Analysis
-
max time kernel
136s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
07-05-2024 03:18
General
-
Target
595838b7cdc0e394afcb3e486e05af90_NEAS.exe
-
Size
5.2MB
-
MD5
595838b7cdc0e394afcb3e486e05af90
-
SHA1
6f0945c7fe89fde93b8fad3026d269b2a49c1340
-
SHA256
8765013a5849321898e3f2aa322adafc03a8e77cf318c38460dca2c7d2ac97ae
-
SHA512
0d9904f5d5d7720d4daa231307b28c5230a146270650409164baec6101556b93d4666c9c340ee57ed392b58e3cda3556548b318c43cfa10248faf01c01716495
-
SSDEEP
98304:Kps6efPfBOPvLtabi4X0MV+dYdcGt7VIb4:sfefPJws3V+a
Malware Config
Signatures
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops file in System32 directory 27 IoCs
-
Drops file in Program Files directory 15 IoCs
-
Drops file in Windows directory 13 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 20 IoCs
-
Registers COM server for autorun 1 TTPs 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 9 IoCs
-
Modifies registry class 37 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 29 IoCs
-
Suspicious use of SendNotifyMessage 27 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\595838b7cdc0e394afcb3e486e05af90_NEAS.exe"C:\Users\Admin\AppData\Local\Temp\595838b7cdc0e394afcb3e486e05af90_NEAS.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\02aacd0ff7720c8e\setup.msi"2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Registers COM server for autorun
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding BF44A046337C84AA203E97A32C2527CA C2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI46FC.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240600953 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments3⤵
- Loads dropped DLL
-
-
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 36B04E298E5D1EC91300C53B0BF1684C2⤵
- Loads dropped DLL
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 2FAA87AE4F930E710F8EA0E1746161CD E Global\MSI00002⤵
- Drops file in Windows directory
- Loads dropped DLL
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
-
C:\Program Files (x86)\ScreenConnect Client (02aacd0ff7720c8e)\ScreenConnect.ClientService.exe"C:\Program Files (x86)\ScreenConnect Client (02aacd0ff7720c8e)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=instance-cjeh24-relay.screenconnect.com&p=443&s=1134a39d-7d7a-40c6-b778-b963e49b5842&k=BgIAAACkAABSU0ExAAgAAAEAAQDZKTW%2f%2b%2f0HZmYMCXtdMD%2bn02Nt2VBCvuFrPfNtNBBCGc%2b0LcJ9P4u2z8uxREmtJoDrc%2bj7EMgJ8x7wyzgfLtNFDv41m%2bXSlDRjrSKKim%2fbNMv%2f9mkMtRamV478yX%2fc3VlECJEYHAFK%2fpDKpPZ1F%2fGbTFkenTsR7AdEv%2f61cW%2fRNTPaJ6Fmq8qBTkD6WZDPTBFVGuZ8d39SUtwUIEQ55FCbSiB3Bc1bTHHTUu%2fsa6e4yjeX14Z1%2bcVVui7%2f50qy1%2fEG18N%2b0p1HIv955Fk4DHPNMPeDIfd9x%2f5gakn0zF5jGtpd2iIpuuK2%2fuRIp86BX4AjwN%2bQNpm9QL8W0dBt0%2fbT&c=845964277694137&c=&c=&c=&c=&c=&c=&c="1⤵
- Sets service image path in registry
- Drops file in System32 directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\ScreenConnect Client (02aacd0ff7720c8e)\ScreenConnect.WindowsClient.exe"C:\Program Files (x86)\ScreenConnect Client (02aacd0ff7720c8e)\ScreenConnect.WindowsClient.exe" "RunRole" "75289902-277f-4486-b3a5-d3ac6e42a4d4" "User"2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
213KB
MD53284e61aef055d8dd2e2f8c33c735c55
SHA15a85ceb7737f84a22144bef7ec9d10c964530ebc
SHA256462d2f8aeda465b3294b3e8079f4febec190990bfe6c48dbc8b9c596b6198fd1
SHA51208a6e45b1e8ef7a8211cdd5e5e74b76c2482cbe08fe865d5d170bb20f5191426cc505ec83246f06dc8edb283b345a133f02d7dce8aaec11460ffec45c53e3edb
-
Filesize
47KB
MD53e83a3aa62c5ff54ed98e27b3fbecf90
SHA196d8927c870a74a478864240b3ace94ad543dfb8
SHA2562d88b97d28be01abca4544c6381a4370c1a1ce05142c176742f13b44889ddf90
SHA512ea9d05a4aa1ee5cccc61c4f5e8994efba9efff0549b69577bef1f2a22cce908739124eff1e0db5cfdd69e077ad2d7cdb1307de92d79673c9309ee621cb139956
-
Filesize
26KB
MD55cd580b22da0c33ec6730b10a6c74932
SHA10b6bded7936178d80841b289769c6ff0c8eead2d
SHA256de185ee5d433e6cfbb2e5fcc903dbd60cc833a3ca5299f2862b253a41e7aa08c
SHA512c2494533b26128fbf8149f7d20257d78d258abffb30e4e595cb9c6a742f00f1bf31b1ee202d4184661b98793b9909038cf03c04b563ce4eca1e2ee2dec3bf787
-
Filesize
188KB
MD56bc9611d5b6cee698149a18d986547a8
SHA1f36ab74e4e502fdaf81e101836b94c91d80cb8ea
SHA25617377a52eeae11e8ee01eb629d6a60c10015ad2bb8bc9768e5c8e4b6500a15ed
SHA5123f23670d0ba150de19a805db6beb6eed8538bbad6fbe3cc21d17d738a43cf411c679a23cea11549e69be0321e672f740791d40e92498aef9d1f8650743ee85ea
-
Filesize
60KB
MD522af3a23bd30484514cdacf67c5b3810
SHA1e92a4eaee9d896964de541ce2f01c2404b638258
SHA2567c5442121dba2a30ab9579ec08e111ded372cf9cf90fb3256f273980b975afa9
SHA51295e40b27e90fce7ca85e76afbbc16eb62b4bb977664702b987de2eb2294e6fe9e6df5610ec7b2362c2c68493313f30fbbcbd3446dbe8ae2fa47b89407f5d5936
-
Filesize
93KB
MD5dc615e9d8ec81cbf2e2452516373e5a0
SHA1ec83d37a4f45caeb07b1605324d0315f959452e9
SHA256e9ab064ed381c29a3930f75ca3e05605c6ee07f30a69c043f576a5461de3bafc
SHA51282fe00447fb9785264dfb8032399adf6d33d91d71058212d252742c9e5fd54f5a52f6baf4fb05e95f9a4055057c60a33a7c1c642f18a6a4e045b49be88fa5d9f
-
Filesize
1.6MB
MD529454a0cb83f28c24805e9a70e53444a
SHA1334202965b07ab69f08b16fed0ee6c7274463556
SHA256998cc3f9af5bd41ccf0f9be86192bbe20cdec08a6ff73c1199e1364195a83e14
SHA51262790920974a2f1b018d466ae3e3b5100006a3c8013f43bdb04af7074cfe5d992caaeb610de2b1b72ff0e4acf8762db1513a4a0cf331f9a340ae0ce53c3be895
-
Filesize
573KB
MD55dec65c4047de914c78816b8663e3602
SHA18807695ee8345e37efec43cbc0874277ed9b0a66
SHA25671602f6b0b27c8b7d8ad624248e6126970939effde785ec913ace19052e9960e
SHA51227b5dcb5b0aeadf246b91a173d06e5e8d6cf2cd19d86ca358e0a85b84cd9d8f2b26372ef34c3d427f57803d90f2e97cf59692c80c268a71865f08fc0e7ce42d1
-
Filesize
266B
MD5728175e20ffbceb46760bb5e1112f38b
SHA12421add1f3c9c5ed9c80b339881d08ab10b340e3
SHA25687c640d3184c17d3b446a72d5f13d643a774b4ecc7afbedfd4e8da7795ea8077
SHA512fb9b57f4e6c04537e8fdb7cc367743c51bf2a0ad4c3c70dddab4ea0cf9ff42d5aeb9d591125e7331374f8201cebf8d0293ad934c667c1394dc63ce96933124e7
-
Filesize
746KB
MD5f01a59c5cf7ec437097d414d7c6d59c4
SHA19ea1c3fbf3b5adbe5a23578dea3b511d44e6a2dd
SHA25662b405f32a43da0c8e8ed14a58ec7b9b4422b154bfd4aed4f9be5de0bc6eb5e8
SHA512587748ad4dd18677a3b7943eab1c0f8e77fe50a45e17266ba9a0e1363eda0ff1eabcf11884a5d608e23baf86af8f011db745ad06bcdecdfd01c20430745fe4bb
-
Filesize
990B
MD5ace48c542097f3b3ddad7684110e98c5
SHA129331db5ff5dd81ff8de659aaaf411ee873925d3
SHA2564c7e293aca2e3354a5192679a5f90a86804d97f9bcb95e3c9b252767587ca6d7
SHA5124c87c4971631ffee618db3325434fd908ba58fe8aa8c84fb479ed3cef839cfad21011f09a4eeda3e4ffa7eddf2f0bc81002e30b7aa9347cc5167c70704f94a8e
-
Filesize
1017KB
MD58d94c9f4c07b76b4e32daffcc51109da
SHA162e31a89c488d6745abb72a3071f688fd6180d33
SHA2562b35c0e4088b2a7728fa7bc6a5bfdefed7665598de6d49641fdf5d1f1271a4d7
SHA5120092cbbd95777e6931864d61931efdf3a349f79c575030cad9a1771432f52e1bdc25d5640e2923d202c42c2ce242d00187486334a946e97319d48211233eb0ac
-
Filesize
172KB
MD55ef88919012e4a3d8a1e2955dc8c8d81
SHA1c0cfb830b8f1d990e3836e0bcc786e7972c9ed62
SHA2563e54286e348ebd3d70eaed8174cca500455c3e098cdd1fccb167bc43d93db29d
SHA5124544565b7d69761f9b4532cc85e7c654e591b2264eb8da28e60a058151030b53a99d1b2833f11bfc8acc837eecc44a7d0dbd8bc7af97fc0e0f4938c43f9c2684
-
Filesize
519KB
MD5b319407e807be1a49e366f7f8ea7ee2a
SHA1b12197a877fb7e33b1cb5ba11b0da5ca706581ba
SHA256761b7e50baa229e8afcd9a50990d7f776ddb5ed1ea5fbb131c802e57cf918742
SHA512dc497643790dc608dece9c8fe7264efedd13724bd24c9bf28a60d848b405fddefb8337a60f3f32bb91518910e02c7a2aaf29fc32f86a464dfcafa365526bdb7f
-
Filesize
21KB
MD5b0585159161d50e330b7f8eda50a2770
SHA18636fab3ce6c21a42d3e5fbd495c2ddad4279162
SHA256ca9e51d51f24e16428d1b0e9a0829a44da2678bfc7ba00f0b46a57dcd6d734b8
SHA512e9ae99bdce64ca4282fa4580d3b081f7d0874c756aef77fb58e10db148e2f670ba48667ce62033c6f514ff825dc54c1bdbae2c7f8d5f9355486402cf75e1d5ad
-
Filesize
7.4MB
MD5098e68eec540f86a46ac70fd054ccdd2
SHA1a93f9b582e5748250df3bb34ed63b53f3b5b423e
SHA256c9cbc7830114e5fed7185688d26f6e810966f4c3d1e9dfeb1dd63322a4cb3b60
SHA512cf4c82edd5bf5142a124f2e21ffc350ed0f15cf172016db9f356b383aa217b49387d6adf55a9c1a15a84e563b654aead49a96481dc54d7239312e50af1027bb7
-
Filesize
202KB
MD5ba84dd4e0c1408828ccc1de09f585eda
SHA1e8e10065d479f8f591b9885ea8487bc673301298
SHA2563cff4ac91288a0ff0c13278e73b282a64e83d089c5a61a45d483194ab336b852
SHA5127a38418f6ee8dbc66fab2cd5ad8e033e761912efc465daa484858d451da4b8576079fe90fd3b6640410edc8b3cac31c57719898134f246f4000d60a252d88290
-
Filesize
586B
MD5d7688600306899f4eb8ac16396980484
SHA1c1a26cd3828b52d399173f3b4f58e67fe659fb36
SHA256e8579d4d610e377ceb35b51afada4420d09ae09d03c407c9b6e7298ff4027c53
SHA512f61d95c7a1f00be7c4e63c45046acc7570da07ca733099852f2f0d88fdb93035f2170817ecb57e24e53971157305f70352fcc42534109db6f0294178e7b586cd
-
Filesize
586B
MD5549f991f08df15bfe1e6cfa301edd89d
SHA1167522c04818207444af34c82facaf9b4e668223
SHA2561db13f6814fea59b39a80cf8e0f6cdbea287862b3f2d6e60c1edd2f9566f7234
SHA51232dd63668ce66f45dbd51aa44109fad2ced9a709a3e9b1c87654d953e61d7cdaa08e9599214a1bb78a2f5626126b32fc5a3447c617f0f605071b1af6a0cf004d
-
Filesize
586B
MD57e3db4f9961b324b6fde470391c348d5
SHA1b0f165efb258f81de20bab7bf91f79ae1d882e03
SHA2566d27894af4f57f7f81ec3228d057eb0016a1e0483037ebce635ded777ff5f35e
SHA512839f373ab18fc0e1764bb7c9c5f145e7a0c83c6e1634f5962eddd1a315e36597dad7b20a14f7c45691979c9d5588defc633f526990e4885f07fa2d9a8724000a
-
Filesize
586B
MD5b928a004535a058e9702dd68c35d1445
SHA1f2b3c251f34b6fb4c7f7fc00755c0200c939e014
SHA25670933846c3eaa2aac2ad10f797184661a3185fb363a41cd286cddc0a030de112
SHA51225f3b9a531479402ec1c08b5c8821c808fe2d3a0924d8e9d24b9a7a9d0349ceab7d05e8540c745baba9e93d7ff04647d97a696cdc3cc4fe51457dd993c631db2
-
Filesize
586B
MD57cf170613810f3c98a805799e3c4148b
SHA1ea4ff07ab90dbbc7354877503a1ffa7b80966aa0
SHA25685b45055cfd8457aac584b2bb459e0e6c985d869a61e256aae4e3942a80aca45
SHA512e93249ebc61c51f412175b42c7b0e1e5b57cf1ed56911003f14940db65112310176e01f65142ffb40220a555c32c840e35d89773b5c4a64c659bdf424a21147b
-
Filesize
586B
MD59a8659cf271d76c8b8fec80887395c66
SHA1b2afa538378808b3d5ab4b8f0e90030da45acd6a
SHA256aab4ea552b4079bb1b3f38f2595e499e9dbaa6b1e8445e21bf4813b0d49c8e95
SHA51218e32e3533fc77cd38dce39ce8b65c8ab3d5c0a3173a71abd8b3c423583e91935446f0a704ad234ce00151444f6a02abdd9d6430d90eebd32d707b538fff39ac
-
Filesize
586B
MD5845f0e60471b81a4cc7811c67f267dc8
SHA11064c745f7d5d9621e1c5daebe466ca86f7ed50a
SHA256112d09aa65c01d6c2608e4f6bf7362dda852d0819692c09fdaadec3992f6b078
SHA51210c921e1ccf4a16d854a554263a26da41d7e5601c8af8e5b709a0b20645dddada1076f07476d170b559822cab497940bc8ddaf3b3099672f5ce4cf1e887ceac7
-
Filesize
586B
MD52ef528678506efd69ec9c0c9568b863f
SHA1abc6832ab79745b59f8394878da2535343ff8b56
SHA256b7b1551cef8320320f8bdf3346ecd215de2a2933b06ae21c85de703fc6cc08c1
SHA51285e8c67a35a0a54a88e9fef552fd43631991bfd77cd8bcba2269153b64493f6cc4d7f7e488a101bb02f1c4ea918672a55f39ab8046664835ccab18f458b949d1
-
Filesize
586B
MD564390c1cc9e65954ec2c16da22b01629
SHA17daa7f77744a21dacb162590fac4950a02f42136
SHA256498c2c1ca80f01787f27fe447a504d1ce6c32080d371b756bca08c5dbadac090
SHA5124ca01247d7b622bcb2f26dc32732b3e166c1596f4aaa4e138f47e5ac0fe130c2a7879d6479a968398a5f52cc229e2800a3e0059e153bb1ff45aca4eb5cc27781
-
Filesize
24.1MB
MD5af1f79555ed34386e82c31ff35b5c66d
SHA1123dd7bb2c778c5939a798c439c7337cc294ebf9
SHA2563380293eb34b2d9e9a2bc526dafd96c7d8cdc9894873ce074c75dec224efe5a2
SHA5127bfe9093ba036bb1b79ce59f98741691ce5a17d228f77b50098ec77a0b1c1a6bc9f6e6a1ea09b7f36a582a07187288ad0d1eabaf82a825c2b65b4ced91247f1d
-
Filesize
6KB
MD58bb7e7b4d7cafb1015c8e5ef5a80ea79
SHA1342c32890d262df55724109b007e157fcce554d8
SHA256e9391d2d72f9f09c73517f9da9c8b18a5a74149d59b6d7e5a7c4140887465e93
SHA512cf80e665719bb6ef33713e61367ac23ba291905b2ef955ba18ffb5c880faeb0677bf5ab16e3e48c0b39ced0ef478e473441588f2232ba8a668918054717e43eb
-
Filesize
136KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
544KB
-
Filesize
7.7MB
-
Filesize
2.8MB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
544KB
-
Filesize
184KB
-
Filesize
1.7MB
-
Filesize
584KB
-
Filesize
88KB
-
Filesize
5.6MB
-
Filesize
320KB
-
Filesize
216KB
-
Filesize
760KB
-
Filesize
88KB
-
Filesize
592KB
-
Filesize
216KB
-
Filesize
544KB
-
Filesize
1.7MB
-
Filesize
88KB
-
Filesize
1.5MB