e731fae1171efdc23c71c88196207b1e9bf533410e968326088103a5f56ffaa6

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07/05/2024, 05:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

705e1215c36cabed6e4c7c50efda92e0_NEAS.exe
Size

138KB
MD5

705e1215c36cabed6e4c7c50efda92e0
SHA1

13431563441915bc99fbb568f680d92688e09a37
SHA256

e731fae1171efdc23c71c88196207b1e9bf533410e968326088103a5f56ffaa6
SHA512

10379eb5897bb641f7479c07ba2f154de1d737255f855a2b37b8661c89122b3f649377af9c454ecc6f3af42f8447a54b833073c404005fa4864d478ea50fdf28
SSDEEP

1536:rC2/fYuPfbESFYXRWhpKRycRd57JkIqFHhzm4hWru/BzihhMN45MF5FvHP132xPc:r7YubEwYXRWhpAJUHhzm4hUukS6KmecO

Score

8^/10

evasion execution

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 1 IoCs

pid	Process
2972	smss.exe

Loads dropped DLL 2 IoCs

pid	Process
1956	705e1215c36cabed6e4c7c50efda92e0_NEAS.exe
1956	705e1215c36cabed6e4c7c50efda92e0_NEAS.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\1230\smss.exe	705e1215c36cabed6e4c7c50efda92e0_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\1230\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\Service.exe	smss.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2352	sc.exe
2144	sc.exe
2672	sc.exe
2936	sc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1956	705e1215c36cabed6e4c7c50efda92e0_NEAS.exe
2972	smss.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 2352	1956	705e1215c36cabed6e4c7c50efda92e0_NEAS.exe	28
PID 1956 wrote to memory of 2352	1956	705e1215c36cabed6e4c7c50efda92e0_NEAS.exe	28
PID 1956 wrote to memory of 2352	1956	705e1215c36cabed6e4c7c50efda92e0_NEAS.exe	28
PID 1956 wrote to memory of 2352	1956	705e1215c36cabed6e4c7c50efda92e0_NEAS.exe	28
PID 1956 wrote to memory of 2144	1956	705e1215c36cabed6e4c7c50efda92e0_NEAS.exe	30
PID 1956 wrote to memory of 2144	1956	705e1215c36cabed6e4c7c50efda92e0_NEAS.exe	30
PID 1956 wrote to memory of 2144	1956	705e1215c36cabed6e4c7c50efda92e0_NEAS.exe	30
PID 1956 wrote to memory of 2144	1956	705e1215c36cabed6e4c7c50efda92e0_NEAS.exe	30
PID 1956 wrote to memory of 2972	1956	705e1215c36cabed6e4c7c50efda92e0_NEAS.exe	32
PID 1956 wrote to memory of 2972	1956	705e1215c36cabed6e4c7c50efda92e0_NEAS.exe	32
PID 1956 wrote to memory of 2972	1956	705e1215c36cabed6e4c7c50efda92e0_NEAS.exe	32
PID 1956 wrote to memory of 2972	1956	705e1215c36cabed6e4c7c50efda92e0_NEAS.exe	32
PID 2972 wrote to memory of 2672	2972	smss.exe	33
PID 2972 wrote to memory of 2672	2972	smss.exe	33
PID 2972 wrote to memory of 2672	2972	smss.exe	33
PID 2972 wrote to memory of 2672	2972	smss.exe	33
PID 2972 wrote to memory of 2936	2972	smss.exe	35
PID 2972 wrote to memory of 2936	2972	smss.exe	35
PID 2972 wrote to memory of 2936	2972	smss.exe	35
PID 2972 wrote to memory of 2936	2972	smss.exe	35

C:\Users\Admin\AppData\Local\Temp\705e1215c36cabed6e4c7c50efda92e0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\705e1215c36cabed6e4c7c50efda92e0_NEAS.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\SysWOW64\sc.exe
  C:\Windows\system32\sc.exe stop SharedAccess
  2⤵
  - Launches sc.exe
  PID:2352
- C:\Windows\SysWOW64\sc.exe
  C:\Windows\system32\sc.exe stop wscsvc
  2⤵
  - Launches sc.exe
  PID:2144
- C:\Windows\SysWOW64\1230\smss.exe
  C:\Windows\system32\1230\smss.exe -d
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\system32\sc.exe stop SharedAccess
    3⤵
    - Launches sc.exe
    PID:2672
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\system32\sc.exe stop wscsvc
    3⤵
    - Launches sc.exe
    PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\1230\smss.exe

Filesize
138KB

MD5
01be88c38718cd27cd1902db91e77334

SHA1
e4308efffff5e8308b14f9095421827dde8224b9

SHA256
1085049c48e9500f9d482b630ba99450c0b8a849fc55310ad0cf3e2b057a5cf7

SHA512
052a9ace662a7871681632258129477e3607930f88bba8af77d2ca99ed0878818c0e45310469dfe0d221d7e64322d7c4cad96da5d8988fdbc8358bb84cef0808

Download Submit