Overview

overview

10

Static

static

3

NEAS.7236b...e0.exe

windows7-x64

10

NEAS.7236b...e0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    73s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-11-2023 21:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.7236baf952a8adbea6667ed066c1b4e0.exe

  • Size

    211KB

  • MD5

    7236baf952a8adbea6667ed066c1b4e0

  • SHA1

    ac635d4036085f49543afe2379f2a8c8b3fdec4b

  • SHA256

    e0d11b7c94d1a41391deecadaaaad2749125dd0a8f632dbb61f0d0b9c2c6301d

  • SHA512

    0ab8b07443f1676398ec9d4d36cbd8f1d05ca398fcb5f324e188768de65d3d2ab1ece74c55ca0a4ce25d6eed21d3df00156f9707c4a6289940d07171a094c440

  • SSDEEP

    3072:vDEPeJlYW1ea8HKHSRUN3jjXs9Y+MiMVB/w68PEAjAfIrAvGPZz6sPJBIiFe/GcC:vSAl1IK1aY+MiMVBSes

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.7236baf952a8adbea6667ed066c1b4e0.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.7236baf952a8adbea6667ed066c1b4e0.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3976
    • \??\c:\windows\userinit.exe
      c:\windows\userinit.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1672
      • \??\c:\windows\spoolsw.exe
        c:\windows\spoolsw.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3836
        • \??\c:\windows\swchost.exe
          c:\windows\swchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1516
          • \??\c:\windows\spoolsw.exe
            c:\windows\spoolsw.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3404

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\mrsys.exe
    Filesize

    211KB

    MD5

    ecf2a36f0fb0ed4c97062d3489bdd57f

    SHA1

    7020d8bc01464cc9592b2164b89799e8f6d1bd44

    SHA256

    4ef5b7a11d4d595e773b0ab13014b9ab69073bb6ffb42b485356826aaa10c0e5

    SHA512

    478ca8572c94e0453f65e7f5c839b025bec224a0f404f3f6995c5f70b0373999de69e23e4715a05dc9901ad14d6d268acb0d36663a98165b669b0c37872cfd8b

    Download Submit

  • C:\Windows\spoolsw.exe
    Filesize

    211KB

    MD5

    ced6a9db60a9a41dee22808cd9987e54

    SHA1

    f299cea4cbf97c76dec5c724ee261d017933a5a0

    SHA256

    2dfd2472861131ee3827a71a2d5e503ceed631b27b6562dc06f0a0b8b7128db4

    SHA512

    ab6937f8d534e042bd3df09bfde7ad693d6793174e9f7e93ab151084ae09ff09907917e4025d8539b361b8c227dc68c8edce2fab9f4c795fde23d47748cecc5e

    Download Submit

  • C:\Windows\spoolsw.exe
    Filesize

    211KB

    MD5

    ced6a9db60a9a41dee22808cd9987e54

    SHA1

    f299cea4cbf97c76dec5c724ee261d017933a5a0

    SHA256

    2dfd2472861131ee3827a71a2d5e503ceed631b27b6562dc06f0a0b8b7128db4

    SHA512

    ab6937f8d534e042bd3df09bfde7ad693d6793174e9f7e93ab151084ae09ff09907917e4025d8539b361b8c227dc68c8edce2fab9f4c795fde23d47748cecc5e

    Download Submit

  • C:\Windows\spoolsw.exe
    Filesize

    211KB

    MD5

    ced6a9db60a9a41dee22808cd9987e54

    SHA1

    f299cea4cbf97c76dec5c724ee261d017933a5a0

    SHA256

    2dfd2472861131ee3827a71a2d5e503ceed631b27b6562dc06f0a0b8b7128db4

    SHA512

    ab6937f8d534e042bd3df09bfde7ad693d6793174e9f7e93ab151084ae09ff09907917e4025d8539b361b8c227dc68c8edce2fab9f4c795fde23d47748cecc5e

    Download Submit

  • C:\Windows\swchost.exe
    Filesize

    211KB

    MD5

    1e494eaefed305891b309ff7eee83bcc

    SHA1

    78aac8459fa66bb29d714a810bc80e618a151ed4

    SHA256

    c76d78cde1b0e45e65e63d2a57575a28dceda9e5304a9df91085ea5e797800e0

    SHA512

    098d1772b07aeb6b69a59b1f81c49c6bdc490cf7d4230366416d5c34e8bb6a42727439d7f5906ceadeedb65097e6d4a23eb0c3c7758f186931be74e12939bb51

    Download Submit

  • C:\Windows\userinit.exe
    Filesize

    211KB

    MD5

    f179802172e6c22216a26a2dec7afce3

    SHA1

    30c6c102a76e0217342c13c5128ac3a2f7028610

    SHA256

    ec207f272eb1415284f36025aae3a75d9f20860c5df31c3d3e90406ee5354d66

    SHA512

    1db4dba79e1522cf6badaf9d046c001d3b1b3ea83e61c335a867e89a04de4e40434eac53545aa6adae8f46e01d7663dc8c86e9e1377efe163307f55824d07636

    Download Submit

  • \??\c:\windows\spoolsw.exe
    Filesize

    211KB

    MD5

    ced6a9db60a9a41dee22808cd9987e54

    SHA1

    f299cea4cbf97c76dec5c724ee261d017933a5a0

    SHA256

    2dfd2472861131ee3827a71a2d5e503ceed631b27b6562dc06f0a0b8b7128db4

    SHA512

    ab6937f8d534e042bd3df09bfde7ad693d6793174e9f7e93ab151084ae09ff09907917e4025d8539b361b8c227dc68c8edce2fab9f4c795fde23d47748cecc5e

    Download Submit

  • \??\c:\windows\swchost.exe
    Filesize

    211KB

    MD5

    1e494eaefed305891b309ff7eee83bcc

    SHA1

    78aac8459fa66bb29d714a810bc80e618a151ed4

    SHA256

    c76d78cde1b0e45e65e63d2a57575a28dceda9e5304a9df91085ea5e797800e0

    SHA512

    098d1772b07aeb6b69a59b1f81c49c6bdc490cf7d4230366416d5c34e8bb6a42727439d7f5906ceadeedb65097e6d4a23eb0c3c7758f186931be74e12939bb51

    Download Submit

  • \??\c:\windows\userinit.exe
    Filesize

    211KB

    MD5

    f179802172e6c22216a26a2dec7afce3

    SHA1

    30c6c102a76e0217342c13c5128ac3a2f7028610

    SHA256

    ec207f272eb1415284f36025aae3a75d9f20860c5df31c3d3e90406ee5354d66

    SHA512

    1db4dba79e1522cf6badaf9d046c001d3b1b3ea83e61c335a867e89a04de4e40434eac53545aa6adae8f46e01d7663dc8c86e9e1377efe163307f55824d07636

    Download Submit