dd726446220fd9c0f4d4cc69268c4935b55e620b1a710185f14cbd7a3eab4d0d

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
06/05/2024, 23:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

365363beb9928ec19bd7b7c7ea6a4e70_NEAS.exe
Size

804KB
MD5

365363beb9928ec19bd7b7c7ea6a4e70
SHA1

c246a89a078a599b7ed1300cf16298d1c0dc21a6
SHA256

dd726446220fd9c0f4d4cc69268c4935b55e620b1a710185f14cbd7a3eab4d0d
SHA512

feed937665c2606eff53610abc27082f5bc0e99670f120490a5ebc264189d957c5d690282d9fb78b510b3f5aeb9c9379496a7af3d7b713d054d861fbb7c1da4e
SSDEEP

12288:PFUNDaHz14TZYCdvf/WCCr8+bNlz+OeO+OeNhBBhhBBHClpYZjMsYEe1azQ3+042:PFOaHq1fObNlS3OsQaKZSqw7m9dgkx

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Executes dropped EXE 6 IoCs

pid	Process
2504	365363beb9928ec19bd7b7c7ea6a4e70_neas.exe
2556	icsys.icn.exe
2568	explorer.exe
2208	spoolsv.exe
2628	svchost.exe
2636	spoolsv.exe

Loads dropped DLL 6 IoCs

pid	Process
1756	365363beb9928ec19bd7b7c7ea6a4e70_NEAS.exe
1756	365363beb9928ec19bd7b7c7ea6a4e70_NEAS.exe
2556	icsys.icn.exe
2568	explorer.exe
2208	spoolsv.exe
2628	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	365363beb9928ec19bd7b7c7ea6a4e70_NEAS.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2828	schtasks.exe
2124	schtasks.exe
2840	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1756	365363beb9928ec19bd7b7c7ea6a4e70_NEAS.exe
1756	365363beb9928ec19bd7b7c7ea6a4e70_NEAS.exe
1756	365363beb9928ec19bd7b7c7ea6a4e70_NEAS.exe
1756	365363beb9928ec19bd7b7c7ea6a4e70_NEAS.exe
1756	365363beb9928ec19bd7b7c7ea6a4e70_NEAS.exe
1756	365363beb9928ec19bd7b7c7ea6a4e70_NEAS.exe
1756	365363beb9928ec19bd7b7c7ea6a4e70_NEAS.exe
1756	365363beb9928ec19bd7b7c7ea6a4e70_NEAS.exe
1756	365363beb9928ec19bd7b7c7ea6a4e70_NEAS.exe
1756	365363beb9928ec19bd7b7c7ea6a4e70_NEAS.exe
1756	365363beb9928ec19bd7b7c7ea6a4e70_NEAS.exe
1756	365363beb9928ec19bd7b7c7ea6a4e70_NEAS.exe
1756	365363beb9928ec19bd7b7c7ea6a4e70_NEAS.exe
1756	365363beb9928ec19bd7b7c7ea6a4e70_NEAS.exe
1756	365363beb9928ec19bd7b7c7ea6a4e70_NEAS.exe
1756	365363beb9928ec19bd7b7c7ea6a4e70_NEAS.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2568	explorer.exe
2568	explorer.exe
2568	explorer.exe
2568	explorer.exe
2568	explorer.exe
2568	explorer.exe
2568	explorer.exe
2568	explorer.exe
2568	explorer.exe
2568	explorer.exe
2568	explorer.exe
2568	explorer.exe
2568	explorer.exe
2568	explorer.exe
2568	explorer.exe
2568	explorer.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2628	svchost.exe
2568	explorer.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1756	365363beb9928ec19bd7b7c7ea6a4e70_NEAS.exe
1756	365363beb9928ec19bd7b7c7ea6a4e70_NEAS.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2568	explorer.exe
2568	explorer.exe
2208	spoolsv.exe
2208	spoolsv.exe
2628	svchost.exe
2628	svchost.exe
2636	spoolsv.exe
2636	spoolsv.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 2504	1756	365363beb9928ec19bd7b7c7ea6a4e70_NEAS.exe	28
PID 1756 wrote to memory of 2504	1756	365363beb9928ec19bd7b7c7ea6a4e70_NEAS.exe	28
PID 1756 wrote to memory of 2504	1756	365363beb9928ec19bd7b7c7ea6a4e70_NEAS.exe	28
PID 1756 wrote to memory of 2504	1756	365363beb9928ec19bd7b7c7ea6a4e70_NEAS.exe	28
PID 1756 wrote to memory of 2556	1756	365363beb9928ec19bd7b7c7ea6a4e70_NEAS.exe	30
PID 1756 wrote to memory of 2556	1756	365363beb9928ec19bd7b7c7ea6a4e70_NEAS.exe	30
PID 1756 wrote to memory of 2556	1756	365363beb9928ec19bd7b7c7ea6a4e70_NEAS.exe	30
PID 1756 wrote to memory of 2556	1756	365363beb9928ec19bd7b7c7ea6a4e70_NEAS.exe	30
PID 2556 wrote to memory of 2568	2556	icsys.icn.exe	31
PID 2556 wrote to memory of 2568	2556	icsys.icn.exe	31
PID 2556 wrote to memory of 2568	2556	icsys.icn.exe	31
PID 2556 wrote to memory of 2568	2556	icsys.icn.exe	31
PID 2568 wrote to memory of 2208	2568	explorer.exe	32
PID 2568 wrote to memory of 2208	2568	explorer.exe	32
PID 2568 wrote to memory of 2208	2568	explorer.exe	32
PID 2568 wrote to memory of 2208	2568	explorer.exe	32
PID 2208 wrote to memory of 2628	2208	spoolsv.exe	33
PID 2208 wrote to memory of 2628	2208	spoolsv.exe	33
PID 2208 wrote to memory of 2628	2208	spoolsv.exe	33
PID 2208 wrote to memory of 2628	2208	spoolsv.exe	33
PID 2628 wrote to memory of 2636	2628	svchost.exe	34
PID 2628 wrote to memory of 2636	2628	svchost.exe	34
PID 2628 wrote to memory of 2636	2628	svchost.exe	34
PID 2628 wrote to memory of 2636	2628	svchost.exe	34
PID 2568 wrote to memory of 2324	2568	explorer.exe	35
PID 2568 wrote to memory of 2324	2568	explorer.exe	35
PID 2568 wrote to memory of 2324	2568	explorer.exe	35
PID 2568 wrote to memory of 2324	2568	explorer.exe	35
PID 2628 wrote to memory of 2828	2628	svchost.exe	36
PID 2628 wrote to memory of 2828	2628	svchost.exe	36
PID 2628 wrote to memory of 2828	2628	svchost.exe	36
PID 2628 wrote to memory of 2828	2628	svchost.exe	36
PID 2628 wrote to memory of 2124	2628	svchost.exe	41
PID 2628 wrote to memory of 2124	2628	svchost.exe	41
PID 2628 wrote to memory of 2124	2628	svchost.exe	41
PID 2628 wrote to memory of 2124	2628	svchost.exe	41
PID 2628 wrote to memory of 2840	2628	svchost.exe	43
PID 2628 wrote to memory of 2840	2628	svchost.exe	43
PID 2628 wrote to memory of 2840	2628	svchost.exe	43
PID 2628 wrote to memory of 2840	2628	svchost.exe	43

C:\Users\Admin\AppData\Local\Temp\365363beb9928ec19bd7b7c7ea6a4e70_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\365363beb9928ec19bd7b7c7ea6a4e70_NEAS.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1756
- \??\c:\users\admin\appdata\local\temp\365363beb9928ec19bd7b7c7ea6a4e70_neas.exe
  c:\users\admin\appdata\local\temp\365363beb9928ec19bd7b7c7ea6a4e70_neas.exe
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2556
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2208
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2628
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2636
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:00 /f
        6⤵
        Creates scheduled task(s)
        
        PID:2828
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:01 /f
        6⤵
        Creates scheduled task(s)
        
        PID:2124
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:02 /f
        6⤵
        Creates scheduled task(s)
        
        PID:2840
  - - C:\Windows\Explorer.exe
      C:\Windows\Explorer.exe
      4⤵
      PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
abd835ce5f26149d1c8eb1b70255cc0a

SHA1
7c3d614a37f3a2ccb67eaea7061f6ede1eabb4a4

SHA256
215f1e9d710fb18b9f72e19a5b079ca41873e5882f6a31345ed6aa6cff3d9b78

SHA512
356275718605a52e0d4205114318501fc39b9e189c6b58580371d23a3f68624c93e2ee60a0e75055e746a0550116af3ed00597eb7cef24e872a2f15b8006c945

Download Submit
\Users\Admin\AppData\Local\Temp\365363beb9928ec19bd7b7c7ea6a4e70_neas.exe

Filesize
669KB

MD5
16c15504e09238d54b3de2ad016db5f2

SHA1
c450125ed4d6d4e8e0aa8ded7bfeeabbf99e3eb4

SHA256
79511902128d2431e70db0f96e3386eb374ed397673adcb02dc25425ffb34b6b

SHA512
9afff271dd331a5d5d27aca8f3645c913f8a3320d85b84046d215ebd9cb7da3f818f3cb5cd8cdceaa43522c48dcfe98264f89bf32236e4d2a5096701a2ee8978

Download Submit
\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
880fdb7c55875a7f884d729823544f53

SHA1
eec235c966f2ac3e659676bdd3dbb3f3f884eb59

SHA256
34729645c0569017ee9c11d402af4734bc4435d69e44da7935b302e98fa51e59

SHA512
4fe3d623ee6d77b78545e7d70c1df1039d9ccd45979147033b74e83c5bc1175bf43ab0acd1ac5a41b9545910b23319c2200339dceb4f105a51d13dd4fa32c55c

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
0aa8e82f76b56b1a702d0bc68488e258

SHA1
b75c2acd3ff5590eafb843ae5b2596fa83d38d34

SHA256
96c5715d69b4ee9eb615113592e503d063a900f0a068a0629ab852e7e60dba67

SHA512
5f5d5110675fc364ae6c80c5597155a133ab4c28bb25e984da48bd9829477a1ba2ee6669685b1c4c4a6972aa3ebdb431e1c9c6c28264eb509b58523621a42e22

Download Submit
\Windows\Resources\svchost.exe

Filesize
135KB

MD5
0be0bbfb45d4104f7e47cbcc3021f902

SHA1
3367af15dc46c8437f6a7971ad1d0abd906326fb

SHA256
4802729eada758bc6ef4fe875234600865ffc8898608728a336b17e15bb958b5

SHA512
8f21dc354e1d62004a493bcc97849e0f31dc72bc5de74c409c736f792f8a61fcf113fd9b3bbe880ae8214210614236291c03996c2f0c6f7ebe6528e36c13ddae

Download Submit
memory/1756-59-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1756-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2208-37-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2208-57-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2556-58-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2556-24-0x00000000002A0000-0x00000000002BF000-memory.dmp

Filesize
124KB

Download
memory/2628-52-0x00000000004A0000-0x00000000004BF000-memory.dmp

Filesize
124KB

Download
memory/2636-56-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download