Analysis
- max time kernel: 150s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 06-05-2024 17:05
Behavioral task: behavioral1
- Sample: 3d7e7813207093caa26427cf036cb9c6_NEAS.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 3d7e7813207093caa26427cf036cb9c6_NEAS.exe
- Resource: win10v2004-20240419-en
General
- Target: 3d7e7813207093caa26427cf036cb9c6_NEAS.exe
- Size: 5.4MB
- MD5: 3d7e7813207093caa26427cf036cb9c6
- SHA1: 3451b3d29d43b5e5e0d145ff05157e904926db86
- SHA256: 4e62e7a3b77d4d0abb803c175f51d1242fda33bfd3308991b9e90391cac1c369
- SHA512: a3ee90811d637cbb930ca99c686b0eec454f660e10f6919bae4a101fac60e838cd8bd69b0aabdc267e41bb7e8f63f80132a706067d104eaf5f914cd83a7ec35d
- SSDEEP: 49152:Fl/ijN5j2Xsl3RJ3LHobUQDgok3QTj+J49iApNKBTOyCPOOlYvoGxUSJpXW:FlerjesRJ8YQU/cX9iTOPOOsRXW
Malware Config
Signatures
- Detect Neshta payload (1 IoC)
  Processes:
  resource | yara_rule
  behavioral1/files/0x000900000001448a-8.dat | family_neshta
  Neshta
  Malware from the Neshta family is designed to inject itself into other files in order to spread and cause damage.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" | 3d7e7813207093caa26427cf036cb9c6_NEAS.exe
- Drops autorun.inf file (1 TTP, 1 IoC)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  Processes:
  description | ioc | Process
  File opened for modification | C:\Users\Admin\AppData\Local\Temp\:\autorun.inf | 3d7e7813207093caa26427cf036cb9c6_NEAS.exe
- Drops file in System32 directory (64 IoCs)
  Processes:
  Process (all rows): 3d7e7813207093caa26427cf036cb9c6_NEAS.exe
  description | ioc
  File opened for modification | C:\Windows\SysWOW64\SystemPropertiesComputerName.exe
  File opened for modification | C:\Windows\SysWOW64\whoami.exe
  File opened for modification | C:\Windows\SysWOW64\makecab.exe
  File opened for modification | C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe
  File opened for modification | C:\Windows\SysWOW64\SystemPropertiesProtection.exe
  File opened for modification | C:\Windows\SysWOW64\IME\IMEJP10\imjpuexc.exe
  File opened for modification | C:\Windows\SysWOW64\dcomcnfg.exe
  File opened for modification | C:\Windows\SysWOW64\ktmutil.exe
  File opened for modification | C:\Windows\SysWOW64\com\comrepl.exe
  File opened for modification | C:\Windows\SysWOW64\HOSTNAME.EXE
  File opened for modification | C:\Windows\SysWOW64\NAPSTAT.EXE
  File opened for modification | C:\Windows\SysWOW64\ntprint.exe
  File opened for modification | C:\Windows\SysWOW64\instnm.exe
  File opened for modification | C:\Windows\SysWOW64\srdelayed.exe
  File opened for modification | C:\Windows\SysWOW64\IME\IMEJP10\IMJPMGR.EXE
  File opened for modification | C:\Windows\SysWOW64\dpapimig.exe
  File opened for modification | C:\Windows\SysWOW64\DpiScaling.exe
  File opened for modification | C:\Windows\SysWOW64\regini.exe
  File opened for modification | C:\Windows\SysWOW64\sfc.exe
  File opened for modification | C:\Windows\SysWOW64\wusa.exe
  File opened for modification | C:\Windows\SysWOW64\wbem\WinMgmt.exe
  File opened for modification | C:\Windows\SysWOW64\charmap.exe
  File opened for modification | C:\Windows\SysWOW64\upnpcont.exe
  File opened for modification | C:\Windows\SysWOW64\convert.exe
  File opened for modification | C:\Windows\SysWOW64\osk.exe
  File opened for modification | C:\Windows\SysWOW64\print.exe
  File opened for modification | C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe
  File opened for modification | C:\Windows\SysWOW64\wiaacmgr.exe
  File opened for modification | C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
  File opened for modification | C:\Windows\SysWOW64\odbcad32.exe
  File opened for modification | C:\Windows\SysWOW64\runonce.exe
  File opened for modification | C:\Windows\SysWOW64\cipher.exe
  File opened for modification | C:\Windows\SysWOW64\cmmon32.exe
  File opened for modification | C:\Windows\SysWOW64\relog.exe
  File opened for modification | C:\Windows\SysWOW64\net.exe
  File opened for modification | C:\Windows\SysWOW64\shrpubw.exe
  File opened for modification | C:\Windows\SysWOW64\waitfor.exe
  File opened for modification | C:\Windows\SysWOW64\icardagt.exe
  File opened for modification | C:\Windows\SysWOW64\netsh.exe
  File opened for modification | C:\Windows\SysWOW64\replace.exe
  File opened for modification | C:\Windows\SysWOW64\autochk.exe
  File opened for modification | C:\Windows\SysWOW64\dplaysvr.exe
  File opened for modification | C:\Windows\SysWOW64\find.exe
  File opened for modification | C:\Windows\SysWOW64\findstr.exe
  File opened for modification | C:\Windows\SysWOW64\rdrleakdiag.exe
  File opened for modification | C:\Windows\SysWOW64\tcmsetup.exe
  File opened for modification | C:\Windows\SysWOW64\WerFault.exe
  File opened for modification | C:\Windows\SysWOW64\tasklist.exe
  File opened for modification | C:\Windows\SysWOW64\AdapterTroubleshooter.exe
  File opened for modification | C:\Windows\SysWOW64\autoconv.exe
  File opened for modification | C:\Windows\SysWOW64\CertEnrollCtrl.exe
  File opened for modification | C:\Windows\SysWOW64\regedit.exe
  File opened for modification | C:\Windows\SysWOW64\runas.exe
  File opened for modification | C:\Windows\SysWOW64\setup16.exe
  File opened for modification | C:\Windows\SysWOW64\setupugc.exe
  File opened for modification | C:\Windows\SysWOW64\wowreg32.exe
  File opened for modification | C:\Windows\SysWOW64\eventcreate.exe
  File opened for modification | C:\Windows\SysWOW64\hdwwiz.exe
  File opened for modification | C:\Windows\SysWOW64\powercfg.exe
  File opened for modification | C:\Windows\SysWOW64\regedt32.exe
  File opened for modification | C:\Windows\SysWOW64\schtasks.exe
  File opened for modification | C:\Windows\SysWOW64\diskraid.exe
  File opened for modification | C:\Windows\SysWOW64\iscsicli.exe
  File opened for modification | C:\Windows\SysWOW64\WerFaultSecure.exe
- Drops file in Program Files directory (64 IoCs)
  Processes:
  Process (all rows): 3d7e7813207093caa26427cf036cb9c6_NEAS.exe
  description | ioc
  File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe$
  File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE$
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe
  File created | C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE$
  File opened for modification | C:\Program Files\Java\jre7\bin\orbd.exe
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE
  File created | C:\Program Files\7-Zip\7zG.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE$
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe$
  File created | C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe
  File opened for modification | C:\Program Files\Microsoft Games\Chess\Chess.exe$
  File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe$
  File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe
  File created | C:\Program Files\Mozilla Firefox\uninstall\helper.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe
  File created | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe
  File created | C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\java.exe$
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe$
  File opened for modification | C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe$
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\java.exe
  File created | C:\Program Files\Java\jre7\bin\jp2launcher.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE$
  File created | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe
  File created | C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe$
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe$
  File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe
  File created | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE
  File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe$
  File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe$
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
  File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe
  File created | C:\Program Files\Java\jre7\bin\tnameserv.exe
  File created | C:\Program Files\Microsoft Games\Hearts\Hearts.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe
  File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe$
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe$
  File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
  File opened for modification | C:\Program Files\Windows Media Player\wmpshare.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe
  File created | C:\Program Files\Microsoft Games\Chess\Chess.exe
  File opened for modification | C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe$
  File opened for modification | C:\Program Files (x86)\Windows Media Player\wmpenc.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe$
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe$
  File created | C:\Program Files\Java\jdk1.7.0_80\bin\java.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe
  File created | C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe
  File created | C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE
- Drops file in Windows directory (64 IoCs)
  Processes:
  Process (all rows): 3d7e7813207093caa26427cf036cb9c6_NEAS.exe
  description | ioc
  File opened for modification | C:\Windows\winsxs\wow64_eventviewersettings_31bf3856ad364e35_6.1.7600.16385_none_5b41740051c4eca4\eventvwr.exe
  File opened for modification | C:\Windows\ehome\ehexthost.exe
  File opened for modification | C:\Windows\winsxs\amd64_aspnet_regsql_b03f5f7f11d50a3a_6.1.7600.16385_none_dcb42ec76404494f\aspnet_regsql.exe
  File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-choice_31bf3856ad364e35_6.1.7601.17514_none_218cf07ba262766c\choice.exe
  File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-defrag-cmdline_31bf3856ad364e35_6.1.7600.16385_none_2370c162e00680c3\Defrag.exe
  File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-driverquery_31bf3856ad364e35_6.1.7600.16385_none_f217bd1caebaa683\driverquery.exe
  File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-p..erandprintui-pmcppc_31bf3856ad364e35_6.1.7601.17514_none_698e475b97512fc9\PushPrinterConnections.exe
  File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-t..localsessionmanager_31bf3856ad364e35_6.1.7601.17514_none_036ad230212a39ce\lsm.exe
  File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_cde90685eb910636\winlogon.exe
  File opened for modification | C:\Windows\assembly\GAC_MSIL\WsatConfig\3.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$
  File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe
  File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.1.7601.17514_none_3337092d63596104\sdbinst.exe
  File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-coreusermodepnp_31bf3856ad364e35_6.1.7601.17514_none_d527b0a5438b8346\drvinst.exe
  File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-i..xing-service-server_31bf3856ad364e35_6.1.7601.17514_none_0db5e5844ed6ffe9\CISVC.EXE
  File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_6.1.7601.17514_none_dfe02de35bf41e0b\PrintBrm.exe
  File opened for modification | C:\Windows\winsxs\amd64_netfx35cdf-csd_cdf_installer_31bf3856ad364e35_6.1.7600.16385_none_b45109ec45a678fc\WFServicesReg.exe
  File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\dfsvc\9bc0d921859b039d6e9f642148333949\dfsvc.ni.exe$
  File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
  File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-ddodiag_31bf3856ad364e35_6.1.7600.16385_none_924b83b9b69fb351\ddodiag.exe
  File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-notepadwin_31bf3856ad364e35_6.1.7600.16385_none_9ebebe8614be1470\notepad.exe
  File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_6.1.7601.17514_none_42d65ed50fa3c682\tsdiscon.exe
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-dns-client_31bf3856ad364e35_6.1.7601.17514_none_4008824c98f8edac_dnscacheugc.exe_aa32623e
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
  File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-a..ion-telemetry-agent_31bf3856ad364e35_6.1.7601.17514_none_3092574c7d41010b\aitagent.exe
  File created | C:\Windows\assembly\GAC_MSIL\ehexthost\6.1.0.0__31bf3856ad364e35\ehexthost.exe
  File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\PresentationFontCac#\0246845f487e5f33d3564eff578665a3\PresentationFontCache.ni.exe
  File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-fax-service_31bf3856ad364e35_6.1.7601.17514_none_0b499f2c96e8f6b2\FXSSVC.exe
  File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-nfs-clientcore_31bf3856ad364e35_6.1.7601.17514_none_0b0882245933a065\nfsclnt.exe
  File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_6.1.7601.17514_none_bf4980401574a899\logman.exe
  File opened for modification | C:\Windows\winsxs\amd64_subsystem-for-unix-based-applications_31bf3856ad364e35_6.1.7601.17514_none_d20e5d35068f261a\psxrun.exe
  File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-mediaplayer-logagent_31bf3856ad364e35_6.1.7600.16385_none_47357ddedbb9dec6\logagent.exe
  File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-powershell-exe_31bf3856ad364e35_6.1.7600.16385_none_c50af05b1be3aa2b\powershell.exe
  File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\MSBuild\af28543d9b3e7d9f110448ecce53cd72\MSBuild.ni.exe$
  File created | C:\Windows\assembly\NativeImages_v4.0.30319_32\ComSvcConfig\2bd538d545e15452202ef3b41080e2ce\ComSvcConfig.ni.exe
  File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe
  File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-com-surrogate_31bf3856ad364e35_6.1.7600.16385_none_a018e05d0d33081d\dllhst3g.exe
  File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-international-core_31bf3856ad364e35_6.1.7600.16385_none_459f562ff37206dd\MuiUnattend.exe
  File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..otservicing-utility_31bf3856ad364e35_6.1.7600.16385_none_d139a2cea567ce3f\fveupdate.exe
  File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-taskhost_31bf3856ad364e35_6.1.7601.22172_none_86ab4a318a459fda\taskhost.exe
  File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-adaptertroubleshooter_31bf3856ad364e35_6.1.7600.16385_none_2df6395b9cf7e9a5\AdapterTroubleshooter.exe
  File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-eventlog-commandline_31bf3856ad364e35_6.1.7600.16385_none_1cc9274696810e2f\wevtutil.exe
  File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-ie-ieetwcollector_31bf3856ad364e35_11.2.9600.16428_none_a56da9e617d4f97e\ieetwcollector.exe
  File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-mediafoundation_31bf3856ad364e35_6.1.7601.17514_none_fa8534ab236134c4\rrinstaller.exe
  File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-secinit_31bf3856ad364e35_6.1.7600.16385_none_e3ace21ee6af3fb6\secinit.exe
  File opened for modification | C:\Windows\winsxs\msil_smsvchost_b03f5f7f11d50a3a_6.1.7601.17514_none_e6b622bd1115139e\SMSvcHost.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess.exe
  File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-fdddo_31bf3856ad364e35_6.1.7600.16385_none_b0de2afe4ca7a1e2\DeviceDisplayObjectProvider.exe
  File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..native-whitebox-isv_31bf3856ad364e35_6.1.7601.17514_none_4777e36e0649406c\RMActivate_isv.exe
  File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-tcpip-utility_31bf3856ad364e35_6.1.7601.17514_none_90ecf919657dacf4\MRINFO.EXE
  File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-networkbridge_31bf3856ad364e35_6.1.7600.16385_none_63dee2821fc69fce_bridgeunattend.exe_60b7e340
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v3.5\WFServicesReg.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
  File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\IMEPADSV.EXE
  File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..nboxgames-solitaire_31bf3856ad364e35_6.1.7600.16385_none_d1124c00155dfd14\Solitaire.exe
  File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-scripting_31bf3856ad364e35_6.1.7600.16385_none_a45d44bd1a0af822\wscript.exe
  File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Narrator\4cc02fad33053737088d4c18267ca0a0\Narrator.ni.exe
  File opened for modification | C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\cagicon.exe
  File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-lua_31bf3856ad364e35_6.1.7601.17514_none_047062a1736af5b9\consent.exe
  File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-controlpanel_31bf3856ad364e35_6.1.7601.17514_none_3d9977977190cdc4\MultiDigiMon.exe
  File created | C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe
  File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
  File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_32\WsatConfig\537950d9c71af966e1d8c9deb550f842\WsatConfig.ni.exe
- NTFS ADS (1 IoC)
  Processes:
  description | ioc | Process
  File opened for modification | C:\Users\Admin\AppData\Local\Temp\:\autorun.inf | 3d7e7813207093caa26427cf036cb9c6_NEAS.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  pid | Process
  3028 | 3d7e7813207093caa26427cf036cb9c6_NEAS.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\3d7e7813207093caa26427cf036cb9c6_NEAS.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3d7e7813207093caa26427cf036cb9c6_NEAS.exe"
  Signatures:
  - Adds Run key to start application
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - NTFS ADS
  - Suspicious use of SetWindowsHookEx
  PID: 3028
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 5.4MB
- MD5: 3d7e7813207093caa26427cf036cb9c6
- SHA1: 3451b3d29d43b5e5e0d145ff05157e904926db86
- SHA256: 4e62e7a3b77d4d0abb803c175f51d1242fda33bfd3308991b9e90391cac1c369
- SHA512: a3ee90811d637cbb930ca99c686b0eec454f660e10f6919bae4a101fac60e838cd8bd69b0aabdc267e41bb7e8f63f80132a706067d104eaf5f914cd83a7ec35d