Analysis

  • max time kernel
    165s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/11/2023, 20:48

General

  • Target

    NEAS.e5db559b3f619ff4c25146a52a2e4980.exe

  • Size

    484KB

  • MD5

    e5db559b3f619ff4c25146a52a2e4980

  • SHA1

    3adf73858ad6a3931d3be57f8bf0e9840e87b56a

  • SHA256

    d35f693e246a8cd36d639537247d1dc3eacf3a4e9820bd3208f8b4cf094f9040

  • SHA512

    f6a27d70a561b1328043535ea1193703f5244be355543751828dd6ff5b2990c4786acaffa4e28db6834570dd5099a0eccf1138d255ec4db77a27dfd377482530

  • SSDEEP

    6144:hm6UslnVK8ZiOdphJ/6pMjT5/7riwtIQnpzo0Q4zRhELjrx/93gRk/4FztrnPmlp:hmDslUSCaZVW0Q+y3V4vBRe9

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 42 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.e5db559b3f619ff4c25146a52a2e4980.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.e5db559b3f619ff4c25146a52a2e4980.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1848
    • \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
      c:\users\admin\appdata\local\temp\\wmpscfgs.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2912
      • \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
        c:\users\admin\appdata\local\temp\\wmpscfgs.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1188
      • C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
        C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4224
    • C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
      C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:912
      • C:\program files (x86)\internet explorer\iexplore.exe
        "C:\program files (x86)\internet explorer\iexplore.exe" RUNAS
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2428
        • C:\Program Files\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files\Internet Explorer\IEXPLORE.EXE" RUNAS
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3768
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3768 CREDAT:17410 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1272
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3768 CREDAT:17414 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:5036
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
      PID:2740
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2900
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2900 CREDAT:17410 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:548
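The behaviours listed under Signatures and the process tree above (dropped copies of wmpscfgs.exe under Program Files (x86)\Internet Explorer and the user's Temp directory, an "acrotray .exe" with whitespace before the extension, a Run key for persistence, and iexplore.exe launched with a RUNAS argument from the dropped binary), turned into offline detection logic. This is example code added alongside the report; it is neither part of the sandbox output nor code from the sample. The SHA256 values and drop paths are copied from the report's Target and Downloads sections; the Sysmon-style event records, the Run value name and the SID in the registry path are constructed for the example and are not taken from the report.

```python
"""Offline IOC hunt over Sysmon-style events for the wmpscfgs.exe dropper.
Example code added next to the sandbox report: hashes and drop paths come
from the report, every record in SAMPLE_EVENTS is constructed."""
import re

# SHA256 of the submitted sample and of the files listed under Downloads.
KNOWN_SHA256 = {
    "d35f693e246a8cd36d639537247d1dc3eacf3a4e9820bd3208f8b4cf094f9040": "NEAS sample",
    "2b154d231c11ce668cd1c37267b01b1056997d963a2d8c59ce5e0fdd03959e7e": "Program Files\\Internet Explorer\\wmpscfgs.exe",
    "57e00f184a7d0dd53d8f9d6c8f3c6863e75f853b0b5cc30b3e9df8fdcebb0bf2": "Temp\\wmpscfgs.exe",
    "f03efe6fdb78c9b8cef86f21f70520506a3cb92e27cd559ccf9eb5265aca7110": "Adobe\\acrotray .exe",
    "ac1c990e7201ccc11afa11790edae3ea5c4f6ea1be882d32b23439bc446c975b": "Adobe\\acrotray.exe",
}

# Drop locations from the report, in normalized (lower-case) form.
DROP_PATHS = {
    r"c:\program files (x86)\internet explorer\wmpscfgs.exe",
    r"c:\program files (x86)\adobe\acrotray.exe",
    r"c:\program files (x86)\adobe\acrotray .exe",
    r"c:\program files (x86)\240686406.dat",
}
# The per-user Temp copy; the user name varies per host.
TEMP_DROP = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\wmpscfgs\.exe$")
RUN_KEY = re.compile(r"\\microsoft\\windows\\currentversion\\run\\", re.I)
SPACE_BEFORE_EXT = re.compile(r"\s+\.exe$")  # "acrotray .exe": whitespace before the extension


def norm(path):
    """Canonicalize a path the way the sandbox prints it: strip quotes and the
    NT '\\??\\' prefix, collapse doubled backslashes, lower-case."""
    path = path.strip('"')
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.replace("\\\\", "\\").lower()


def sha256_of(event):
    """Pull the SHA256 out of a Sysmon 'Hashes' field ('MD5=..,SHA256=..')."""
    m = re.search(r"SHA256=([0-9a-f]{64})", event.get("Hashes", ""), re.I)
    return m.group(1).lower() if m else None


def check_event(ev):
    """Return [(rule_name, detail), ...] for one event; empty list if clean."""
    hits = []
    image = norm(ev.get("Image", ""))
    target = norm(ev.get("TargetFilename", ""))
    parent = norm(ev.get("ParentImage", ""))

    h = sha256_of(ev)
    if h in KNOWN_SHA256:
        hits.append(("known_hash", KNOWN_SHA256[h]))

    for p in (image, target, parent):
        if not p:
            continue
        if p in DROP_PATHS or TEMP_DROP.match(p):
            hits.append(("drop_path", p))
        if SPACE_BEFORE_EXT.search(p):
            hits.append(("space_before_ext", p))

    # Persistence: a Run value whose data points at one of the dropped binaries.
    if ev.get("EventType") == "SetValue" and RUN_KEY.search(ev.get("TargetObject", "")):
        data = norm(ev.get("Details", ""))
        if data in DROP_PATHS or TEMP_DROP.match(data):
            hits.append(("run_key_persistence", ev["TargetObject"]))

    # Lineage seen in the report: wmpscfgs.exe -> iexplore.exe RUNAS.
    if parent.endswith("\\wmpscfgs.exe") and image.endswith("\\iexplore.exe"):
        hits.append(("wmpscfgs_spawns_iexplore", ev.get("CommandLine", "")))
    return hits


def hunt(events):
    """Map event index -> hits for every event that triggers at least one rule."""
    findings = {}
    for i, ev in enumerate(events):
        hits = check_event(ev)
        if hits:
            findings[i] = hits
    return findings


# Constructed Sysmon-like records (EventId 1 = ProcessCreate, 11 = FileCreate,
# 13 = RegistryEvent SetValue). Run value name and SID are assumptions.
SAMPLE_EVENTS = [
    {"EventId": 1, "Image": r"C:\Users\Admin\AppData\Local\Temp\NEAS.e5db559b3f619ff4c25146a52a2e4980.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Hashes": "MD5=E5DB559B3F619FF4C25146A52A2E4980,SHA256=D35F693E246A8CD36D639537247D1DC3EACF3A4E9820BD3208F8B4CF094F9040"},
    {"EventId": 11, "Image": r"C:\Users\Admin\AppData\Local\Temp\NEAS.e5db559b3f619ff4c25146a52a2e4980.exe",
     "TargetFilename": r"C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe"},
    {"EventId": 13, "EventType": "SetValue",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\wmpscfgs",
     "Details": r"C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe"},
    {"EventId": 1, "Image": r"C:\program files (x86)\internet explorer\iexplore.exe",
     "ParentImage": r"C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe",
     "CommandLine": r'"C:\program files (x86)\internet explorer\iexplore.exe" RUNAS'},
    {"EventId": 11, "Image": r"\??\c:\users\admin\appdata\local\temp\\wmpscfgs.exe",
     "TargetFilename": r"\??\c:\program files (x86)\adobe\acrotray .exe"},
    {"EventId": 1, "Image": r"C:\Windows\System32\notepad.exe",  # benign control
     "ParentImage": r"C:\Windows\explorer.exe", "Hashes": "SHA256=" + "0" * 64},
]

if __name__ == "__main__":
    for idx, hits in hunt(SAMPLE_EVENTS).items():
        for rule, detail in hits:
            print(f"event {idx}: {rule}: {detail}")
```

Paths are normalized before comparison because the report itself shows the same file under three spellings (`C:\Program Files (x86)\...`, `\??\c:\program files (x86)\...`, and a Temp path with a doubled backslash); a hunt that compares raw strings misses two of them. Hash matching catches only these exact builds, while the path, whitespace-before-extension and lineage rules survive a recompiled payload, so the two kinds of rule are kept side by side.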

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Program Files (x86)\240686406.dat

            Filesize

            4B

            MD5

            4352d88a78aa39750bf70cd6f27bcaa5

            SHA1

            3c585604e87f855973731fea83e21fab9392d2fc

            SHA256

            67abdd721024f0ff4e0b3f4c2fc13bc5bad42d0b7851d456d88d203d15aaa450

            SHA512

            edf92e3d4f80fc47d948ea2f17b9bfc742d34e2e785a7a4927f3e261e8bd9d400b648bff2123b8396d24fb28f5869979e08d58b4b5d156e640344a2c0a54675d

          • C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe

            Filesize

            492KB

            MD5

            994d163a4248157977ce1ed258f3515b

            SHA1

            b1fab87ad61c0ed22719ceb0a2caddf2c663c5e7

            SHA256

            2b154d231c11ce668cd1c37267b01b1056997d963a2d8c59ce5e0fdd03959e7e

            SHA512

            f168038b073d15c238786723ad96268b01a6bac4d8adee60c1e06dfed9ea75f1a326591f31d3ebdce80eb3d9d06e0fd4aa51c2fa9e2baf3d0ac41b84040fcfaa

          • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A48E7B0E-7E7C-11EE-92AA-D2C25AFC0924}.dat

            Filesize

            3KB

            MD5

            f55fc36dc3597d4f859e18d411d84239

            SHA1

            63f1def67fceddc16640e4bc81403885191b7da0

            SHA256

            ace09071ca501a6b601ff04a8822918c4fced27b9fb5003c671f2edc015a5ff6

            SHA512

            7124ebcc17a2f180628bc4a3da6a504e883bb82d96448a75f5edeefdd77fecec444e64645e79440474d267b51815071ece29669ace4df06ee6a7379e68c1b8fb

          • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A551FD02-7E7C-11EE-92AA-D2C25AFC0924}.dat

            Filesize

            4KB

            MD5

            5c27baa6c6b7418c702bf0b4ba387b6e

            SHA1

            eea4dc0d61a37d39cd3a2f20d20f43f04b5ae19e

            SHA256

            57da4a13ef7a046087cda39bf613451d091dfc03d1a4baaf0026062cc11208df

            SHA512

            ba7085bac5c19a7dfc1f3a5082a6e323ace4fcd8035e10f49d684e32e7fd567c08d65375a1abff7729ffcdf99ff10df09a51e39446e900f5ff18961a9325ee3a

          • C:\Users\Admin\AppData\Local\Temp\wmpscfgs.exe

            Filesize

            485KB

            MD5

            f538b7ef0b8934c62115e26df30b8d17

            SHA1

            cb39cd0ef99aefb7caf66c0d319021585c2ddd0b

            SHA256

            57e00f184a7d0dd53d8f9d6c8f3c6863e75f853b0b5cc30b3e9df8fdcebb0bf2

            SHA512

            5953a1f444ed626857efc3e2aae12a344d1b8f170d8660a22094b54cfaae08c5be53ca512f2dd2603d1e2c2dfdcecd8ff83549073f458a4f1f637ef16d8b8047

          • \??\c:\program files (x86)\adobe\acrotray .exe

            Filesize

            493KB

            MD5

            ddbfee84098ca216c2d1117d6e642da5

            SHA1

            70ceede9d740b355818a25ca2e5de1346c8847a3

            SHA256

            f03efe6fdb78c9b8cef86f21f70520506a3cb92e27cd559ccf9eb5265aca7110

            SHA512

            5d3c2acdcbaa1d152f890011c48b05a818bd653597cc8190b84d2eb859e06caed0023bfd9cb7b032d9fc33abe9f6ee497d6d26cb26984ba6cd1231e84eb317a9

          • \??\c:\program files (x86)\adobe\acrotray.exe

            Filesize

            504KB

            MD5

            75c3d6dd97de334d28ae0685fadeba89

            SHA1

            0c90d54fac2a888849c463d8b06f11ba046958ed

            SHA256

            ac1c990e7201ccc11afa11790edae3ea5c4f6ea1be882d32b23439bc446c975b

            SHA512

            a53a6cfa697d185b1375a3eba31c6e9ed6e777832c29782ea5138269c939e9ac5344ae570514929c430cc274b3ae8b1fb407593deb8fd9937bad9cd242d39fb0

          • \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe

            Filesize

            485KB

            MD5

            f538b7ef0b8934c62115e26df30b8d17

            SHA1

            cb39cd0ef99aefb7caf66c0d319021585c2ddd0b

            SHA256

            57e00f184a7d0dd53d8f9d6c8f3c6863e75f853b0b5cc30b3e9df8fdcebb0bf2

            SHA512

            5953a1f444ed626857efc3e2aae12a344d1b8f170d8660a22094b54cfaae08c5be53ca512f2dd2603d1e2c2dfdcecd8ff83549073f458a4f1f637ef16d8b8047

          • memory/1848-0-0x0000000010000000-0x0000000010010000-memory.dmp

            Filesize

            64KB