Analysis
-
max time kernel
140s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20231025-en -
resource tags
arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system -
submitted
17-11-2023 16:26
Behavioral task
behavioral1
Sample
NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
Resource
win10v2004-20231025-en
General
-
Target
NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
-
Size
164KB
-
MD5
ca337c7130eef4f4ff8e8a4a8ec28647
-
SHA1
28558e35d3f9af01fe438eba7fba1c38201c86de
-
SHA256
17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467
-
SHA512
60b9b7841a942a6bcb700872b6ff1353fd282a7b318d6ac8d47e419573978aff43c961436a2fdb6a076e81545ef9759e7848fdc9eaa5a571638ab19d666a1c1c
-
SSDEEP
3072:LBVn11HzIOLbi4eTMlwDCnun4XbZIt+ypUF:d9jzvbnWJnu14p
Malware Config
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exedescription ioc process File opened (read-only) \??\B: NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened (read-only) \??\H: NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened (read-only) \??\J: NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened (read-only) \??\O: NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened (read-only) \??\S: NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened (read-only) \??\X: NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened (read-only) \??\Z: NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened (read-only) \??\I: NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened (read-only) \??\M: NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened (read-only) \??\P: NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened (read-only) \??\Q: NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened (read-only) \??\V: NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened (read-only) \??\A: NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened (read-only) \??\G: NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened (read-only) \??\T: NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened (read-only) \??\Y: NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened (read-only) \??\E: NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened (read-only) \??\K: NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened (read-only) \??\L: NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened (read-only) \??\N: NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened (read-only) \??\R: NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened (read-only) \??\U: NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened (read-only) \??\W: NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe -
Drops file in Windows directory 64 IoCs
Processes:
NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exedescription ioc process File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-spp_31bf3856ad364e35_10.0.19041.1266_none_8f272afdd624490f_sppsvc.exe_fc6922a9 NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_b40cbfe2afd2c015_wowreg32.exe_94fc2d06 NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..ient-core.resources_31bf3856ad364e35_10.0.19041.1_es-es_ba1334d77db7a118_wuaueng.dll.mui_297f975d NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-com-base.resources_31bf3856ad364e35_10.0.19041.1_it-it_fb1b92cca7311236.manifest NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-schannel_31bf3856ad364e35_10.0.19041.789_none_ffe75708b42fd74f_schannel.dll_7364eaa8 NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-v..skservice.resources_31bf3856ad364e35_10.0.19041.1_de-de_af1113fd9cfe31c0_vdsutil.dll.mui_0caf9b0e NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-client-li..se-platform-service_31bf3856ad364e35_10.0.19041.84_none_cc8b03b372325d69.manifest NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..re-memorydiagnostic_31bf3856ad364e35_10.0.19041.1202_none_4cf57b53b9d3b259_memtest.efi_01d7fdbb NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lsa-minwin_31bf3856ad364e35_10.0.19041.1266_none_b2317523477fbd48_lsass.exe_682060de NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-profapi-onecore_31bf3856ad364e35_10.0.19041.844_none_ee6879440a206942.manifest NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-sechost_31bf3856ad364e35_10.0.19041.1_none_480894b3a0b47f35.manifest NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_10.0.19041.1_en-us_2c89c78983615cee.manifest NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-p..ng-client-overrides_31bf3856ad364e35_10.0.19041.1266_none_8e5f726ca832e39d_power.settings.graphics.ppkg_84d8ed15 NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-time-service.resources_31bf3856ad364e35_10.0.19041.1_de-de_6006045d449d1cd6.manifest NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-com-base_31bf3856ad364e35_10.0.19041.264_none_f62481abb9c79874.manifest NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ldap-client_31bf3856ad364e35_10.0.19041.546_none_db8a38e9e99bc04d.manifest NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-offlinefiles-core_31bf3856ad364e35_10.0.19041.1_none_5439566afb44d091.manifest NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-profsvcext_31bf3856ad364e35_10.0.19041.1_none_da1ac6c21358ec33.manifest NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..ertificates-utility_31bf3856ad364e35_10.0.19041.1_none_3eeeb9b5ca0761f9.manifest NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-profsvc.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_bf2ff44896ca733c_profsvc.dll.mui_32482e9e NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-win32kbase_31bf3856ad364e35_10.0.19041.1288_none_233dec521bed18a8.manifest NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-msauditevtlog_31bf3856ad364e35_10.0.19041.610_none_afaadb8f0b8a9278_msaudite.dll_9eacd00a NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tcpip_31bf3856ad364e35_10.0.19041.746_none_3f7ee0a8ee28ef7d_netiougc.exe_94123cfe NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_bg-bg_36e6bc5fe8ecffc2_msimsg.dll.mui_72e8994f NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-shsvcs.resources_31bf3856ad364e35_10.0.19041.1_en-us_4ddd600c7fa5e884.manifest NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_nl-nl_32602d1a95f90be1_bootmgr.exe.mui_c434701f NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..ui-resourceswin8rtm_31bf3856ad364e35_10.0.19041.1_none_40a3e631822403fd.manifest NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-themeservice.resources_31bf3856ad364e35_10.0.19041.1_es-es_1724b854923485bf_themeservice.dll.mui_9e71f1ab NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-v..skservice.resources_31bf3856ad364e35_10.0.19041.1_en-us_5801e9f68bdc3d85_vds.exe.mui_2268d934 NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_10.0.19041.1202_none_2b327e97dbe87a1a_ole32.dll_e9dcc2e3 NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasrtutils_31bf3856ad364e35_10.0.19041.84_none_0f0d5b9b4cf8bb4a.manifest NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_uk-ua_4f4fad6deb8a668a.manifest NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b68b71ac47f7eb2c_kmddsp.tsp.mui_80ddeedb NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..r-webclnt.resources_31bf3856ad364e35_10.0.19041.1_de-de_4c6b2c19811dd13e_webclnt.dll.mui_e8f04040 NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..geservice.resources_31bf3856ad364e35_10.0.19041.1_it-it_b281bba039a7e747_storsvc.dll.mui_2fc7b1d3 NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wininit_31bf3856ad364e35_10.0.19041.1202_none_a5b2e5b8b986fe3d.manifest NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1023_et-ee_b7f98987b747df8e.manifest NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-commonlog.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_6acc9b918cd7cb00.manifest NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.19041.1_none_ca60666860ba12d7_dos869.fon_85f815ea NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..r_service.resources_31bf3856ad364e35_10.0.19041.1_es-es_6871eca24b40d9a0_iscsicli.exe.mui_64c0a23c NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-spp.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_81894ccc937e212a_sppsvc.exe.mui_40875a72 NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-v..skservice.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_86d2322d49223ce5_vdsutil.dll.mui_0caf9b0e NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_it-it_580bf62c3d55fd5e.manifest NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_b40cbfe2afd2c015.manifest NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_cs-cz_f172b704a150188c.manifest NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-m..ntmanager.resources_31bf3856ad364e35_10.0.19041.1_it-it_7fa90776a8cf7d8b_mountmgr.sys.mui_71b54a25 NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ncrypt-dll_31bf3856ad364e35_10.0.19041.662_none_3bbdfd78507f28c7.manifest NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.19041.1202_en-us_d882497830128342.manifest NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_cs-cz_cfb8187da0acdc81_comctl32.dll.mui_0da4e682 NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_ro-ro_a7fd6f88bbbece6f.manifest NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase-core_31bf3856ad364e35_10.0.19041.546_none_0fdfc09722e8c30a_ndistapi.sys_8cfad169 NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-user32.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_9671d830bd73c88f_user32.dll.mui_14652dbb NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..gon-tools.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_6e2070f8240ab764.manifest NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-shsvcs.resources_31bf3856ad364e35_10.0.19041.1_it-it_da88293649d0d609_shsvcs.dll.mui_b69fccab NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-usermodensi.resources_31bf3856ad364e35_10.0.19041.1_es-es_f20d80907f57aa9d_nsisvc.dll.mui_237a741f NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-netapi32_31bf3856ad364e35_10.0.19041.1_none_4d79d2e8d54e26a8.manifest NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-efs-service.resources_31bf3856ad364e35_10.0.19041.1_en-us_02d41c75ec2f1710.manifest NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase_31bf3856ad364e35_10.0.19041.746_none_ebd9b2add93e89de_cis.scp_0303a193 NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_pl-pl_caa978e2e1557994_comctl32.dll.mui_0da4e682 NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_nb-no_1c114980f11087ca.manifest NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_it-it_05ff04e5d71bfd5f_bootmgr.exe.mui_c434701f NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..cture-bsp.resources_31bf3856ad364e35_10.0.19041.1_en-us_83d24a0903134528_mswsock.dll.mui_d7c2a730 NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ui-xaml-controls_31bf3856ad364e35_10.0.19041.1023_none_95090027c7abbbb9_windows.ui.xaml.controls.dll_4c861b99 NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tcpip.resources_31bf3856ad364e35_10.0.19041.1_en-us_823386dc6c818518.manifest NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exepid process 4692 NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe 4692 NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exedescription pid process target process PID 4692 wrote to memory of 2808 4692 NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe cmd.exe PID 4692 wrote to memory of 2808 4692 NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe cmd.exe PID 4692 wrote to memory of 2808 4692 NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe"1⤵
- Checks computer location settings
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures2⤵