Analysis

  • max time kernel
    151s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-11-2023 23:23

General

  • Target

    NEAS.4124ecb309aecaad72e04ee68d48b300.exe

  • Size

    135KB

  • MD5

    4124ecb309aecaad72e04ee68d48b300

  • SHA1

    eeead9c39a8cc09b107fdd3159867fe71c0d3233

  • SHA256

    6855231b153d3ca40a5981c0ddce3845bf2896efbe59e2f762f786acc7cd9fe0

  • SHA512

    a8cc34968b3280e9b1ea75a055bb26a25cc0dab69951a40086ecf70da055dcb0f97012ff230cc38b0ac0fc4aa816d288ade18eca1beeb68996a8ca1d616cee33

  • SSDEEP

    1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbV89:UVqoCl/YgjxEufVU0TbTyDDalS9

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.4124ecb309aecaad72e04ee68d48b300.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.4124ecb309aecaad72e04ee68d48b300.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1192
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2176
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2728
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2632
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:27 /f
            5⤵
            • Creates scheduled task(s)
            PID:1104
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:28 /f
            5⤵
            • Creates scheduled task(s)
            PID:2356
      • C:\Windows\Explorer.exe
        C:\Windows\Explorer.exe
        3⤵
        PID:3040
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:26 /f
      1⤵
      • Creates scheduled task(s)
      PID:2508
    • \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe PR
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2616

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Windows\Resources\Themes\explorer.exe

      Filesize

      135KB

      MD5

      e9637a0ca4517b2b10ef4c8fee2855d1

      SHA1

      a2ec67454710b371664ee0bbbc1b92f3fb48dc46

      SHA256

      22352a8abdbdebbee901624c51be0b2ab5dc71e8bc37d1acaf0439f0c4fa8596

      SHA512

      d7e8635abb24ecaacce81265c38361e837304e956690399f290371ac44c42e0eaf10651b9807c5f3d9a3167c7ed6f3a75940276d7bb3cde7d6a5a0b0de5ceea2

    • C:\Windows\Resources\spoolsv.exe

      Filesize

      135KB

      MD5

      61e43c1d0876ff125e25c0639e46833c

      SHA1

      5b3a729d7058056dae4d159abc38af6652bd2a4c

      SHA256

      ede99284cbf6312773ef9a5a0b12aeb88d712aa9f0303a14b7d221a3ba00714d

      SHA512

      23c749a5098c5dd091aa98b0bafa8e22f32e1103ceb3cae36ffd4d3416b8cf851d65e3ad0862ca5707a360dfe20c6c86b34e70b0e3fb607ae19dcb1c16366bb3

    • C:\Windows\Resources\svchost.exe

      Filesize

      135KB

      MD5

      0d627b49682e81f1d9d771a6f532ffb6

      SHA1

      baed4a80c2fc4dcabc07fa3fa0f447b4cadb74b1

      SHA256

      3f3e95bacc70cb329d5efa6b80eba1cb65ad14ad2e0b0a7127017c04b7eb6b00

      SHA512

      8b35a356e49a7ad36ccbaca26b662b0eb0b7add755f4eaa64224d7b0e46aff6ee51131f359107b31b23ddb993013ab56c3ffae053ff8af99446a5da625349381

    • \??\c:\windows\resources\spoolsv.exe

      Filesize

      135KB

      MD5

      61e43c1d0876ff125e25c0639e46833c

      SHA1

      5b3a729d7058056dae4d159abc38af6652bd2a4c

      SHA256

      ede99284cbf6312773ef9a5a0b12aeb88d712aa9f0303a14b7d221a3ba00714d

      SHA512

      23c749a5098c5dd091aa98b0bafa8e22f32e1103ceb3cae36ffd4d3416b8cf851d65e3ad0862ca5707a360dfe20c6c86b34e70b0e3fb607ae19dcb1c16366bb3

    • \??\c:\windows\resources\svchost.exe

      Filesize

      135KB

      MD5

      0d627b49682e81f1d9d771a6f532ffb6

      SHA1

      baed4a80c2fc4dcabc07fa3fa0f447b4cadb74b1

      SHA256

      3f3e95bacc70cb329d5efa6b80eba1cb65ad14ad2e0b0a7127017c04b7eb6b00

      SHA512

      8b35a356e49a7ad36ccbaca26b662b0eb0b7add755f4eaa64224d7b0e46aff6ee51131f359107b31b23ddb993013ab56c3ffae053ff8af99446a5da625349381

    • \??\c:\windows\resources\themes\explorer.exe

      Filesize

      135KB

      MD5

      e9637a0ca4517b2b10ef4c8fee2855d1

      SHA1

      a2ec67454710b371664ee0bbbc1b92f3fb48dc46

      SHA256

      22352a8abdbdebbee901624c51be0b2ab5dc71e8bc37d1acaf0439f0c4fa8596

      SHA512

      d7e8635abb24ecaacce81265c38361e837304e956690399f290371ac44c42e0eaf10651b9807c5f3d9a3167c7ed6f3a75940276d7bb3cde7d6a5a0b0de5ceea2

    • \Windows\Resources\Themes\explorer.exe

      Filesize

      135KB

      MD5

      e9637a0ca4517b2b10ef4c8fee2855d1

      SHA1

      a2ec67454710b371664ee0bbbc1b92f3fb48dc46

      SHA256

      22352a8abdbdebbee901624c51be0b2ab5dc71e8bc37d1acaf0439f0c4fa8596

      SHA512

      d7e8635abb24ecaacce81265c38361e837304e956690399f290371ac44c42e0eaf10651b9807c5f3d9a3167c7ed6f3a75940276d7bb3cde7d6a5a0b0de5ceea2

    • \Windows\Resources\spoolsv.exe

      Filesize

      135KB

      MD5

      61e43c1d0876ff125e25c0639e46833c

      SHA1

      5b3a729d7058056dae4d159abc38af6652bd2a4c

      SHA256

      ede99284cbf6312773ef9a5a0b12aeb88d712aa9f0303a14b7d221a3ba00714d

      SHA512

      23c749a5098c5dd091aa98b0bafa8e22f32e1103ceb3cae36ffd4d3416b8cf851d65e3ad0862ca5707a360dfe20c6c86b34e70b0e3fb607ae19dcb1c16366bb3

    • \Windows\Resources\svchost.exe

      Filesize

      135KB

      MD5

      0d627b49682e81f1d9d771a6f532ffb6

      SHA1

      baed4a80c2fc4dcabc07fa3fa0f447b4cadb74b1

      SHA256

      3f3e95bacc70cb329d5efa6b80eba1cb65ad14ad2e0b0a7127017c04b7eb6b00

      SHA512

      8b35a356e49a7ad36ccbaca26b662b0eb0b7add755f4eaa64224d7b0e46aff6ee51131f359107b31b23ddb993013ab56c3ffae053ff8af99446a5da625349381

    • memory/1192-0-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/1192-43-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/1192-10-0x0000000000290000-0x00000000002AF000-memory.dmp

      Filesize

      124KB

    • memory/2616-42-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2632-38-0x0000000000290000-0x00000000002AF000-memory.dmp

      Filesize

      124KB

    • memory/2728-23-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB