3f88ac9d2516992a501263d7d6bb00c8616c7ba83a1947266c977b3a841b09b3

Analysis

max time kernel
171s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
12/11/2023, 09:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.7a122d7ae75c307301314d6ff85941c0.exe
Size

135KB
MD5

7a122d7ae75c307301314d6ff85941c0
SHA1

ab416cff99d47503520ba4d5473f5bcc709d5781
SHA256

3f88ac9d2516992a501263d7d6bb00c8616c7ba83a1947266c977b3a841b09b3
SHA512

ed1ca64f6930d7b61c4aaeaf1f503a188332273a947e944fcb68b00e297d4618869e5061a19f8d9db096e22c9a6958fcaa54f189ac289a1bd92413239798b1a7
SSDEEP

1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbV1iFt:UVqoCl/YgjxEufVU0TbTyDDalP0t

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
2580	explorer.exe
2488	spoolsv.exe
4888	svchost.exe
3680	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3068	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
3068	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
3068	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
3068	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
3068	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
3068	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
3068	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
3068	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
3068	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
3068	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
3068	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
3068	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
3068	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
3068	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
3068	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
3068	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
3068	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
3068	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
3068	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
3068	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
3068	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
3068	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
3068	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
3068	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
3068	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
3068	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
3068	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
3068	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
3068	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
3068	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
3068	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
3068	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
3068	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
3068	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe
2580	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2580	explorer.exe
4888	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3068	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
3068	NEAS.7a122d7ae75c307301314d6ff85941c0.exe
2580	explorer.exe
2580	explorer.exe
2488	spoolsv.exe
2488	spoolsv.exe
4888	svchost.exe
4888	svchost.exe
3680	spoolsv.exe
3680	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2580	3068	NEAS.7a122d7ae75c307301314d6ff85941c0.exe	93
PID 3068 wrote to memory of 2580	3068	NEAS.7a122d7ae75c307301314d6ff85941c0.exe	93
PID 3068 wrote to memory of 2580	3068	NEAS.7a122d7ae75c307301314d6ff85941c0.exe	93
PID 2580 wrote to memory of 2488	2580	explorer.exe	94
PID 2580 wrote to memory of 2488	2580	explorer.exe	94
PID 2580 wrote to memory of 2488	2580	explorer.exe	94
PID 2488 wrote to memory of 4888	2488	spoolsv.exe	95
PID 2488 wrote to memory of 4888	2488	spoolsv.exe	95
PID 2488 wrote to memory of 4888	2488	spoolsv.exe	95
PID 4888 wrote to memory of 3680	4888	svchost.exe	96
PID 4888 wrote to memory of 3680	4888	svchost.exe	96
PID 4888 wrote to memory of 3680	4888	svchost.exe	96

C:\Users\Admin\AppData\Local\Temp\NEAS.7a122d7ae75c307301314d6ff85941c0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.7a122d7ae75c307301314d6ff85941c0.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3068
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2580
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4888
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
a67bedf7dd28d81df863f40dd7e8a1f0

SHA1
5de62b9eabaae79266fdcf6cd2aa8ad197010c4e

SHA256
e5d41a4a87d0609f9a8527e129530720784d4d3cb3a1bb1abf2c55940c81a46d

SHA512
e4f8e5e85be2b89732f78fce1856787584b098f3791114dd20b102cf7ba8869183cbfe4958c181be37dcd50e834c6ee2cd8bfc230fd70725a5b5ed396806166a

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
fea08bf294ea2d37d8a9904b1641318d

SHA1
21cab680096c491b2a70c5aa42c385de6a01121b

SHA256
e6b8a4ad24664927de24732fab08dbef8517908226822832be5a30e342d61281

SHA512
48d715980eb7c3db7576fdc25a117b7ece7f9203b2659be51271b679e4383ff83afeec20f0b0fd38a8eae8a605cccb9abd3eae863338e1f9466e8e0a35ee55b0

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
fea08bf294ea2d37d8a9904b1641318d

SHA1
21cab680096c491b2a70c5aa42c385de6a01121b

SHA256
e6b8a4ad24664927de24732fab08dbef8517908226822832be5a30e342d61281

SHA512
48d715980eb7c3db7576fdc25a117b7ece7f9203b2659be51271b679e4383ff83afeec20f0b0fd38a8eae8a605cccb9abd3eae863338e1f9466e8e0a35ee55b0

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
fea08bf294ea2d37d8a9904b1641318d

SHA1
21cab680096c491b2a70c5aa42c385de6a01121b

SHA256
e6b8a4ad24664927de24732fab08dbef8517908226822832be5a30e342d61281

SHA512
48d715980eb7c3db7576fdc25a117b7ece7f9203b2659be51271b679e4383ff83afeec20f0b0fd38a8eae8a605cccb9abd3eae863338e1f9466e8e0a35ee55b0

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
ce8f4ea841bd7e7d881f74efc6bef350

SHA1
ca037c583a41f5f97475331fa8d6a2b3866316ed

SHA256
ed17dac491192a12a1c0dcd366a42da66a231f56d7949279384d64e20954810b

SHA512
b7f5d6d72b243599363fbaccf9a8c5395d689bb35e547d3c6e7f8c729159c0dce7f1d4f19773e204a42fde2aa00359f8123fa06c55deb27ab16347ded80977ca

Download Submit
\??\c:\windows\resources\spoolsv.exe

Filesize
135KB

MD5
fea08bf294ea2d37d8a9904b1641318d

SHA1
21cab680096c491b2a70c5aa42c385de6a01121b

SHA256
e6b8a4ad24664927de24732fab08dbef8517908226822832be5a30e342d61281

SHA512
48d715980eb7c3db7576fdc25a117b7ece7f9203b2659be51271b679e4383ff83afeec20f0b0fd38a8eae8a605cccb9abd3eae863338e1f9466e8e0a35ee55b0

Download Submit
\??\c:\windows\resources\svchost.exe

Filesize
135KB

MD5
ce8f4ea841bd7e7d881f74efc6bef350

SHA1
ca037c583a41f5f97475331fa8d6a2b3866316ed

SHA256
ed17dac491192a12a1c0dcd366a42da66a231f56d7949279384d64e20954810b

SHA512
b7f5d6d72b243599363fbaccf9a8c5395d689bb35e547d3c6e7f8c729159c0dce7f1d4f19773e204a42fde2aa00359f8123fa06c55deb27ab16347ded80977ca

Download Submit
\??\c:\windows\resources\themes\explorer.exe

Filesize
135KB

MD5
a67bedf7dd28d81df863f40dd7e8a1f0

SHA1
5de62b9eabaae79266fdcf6cd2aa8ad197010c4e

SHA256
e5d41a4a87d0609f9a8527e129530720784d4d3cb3a1bb1abf2c55940c81a46d

SHA512
e4f8e5e85be2b89732f78fce1856787584b098f3791114dd20b102cf7ba8869183cbfe4958c181be37dcd50e834c6ee2cd8bfc230fd70725a5b5ed396806166a

Download Submit
memory/2488-33-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2580-9-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3068-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3068-35-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3680-34-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download