Analysis
max time kernel: 142s
max time network: 142s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 07/05/2024, 08:16

Static task: static1
Behavioral task: behavioral1
  Sample: 059198935af7c5e3c0ae5080d10dc630_NEAS.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 059198935af7c5e3c0ae5080d10dc630_NEAS.exe
  Resource: win10v2004-20240426-en
General
Target: 059198935af7c5e3c0ae5080d10dc630_NEAS.exe
Size: 396KB
MD5: 059198935af7c5e3c0ae5080d10dc630
SHA1: f464d2a21668a4310f93debb711f555044a79e0d
SHA256: fe5406b43a014e3f51cbd6d28426f27db4566918637554a5e04b1b652ffb3797
SHA512: 74a9961001bbc4d5dd55b8ce67a1483651611e06e346467f8df495d990f8c8b61816caacb368c63764b6200493a060f229d9e0724d16ef03898698ed61ccb6de
SSDEEP: 12288:YEyTE+7JnTmf/GxrmHtqXoEWOujM67hEG3:C7dOoaHcoEhA
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\"" | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\"" | lsass.exe
Modifies Windows Firewall (2 TTPs, 1 IoCs)
  pid | Process
  2728 | netsh.exe
Executes dropped EXE (3 IoCs)
  pid | Process
  2708 | lsass.exe
  2612 | lsass.exe
  2424 | lsass.exe
Loads dropped DLL (5 IoCs)
  pid | Process
  2552 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe
  2552 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe
  2708 | lsass.exe
  2612 | lsass.exe
  2612 | lsass.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\"" | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\"" | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\"" | lsass.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\"" | lsass.exe
Writes to the Master Boot Record (MBR) (1 TTPs, 2 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
  description | ioc | Process
  File opened for modification | \??\PhysicalDrive0 | lsass.exe
  File opened for modification | \??\PhysicalDrive0 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe
Suspicious use of SetThreadContext (4 IoCs)
  description | pid | Process | procid_target
  PID 2972 set thread context of 2812 | 2972 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe | 28
  PID 2812 set thread context of 2552 | 2812 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe | 29
  PID 2708 set thread context of 2612 | 2708 | lsass.exe | 33
  PID 2612 set thread context of 2424 | 2612 | lsass.exe | 34
Suspicious use of SetWindowsHookEx (6 IoCs)
  pid | Process
  2972 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe
  2812 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe
  2552 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe
  2708 | lsass.exe
  2612 | lsass.exe
  2424 | lsass.exe
Suspicious use of WriteProcessMemory (38 IoCs)
  description | pid | Process | procid_target
  PID 2972 wrote to memory of 2812 | 2972 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe | 28
  PID 2972 wrote to memory of 2812 | 2972 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe | 28
  PID 2972 wrote to memory of 2812 | 2972 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe | 28
  PID 2972 wrote to memory of 2812 | 2972 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe | 28
  PID 2972 wrote to memory of 2812 | 2972 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe | 28
  PID 2972 wrote to memory of 2812 | 2972 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe | 28
  PID 2812 wrote to memory of 2552 | 2812 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe | 29
  PID 2812 wrote to memory of 2552 | 2812 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe | 29
  PID 2812 wrote to memory of 2552 | 2812 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe | 29
  PID 2812 wrote to memory of 2552 | 2812 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe | 29
  PID 2812 wrote to memory of 2552 | 2812 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe | 29
  PID 2812 wrote to memory of 2552 | 2812 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe | 29
  PID 2812 wrote to memory of 2552 | 2812 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe | 29
  PID 2812 wrote to memory of 2552 | 2812 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe | 29
  PID 2812 wrote to memory of 2552 | 2812 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe | 29
  PID 2552 wrote to memory of 2728 | 2552 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe | 30
  PID 2552 wrote to memory of 2728 | 2552 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe | 30
  PID 2552 wrote to memory of 2728 | 2552 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe | 30
  PID 2552 wrote to memory of 2728 | 2552 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe | 30
  PID 2552 wrote to memory of 2708 | 2552 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe | 32
  PID 2552 wrote to memory of 2708 | 2552 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe | 32
  PID 2552 wrote to memory of 2708 | 2552 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe | 32
  PID 2552 wrote to memory of 2708 | 2552 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe | 32
  PID 2708 wrote to memory of 2612 | 2708 | lsass.exe | 33
  PID 2708 wrote to memory of 2612 | 2708 | lsass.exe | 33
  PID 2708 wrote to memory of 2612 | 2708 | lsass.exe | 33
  PID 2708 wrote to memory of 2612 | 2708 | lsass.exe | 33
  PID 2708 wrote to memory of 2612 | 2708 | lsass.exe | 33
  PID 2708 wrote to memory of 2612 | 2708 | lsass.exe | 33
  PID 2612 wrote to memory of 2424 | 2612 | lsass.exe | 34
  PID 2612 wrote to memory of 2424 | 2612 | lsass.exe | 34
  PID 2612 wrote to memory of 2424 | 2612 | lsass.exe | 34
  PID 2612 wrote to memory of 2424 | 2612 | lsass.exe | 34
  PID 2612 wrote to memory of 2424 | 2612 | lsass.exe | 34
  PID 2612 wrote to memory of 2424 | 2612 | lsass.exe | 34
  PID 2612 wrote to memory of 2424 | 2612 | lsass.exe | 34
  PID 2612 wrote to memory of 2424 | 2612 | lsass.exe | 34
  PID 2612 wrote to memory of 2424 | 2612 | lsass.exe | 34
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2972
  Level 2: C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2812
    Level 3: C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe
      - Modifies WinLogon for persistence
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2552
      Level 4: C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram program = C:\Users\Admin\AppData\Roaming\lsass.exe name = Nero mode = ENABLE
        - Modifies Windows Firewall
        PID: 2728
      Level 4: C:\Users\Admin\AppData\Roaming\lsass.exe
        Command line: /d C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 2708
        Level 5: C:\Users\Admin\AppData\Roaming\lsass.exe
          Command line: C:\Users\Admin\AppData\Roaming\lsass.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Writes to the Master Boot Record (MBR)
          - Suspicious use of SetThreadContext
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID: 2612
          Level 6: C:\Users\Admin\AppData\Roaming\lsass.exe
            Command line: C:\Users\Admin\AppData\Roaming\lsass.exe
            - Modifies WinLogon for persistence
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of SetWindowsHookEx
            PID: 2424
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Pre-OS Boot (1)
    Bootkit (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
Filesize: 396KB
MD5: 6241ff61a6ed5c8affb47e20cbb382c2
SHA1: 8bcdf3be2e5079ec64b07dbb5fc8412357c94b9d
SHA256: a183c39c88aec94b95510739fbbd27742b2dbe80a8a40d7692485924024241d2
SHA512: aadc3b2e85e168560219fe2c391997876eb8c13b068e8737dc2155be7c1d2b633cde8f81a0ce43c38ac169b4d8d98610fd69fe2a8c07490f25c1b98fbb5d4709