Analysis

- max time kernel: 150s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 07/05/2024, 03:30

Static task: static1

Behavioral task: behavioral1
- Sample: 5be9acaebf27218731ef9bfca990b9f0_NEAS.exe
- Resource: win7-20240220-en

Behavioral task: behavioral2
- Sample: 5be9acaebf27218731ef9bfca990b9f0_NEAS.exe
- Resource: win10v2004-20240419-en
General

- Target: 5be9acaebf27218731ef9bfca990b9f0_NEAS.exe
- Size: 3.6MB
- MD5: 5be9acaebf27218731ef9bfca990b9f0
- SHA1: 903185395cf0bb739612903a048788538517c65a
- SHA256: fda373f32ac00a6d88ffb7ccfac41df243b8b6e42234d22b90b97cf385d70010
- SHA512: a0b2d8b1a1d07dcdc1c012f1abd416597d4ff7d275ad9604b8a025a8ad4f53744cfcc63621a9b56ddf05779f930807fdcc34258b0aa2ceae7337ff9ba700028c
- SSDEEP: 49152:ksgY1bXNn4iM1mo7JFAU9YfLxd4cY1DJmXTHX1bLu1LriJzf64iVDJEY:5gwrNn4Yo7Lefb4cY1DY5bL4Lrc7NaJ3
Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)

| Description | IoC | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe |
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 5 IoCs)

| Description | IoC | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 5be9acaebf27218731ef9bfca990b9f0_NEAS.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorer.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | spoolsv.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svchost.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | spoolsv.exe |
Checks BIOS information in registry (2 TTPs, 10 IoCs)

BIOS information is often read in order to detect sandboxing environments.

| Description | IoC | Process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svchost.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svchost.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | spoolsv.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 5be9acaebf27218731ef9bfca990b9f0_NEAS.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 5be9acaebf27218731ef9bfca990b9f0_NEAS.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | spoolsv.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | spoolsv.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorer.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | spoolsv.exe |
Executes dropped EXE (4 IoCs)

| PID | Process |
|---|---|
| 1972 | explorer.exe |
| 2240 | spoolsv.exe |
| 2756 | svchost.exe |
| 2660 | spoolsv.exe |

Loads dropped DLL (4 IoCs)

| PID | Process |
|---|---|
| 2192 | 5be9acaebf27218731ef9bfca990b9f0_NEAS.exe |
| 1972 | explorer.exe |
| 2240 | spoolsv.exe |
| 2756 | svchost.exe |
Adds Run key to start application (2 TTPs, 4 IoCs)

| Description | IoC | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe |
Checks whether UAC is enabled (5 IoCs)

| Description | IoC | Process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | spoolsv.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 5be9acaebf27218731ef9bfca990b9f0_NEAS.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorer.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | spoolsv.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | svchost.exe |
Writes to the Master Boot Record (MBR) (1 TTPs, 5 IoCs)

Bootkits write to the MBR to gain persistence at a level below the operating system.

| Description | IoC | Process |
|---|---|---|
| File opened for modification | \??\PhysicalDrive0 | spoolsv.exe |
| File opened for modification | \??\PhysicalDrive0 | svchost.exe |
| File opened for modification | \??\PhysicalDrive0 | spoolsv.exe |
| File opened for modification | \??\PhysicalDrive0 | 5be9acaebf27218731ef9bfca990b9f0_NEAS.exe |
| File opened for modification | \??\PhysicalDrive0 | explorer.exe |

Drops file in System32 directory (2 IoCs)

| Description | IoC | Process |
|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe |
Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)

| PID | Process |
|---|---|
| 2192 | 5be9acaebf27218731ef9bfca990b9f0_NEAS.exe |
| 1972 | explorer.exe |
| 2240 | spoolsv.exe |
| 2756 | svchost.exe |
| 2660 | spoolsv.exe |

Drops file in Windows directory (4 IoCs)

| Description | IoC | Process |
|---|---|---|
| File opened for modification | \??\c:\windows\resources\themes\explorer.exe | 5be9acaebf27218731ef9bfca990b9f0_NEAS.exe |
| File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe |
| File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe |
| File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe |

Creates scheduled task(s) (1 TTPs, 3 IoCs)

Schtasks is often used by malware for persistence or to perform post-infection execution.

| PID | Process |
|---|---|
| 2560 | schtasks.exe |
| 2040 | schtasks.exe |
| 1144 | schtasks.exe |
Suspicious behavior: EnumeratesProcesses (64 IoCs)

The 64 IoCs are repeated pid/process entries; the table below gives each process once with the number of entries recorded for it.

| PID | Process | Entries |
|---|---|---|
| 2192 | 5be9acaebf27218731ef9bfca990b9f0_NEAS.exe | 18 |
| 1972 | explorer.exe | 24 |
| 2240 | spoolsv.exe | 1 |
| 2756 | svchost.exe | 20 |
| 2660 | spoolsv.exe | 1 |
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)

| PID | Process |
|---|---|
| 1972 | explorer.exe |
| 2756 | svchost.exe |

Suspicious use of SetWindowsHookEx (10 IoCs)

Each process below is recorded twice.

| PID | Process | Entries |
|---|---|---|
| 2192 | 5be9acaebf27218731ef9bfca990b9f0_NEAS.exe | 2 |
| 1972 | explorer.exe | 2 |
| 2240 | spoolsv.exe | 2 |
| 2756 | svchost.exe | 2 |
| 2660 | spoolsv.exe | 2 |
Suspicious use of WriteProcessMemory (32 IoCs)

Each write below is recorded four times in the raw report.

| Description | PID | Process | procid_target | Entries |
|---|---|---|---|---|
| PID 2192 wrote to memory of 1972 | 2192 | 5be9acaebf27218731ef9bfca990b9f0_NEAS.exe | 29 | 4 |
| PID 1972 wrote to memory of 2240 | 1972 | explorer.exe | 30 | 4 |
| PID 2240 wrote to memory of 2756 | 2240 | spoolsv.exe | 31 | 4 |
| PID 2756 wrote to memory of 2660 | 2756 | svchost.exe | 32 | 4 |
| PID 1972 wrote to memory of 2932 | 1972 | explorer.exe | 33 | 4 |
| PID 2756 wrote to memory of 2560 | 2756 | svchost.exe | 34 | 4 |
| PID 2756 wrote to memory of 2040 | 2756 | svchost.exe | 39 | 4 |
| PID 2756 wrote to memory of 1144 | 2756 | svchost.exe | 41 | 4 |
Processes

Process tree as recorded in the behavioral run; depth is the nesting level shown in the report.

- C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe (PID 2192, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe"
  Signatures:
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  Child processes:
    - \??\c:\windows\resources\themes\explorer.exe (PID 1972, depth 2)
      Command line: c:\windows\resources\themes\explorer.exe
      Signatures:
        - Modifies visibility of hidden/system files in Explorer
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Writes to the Master Boot Record (MBR)
        - Drops file in System32 directory
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      Child processes:
        - \??\c:\windows\resources\spoolsv.exe (PID 2240, depth 3)
          Command line: c:\windows\resources\spoolsv.exe SE
          Signatures:
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Loads dropped DLL
            - Checks whether UAC is enabled
            - Writes to the Master Boot Record (MBR)
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
          Child processes:
            - \??\c:\windows\resources\svchost.exe (PID 2756, depth 4)
              Command line: c:\windows\resources\svchost.exe
              Signatures:
                - Modifies visibility of hidden/system files in Explorer
                - Identifies VirtualBox via ACPI registry values (likely anti-VM)
                - Checks BIOS information in registry
                - Executes dropped EXE
                - Loads dropped DLL
                - Adds Run key to start application
                - Checks whether UAC is enabled
                - Writes to the Master Boot Record (MBR)
                - Drops file in System32 directory
                - Suspicious use of NtSetInformationThreadHideFromDebugger
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: GetForegroundWindowSpam
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory
              Child processes:
                - \??\c:\windows\resources\spoolsv.exe (PID 2660, depth 5)
                  Command line: c:\windows\resources\spoolsv.exe PR
                  Signatures:
                    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    - Checks BIOS information in registry
                    - Executes dropped EXE
                    - Checks whether UAC is enabled
                    - Writes to the Master Boot Record (MBR)
                    - Suspicious use of NtSetInformationThreadHideFromDebugger
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of SetWindowsHookEx
                - C:\Windows\SysWOW64\schtasks.exe (PID 2560, depth 5)
                  Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:32 /f
                  Signatures:
                    - Creates scheduled task(s)
                - C:\Windows\SysWOW64\schtasks.exe (PID 2040, depth 5)
                  Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:33 /f
                  Signatures:
                    - Creates scheduled task(s)
                - C:\Windows\SysWOW64\schtasks.exe (PID 1144, depth 5)
                  Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:34 /f
                  Signatures:
                    - Creates scheduled task(s)
        - C:\Windows\Explorer.exe (PID 2932, depth 3)
          Command line: C:\Windows\Explorer.exe
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Pre-OS Boot (1)
  - Bootkit (1)
- Scheduled Task/Job (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)

Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (2)
- Pre-OS Boot (1)
  - Bootkit (1)
- Virtualization/Sandbox Evasion (1)