Overview

overview

10

Static

static

3

NEAS.0a7f1...30.exe

windows7-x64

10

NEAS.0a7f1...30.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    159s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-11-2023 23:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.0a7f1961580e17dc98dcbc6151782030.exe

  • Size

    206KB

  • MD5

    0a7f1961580e17dc98dcbc6151782030

  • SHA1

    ab17b676e03cfab1dff0e246c6ed59982cf53891

  • SHA256

    cbfd7c0489cd666532a60056af9a4b897028872f6dde723e20ef2f3d40e358eb

  • SHA512

    3d9bcdc72e91a88fbc89f3b8f458101525e759033a7c430fd3114e7fd9ed9476875832e0c4d1f6551dcf44ef4650cc034f57e6816cbcab7a8cca820efb8de5e3

  • SSDEEP

    3072:zvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6un4:zvEN2U+T6i5LirrllHy4HUcMQY6B

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.0a7f1961580e17dc98dcbc6151782030.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.0a7f1961580e17dc98dcbc6151782030.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4908
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4984
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5080
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1612
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3896
          • C:\Windows\SysWOW64\at.exe
            at 23:55 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:2468
            • C:\Windows\SysWOW64\at.exe
              at 23:56 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:2052
              • C:\Windows\SysWOW64\at.exe
                at 23:57 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:3496

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          206KB

          MD5

          0b1ed6388a0e561b0b95bd8f37a6b259

          SHA1

          8036346992a89760f00baa1fada77d755ee032c2

          SHA256

          f2ce0be2ae2a59937e3276ebdf89bd42051ab5b9784cea5717a1b637caf15599

          SHA512

          bc286d3af64fb491f1bfc2159109e08d844211c3380aef725a86bb5b6b07c8aa970ab134aaf64a17b0dc25e4c172fda0e727c0a1bc739c4c310a7c6f545769f7

          Download Submit

        • C:\Windows\System\explorer.exe
          Filesize

          206KB

          MD5

          948ac32c08365098b2882f101c44a5a5

          SHA1

          b6380a36ba01cdc786543093684434501b17e69c

          SHA256

          447eebe8062d5109128c0f86ed240c3b52ff72babaf523bfb7f428ebd700f51c

          SHA512

          3f1e5fe114976af6db0839a7400c96042bcdbb217c58c08c296fae28aec556fb1abbe26ffcea733d05ac52e0cd8d74bf718078b8a86e8fea72d3f784b7d580b5

          Download Submit

        • C:\Windows\System\spoolsv.exe
          Filesize

          206KB

          MD5

          c7b1096f0ffa01a20cf4b132f7b9ab88

          SHA1

          bf63124d7597693fbc46d4c0f6501cfbab690a7c

          SHA256

          9c3915360058eace278602e93c84bda200191176bc03d292eb041b1c3540e863

          SHA512

          e1767f59464045bcdad7a2f1db62674c5d6e662d50d6ec044c914cb98f1f04498363ad0fd70d85d2a7b2a59e7bab05696b3211d8b9aa84ccf0e87fdc2728a280

          Download Submit

        • C:\Windows\System\spoolsv.exe
          Filesize

          206KB

          MD5

          c7b1096f0ffa01a20cf4b132f7b9ab88

          SHA1

          bf63124d7597693fbc46d4c0f6501cfbab690a7c

          SHA256

          9c3915360058eace278602e93c84bda200191176bc03d292eb041b1c3540e863

          SHA512

          e1767f59464045bcdad7a2f1db62674c5d6e662d50d6ec044c914cb98f1f04498363ad0fd70d85d2a7b2a59e7bab05696b3211d8b9aa84ccf0e87fdc2728a280

          Download Submit

        • C:\Windows\System\spoolsv.exe
          Filesize

          206KB

          MD5

          c7b1096f0ffa01a20cf4b132f7b9ab88

          SHA1

          bf63124d7597693fbc46d4c0f6501cfbab690a7c

          SHA256

          9c3915360058eace278602e93c84bda200191176bc03d292eb041b1c3540e863

          SHA512

          e1767f59464045bcdad7a2f1db62674c5d6e662d50d6ec044c914cb98f1f04498363ad0fd70d85d2a7b2a59e7bab05696b3211d8b9aa84ccf0e87fdc2728a280

          Download Submit

        • C:\Windows\System\svchost.exe
          Filesize

          206KB

          MD5

          cd54c1c34ffe7d0f27e22fdbf25840a9

          SHA1

          d629dc18b48b6db3fbde2d226894f870d72127cb

          SHA256

          d4a1c42437d7e061ee9d140682fda2212e9392b60e9fe0e32f9df2cd5e59d14c

          SHA512

          2751427a73397ed328a2dd07a01b738912e9cb62cb7164d353cf63fa3a5671c3b5ab8159c254688f21f5063a46bb8ddbeeb5434fabaa2feeec7768bc6e423fb0

          Download Submit

        • \??\c:\windows\system\explorer.exe
          Filesize

          206KB

          MD5

          948ac32c08365098b2882f101c44a5a5

          SHA1

          b6380a36ba01cdc786543093684434501b17e69c

          SHA256

          447eebe8062d5109128c0f86ed240c3b52ff72babaf523bfb7f428ebd700f51c

          SHA512

          3f1e5fe114976af6db0839a7400c96042bcdbb217c58c08c296fae28aec556fb1abbe26ffcea733d05ac52e0cd8d74bf718078b8a86e8fea72d3f784b7d580b5

          Download Submit

        • \??\c:\windows\system\spoolsv.exe
          Filesize

          206KB

          MD5

          c7b1096f0ffa01a20cf4b132f7b9ab88

          SHA1

          bf63124d7597693fbc46d4c0f6501cfbab690a7c

          SHA256

          9c3915360058eace278602e93c84bda200191176bc03d292eb041b1c3540e863

          SHA512

          e1767f59464045bcdad7a2f1db62674c5d6e662d50d6ec044c914cb98f1f04498363ad0fd70d85d2a7b2a59e7bab05696b3211d8b9aa84ccf0e87fdc2728a280

          Download Submit

        • \??\c:\windows\system\svchost.exe
          Filesize

          206KB

          MD5

          cd54c1c34ffe7d0f27e22fdbf25840a9

          SHA1

          d629dc18b48b6db3fbde2d226894f870d72127cb

          SHA256

          d4a1c42437d7e061ee9d140682fda2212e9392b60e9fe0e32f9df2cd5e59d14c

          SHA512

          2751427a73397ed328a2dd07a01b738912e9cb62cb7164d353cf63fa3a5671c3b5ab8159c254688f21f5063a46bb8ddbeeb5434fabaa2feeec7768bc6e423fb0

          Download Submit