Analysis
max time kernel: 133s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-11-2023 11:50
Static task: static1
Behavioral task: behavioral1
Sample: NEAS.08c90de8fe931fa196de085ce4e92960.exe
Resource: win7-20231020-en
Behavioral task: behavioral2
Sample: NEAS.08c90de8fe931fa196de085ce4e92960.exe
Resource: win10v2004-20231023-en
General
Target: NEAS.08c90de8fe931fa196de085ce4e92960.exe
Size: 272KB
MD5: 08c90de8fe931fa196de085ce4e92960
SHA1: b534e4a16cb62696bcc7f81205b6223b611af41c
SHA256: 44c0f51238445a49226874169ea0dc8891f2574b535f138f4176ba60cbc2320f
SHA512: e9effbe14e40f1e9ee03f0020ed0a56ca9ac6eb9883023272173197ac603da12edacfadb9e606db82fde89f26f0011703f4c609ae58e0737b4579cbbbe410d6e
SSDEEP: 3072:PtD/aDHJ2V6e8Q4/6idYJB+H94ul40j+6OHacSwgvxdWF/n9yZHJ+vp:hyDpVIfPg+6OHa7MF/9w+v
Malware Config
Signatures

Sets file execution options in registry (2 TTPs, 8 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | NEAS.08c90de8fe931fa196de085ce4e92960.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Windows\\win32.exe" | NEAS.08c90de8fe931fa196de085ce4e92960.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | NEAS.08c90de8fe931fa196de085ce4e92960.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Windows\\win32.exe" | NEAS.08c90de8fe931fa196de085ce4e92960.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | NEAS.08c90de8fe931fa196de085ce4e92960.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\Windows\\win32.exe" | NEAS.08c90de8fe931fa196de085ce4e92960.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe | NEAS.08c90de8fe931fa196de085ce4e92960.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "C:\\Windows\\win32.exe" | NEAS.08c90de8fe931fa196de085ce4e92960.exe

Drops file in System32 directory (7 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\copy.pif | NEAS.08c90de8fe931fa196de085ce4e92960.exe
File opened for modification | C:\Windows\SysWOW64\copy.pif | NEAS.08c90de8fe931fa196de085ce4e92960.exe
File created | C:\Windows\SysWOW64\_default.pif | NEAS.08c90de8fe931fa196de085ce4e92960.exe
File opened for modification | C:\Windows\SysWOW64\_default.pif | NEAS.08c90de8fe931fa196de085ce4e92960.exe
File created | C:\Windows\SysWOW64\surif.bin | NEAS.08c90de8fe931fa196de085ce4e92960.exe
File opened for modification | C:\Windows\SysWOW64\surif.bin | NEAS.08c90de8fe931fa196de085ce4e92960.exe
File created | C:\Windows\SysWOW64\Oeminfo.ini | NEAS.08c90de8fe931fa196de085ce4e92960.exe

Drops file in Windows directory (7 IoCs)
description | ioc | Process
File created | C:\Windows\.exe | NEAS.08c90de8fe931fa196de085ce4e92960.exe
File opened for modification | C:\Windows\.exe | NEAS.08c90de8fe931fa196de085ce4e92960.exe
File created | C:\Windows\win32.exe | NEAS.08c90de8fe931fa196de085ce4e92960.exe
File opened for modification | C:\Windows\win32.exe | NEAS.08c90de8fe931fa196de085ce4e92960.exe
File created | C:\Windows\ActiveX.exe | NEAS.08c90de8fe931fa196de085ce4e92960.exe
File opened for modification | C:\Windows\ActiveX.exe | NEAS.08c90de8fe931fa196de085ce4e92960.exe
File opened for modification | C:\Windows\system\lsass.exe | NEAS.08c90de8fe931fa196de085ce4e92960.exe

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
3780 | 1476 | WerFault.exe | 85

Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
1476 | NEAS.08c90de8fe931fa196de085ce4e92960.exe
Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.08c90de8fe931fa196de085ce4e92960.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.08c90de8fe931fa196de085ce4e92960.exe"
  - Sets file execution options in registry
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID: 1476

  C:\Windows\SysWOW64\WerFault.exe (child of PID 1476)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 596
    - Program crash
    PID: 3780

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1476 -ip 1476
  PID: 716
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 272KB
MD5: a5c3cc87a539c0741fba694c6ce0bd29
SHA1: e94dba146632d9ff3ed78e496bab41c7d52bcfe8
SHA256: 83100b90ebdce55f30b089d0e45fd12fb52d3a66b4ad19ae54ab3ef75920eaba
SHA512: aa9b7349aa2935a24939fe73f13d31b8cbd7acdb66813de1416f367de83702168ffe1c47cf2ad92128f7ae3294b49cd71119abe707ea0efa9cab249a06f8737e