Analysis
max time kernel: 142s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/05/2024, 08:16

Static task: static1

Behavioral task: behavioral1
Sample: 059198935af7c5e3c0ae5080d10dc630_NEAS.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 059198935af7c5e3c0ae5080d10dc630_NEAS.exe
Resource: win10v2004-20240426-en
General
Target: 059198935af7c5e3c0ae5080d10dc630_NEAS.exe
Size: 396KB
MD5: 059198935af7c5e3c0ae5080d10dc630
SHA1: f464d2a21668a4310f93debb711f555044a79e0d
SHA256: fe5406b43a014e3f51cbd6d28426f27db4566918637554a5e04b1b652ffb3797
SHA512: 74a9961001bbc4d5dd55b8ce67a1483651611e06e346467f8df495d990f8c8b61816caacb368c63764b6200493a060f229d9e0724d16ef03898698ed61ccb6de
SSDEEP: 12288:YEyTE+7JnTmf/GxrmHtqXoEWOujM67hEG3:C7dOoaHcoEhA
Signatures

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\"" | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\"" | lsass.exe

Modifies Windows Firewall (2 TTPs, 1 IoCs)
pid | Process
4988 | netsh.exe

Executes dropped EXE (3 IoCs)
pid | Process
2920 | lsass.exe
4812 | lsass.exe
4288 | lsass.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\"" | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\"" | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\"" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\"" | lsass.exe

Writes to the Master Boot Record (MBR) (1 TTPs, 2 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe
File opened for modification | \??\PhysicalDrive0 | lsass.exe

Suspicious use of SetThreadContext (4 IoCs)
description | pid | Process | procid_target
PID 3524 set thread context of 2240 | 3524 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe | 85
PID 2240 set thread context of 5112 | 2240 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe | 86
PID 2920 set thread context of 4812 | 2920 | lsass.exe | 91
PID 4812 set thread context of 4288 | 4812 | lsass.exe | 92

Suspicious use of SetWindowsHookEx (6 IoCs)
pid | Process
3524 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe
2240 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe
5112 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe
2920 | lsass.exe
4812 | lsass.exe
4288 | lsass.exe

Suspicious use of WriteProcessMemory (32 IoCs)
description | pid | Process | procid_target
PID 3524 wrote to memory of 2240 | 3524 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe | 85
PID 3524 wrote to memory of 2240 | 3524 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe | 85
PID 3524 wrote to memory of 2240 | 3524 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe | 85
PID 3524 wrote to memory of 2240 | 3524 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe | 85
PID 3524 wrote to memory of 2240 | 3524 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe | 85
PID 2240 wrote to memory of 5112 | 2240 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe | 86
PID 2240 wrote to memory of 5112 | 2240 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe | 86
PID 2240 wrote to memory of 5112 | 2240 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe | 86
PID 2240 wrote to memory of 5112 | 2240 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe | 86
PID 2240 wrote to memory of 5112 | 2240 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe | 86
PID 2240 wrote to memory of 5112 | 2240 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe | 86
PID 2240 wrote to memory of 5112 | 2240 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe | 86
PID 2240 wrote to memory of 5112 | 2240 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe | 86
PID 5112 wrote to memory of 4988 | 5112 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe | 87
PID 5112 wrote to memory of 4988 | 5112 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe | 87
PID 5112 wrote to memory of 4988 | 5112 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe | 87
PID 5112 wrote to memory of 2920 | 5112 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe | 89
PID 5112 wrote to memory of 2920 | 5112 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe | 89
PID 5112 wrote to memory of 2920 | 5112 | 059198935af7c5e3c0ae5080d10dc630_NEAS.exe | 89
PID 2920 wrote to memory of 4812 | 2920 | lsass.exe | 91
PID 2920 wrote to memory of 4812 | 2920 | lsass.exe | 91
PID 2920 wrote to memory of 4812 | 2920 | lsass.exe | 91
PID 2920 wrote to memory of 4812 | 2920 | lsass.exe | 91
PID 2920 wrote to memory of 4812 | 2920 | lsass.exe | 91
PID 4812 wrote to memory of 4288 | 4812 | lsass.exe | 92
PID 4812 wrote to memory of 4288 | 4812 | lsass.exe | 92
PID 4812 wrote to memory of 4288 | 4812 | lsass.exe | 92
PID 4812 wrote to memory of 4288 | 4812 | lsass.exe | 92
PID 4812 wrote to memory of 4288 | 4812 | lsass.exe | 92
PID 4812 wrote to memory of 4288 | 4812 | lsass.exe | 92
PID 4812 wrote to memory of 4288 | 4812 | lsass.exe | 92
PID 4812 wrote to memory of 4288 | 4812 | lsass.exe | 92
Processes

[1] C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe"
    PID: 3524
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe
        PID: 2240
        - Writes to the Master Boot Record (MBR)
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe
            PID: 5112
            - Modifies WinLogon for persistence
            - Adds Run key to start application
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\netsh.exe
                Command line: netsh firewall add allowedprogram program = C:\Users\Admin\AppData\Roaming\lsass.exe name = Nero mode = ENABLE
                PID: 4988
                - Modifies Windows Firewall

            [4] C:\Users\Admin\AppData\Roaming\lsass.exe
                Command line: /d C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe
                PID: 2920
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory

                [5] C:\Users\Admin\AppData\Roaming\lsass.exe
                    Command line: C:\Users\Admin\AppData\Roaming\lsass.exe
                    PID: 4812
                    - Executes dropped EXE
                    - Writes to the Master Boot Record (MBR)
                    - Suspicious use of SetThreadContext
                    - Suspicious use of SetWindowsHookEx
                    - Suspicious use of WriteProcessMemory

                    [6] C:\Users\Admin\AppData\Roaming\lsass.exe
                        Command line: C:\Users\Admin\AppData\Roaming\lsass.exe
                        PID: 4288
                        - Modifies WinLogon for persistence
                        - Executes dropped EXE
                        - Adds Run key to start application
                        - Suspicious use of SetWindowsHookEx
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Pre-OS Boot (1)
    Bootkit (1)

Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 396KB
MD5: 6241ff61a6ed5c8affb47e20cbb382c2
SHA1: 8bcdf3be2e5079ec64b07dbb5fc8412357c94b9d
SHA256: a183c39c88aec94b95510739fbbd27742b2dbe80a8a40d7692485924024241d2
SHA512: aadc3b2e85e168560219fe2c391997876eb8c13b068e8737dc2155be7c1d2b633cde8f81a0ce43c38ac169b4d8d98610fd69fe2a8c07490f25c1b98fbb5d4709