3f88ac9d2516992a501263d7d6bb00c8616c7ba83a1947266c977b3a841b09b3

Analysis

max time kernel
114s
max time network
125s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
12/11/2023, 09:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.7a122d7ae75c307301314d6ff85941c0.exe
Size

135KB
MD5

7a122d7ae75c307301314d6ff85941c0
SHA1

ab416cff99d47503520ba4d5473f5bcc709d5781
SHA256

3f88ac9d2516992a501263d7d6bb00c8616c7ba83a1947266c977b3a841b09b3
SHA512

ed1ca64f6930d7b61c4aaeaf1f503a188332273a947e944fcb68b00e297d4618869e5061a19f8d9db096e22c9a6958fcaa54f189ac289a1bd92413239798b1a7
SSDEEP

1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbV1iFt:UVqoCl/YgjxEufVU0TbTyDDalP0t

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
896	explorer.exe
2776	spoolsv.exe
2460	svchost.exe
2796	spoolsv.exe

Loads dropped DLL 4 IoCs

pid	Process
2244	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
896	explorer.exe
2776	spoolsv.exe
2460	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2852	schtasks.exe
2936	schtasks.exe
1112	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2244	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
2244	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
2244	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
2244	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
2244	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
2244	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
2244	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
2244	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
2244	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
2244	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
2244	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
2244	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
2244	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
2244	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
2244	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
2244	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
2244	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
2460	svchost.exe
2460	svchost.exe
2460	svchost.exe
2460	svchost.exe
2460	svchost.exe
2460	svchost.exe
2460	svchost.exe
2460	svchost.exe
2460	svchost.exe
2460	svchost.exe
2460	svchost.exe
2460	svchost.exe
2460	svchost.exe
2460	svchost.exe
2460	svchost.exe
2460	svchost.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
2460	svchost.exe
2460	svchost.exe
896	explorer.exe
2460	svchost.exe
896	explorer.exe
2460	svchost.exe
896	explorer.exe
2460	svchost.exe
896	explorer.exe
2460	svchost.exe
896	explorer.exe
2460	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
896	explorer.exe
2460	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2244	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
2244	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
896	explorer.exe
896	explorer.exe
2776	spoolsv.exe
2776	spoolsv.exe
2460	svchost.exe
2460	svchost.exe
2796	spoolsv.exe
2796	spoolsv.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 896	2244	NEAS.7a122d7ae75c307301314d6ff85941c0.exe	28
PID 2244 wrote to memory of 896	2244	NEAS.7a122d7ae75c307301314d6ff85941c0.exe	28
PID 2244 wrote to memory of 896	2244	NEAS.7a122d7ae75c307301314d6ff85941c0.exe	28
PID 2244 wrote to memory of 896	2244	NEAS.7a122d7ae75c307301314d6ff85941c0.exe	28
PID 896 wrote to memory of 2776	896	explorer.exe	29
PID 896 wrote to memory of 2776	896	explorer.exe	29
PID 896 wrote to memory of 2776	896	explorer.exe	29
PID 896 wrote to memory of 2776	896	explorer.exe	29
PID 2776 wrote to memory of 2460	2776	spoolsv.exe	35
PID 2776 wrote to memory of 2460	2776	spoolsv.exe	35
PID 2776 wrote to memory of 2460	2776	spoolsv.exe	35
PID 2776 wrote to memory of 2460	2776	spoolsv.exe	35
PID 2460 wrote to memory of 2796	2460	svchost.exe	30
PID 2460 wrote to memory of 2796	2460	svchost.exe	30
PID 2460 wrote to memory of 2796	2460	svchost.exe	30
PID 2460 wrote to memory of 2796	2460	svchost.exe	30
PID 896 wrote to memory of 2688	896	explorer.exe	34
PID 896 wrote to memory of 2688	896	explorer.exe	34
PID 896 wrote to memory of 2688	896	explorer.exe	34
PID 896 wrote to memory of 2688	896	explorer.exe	34
PID 2460 wrote to memory of 2852	2460	svchost.exe	32
PID 2460 wrote to memory of 2852	2460	svchost.exe	32
PID 2460 wrote to memory of 2852	2460	svchost.exe	32
PID 2460 wrote to memory of 2852	2460	svchost.exe	32
PID 2460 wrote to memory of 2936	2460	svchost.exe	39
PID 2460 wrote to memory of 2936	2460	svchost.exe	39
PID 2460 wrote to memory of 2936	2460	svchost.exe	39
PID 2460 wrote to memory of 2936	2460	svchost.exe	39

C:\Users\Admin\AppData\Local\Temp\NEAS.7a122d7ae75c307301314d6ff85941c0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.7a122d7ae75c307301314d6ff85941c0.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2244
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:896
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2460
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 09:52 /f
        5⤵
        Creates scheduled task(s)
        
        PID:2936
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 09:53 /f
        5⤵
        Creates scheduled task(s)
        
        PID:1112
- - C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe
    3⤵
    PID:2688

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2796

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 09:51 /f
1⤵
- Creates scheduled task(s)
PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
c06898b604491777bbae7ea9f821f85a

SHA1
705bdfb837e4dbe2218330ef89b0974cdf1196d0

SHA256
90db3fdd6abe11101e0c58dfe87fdda799fa9b9c01b49b64814c9583fadb068d

SHA512
6c62d2d537ac98383f57a8927e5807d865026f7e43df89b6bb0795b27a78dcd5018bbdb5f3fa5a6e2859e5493278c1a687feca7fab9d962df04b8e03534087d0

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
884be6ab890715d9f6e2b0ad0ddd478c

SHA1
11a08abab535d054e43c908e0bec4ae281f11663

SHA256
25f41f88cf71368fca62d389382406d413383fb3a4a073bc3c3ca87fe643a0cb

SHA512
5663f11f4620f407f3cb6c03d18167082caf612f806793fb617c27231e671ca1e1985fb37bc09a53d24aee25a416f5b1fe3b963064ff655cfac0ca3850132116

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
884be6ab890715d9f6e2b0ad0ddd478c

SHA1
11a08abab535d054e43c908e0bec4ae281f11663

SHA256
25f41f88cf71368fca62d389382406d413383fb3a4a073bc3c3ca87fe643a0cb

SHA512
5663f11f4620f407f3cb6c03d18167082caf612f806793fb617c27231e671ca1e1985fb37bc09a53d24aee25a416f5b1fe3b963064ff655cfac0ca3850132116

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
884be6ab890715d9f6e2b0ad0ddd478c

SHA1
11a08abab535d054e43c908e0bec4ae281f11663

SHA256
25f41f88cf71368fca62d389382406d413383fb3a4a073bc3c3ca87fe643a0cb

SHA512
5663f11f4620f407f3cb6c03d18167082caf612f806793fb617c27231e671ca1e1985fb37bc09a53d24aee25a416f5b1fe3b963064ff655cfac0ca3850132116

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
4525f7b67e9aedab90e0297722592324

SHA1
6b5ef919626baf1fa7b66c07ee8493b30ceb2a0b

SHA256
753540a5257b85b17bfb02413e3f4c1c52729d2137e4ed19429b08725c8ddf3e

SHA512
ee4f06305bf8e2ae757bdf22972cf3f21e3efe164efb8bb9478d5be4c84425f44c93d68aaa66db0a7dd64d33b648172bb1aa2206348ee78edcb6cb18bf30a2ef

Download Submit
\??\c:\windows\resources\spoolsv.exe

Filesize
135KB

MD5
884be6ab890715d9f6e2b0ad0ddd478c

SHA1
11a08abab535d054e43c908e0bec4ae281f11663

SHA256
25f41f88cf71368fca62d389382406d413383fb3a4a073bc3c3ca87fe643a0cb

SHA512
5663f11f4620f407f3cb6c03d18167082caf612f806793fb617c27231e671ca1e1985fb37bc09a53d24aee25a416f5b1fe3b963064ff655cfac0ca3850132116

Download Submit
\??\c:\windows\resources\svchost.exe

Filesize
135KB

MD5
4525f7b67e9aedab90e0297722592324

SHA1
6b5ef919626baf1fa7b66c07ee8493b30ceb2a0b

SHA256
753540a5257b85b17bfb02413e3f4c1c52729d2137e4ed19429b08725c8ddf3e

SHA512
ee4f06305bf8e2ae757bdf22972cf3f21e3efe164efb8bb9478d5be4c84425f44c93d68aaa66db0a7dd64d33b648172bb1aa2206348ee78edcb6cb18bf30a2ef

Download Submit
\??\c:\windows\resources\themes\explorer.exe

Filesize
135KB

MD5
c06898b604491777bbae7ea9f821f85a

SHA1
705bdfb837e4dbe2218330ef89b0974cdf1196d0

SHA256
90db3fdd6abe11101e0c58dfe87fdda799fa9b9c01b49b64814c9583fadb068d

SHA512
6c62d2d537ac98383f57a8927e5807d865026f7e43df89b6bb0795b27a78dcd5018bbdb5f3fa5a6e2859e5493278c1a687feca7fab9d962df04b8e03534087d0

Download Submit
\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
c06898b604491777bbae7ea9f821f85a

SHA1
705bdfb837e4dbe2218330ef89b0974cdf1196d0

SHA256
90db3fdd6abe11101e0c58dfe87fdda799fa9b9c01b49b64814c9583fadb068d

SHA512
6c62d2d537ac98383f57a8927e5807d865026f7e43df89b6bb0795b27a78dcd5018bbdb5f3fa5a6e2859e5493278c1a687feca7fab9d962df04b8e03534087d0

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
884be6ab890715d9f6e2b0ad0ddd478c

SHA1
11a08abab535d054e43c908e0bec4ae281f11663

SHA256
25f41f88cf71368fca62d389382406d413383fb3a4a073bc3c3ca87fe643a0cb

SHA512
5663f11f4620f407f3cb6c03d18167082caf612f806793fb617c27231e671ca1e1985fb37bc09a53d24aee25a416f5b1fe3b963064ff655cfac0ca3850132116

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
884be6ab890715d9f6e2b0ad0ddd478c

SHA1
11a08abab535d054e43c908e0bec4ae281f11663

SHA256
25f41f88cf71368fca62d389382406d413383fb3a4a073bc3c3ca87fe643a0cb

SHA512
5663f11f4620f407f3cb6c03d18167082caf612f806793fb617c27231e671ca1e1985fb37bc09a53d24aee25a416f5b1fe3b963064ff655cfac0ca3850132116

Download Submit
\Windows\Resources\svchost.exe

Filesize
135KB

MD5
4525f7b67e9aedab90e0297722592324

SHA1
6b5ef919626baf1fa7b66c07ee8493b30ceb2a0b

SHA256
753540a5257b85b17bfb02413e3f4c1c52729d2137e4ed19429b08725c8ddf3e

SHA512
ee4f06305bf8e2ae757bdf22972cf3f21e3efe164efb8bb9478d5be4c84425f44c93d68aaa66db0a7dd64d33b648172bb1aa2206348ee78edcb6cb18bf30a2ef

Download Submit
memory/2244-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2244-42-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2776-30-0x0000000000270000-0x000000000028F000-memory.dmp

Filesize
124KB

Download
memory/2776-41-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2796-40-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download