Analysis
max time kernel: 119s
max time network: 122s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 18/11/2023, 04:26

Static task: static1
Behavioral task: behavioral1
  Sample: NEAS.1aefc03ad5daa50c1287f543021a1510.exe
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: NEAS.1aefc03ad5daa50c1287f543021a1510.exe
  Resource: win10v2004-20231023-en
General
Target: NEAS.1aefc03ad5daa50c1287f543021a1510.exe
Size: 288KB
MD5: 1aefc03ad5daa50c1287f543021a1510
SHA1: fe90d49b431123525a3095edbcb06031cb3db4a9
SHA256: 9e074a43c56ea0305fb2dfcb22b93756316b8535c26fa8289496e3519386feb1
SHA512: 703cf833d56587c45e5ef8de300773669dfc4d79a12f042a465a7c71ad23f8e182961b5674d3ef09a882404970846936783c842f7a2ed2d10aef66570e112cde
SSDEEP: 3072:eMRpJx2Eem+5GpORRm8Nd6B9qAIt5X8PNvRKGkD2IZvQ1OIGCf7db/uLoY46HGV9:ppuIpqf6B9qAaZeNvQzlZ43oohZnmYi
Malware Config

Signatures

Modifies Windows Firewall (1 TTP, 1 IoC)
  pid 1440, Process netsh.exe

Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\server.exe (Process: NEAS.1aefc03ad5daa50c1287f543021a1510.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\server.exe (Process: NEAS.1aefc03ad5daa50c1287f543021a1510.exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\def9b6cd3f2b0c43097dfbc918862b82 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.1aefc03ad5daa50c1287f543021a1510.exe" (Process: NEAS.1aefc03ad5daa50c1287f543021a1510.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\def9b6cd3f2b0c43097dfbc918862b82 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.1aefc03ad5daa50c1287f543021a1510.exe" (Process: NEAS.1aefc03ad5daa50c1287f543021a1510.exe)

Suspicious use of AdjustPrivilegeToken (30 IoCs)
  All 30 entries are pid 2164, Process NEAS.1aefc03ad5daa50c1287f543021a1510.exe. Tokens, in the order reported:
  SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, 0, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege

Suspicious use of SetWindowsHookEx (1 IoC)
  pid 2164, Process NEAS.1aefc03ad5daa50c1287f543021a1510.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  PID 2164 (NEAS.1aefc03ad5daa50c1287f543021a1510.exe) wrote to memory of PID 1440, procid_target 29 (3 identical entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\NEAS.1aefc03ad5daa50c1287f543021a1510.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.1aefc03ad5daa50c1287f543021a1510.exe"
   PID: 2164
   - Drops startup file
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\netsh.exe (child of PID 2164)
      Command line: netsh firewall add allowedprogram C:\Users\Admin\AppData\Local\Temp\NEAS.1aefc03ad5daa50c1287f543021a1510.exe "NEAS.1aefc03ad5daa50c1287f543021a1510.exe" ENABLE
      PID: 1440
      - Modifies Windows Firewall
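The firewall, startup-folder and Run-key behaviours listed above, expressed as detection logic and run over constructed Sysmon-style events. This is an added example, not part of the sandbox report or of any vendor tooling. The event shapes are an assumption modelled on Sysmon Event IDs 1 (process create), 11 (file create) and 13 (registry value set); the sample events mirror the report's IoCs plus one benign control, and the rule names, severities and the two-rule correlation threshold are choices of this example.

```python
"""Added example (not part of the sandbox report): detection logic for the
behaviours the report flags, run over constructed Sysmon-style events.
Field names follow Sysmon Event IDs 1 (process create), 11 (file create)
and 13 (registry value set); events, rule names and severities are assumptions."""
import re
from typing import Dict, Iterable, List, Tuple

SAMPLE = "NEAS.1aefc03ad5daa50c1287f543021a1510.exe"
SAMPLE_PATH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE
USER_SID = "S-1-5-21-2084844033-2744876406-2053742436-1000"
RUN_VALUE = "def9b6cd3f2b0c43097dfbc918862b82"

# Constructed events mirroring the report's IoCs (not captured telemetry), plus one
# benign control: an installer under Program Files adding an advfirewall allow rule.
EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "ProcessId": "1440", "ParentProcessId": "2164",
     "Image": "C:\\Windows\\system32\\netsh.exe", "ParentImage": SAMPLE_PATH,
     "CommandLine": 'netsh firewall add allowedprogram %s "%s" ENABLE' % (SAMPLE_PATH, SAMPLE)},
    {"EventID": "11", "ProcessId": "2164", "Image": SAMPLE_PATH,
     "TargetFilename": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\server.exe"},
    {"EventID": "13", "ProcessId": "2164", "Image": SAMPLE_PATH, "Details": SAMPLE_PATH,
     "TargetObject": "\\REGISTRY\\USER\\" + USER_SID + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" + RUN_VALUE},
    {"EventID": "13", "ProcessId": "2164", "Image": SAMPLE_PATH, "Details": SAMPLE_PATH,
     "TargetObject": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\" + RUN_VALUE},
    {"EventID": "1", "ProcessId": "900", "ParentProcessId": "880",
     "Image": "C:\\Windows\\system32\\netsh.exe", "ParentImage": "C:\\Program Files\\Vendor\\setup.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="Vendor" dir=in action=allow program="C:\\Program Files\\Vendor\\app.exe"'},
]

# Legacy "netsh firewall" syntax (what the sample uses) and its advfirewall replacement.
RE_NETSH_ALLOW = re.compile(
    r"\bfirewall\s+add\s+allowedprogram\b|\badvfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b", re.I)
RE_STARTUP_DROP = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.(exe|dll|scr|bat|cmd|vbs|js|lnk)$", re.I)
RE_RUN_KEY = re.compile(
    r"^(HKLM|HKU\\S-1-5-21-[\d-]+)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
RE_USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|ProgramData|Users\\Public)\\", re.I)

Hit = Tuple[str, str, str]  # (rule, pid, severity)


def normalize_key(path: str) -> str:
    """Map native object-manager registry paths (the form in the report) to the HKLM\\ / HKU\\ form Sysmon emits."""
    for native, hive in (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\")):
        if path.upper().startswith(native):
            return hive + path[len(native):]
    return path


def detect(events: Iterable[Dict[str, str]]) -> List[Hit]:
    """Run the three rules over the events and return every hit."""
    hits: List[Hit] = []
    for e in events:
        eid = e.get("EventID")
        if eid == "1" and e["Image"].lower().endswith("\\netsh.exe") \
                and RE_NETSH_ALLOW.search(e.get("CommandLine", "")):
            # A netsh allow rule is high-confidence only when the parent itself lives in a
            # user-writable directory; installers under Program Files do this legitimately.
            sev = "high" if RE_USER_WRITABLE.search(e.get("ParentImage", "")) else "low"
            hits.append(("netsh_firewall_allow", e["ProcessId"], sev))
        elif eid == "11" and RE_STARTUP_DROP.search(e.get("TargetFilename", "")):
            hits.append(("startup_folder_drop", e["ProcessId"], "high"))
        elif eid == "13" and RE_RUN_KEY.search(normalize_key(e.get("TargetObject", ""))):
            sev = "high" if RE_USER_WRITABLE.search(e.get("Details", "")) else "medium"
            hits.append(("run_key_persistence", e["ProcessId"], sev))
    return hits


def correlate(events: Iterable[Dict[str, str]], hits: Iterable[Hit], min_rules: int = 2) -> Dict[str, List[str]]:
    """Charge each hit to its originating process (a netsh child is charged to the parent that
    spawned it) and return the processes that tripped at least `min_rules` distinct rules."""
    parent_of = {e["ProcessId"]: e["ParentProcessId"]
                 for e in events if e.get("EventID") == "1" and "ParentProcessId" in e}
    by_origin: Dict[str, set] = {}
    for rule, pid, _sev in hits:
        origin = parent_of.get(pid, pid) if rule == "netsh_firewall_allow" else pid
        by_origin.setdefault(origin, set()).add(rule)
    return {pid: sorted(rules) for pid, rules in by_origin.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    found = detect(EVENTS)
    for hit in found:
        print(hit)
    print(correlate(EVENTS, found))
```

Run stand-alone, the script reports the sample's three behaviours as one correlated cluster on PID 2164 and leaves the Program Files installer below the threshold. Two caveats for anyone turning the report into rules: `netsh firewall` is the legacy context, deprecated in favour of `netsh advfirewall`, so a detection that keys on one syntax alone misses the other; and the three WriteProcessMemory entries from PID 2164 into PID 1440 coincide with 2164 spawning netsh.exe, which is what ordinary process creation looks like and is not by itself evidence of injection. Note also that the ATT&CK matrix below lists Windows Service although none of the signatures above shows a service being created; treat that as the sandbox's mapping, not an observed behaviour.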
Network

MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)