a066b8eb0516285fa2db56a152113198df0e022001b92a4b124558d72ad81558

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
04/11/2023, 12:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.53a86d69337d4213ab796b698a36d240.exe
Size

1.1MB
MD5

53a86d69337d4213ab796b698a36d240
SHA1

6d1d1b90169c7c259cf1f304fdc2a1af70a7c505
SHA256

a066b8eb0516285fa2db56a152113198df0e022001b92a4b124558d72ad81558
SHA512

8e16725493dd91c984e86fe5d48ff53cb48f7d2b22ef8d2fa0b3ff79be7da79dc18392f1c52cb8af67063e570acdc6dcdd0805360a62da7a95238a88417dab8e
SSDEEP

24576:PFOaHyISjuOFLVusD/bOKCWlOxMuBRUgL:tbyzuWpBD//g1aG

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 7 IoCs

pid	Process
3224	neas.53a86d69337d4213ab796b698a36d240.exe
4308	icsys.icn.exe
5024	neas.53a86d69337d4213ab796b698a36d240.tmp
2300	explorer.exe
2292	spoolsv.exe
4340	svchost.exe
2152	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	NEAS.53a86d69337d4213ab796b698a36d240.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3808	NEAS.53a86d69337d4213ab796b698a36d240.exe
3808	NEAS.53a86d69337d4213ab796b698a36d240.exe
3808	NEAS.53a86d69337d4213ab796b698a36d240.exe
3808	NEAS.53a86d69337d4213ab796b698a36d240.exe
3808	NEAS.53a86d69337d4213ab796b698a36d240.exe
3808	NEAS.53a86d69337d4213ab796b698a36d240.exe
3808	NEAS.53a86d69337d4213ab796b698a36d240.exe
3808	NEAS.53a86d69337d4213ab796b698a36d240.exe
3808	NEAS.53a86d69337d4213ab796b698a36d240.exe
3808	NEAS.53a86d69337d4213ab796b698a36d240.exe
3808	NEAS.53a86d69337d4213ab796b698a36d240.exe
3808	NEAS.53a86d69337d4213ab796b698a36d240.exe
3808	NEAS.53a86d69337d4213ab796b698a36d240.exe
3808	NEAS.53a86d69337d4213ab796b698a36d240.exe
3808	NEAS.53a86d69337d4213ab796b698a36d240.exe
3808	NEAS.53a86d69337d4213ab796b698a36d240.exe
3808	NEAS.53a86d69337d4213ab796b698a36d240.exe
3808	NEAS.53a86d69337d4213ab796b698a36d240.exe
3808	NEAS.53a86d69337d4213ab796b698a36d240.exe
3808	NEAS.53a86d69337d4213ab796b698a36d240.exe
3808	NEAS.53a86d69337d4213ab796b698a36d240.exe
3808	NEAS.53a86d69337d4213ab796b698a36d240.exe
3808	NEAS.53a86d69337d4213ab796b698a36d240.exe
3808	NEAS.53a86d69337d4213ab796b698a36d240.exe
3808	NEAS.53a86d69337d4213ab796b698a36d240.exe
3808	NEAS.53a86d69337d4213ab796b698a36d240.exe
3808	NEAS.53a86d69337d4213ab796b698a36d240.exe
3808	NEAS.53a86d69337d4213ab796b698a36d240.exe
3808	NEAS.53a86d69337d4213ab796b698a36d240.exe
3808	NEAS.53a86d69337d4213ab796b698a36d240.exe
3808	NEAS.53a86d69337d4213ab796b698a36d240.exe
3808	NEAS.53a86d69337d4213ab796b698a36d240.exe
4308	icsys.icn.exe
4308	icsys.icn.exe
4308	icsys.icn.exe
4308	icsys.icn.exe
4308	icsys.icn.exe
4308	icsys.icn.exe
4308	icsys.icn.exe
4308	icsys.icn.exe
4308	icsys.icn.exe
4308	icsys.icn.exe
4308	icsys.icn.exe
4308	icsys.icn.exe
4308	icsys.icn.exe
4308	icsys.icn.exe
4308	icsys.icn.exe
4308	icsys.icn.exe
4308	icsys.icn.exe
4308	icsys.icn.exe
4308	icsys.icn.exe
4308	icsys.icn.exe
4308	icsys.icn.exe
4308	icsys.icn.exe
4308	icsys.icn.exe
4308	icsys.icn.exe
4308	icsys.icn.exe
4308	icsys.icn.exe
4308	icsys.icn.exe
4308	icsys.icn.exe
4308	icsys.icn.exe
4308	icsys.icn.exe
4308	icsys.icn.exe
4308	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2300	explorer.exe
4340	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3808	NEAS.53a86d69337d4213ab796b698a36d240.exe
3808	NEAS.53a86d69337d4213ab796b698a36d240.exe
4308	icsys.icn.exe
4308	icsys.icn.exe
2300	explorer.exe
2300	explorer.exe
2292	spoolsv.exe
2292	spoolsv.exe
4340	svchost.exe
4340	svchost.exe
2152	spoolsv.exe
2152	spoolsv.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3808 wrote to memory of 3224	3808	NEAS.53a86d69337d4213ab796b698a36d240.exe	88
PID 3808 wrote to memory of 3224	3808	NEAS.53a86d69337d4213ab796b698a36d240.exe	88
PID 3808 wrote to memory of 3224	3808	NEAS.53a86d69337d4213ab796b698a36d240.exe	88
PID 3808 wrote to memory of 4308	3808	NEAS.53a86d69337d4213ab796b698a36d240.exe	90
PID 3808 wrote to memory of 4308	3808	NEAS.53a86d69337d4213ab796b698a36d240.exe	90
PID 3808 wrote to memory of 4308	3808	NEAS.53a86d69337d4213ab796b698a36d240.exe	90
PID 3224 wrote to memory of 5024	3224	neas.53a86d69337d4213ab796b698a36d240.exe	92
PID 3224 wrote to memory of 5024	3224	neas.53a86d69337d4213ab796b698a36d240.exe	92
PID 3224 wrote to memory of 5024	3224	neas.53a86d69337d4213ab796b698a36d240.exe	92
PID 4308 wrote to memory of 2300	4308	icsys.icn.exe	94
PID 4308 wrote to memory of 2300	4308	icsys.icn.exe	94
PID 4308 wrote to memory of 2300	4308	icsys.icn.exe	94
PID 2300 wrote to memory of 2292	2300	explorer.exe	95
PID 2300 wrote to memory of 2292	2300	explorer.exe	95
PID 2300 wrote to memory of 2292	2300	explorer.exe	95
PID 2292 wrote to memory of 4340	2292	spoolsv.exe	96
PID 2292 wrote to memory of 4340	2292	spoolsv.exe	96
PID 2292 wrote to memory of 4340	2292	spoolsv.exe	96
PID 4340 wrote to memory of 2152	4340	svchost.exe	97
PID 4340 wrote to memory of 2152	4340	svchost.exe	97
PID 4340 wrote to memory of 2152	4340	svchost.exe	97

C:\Users\Admin\AppData\Local\Temp\NEAS.53a86d69337d4213ab796b698a36d240.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.53a86d69337d4213ab796b698a36d240.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3808
- \??\c:\users\admin\appdata\local\temp\neas.53a86d69337d4213ab796b698a36d240.exe
  c:\users\admin\appdata\local\temp\neas.53a86d69337d4213ab796b698a36d240.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3224
- - C:\Users\Admin\AppData\Local\Temp\is-6HE8K.tmp\neas.53a86d69337d4213ab796b698a36d240.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-6HE8K.tmp\neas.53a86d69337d4213ab796b698a36d240.tmp" /SL5="$90068,731792,58368,c:\users\admin\appdata\local\temp\neas.53a86d69337d4213ab796b698a36d240.exe "
    3⤵
    - Executes dropped EXE
    PID:5024
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4308
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2292
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4340
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-6HE8K.tmp\neas.53a86d69337d4213ab796b698a36d240.tmp

Filesize
702KB

MD5
1afbd25db5c9a90fe05309f7c4fbcf09

SHA1
baf330b5c249ca925b4ea19a52fe8b2c27e547fa

SHA256
3bb0ee5569fe5453c6b3fa25aa517b925d4f8d1f7ba3475e58fa09c46290658c

SHA512
3a448f06862c6d163fd58b68b836d866ae513e04a69774abf5a0c5b7df74f5b9ee37240083760185618c5068bf93e7fd812e76b3e530639111fb1d74f4d28419

Download Submit
C:\Users\Admin\AppData\Local\Temp\neas.53a86d69337d4213ab796b698a36d240.exe

Filesize
979KB

MD5
22b56320920f3298a139fe636d96859a

SHA1
99287d9e6a29f5a3dbec78be24bc8cc5e8d874da

SHA256
ccdf5c2de1f7b0af02dad4552aa5171e8d149b95b3cb74876c37e8364521de78

SHA512
fb08610cd6daa1bbd8bf57ac0d0c022aea64811342d867b94fa6f312bbf560cf0b9c808ec5fa372d37ef518b9c981ca836ae3ae7edad1eeff727b695dee6d14c

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
3fcdc01eab5e3904f075af3b93551118

SHA1
b98487fd3e0815b06787d444dd76fa74c2daef88

SHA256
0326a77defcd3b45bfae00d479e380b6fc4f82943d6e2dd7068c57189b47a655

SHA512
b9855f3bebf200c5df1f7c0fa61e787d1f81a06109e195b573e88f1bff8cdd9524b3a8c7a5a7a7c0ea20ba1c24881c4f34a5320d33ae7ee105748fa45dd18635

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
3fcdc01eab5e3904f075af3b93551118

SHA1
b98487fd3e0815b06787d444dd76fa74c2daef88

SHA256
0326a77defcd3b45bfae00d479e380b6fc4f82943d6e2dd7068c57189b47a655

SHA512
b9855f3bebf200c5df1f7c0fa61e787d1f81a06109e195b573e88f1bff8cdd9524b3a8c7a5a7a7c0ea20ba1c24881c4f34a5320d33ae7ee105748fa45dd18635

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
6133887ae17f97d6bb85f1af0445a602

SHA1
cc99037d881a251868969289ae828b15f8d7d2ac

SHA256
70318d339c26dff940c23717bfce8484aa6d7d17a8cc75487b96093b612b7619

SHA512
da79515d687601f3dc4dce932d3fdb6b13cfa462f056d676c7e25e4fdd6721be32f58b588ed4a6d98d74e29bba486151059c7e1db1e4ce7ac34b7dc1e3315a44

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
6133887ae17f97d6bb85f1af0445a602

SHA1
cc99037d881a251868969289ae828b15f8d7d2ac

SHA256
70318d339c26dff940c23717bfce8484aa6d7d17a8cc75487b96093b612b7619

SHA512
da79515d687601f3dc4dce932d3fdb6b13cfa462f056d676c7e25e4fdd6721be32f58b588ed4a6d98d74e29bba486151059c7e1db1e4ce7ac34b7dc1e3315a44

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
4dd972d2d71753f27ce0cc4fc0a02319

SHA1
325c9de0b40acf470f8af58a4c9daf6c379f471f

SHA256
f8e451505ff20dbde2294d022cf672cf6ea266a6d8bbb112ade91d673254e7f4

SHA512
76519bae151b2238d965f1c49640cd493ea921eba9c0cdde86c0f246be426db654f04ef00863b82b2e0fa7ba581159050840467f18c05e0a67416071e6b673b8

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
4dd972d2d71753f27ce0cc4fc0a02319

SHA1
325c9de0b40acf470f8af58a4c9daf6c379f471f

SHA256
f8e451505ff20dbde2294d022cf672cf6ea266a6d8bbb112ade91d673254e7f4

SHA512
76519bae151b2238d965f1c49640cd493ea921eba9c0cdde86c0f246be426db654f04ef00863b82b2e0fa7ba581159050840467f18c05e0a67416071e6b673b8

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
99c66f2a5d3dac8c52b832ce38cf2b4c

SHA1
7a1246b9be08623595503cf59e48e8882d5cca69

SHA256
2ec0a0228b7267a6badef051e278726211fa3be343572a388afa863fab3bc552

SHA512
b31630cdb5f883077b6e5a1c56ec27dd4b48fb3be26834f6d693e5c5f114c4a6bf45e1b977814d3628df7396716f9e4941e9bcf8faeeeb4b067907064b219050

Download Submit
\??\c:\users\admin\appdata\local\temp\neas.53a86d69337d4213ab796b698a36d240.exe

Filesize
979KB

MD5
22b56320920f3298a139fe636d96859a

SHA1
99287d9e6a29f5a3dbec78be24bc8cc5e8d874da

SHA256
ccdf5c2de1f7b0af02dad4552aa5171e8d149b95b3cb74876c37e8364521de78

SHA512
fb08610cd6daa1bbd8bf57ac0d0c022aea64811342d867b94fa6f312bbf560cf0b9c808ec5fa372d37ef518b9c981ca836ae3ae7edad1eeff727b695dee6d14c

Download Submit
\??\c:\windows\resources\spoolsv.exe

Filesize
135KB

MD5
4dd972d2d71753f27ce0cc4fc0a02319

SHA1
325c9de0b40acf470f8af58a4c9daf6c379f471f

SHA256
f8e451505ff20dbde2294d022cf672cf6ea266a6d8bbb112ade91d673254e7f4

SHA512
76519bae151b2238d965f1c49640cd493ea921eba9c0cdde86c0f246be426db654f04ef00863b82b2e0fa7ba581159050840467f18c05e0a67416071e6b673b8

Download Submit
\??\c:\windows\resources\svchost.exe

Filesize
135KB

MD5
99c66f2a5d3dac8c52b832ce38cf2b4c

SHA1
7a1246b9be08623595503cf59e48e8882d5cca69

SHA256
2ec0a0228b7267a6badef051e278726211fa3be343572a388afa863fab3bc552

SHA512
b31630cdb5f883077b6e5a1c56ec27dd4b48fb3be26834f6d693e5c5f114c4a6bf45e1b977814d3628df7396716f9e4941e9bcf8faeeeb4b067907064b219050

Download Submit
\??\c:\windows\resources\themes\explorer.exe

Filesize
135KB

MD5
3fcdc01eab5e3904f075af3b93551118

SHA1
b98487fd3e0815b06787d444dd76fa74c2daef88

SHA256
0326a77defcd3b45bfae00d479e380b6fc4f82943d6e2dd7068c57189b47a655

SHA512
b9855f3bebf200c5df1f7c0fa61e787d1f81a06109e195b573e88f1bff8cdd9524b3a8c7a5a7a7c0ea20ba1c24881c4f34a5320d33ae7ee105748fa45dd18635

Download Submit
memory/2152-54-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2292-55-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2300-63-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3224-52-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3224-10-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3224-62-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3224-8-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3808-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3808-24-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4308-56-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4340-64-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5024-31-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/5024-58-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/5024-60-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download