Analysis

  • max time kernel
    155s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-11-2023 09:41

General

  • Target

    NEAS.02b70a97c3c0b99ccf84ab7ffe3be600.exe

  • Size

    293KB

  • MD5

    02b70a97c3c0b99ccf84ab7ffe3be600

  • SHA1

    d93886c2b4a2901be15c0469c8ad4adb4c3d53e6

  • SHA256

    b525eb7207acc2739513e6996df64c569151be26ea3e4dfaa73c2df4c215d311

  • SHA512

    8fff2c644f0c8caa3863d17e5c9c6cf0c50463b6a47796660bf8bbdda03e273500af6babe7bdae39637ae704149b4bd4be0b28321b3bc31f0d75e73a731d8862

  • SSDEEP

    3072:AygCullUQN7gsBh1L1QygCullUQN7gsBh1L12:ARleK7712RleK771o

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.02b70a97c3c0b99ccf84ab7ffe3be600.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.02b70a97c3c0b99ccf84ab7ffe3be600.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2828
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:680
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4952
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3708
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:4204

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\mrsys.exe

    Filesize

    293KB

    MD5

    264943634b5a224595a3c49e382065f3

    SHA1

    17a176ef7ab08de17874feae572036c5c5890249

    SHA256

    a5ada09653db92cc6bdc159b2ff3610012369cf98ec9e94402049bb187040442

    SHA512

    4de038d3541c91c1c102f97ed90c7311ce321b36d4541b41dd74c3c6cc39d46745a6a2f8dd2c09b92de63b926b18c8289bad377396b448d664740631f913eecf

  • C:\Windows\System\explorer.exe

    Filesize

    292KB

    MD5

    5f325511d1c1d6d4bc99c35655e1f163

    SHA1

    0c849e52c35280c1d935204031909d36b05fd24c

    SHA256

    9f1d3767e45834447d501fbb607accae0363499ba6900a1b22eb306f4e47b149

    SHA512

    0d5f52cdc036cb1198e34507feefc750877c7ce056c5b374164e03cb10d1aa79c8cef4970c0038a264908428ef940b7da1c7392f41169e8b34493acf746f4cb5

  • C:\Windows\System\spoolsv.exe

    Filesize

    293KB

    MD5

    a2562e5b26ea61c09420a4ba685e7f3f

    SHA1

    6e7084599d4ec13b117dfeda869474dde0a7b056

    SHA256

    c84355385abdd7a90da68cfa0759f275b439cc2d33bde1d9fba0832f4d8da6a0

    SHA512

    5016144c29abbae07bbbfc3e08aa22d0d635c311d01de746cab00ed4c0ca087805d4503c82aa3a95519c7f5bc2a8acc99187bc06e8472e5364cce47724777635

  • C:\Windows\System\svchost.exe

    Filesize

    293KB

    MD5

    48575234c51d1f1844dcc0ab7f5c5511

    SHA1

    64e191b3b5273291e4007951f7959482cd969860

    SHA256

    66b8ae12cc1781577b2aa139011ba732b5cf90c7a08168567bcc9771ddab5130

    SHA512

    fce4d32385cc0b5b6b6523654e36d743a40e241a8cf7161542b8580f19595321cbdf839adb2c290147e9770fb5bb5c062b9f3d706da50f2ea3dc62557daa83ae

  • \??\c:\windows\system\explorer.exe

    Filesize

    292KB

    MD5

    5f325511d1c1d6d4bc99c35655e1f163

    SHA1

    0c849e52c35280c1d935204031909d36b05fd24c

    SHA256

    9f1d3767e45834447d501fbb607accae0363499ba6900a1b22eb306f4e47b149

    SHA512

    0d5f52cdc036cb1198e34507feefc750877c7ce056c5b374164e03cb10d1aa79c8cef4970c0038a264908428ef940b7da1c7392f41169e8b34493acf746f4cb5

  • \??\c:\windows\system\spoolsv.exe

    Filesize

    293KB

    MD5

    a2562e5b26ea61c09420a4ba685e7f3f

    SHA1

    6e7084599d4ec13b117dfeda869474dde0a7b056

    SHA256

    c84355385abdd7a90da68cfa0759f275b439cc2d33bde1d9fba0832f4d8da6a0

    SHA512

    5016144c29abbae07bbbfc3e08aa22d0d635c311d01de746cab00ed4c0ca087805d4503c82aa3a95519c7f5bc2a8acc99187bc06e8472e5364cce47724777635

  • \??\c:\windows\system\svchost.exe

    Filesize

    293KB

    MD5

    48575234c51d1f1844dcc0ab7f5c5511

    SHA1

    64e191b3b5273291e4007951f7959482cd969860

    SHA256

    66b8ae12cc1781577b2aa139011ba732b5cf90c7a08168567bcc9771ddab5130

    SHA512

    fce4d32385cc0b5b6b6523654e36d743a40e241a8cf7161542b8580f19595321cbdf839adb2c290147e9770fb5bb5c062b9f3d706da50f2ea3dc62557daa83ae