Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231025-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231025-en, locale:en-us, os:windows7-x64, system
  • submitted
    17/11/2023, 19:58

General

  • Target

    NEAS.19a58f81b02199879dc32323dcd079b0.exe

  • Size

    211KB

  • MD5

    19a58f81b02199879dc32323dcd079b0

  • SHA1

    202bab4b8926c0462b383fce99f848c6a601fed3

  • SHA256

    a52fdfb6ccf0200b9ebcb2c313c37e52bc066612a0be860dd24a8ea56b772ed8

  • SHA512

    963beec0654bf293b589db3e3f42fb84d21803703a5d5ad719b3f52c08a4d9a497fcccc03fed16d59e972f5b661ca87d90e4759d721f80698a5b8d7bf5184612

  • SSDEEP

    3072:JD6Xtx68yygRBE52mxkEOHLRMpZ4deth8PEAjAfIbAYGPhz6sPJBInxZqO0:Jh8cBzHLRMpZ4d1Z0

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.19a58f81b02199879dc32323dcd079b0.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.19a58f81b02199879dc32323dcd079b0.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2428
    • \??\c:\windows\userinit.exe
      c:\windows\userinit.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2744
      • \??\c:\windows\spoolsw.exe
        c:\windows\spoolsw.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2740
        • \??\c:\windows\swchost.exe
          c:\windows\swchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2676
          • \??\c:\windows\spoolsw.exe
            c:\windows\spoolsw.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2712

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\mrsys.exe

          Filesize

          211KB

          MD5

          2b17900a9c444c60cd2d4fa9aadc4836

          SHA1

          21a69110d02c1cbdb02f721f2b8974d54085bb51

          SHA256

          d5fa2e9fd0bda8b097881df0a6f15524fe44523fbeb997f0faae9df5cdb930d5

          SHA512

          9a858ea6f634cf411b947dfae203d454cfe53de6c9990f965860d90871a2426df925ea915dd5ea5b7af80eb36efa429ec396ac7a5eb7276019bfaa6b114f6e2c

        • C:\Windows\spoolsw.exe

          Filesize

          211KB

          MD5

          fafa524cf661c42bdcd2b5270ccc1d21

          SHA1

          688149fd59bea4f269fdc8f51e5ed7d51a0f23d7

          SHA256

          b0c646bad73d7a146f0961cb63a9239b0e8bc6a978e461f9c9642b72dde580d3

          SHA512

          1a4ec3e6bdde3fb221844409a0d85086b5dc4cf6ef20ba143909854335e6bb61079e9530e7bfb690937fa63cb451112bca538cc6f561420af613aaa6a22c740a

        • C:\Windows\swchost.exe

          Filesize

          211KB

          MD5

          7f9c599d9bad1690f41902a3f1fd3675

          SHA1

          9f220b7ab485ca9fdb806841fe4cdd20f8c9ba6b

          SHA256

          bffcaf49b5ba9dd9b4703fb65f5b3b4665cbf8e9e9b4494a1d6fa11772f7726b

          SHA512

          0e9d88892b6f953660bcfbf73c203368ccce3e4620434340a7d703212cadbefd1dfb439a5018db70c52d1451c457bc7af99d7d961b7c9099a568e648cb59289e

        • C:\Windows\userinit.exe

          Filesize

          211KB

          MD5

          d435e18aac38195433a0972ca1c333f0

          SHA1

          2c381ed74392e081c544f3d6f9aee16ac9297a0a

          SHA256

          7be7774f8f40ebcd89ad64bf14bf044a12bc7c16ee8476ea8318d3a65a2bd528

          SHA512

          7504dd9eaf7e5eda5ddc7d02855c31a5e6f7398832346c3d3f664148fb3a84ca99939cbe274a9a1971fdd7919696f79a075bb9d576f7a9c3e4c3a90c2a7dd4ab

        • \??\c:\windows\spoolsw.exe

          Filesize

          211KB

          MD5

          fafa524cf661c42bdcd2b5270ccc1d21

          SHA1

          688149fd59bea4f269fdc8f51e5ed7d51a0f23d7

          SHA256

          b0c646bad73d7a146f0961cb63a9239b0e8bc6a978e461f9c9642b72dde580d3

          SHA512

          1a4ec3e6bdde3fb221844409a0d85086b5dc4cf6ef20ba143909854335e6bb61079e9530e7bfb690937fa63cb451112bca538cc6f561420af613aaa6a22c740a

        • \??\c:\windows\swchost.exe

          Filesize

          211KB

          MD5

          7f9c599d9bad1690f41902a3f1fd3675

          SHA1

          9f220b7ab485ca9fdb806841fe4cdd20f8c9ba6b

          SHA256

          bffcaf49b5ba9dd9b4703fb65f5b3b4665cbf8e9e9b4494a1d6fa11772f7726b

          SHA512

          0e9d88892b6f953660bcfbf73c203368ccce3e4620434340a7d703212cadbefd1dfb439a5018db70c52d1451c457bc7af99d7d961b7c9099a568e648cb59289e

        • \??\c:\windows\userinit.exe

          Filesize

          211KB

          MD5

          d435e18aac38195433a0972ca1c333f0

          SHA1

          2c381ed74392e081c544f3d6f9aee16ac9297a0a

          SHA256

          7be7774f8f40ebcd89ad64bf14bf044a12bc7c16ee8476ea8318d3a65a2bd528

          SHA512

          7504dd9eaf7e5eda5ddc7d02855c31a5e6f7398832346c3d3f664148fb3a84ca99939cbe274a9a1971fdd7919696f79a075bb9d576f7a9c3e4c3a90c2a7dd4ab