Analysis
max time kernel: 150s
max time network: 124s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 16-11-2023 10:37
Static task: static1
Behavioral task: behavioral1
  Sample: NEAS.a5c63e560b29d86f59e932cb1967bc60.exe
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: NEAS.a5c63e560b29d86f59e932cb1967bc60.exe
  Resource: win10v2004-20231020-en
General
Target: NEAS.a5c63e560b29d86f59e932cb1967bc60.exe
Size: 742KB
MD5: a5c63e560b29d86f59e932cb1967bc60
SHA1: 2deaf371f59fabb2c483c32d711eb594cfdad007
SHA256: aa09ca2d5591d13eeab08ab0b2f6921031a341f577cc13a8a7ac96c9c43eeed0
SHA512: fbafbd93612296da99579004f9427c59316a52ece230e24848ecc95240c9a853158da6e238734c912f58de620808adece20728163c127cc4b567518da7e481c2
SSDEEP: 12288:ltTuhrf45I8jWtJ8OgL27rd69bk5NCgGhSFB79gYhLIf6EQ9EYcw1F/:lIt4kt0Kd6F6CNzYhUiEWEYcwH
Malware Config
Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe

Executes dropped EXE (4 IoCs)
  pid | Process
  1448 | explorer.exe
  2748 | spoolsv.exe
  2656 | svchost.exe
  2820 | spoolsv.exe

Loads dropped DLL (4 IoCs)
  pid | Process
  2196 | NEAS.a5c63e560b29d86f59e932cb1967bc60.exe
  1448 | explorer.exe
  2748 | spoolsv.exe
  2656 | svchost.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe

Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (19 IoCs)
  pid | Process
  2196 | NEAS.a5c63e560b29d86f59e932cb1967bc60.exe
  1448 | explorer.exe
  2748 | spoolsv.exe
  2656 | svchost.exe
  2820 | spoolsv.exe
  1448 | explorer.exe (7 further entries, alternating with 2656 svchost.exe)
  2656 | svchost.exe (7 further entries)

Drops file in Windows directory (4 IoCs)
  description | ioc | Process
  File opened for modification | \??\c:\windows\resources\themes\explorer.exe | NEAS.a5c63e560b29d86f59e932cb1967bc60.exe
  File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
  File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
  File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe

Creates scheduled task(s) (1 TTPs, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2664 | schtasks.exe
  3008 | schtasks.exe
  1908 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs, listed in report order with repeat counts)
  pid | Process | entries
  2196 | NEAS.a5c63e560b29d86f59e932cb1967bc60.exe | 21
  1448 | explorer.exe | 19
  2196 | NEAS.a5c63e560b29d86f59e932cb1967bc60.exe | 2
  2748 | spoolsv.exe | 4
  1448 | explorer.exe | 1
  2656 | svchost.exe | 6
  2196 | NEAS.a5c63e560b29d86f59e932cb1967bc60.exe | 3
  2656 | svchost.exe | 8

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | Process
  1448 | explorer.exe
  2656 | svchost.exe

Suspicious use of SetWindowsHookEx (15 IoCs)
  pid | Process | entries
  2196 | NEAS.a5c63e560b29d86f59e932cb1967bc60.exe | 3
  1448 | explorer.exe | 3
  2748 | spoolsv.exe | 3
  2656 | svchost.exe | 3
  2820 | spoolsv.exe | 3

Suspicious use of WriteProcessMemory (32 IoCs; each row appears 4 times in the report)
  description | pid | Process | procid_target
  PID 2196 wrote to memory of 1448 | 2196 | NEAS.a5c63e560b29d86f59e932cb1967bc60.exe | 28
  PID 1448 wrote to memory of 2748 | 1448 | explorer.exe | 29
  PID 2748 wrote to memory of 2656 | 2748 | spoolsv.exe | 30
  PID 2656 wrote to memory of 2820 | 2656 | svchost.exe | 31
  PID 1448 wrote to memory of 2600 | 1448 | explorer.exe | 32
  PID 2656 wrote to memory of 2664 | 2656 | svchost.exe | 33
  PID 2656 wrote to memory of 3008 | 2656 | svchost.exe | 38
  PID 2656 wrote to memory of 1908 | 2656 | svchost.exe | 40
Processes (tree; depth as reported by the sandbox)

- C:\Users\Admin\AppData\Local\Temp\NEAS.a5c63e560b29d86f59e932cb1967bc60.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.a5c63e560b29d86f59e932cb1967bc60.exe"
  depth 1, PID 2196
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - \??\c:\windows\resources\themes\explorer.exe
    command line: c:\windows\resources\themes\explorer.exe
    depth 2, PID 1448
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    - \??\c:\windows\resources\spoolsv.exe
      command line: c:\windows\resources\spoolsv.exe SE
      depth 3, PID 2748
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      - \??\c:\windows\resources\svchost.exe
        command line: c:\windows\resources\svchost.exe
        depth 4, PID 2656
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        - \??\c:\windows\resources\spoolsv.exe
          command line: c:\windows\resources\spoolsv.exe PR
          depth 5, PID 2820
          - Executes dropped EXE
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious use of SetWindowsHookEx

        - C:\Windows\SysWOW64\schtasks.exe
          command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 10:39 /f
          depth 5, PID 2664
          - Creates scheduled task(s)

        - C:\Windows\SysWOW64\schtasks.exe
          command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 10:40 /f
          depth 5, PID 3008
          - Creates scheduled task(s)

        - C:\Windows\SysWOW64\schtasks.exe
          command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 10:41 /f
          depth 5, PID 1908
          - Creates scheduled task(s)

    - C:\Windows\Explorer.exe
      command line: C:\Windows\Explorer.exe
      depth 3, PID 2600
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Downloads (12 entries in the report, 3 distinct files; repeats collapsed)

Entry listed 3 times
  Filesize: 741KB
  MD5: bd5d39cb52ed2592d01f6af9c5afc6e8
  SHA1: 30d60ff95715bc5c1d4979f1d44f6dca19282785
  SHA256: 42a57cd647de81302809ccf2f43636193f5dfadd570577ae28e6d62265f1f14a
  SHA512: db472cbaac243c0cc174e81a3aef8323f5391857945179aba23157907cc57eda5eeba85cc101ca83a62a117fbc1cb91cddfb30e5eba245b475106b296b1441c2

Entry listed 6 times
  Filesize: 742KB
  MD5: 582e2c6e1f992691ae05d77c1114bb5a
  SHA1: 071d4ace443f3114eca6b09f71269817ef19a806
  SHA256: 3e3034c65b2b13d0b497be6495195975e94f950a577eb99a65de004d03fd4ca0
  SHA512: 2a956d2b9cf34868763840c2acc5d6f3b9f4f2a57b30ce88a9b80d3389cf660ad2e31e8c324362b404beb76c33e94825a684b21ed2340c716cc0604a57a36397

Entry listed 3 times
  Filesize: 741KB
  MD5: 8fc015f5b8f1480ebd27f515c2b3b918
  SHA1: 135d1f9392d0b552468e04fce89b1e96cc3b436c
  SHA256: b55edc4264ed726ba664ba3b12d3e1db207deb45a4f67a277f36296d71f30b68
  SHA512: b5496d25d06290752da74895bd871f63868a80b21c80955f6fa7c6af496e7fbc9cd4481aae1eaf09f35fe71183b18cc28d0eb750f3ddae0898016755c151baa2