Overview

overview

10

Static

static

3

NEAS.1eddd...60.exe

windows7-x64

10

NEAS.1eddd...60.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/11/2023, 06:27

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.1eddd459cda30ef6d213a0783d429060.exe

  • Size

    438KB

  • MD5

    1eddd459cda30ef6d213a0783d429060

  • SHA1

    faf313df2dd6fddaca614c88f1bdf4d737386b29

  • SHA256

    d12a3937f4026ce87ccc080bda2d393387aef5685643f3756fea79f1c88a7205

  • SHA512

    c3e691c5ea9e41e3b4a2fa67a84a9ff83c0cac34aa10c3721d7b0f46769388c7188721a3139b7bdd4dc91a9f4d17aa8a716ca786569152ac40f22551066d0a16

  • SSDEEP

    6144:dC4umWphVf4j27zo1ArpOA5MIgNDi4h9aRzSr8yrR4zi21fCY277QRnMt:H9WphJx7kAr3ggxRzSwyrX21fxk

Score
10/10
persistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 58 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.1eddd459cda30ef6d213a0783d429060.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.1eddd459cda30ef6d213a0783d429060.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2960
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c reg ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v WinIcons /t REG_SZ /d C:\Windows\system32\winicons.exe /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4036
      • C:\Windows\SysWOW64\reg.exe
        reg ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v WinIcons /t REG_SZ /d C:\Windows\system32\winicons.exe /f
        3⤵
        • Adds Run key to start application
        PID:3808

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\SysWOW64\sychost.exe
          Filesize

          438KB

          MD5

          1eddd459cda30ef6d213a0783d429060

          SHA1

          faf313df2dd6fddaca614c88f1bdf4d737386b29

          SHA256

          d12a3937f4026ce87ccc080bda2d393387aef5685643f3756fea79f1c88a7205

          SHA512

          c3e691c5ea9e41e3b4a2fa67a84a9ff83c0cac34aa10c3721d7b0f46769388c7188721a3139b7bdd4dc91a9f4d17aa8a716ca786569152ac40f22551066d0a16

          Download Submit

        • C:\log.txt
          Filesize

          137B

          MD5

          f3d9f1cf659613d9d318a27728ac6460

          SHA1

          ca39b843146c98fc9efded5f4a20912bf6356648

          SHA256

          a50064cb07238feccba052ab6d330caab72d4eea063cd6c9a0c7fa2c5147bf6e

          SHA512

          b20cf398ddacf21dff4bea0e4c25f74730de2e31a5666852a69c0ee9f0c0310cc1b3f0b342bbc3ae37df4152f6e6cc7506a4c1e3a0eeac3bb00fe8387565cc9c

          Download Submit

        • memory/2960-52-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2960-71-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2960-72-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2960-88-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2960-90-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2960-92-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2960-94-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2960-95-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2960-96-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2960-97-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2960-98-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download