443862c81b4d4c8fda7e72af1901b8446b5b94a21a83e13cb936ff623d5d6c25

Analysis

max time kernel
143s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
16/11/2023, 10:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Size

63KB
MD5

cd3cd158e5e84f4733f5453bc0c13320
SHA1

ccfe677890b815252c525fe4711a080a90efb173
SHA256

443862c81b4d4c8fda7e72af1901b8446b5b94a21a83e13cb936ff623d5d6c25
SHA512

0e3d4e0af1cd86fc2c46eabad06ffabaab25e287a48c43cea0414eafbe7b231122eca7da534e24444d80ff87b535dfba0a149acaf9721b6df690533cbdd699c5
SSDEEP

1536:jRsjdEIUFC2p79OCnouy8VDtHAG4RsfU:jOm9CshoutdtR4

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 14 IoCs

pid	Process
4484	xk.exe
1372	IExplorer.exe
1984	WINLOGON.EXE
5068	CSRSS.EXE
4852	SERVICES.EXE
1440	LSASS.EXE
1088	SMSS.EXE
3848	xk.exe
1984	IExplorer.exe
416	WINLOGON.EXE
1440	CSRSS.EXE
1268	SERVICES.EXE
556	LSASS.EXE
4540	SMSS.EXE

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe

UPX packed file 41 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3800-0-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x0006000000022e5d-7.dat	upx
behavioral2/files/0x0006000000022e59-47.dat	upx
behavioral2/files/0x0006000000022e59-48.dat	upx
behavioral2/memory/4484-49-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/memory/4484-54-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x0006000000022e5d-53.dat	upx
behavioral2/files/0x0006000000022e5d-55.dat	upx
behavioral2/memory/1372-58-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x0006000000022e5f-60.dat	upx
behavioral2/files/0x0006000000022e5f-61.dat	upx
behavioral2/memory/1984-64-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x0006000000022e60-66.dat	upx
behavioral2/files/0x0006000000022e60-67.dat	upx
behavioral2/memory/5068-68-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/memory/5068-71-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x0006000000022e61-73.dat	upx
behavioral2/files/0x0006000000022e61-74.dat	upx
behavioral2/memory/4852-77-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x0006000000022e62-79.dat	upx
behavioral2/files/0x0006000000022e62-80.dat	upx
behavioral2/memory/1440-83-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x0006000000022e63-84.dat	upx
behavioral2/files/0x0006000000022e63-86.dat	upx
behavioral2/memory/1088-89-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/memory/3800-115-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x0006000000022e59-223.dat	upx
behavioral2/files/0x0006000000022e5d-228.dat	upx
behavioral2/memory/3848-226-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/memory/1984-231-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x0006000000022e5f-233.dat	upx
behavioral2/memory/416-236-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x0006000000022e60-238.dat	upx
behavioral2/memory/1440-241-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x0006000000022e61-243.dat	upx
behavioral2/memory/1268-247-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x0006000000022e62-248.dat	upx
behavioral2/memory/556-251-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x0006000000022e63-253.dat	upx
behavioral2/memory/4540-256-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/memory/3800-257-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\desktop.ini	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File created	C:\desktop.ini	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File opened for modification	F:\desktop.ini	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File created	F:\desktop.ini	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File opened (read-only)	\??\N:	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File opened (read-only)	\??\O:	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File opened (read-only)	\??\T:	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File opened (read-only)	\??\U:	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File opened (read-only)	\??\E:	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File opened (read-only)	\??\H:	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File opened (read-only)	\??\I:	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File opened (read-only)	\??\K:	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File opened (read-only)	\??\M:	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File opened (read-only)	\??\R:	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File opened (read-only)	\??\S:	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File opened (read-only)	\??\V:	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File opened (read-only)	\??\X:	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File opened (read-only)	\??\Z:	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File opened (read-only)	\??\B:	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File opened (read-only)	\??\J:	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File opened (read-only)	\??\L:	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File opened (read-only)	\??\P:	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File opened (read-only)	\??\Q:	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File opened (read-only)	\??\W:	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File opened (read-only)	\??\Y:	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File created	C:\Windows\SysWOW64\shell.exe	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File created	C:\Windows\SysWOW64\Mig2.scr	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File created	C:\Windows\xk.exe	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\Desktop\	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3800	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
3800	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
3800	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
4484	xk.exe
1372	IExplorer.exe
1984	WINLOGON.EXE
5068	CSRSS.EXE
4852	SERVICES.EXE
1440	LSASS.EXE
1088	SMSS.EXE
3848	xk.exe
1984	IExplorer.exe
416	WINLOGON.EXE
1440	CSRSS.EXE
1268	SERVICES.EXE
556	LSASS.EXE
4540	SMSS.EXE

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3800 wrote to memory of 4484	3800	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	89
PID 3800 wrote to memory of 4484	3800	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	89
PID 3800 wrote to memory of 4484	3800	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	89
PID 3800 wrote to memory of 1372	3800	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	90
PID 3800 wrote to memory of 1372	3800	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	90
PID 3800 wrote to memory of 1372	3800	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	90
PID 3800 wrote to memory of 1984	3800	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	91
PID 3800 wrote to memory of 1984	3800	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	91
PID 3800 wrote to memory of 1984	3800	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	91
PID 3800 wrote to memory of 5068	3800	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	92
PID 3800 wrote to memory of 5068	3800	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	92
PID 3800 wrote to memory of 5068	3800	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	92
PID 3800 wrote to memory of 4852	3800	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	93
PID 3800 wrote to memory of 4852	3800	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	93
PID 3800 wrote to memory of 4852	3800	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	93
PID 3800 wrote to memory of 1440	3800	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	94
PID 3800 wrote to memory of 1440	3800	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	94
PID 3800 wrote to memory of 1440	3800	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	94
PID 3800 wrote to memory of 1088	3800	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	95
PID 3800 wrote to memory of 1088	3800	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	95
PID 3800 wrote to memory of 1088	3800	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	95
PID 3800 wrote to memory of 3848	3800	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	103
PID 3800 wrote to memory of 3848	3800	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	103
PID 3800 wrote to memory of 3848	3800	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	103
PID 3800 wrote to memory of 1984	3800	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	105
PID 3800 wrote to memory of 1984	3800	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	105
PID 3800 wrote to memory of 1984	3800	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	105
PID 3800 wrote to memory of 416	3800	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	106
PID 3800 wrote to memory of 416	3800	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	106
PID 3800 wrote to memory of 416	3800	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	106
PID 3800 wrote to memory of 1440	3800	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	108
PID 3800 wrote to memory of 1440	3800	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	108
PID 3800 wrote to memory of 1440	3800	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	108
PID 3800 wrote to memory of 1268	3800	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	109
PID 3800 wrote to memory of 1268	3800	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	109
PID 3800 wrote to memory of 1268	3800	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	109
PID 3800 wrote to memory of 556	3800	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	110
PID 3800 wrote to memory of 556	3800	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	110
PID 3800 wrote to memory of 556	3800	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	110
PID 3800 wrote to memory of 4540	3800	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	111
PID 3800 wrote to memory of 4540	3800	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	111
PID 3800 wrote to memory of 4540	3800	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	111

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3800
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4484
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1372
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1984
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5068
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4852
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1440
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1088
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3848
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1984
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:416
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1440
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1268
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:556
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
63KB

MD5
479b1f9a93ff4fb40c6058b906497680

SHA1
25cd90d964cff73ce109907661100b395913060f

SHA256
9f672e53edcc1d9d151af1137add07e6ba2adb48f419a97c3b7c4fa797937747

SHA512
a52130d69e78c65d583f2802ff3498c1c2c1f28e690673857dc7902bfb12df44db5fb7f97602657c5d04e6d21bc9025d61be9a5d29414bb571f83bcf9c16abbe

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
63KB

MD5
63fbbc4d0d5790cce49aef09512ecdbb

SHA1
2cc48c697153a895d3d68c63d46cb6c29df75cff

SHA256
14c465bb5dd5168a26badff1adc5235d222ea8dcb45c3c7978523eb3eddaf407

SHA512
81af4829739d7d720a6928e447b7536e22544a3b0ae5b1b1ac9a2495c15c8572edf4b2fbabb719009d36fa82c3ae50c22a29000cdcc2815ad2e9d4a6e9d6ca50

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
63KB

MD5
24cca3802c75919751b1076d6a79ce38

SHA1
8a614108b1aac31d24c168e465146b1bcd8bbced

SHA256
8d8d1da2bff1bb78c130b6707f6ebf5b6ca953afe2d990ba566b0ff5dd71709c

SHA512
1c049e8b5ea3850a96feaa456e3acdc5803b0e079bc777118c3b36af3e1dff4599368a2996ca4232407afff610bd8a11db0c4fc70ecde45b0099978dd0e34b9a

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
63KB

MD5
28f8576df79e76fe1a7eeb075cb0f381

SHA1
7df73f84ce369d7f6ef1805e7fe9949824d81047

SHA256
533a1be0a3c49accfae03577c52cf0118dbe8e96fe8f24351c2f32e1d52d9797

SHA512
4bc3ad89d9e606d256926398f1dac8f2c1799771958b4919e5dff8c2cda8c6e04ea630528378b69eec8614fa558346505569c043ba48a32b36a2821a237e9968

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
63KB

MD5
c9e0ee3c964e1185cad6a0d3182b351c

SHA1
657f5e7ab4c72a959b1623cfa73cc7008b951621

SHA256
a2447fe5b14bc934593b4058ad4f0558822af58e78022ab4ccedf09b8103fff9

SHA512
7f7748b03b751cec5a71fb2c35740191612f57d631b0b64f16427f30f0b1b2e4debf31e615bff08c524c178137c6495876ffde433cd141001b28a2c43bafcecd

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
63KB

MD5
2f9b0b7b6caa200b0b46e3c11ea6e14d

SHA1
4f4897b1936eea06e91fad6ba342d00842af30f8

SHA256
2fd2eb619045ab1dfdb4b4ddc75deca80a44c86bf512fa6c2fa77ea817eef52a

SHA512
4fe8230e0eb22c3bcdc8615d3cced90c775a8a3149f07d19daad5f6cd125cc2fdf479b81ba237d6a5bee668ec1e431b7cd86f7a5054b1cd5f094e5678b767be2

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
63KB

MD5
fb87e39f82a311e84c7df85a14a7393f

SHA1
a797a0f4d48edfdb688464fabfe6e1d91f199066

SHA256
f421a4a9db54ca5a6e5e9c9daa3bac61771bd39bceadccbf6fed5d84d1060da5

SHA512
adb68e45007b3973443337040dfde4d40cec5d4925a01fceab0a2ad573bb4d6e0a6ffc24584f6e3f5cc5fdada7f003b072ca3a9a8bacda40834a55d1bbac41ac

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
63KB

MD5
c391869d4b0944c2f9589bec5352a6c3

SHA1
f22f146a2229ba2dff87dcef54c08f5570024d01

SHA256
5692d8aa874bedd238746b1012aaa35b66a70fc56e2514f200f635c414bd8d51

SHA512
3541ec3efdee48b5d8cd70eba290850c068759b52d00f1f4f0dadb447895e7d728704dffb579166face684ad42ab44dfdfb221fc06c666e1fd68dfe5937f5ace

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
63KB

MD5
193197c924046103c905bc6a9c87b2f8

SHA1
c8dcb9fc840e0530376bc17054801af49a2f39db

SHA256
7d9cfc943ba91ede14c181c406d6f71834f5b86afb3f4529d350c42e26defedc

SHA512
4c459e8b9389c88325c3ed36c463a27c8cb6a1f021f0d414d2f85c4eacb5bc5af8cc0ec741e430c82f4b12cb250238e766bf7a9a961a156e56f916f7ee129733

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
63KB

MD5
1be326330d300662cb37b6b1c8c5db90

SHA1
2262e8e2374da8dbfced23670aaaf0aa82ff7d10

SHA256
9716948da01827128bfc9bd00c128d49b612f8b82a6c90aa3617ed6b3982d5c7

SHA512
15c747f89e9438d8e54042ee0391b11680af13b68ed3aab35fc0bb7a630f39e3c8b88aeeb09ec36097b76da95e45c48a1d0ed95e61df2cf43cda9bc3348a9538

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

Filesize
63KB

MD5
63fbbc4d0d5790cce49aef09512ecdbb

SHA1
2cc48c697153a895d3d68c63d46cb6c29df75cff

SHA256
14c465bb5dd5168a26badff1adc5235d222ea8dcb45c3c7978523eb3eddaf407

SHA512
81af4829739d7d720a6928e447b7536e22544a3b0ae5b1b1ac9a2495c15c8572edf4b2fbabb719009d36fa82c3ae50c22a29000cdcc2815ad2e9d4a6e9d6ca50

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

Filesize
63KB

MD5
28f8576df79e76fe1a7eeb075cb0f381

SHA1
7df73f84ce369d7f6ef1805e7fe9949824d81047

SHA256
533a1be0a3c49accfae03577c52cf0118dbe8e96fe8f24351c2f32e1d52d9797

SHA512
4bc3ad89d9e606d256926398f1dac8f2c1799771958b4919e5dff8c2cda8c6e04ea630528378b69eec8614fa558346505569c043ba48a32b36a2821a237e9968

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

Filesize
63KB

MD5
2f9b0b7b6caa200b0b46e3c11ea6e14d

SHA1
4f4897b1936eea06e91fad6ba342d00842af30f8

SHA256
2fd2eb619045ab1dfdb4b4ddc75deca80a44c86bf512fa6c2fa77ea817eef52a

SHA512
4fe8230e0eb22c3bcdc8615d3cced90c775a8a3149f07d19daad5f6cd125cc2fdf479b81ba237d6a5bee668ec1e431b7cd86f7a5054b1cd5f094e5678b767be2

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

Filesize
63KB

MD5
c391869d4b0944c2f9589bec5352a6c3

SHA1
f22f146a2229ba2dff87dcef54c08f5570024d01

SHA256
5692d8aa874bedd238746b1012aaa35b66a70fc56e2514f200f635c414bd8d51

SHA512
3541ec3efdee48b5d8cd70eba290850c068759b52d00f1f4f0dadb447895e7d728704dffb579166face684ad42ab44dfdfb221fc06c666e1fd68dfe5937f5ace

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

Filesize
63KB

MD5
1be326330d300662cb37b6b1c8c5db90

SHA1
2262e8e2374da8dbfced23670aaaf0aa82ff7d10

SHA256
9716948da01827128bfc9bd00c128d49b612f8b82a6c90aa3617ed6b3982d5c7

SHA512
15c747f89e9438d8e54042ee0391b11680af13b68ed3aab35fc0bb7a630f39e3c8b88aeeb09ec36097b76da95e45c48a1d0ed95e61df2cf43cda9bc3348a9538

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
63KB

MD5
eba04d12cf4d107eaae7c906168ab624

SHA1
197a6bb751ca59e4d826b067ed0a1678403e6986

SHA256
61688a652657a146f4b7757e9f1dce244673608aa5ae12623cb9d3f737cf936c

SHA512
f2cc6a9e9e23e274eab0ae7d9b2165b572773ab78287d780bd6f01edefd61a6a959eea512d4119e27d76e16b95aa0348e15fa523cd3b35caa93116685a906f54

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
63KB

MD5
fea9bf752eb17a004b5bf9ec72e73020

SHA1
a5d45d056623d1e4ca2897244cd07000287a0109

SHA256
a6f0d85763e3e67a2824827e07c41e7d86d179f61edb8902852db12935846c8d

SHA512
23edbd1309af827143ea23fd17920897beb6cc541fc45ae03fee150545c20aefa5962e638e9f121334dd8064e6c6d804ba18d1886dd6c77e95a1fb9a5991b846

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
63KB

MD5
fea9bf752eb17a004b5bf9ec72e73020

SHA1
a5d45d056623d1e4ca2897244cd07000287a0109

SHA256
a6f0d85763e3e67a2824827e07c41e7d86d179f61edb8902852db12935846c8d

SHA512
23edbd1309af827143ea23fd17920897beb6cc541fc45ae03fee150545c20aefa5962e638e9f121334dd8064e6c6d804ba18d1886dd6c77e95a1fb9a5991b846

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
63KB

MD5
cd3cd158e5e84f4733f5453bc0c13320

SHA1
ccfe677890b815252c525fe4711a080a90efb173

SHA256
443862c81b4d4c8fda7e72af1901b8446b5b94a21a83e13cb936ff623d5d6c25

SHA512
0e3d4e0af1cd86fc2c46eabad06ffabaab25e287a48c43cea0414eafbe7b231122eca7da534e24444d80ff87b535dfba0a149acaf9721b6df690533cbdd699c5

Download Submit
C:\Windows\xk.exe

Filesize
63KB

MD5
a7ad10298bde1c4380e64da3bb7d4e41

SHA1
ab66d948ae5c60b4999ad505f186941cf886e6fd

SHA256
fe5f7886d162a1cf930088f08f6b477696ad14157ca8388a201c6a33e02d9242

SHA512
02ce2a124b9b51da137a5c41cc9bb6ba8e330b8026d6f0fd2077db017e31f48cff53b2c3b08094060bd56bffdb48404564748f8d4f2f6a6e14e810db4dbd16ef

Download Submit
C:\Windows\xk.exe

Filesize
63KB

MD5
df16f066b8c8fb42898b6c07f697fee1

SHA1
9eeab9d5ca28780c8d849709bed4586aa4842e56

SHA256
78544d506c7deec90430fcd7a75ffea70e39a15749514752ccd4fc6afa51212a

SHA512
d3dcece2d53a02c8e927dd0bd109c03162b34a4f9f9e9fe37e286986ffe7a01a4e7262d62582abe88ef7164a9e86f7b51744864d81f8a22769b0393ced6dcf6e

Download Submit
C:\Windows\xk.exe

Filesize
63KB

MD5
df16f066b8c8fb42898b6c07f697fee1

SHA1
9eeab9d5ca28780c8d849709bed4586aa4842e56

SHA256
78544d506c7deec90430fcd7a75ffea70e39a15749514752ccd4fc6afa51212a

SHA512
d3dcece2d53a02c8e927dd0bd109c03162b34a4f9f9e9fe37e286986ffe7a01a4e7262d62582abe88ef7164a9e86f7b51744864d81f8a22769b0393ced6dcf6e

Download Submit
memory/416-236-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/556-251-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1088-89-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1268-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1372-58-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1440-83-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1440-241-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1984-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1984-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3800-115-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3800-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3800-257-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3848-226-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4484-49-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4484-54-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4540-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4852-77-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5068-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5068-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download