000-0x0000000010010000-memory.dmp

      Filesize

      64KB
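Host triage against the indicators in this report, added here as an example; it is not part of the sandbox report or its tooling. The SHA256 values, file names and paths are copied from the Processes and Downloads sections above. Everything else in the constructed input is an assumption: the parent PIDs follow the nesting of the process tree (1⤵, 2⤵, 3⤵) with 1000 standing in for the unknown root parent, the hash-to-PID assignment is illustrative (the report does not say which of the two Temp\wmpscfgs.exe hashes belongs to which process), the two Internet Explorer processes are given all-zero hashes as benign controls, and the Run key values are invented because the report records the key being written but not its data. The script normalises the two spellings of the dropped path (`\??\c:\...\temp\\wmpscfgs.exe` versus `C:\Users\...\Temp\wmpscfgs.exe`) and then flags the known hashes, the dropped file names, the `acrotray .exe` lookalike with a space before the extension, anything executing from %TEMP%, and the pattern the tree shows at PID 4424: a binary under Program Files launched by a parent running from %TEMP%.

```python
import ntpath

# Hashes copied from the report (the submitted sample and the Downloads section).
H_SAMPLE = "41971e0f60de2d25dc70c6cab9acb668a6f643e08f98a993f51c27159769342c"
H_TEMP_A = "327d2d47768d0b0d0678855627e6e177402c25d65b760475a2e9e635fea0e68e"  # Temp\wmpscfgs.exe, 607KB
H_TEMP_B = "c9d92978c232c68c52af17c4a61c002144b30bb14536da18aa1f6ddb0bd5601f"  # Temp\wmpscfgs.exe, 586KB
H_IE = "b2d5d5a629815ee355fcd7b420994b7d31716957c286610ad4199ab0cef34cf1"  # Internet Explorer\wmpscfgs.exe
H_ACRO = "33c1a639af7010a169f9cc7b9349a2f736d66989c11121cbc5419e5908b0e78b"  # Adobe\acrotray .exe
KNOWN_SHA256 = {H_SAMPLE, H_TEMP_A, H_TEMP_B, H_IE, H_ACRO}
DROPPED_NAMES = {"wmpscfgs.exe", "acrotray .exe"}

R_HASH = "sha256 matches a file from the sandbox report"
R_NAME = "file name matches a file the sample dropped"
R_SPACE = "whitespace before .exe (lookalike file name)"
R_TEMP = "executable running from %TEMP%"
R_PARENT = "binary under Program Files launched by a process in %TEMP%"


def normalize(path: str) -> str:
    # Strip quotes, the NT \??\ prefix and doubled backslashes, then lower-case,
    # so both spellings of the dropped path in the process tree compare equal.
    p = path.strip().strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    while "\\\\" in p:
        p = p.replace("\\\\", "\\")
    return p.lower()

def is_temp(path: str) -> bool:
    return "\\appdata\\local\\temp\\" in normalize(path)

def is_program_files(path: str) -> bool:
    n = normalize(path)
    return n.startswith("c:\\program files\\") or n.startswith("c:\\program files (x86)\\")

def name_findings(path: str) -> list[str]:
    # Checks on the file name alone: a name the sample dropped, or a space before .exe.
    name = ntpath.basename(normalize(path))
    out = []
    if name in DROPPED_NAMES:
        out.append(R_NAME)
    if name.endswith(".exe") and name[:-4] != name[:-4].rstrip():
        out.append(R_SPACE)
    return out

def triage_processes(events: list[dict]) -> list[tuple[int, str]]:
    # events: process-creation records (pid, ppid, image, sha256); returns (pid, reason) pairs.
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        pid, img = e["pid"], e["image"]
        if e.get("sha256", "").lower() in KNOWN_SHA256:
            findings.append((pid, R_HASH))
        findings += [(pid, r) for r in name_findings(img)]
        if is_temp(img):
            findings.append((pid, R_TEMP))
        parent = by_pid.get(e["ppid"])
        if parent and is_temp(parent["image"]) and is_program_files(img):
            findings.append((pid, R_PARENT))
    return findings

def triage_run_keys(values: dict[str, str]) -> list[tuple[str, str]]:
    # values: Run value name -> data; flags entries starting a dropped file or anything in %TEMP%.
    findings = []
    for name, data in values.items():
        # first token of the command line, honouring a quoted image path
        img = data.split('"')[1] if data.startswith('"') else data.split(" ", 1)[0]
        findings += [(name, r) for r in name_findings(img)]
        if is_temp(img):
            findings.append((name, R_TEMP))
    return findings

def ev(pid, ppid, image, sha256=""):
    return {"pid": pid, "ppid": ppid, "image": image, "sha256": sha256}

# The report's process tree. PPIDs follow the tree nesting; root parent 1000, the hash-to-PID
# assignment and the all-zero hashes on the two Internet Explorer processes are assumptions.
EVENTS = [
    ev(208, 1000, r"C:\Users\Admin\AppData\Local\Temp\NEAS.79e4ff7e07ef027149bee83fa1615910.exe", H_SAMPLE),
    ev(4496, 208, r"\??\c:\users\admin\appdata\local\temp\\wmpscfgs.exe", H_TEMP_A),
    ev(4424, 208, r"C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe", H_IE),
    ev(5004, 4424, r"\??\c:\users\admin\appdata\local\temp\\wmpscfgs.exe", H_TEMP_B),
    ev(4376, 4424, r"C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe", H_IE),
    ev(3952, 1000, r"C:\Program Files\Internet Explorer\iexplore.exe", "0" * 64),
    ev(4948, 3952, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE", "0" * 64),
]
# Constructed Run values: the report records the key being written but not the value data.
RUN_VALUES = {
    "OneDrive": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "wmpscfgs": r'"C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe"',
}

if __name__ == "__main__":
    for subject, reason in triage_processes(EVENTS) + triage_run_keys(RUN_VALUES):
        print(subject, reason)
```

On a live host the same functions take their input from a process-creation log (Sysmon event 1 or EDR telemetry carries pid, ppid, image and hash) and from the Run keys under HKCU and HKLM; the two Internet Explorer processes in the constructed input produce no findings, which is the check that the rules key on the dropped names, hashes and the Temp-to-Program Files parent relationship rather than on the Internet Explorer directory itself.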