Analysis Overview
SHA256
fe5406b43a014e3f51cbd6d28426f27db4566918637554a5e04b1b652ffb3797
Threat Level: Known bad
The file 059198935af7c5e3c0ae5080d10dc630_NEAS was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Modifies Windows Firewall
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Writes to the Master Boot Record (MBR)
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-07 08:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-07 08:16
Reported
2024-05-07 08:18
Platform
win10v2004-20240426-en
Max time kernel
142s
Max time network
142s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\"" | C:\Users\Admin\AppData\Roaming\lsass.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\lsass.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\lsass.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\lsass.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\"" | C:\Users\Admin\AppData\Roaming\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\"" | C:\Users\Admin\AppData\Roaming\lsass.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Roaming\lsass.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3524 set thread context of 2240 | N/A | C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe | C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe |
| PID 2240 set thread context of 5112 | N/A | C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe | C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe |
| PID 2920 set thread context of 4812 | N/A | C:\Users\Admin\AppData\Roaming\lsass.exe | C:\Users\Admin\AppData\Roaming\lsass.exe |
| PID 4812 set thread context of 4288 | N/A | C:\Users\Admin\AppData\Roaming\lsass.exe | C:\Users\Admin\AppData\Roaming\lsass.exe |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\lsass.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\lsass.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\lsass.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe"
C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe
C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe
C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe
C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program = C:\Users\Admin\AppData\Roaming\lsass.exename = Nero mode = ENABLE
C:\Users\Admin\AppData\Roaming\lsass.exe
/d C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe
C:\Users\Admin\AppData\Roaming\lsass.exe
C:\Users\Admin\AppData\Roaming\lsass.exe
C:\Users\Admin\AppData\Roaming\lsass.exe
C:\Users\Admin\AppData\Roaming\lsass.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| GB | 23.73.138.80:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| GB | 23.73.138.80:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 80.138.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | jp5.no-ip.info | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | jp5.no-ip.info | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | jp5.no-ip.info | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | jp5.no-ip.info | udp |
| US | 8.8.8.8:53 | jp5.no-ip.info | udp |
| US | 8.8.8.8:53 | jp5.no-ip.info | udp |
| US | 8.8.8.8:53 | jp5.no-ip.info | udp |
| US | 8.8.8.8:53 | jp5.no-ip.info | udp |
| US | 8.8.8.8:53 | jp5.no-ip.info | udp |
| US | 8.8.8.8:53 | jp5.no-ip.info | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | jp5.no-ip.info | udp |
| US | 8.8.8.8:53 | jp5.no-ip.info | udp |
| US | 8.8.8.8:53 | jp5.no-ip.info | udp |
| US | 8.8.8.8:53 | 88.16.208.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | jp5.no-ip.info | udp |
Files
memory/2240-2-0x0000000000400000-0x000000000044B000-memory.dmp
memory/2240-4-0x0000000000400000-0x000000000044B000-memory.dmp
memory/5112-7-0x0000000000400000-0x0000000000440000-memory.dmp
memory/5112-9-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2240-12-0x0000000000400000-0x000000000044B000-memory.dmp
C:\Users\Admin\AppData\Roaming\lsass.exe
| Hash | Value |
|---|---|
| MD5 | 6241ff61a6ed5c8affb47e20cbb382c2 |
| SHA1 | 8bcdf3be2e5079ec64b07dbb5fc8412357c94b9d |
| SHA256 | a183c39c88aec94b95510739fbbd27742b2dbe80a8a40d7692485924024241d2 |
| SHA512 | aadc3b2e85e168560219fe2c391997876eb8c13b068e8737dc2155be7c1d2b633cde8f81a0ce43c38ac169b4d8d98610fd69fe2a8c07490f25c1b98fbb5d4709 |
memory/4812-28-0x0000000000400000-0x000000000044B000-memory.dmp
memory/4812-40-0x0000000000400000-0x000000000044B000-memory.dmp
memory/5112-37-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4288-41-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4288-43-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4288-46-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4288-49-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4288-53-0x0000000000400000-0x0000000000440000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-07 08:16
Reported
2024-05-07 08:18
Platform
win7-20240221-en
Max time kernel
142s
Max time network
142s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\"" | C:\Users\Admin\AppData\Roaming\lsass.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\lsass.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\lsass.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\lsass.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\lsass.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\lsass.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\lsass.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\"" | C:\Users\Admin\AppData\Roaming\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\"" | C:\Users\Admin\AppData\Roaming\lsass.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Roaming\lsass.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2972 set thread context of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe | C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe |
| PID 2812 set thread context of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe | C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe |
| PID 2708 set thread context of 2612 | N/A | C:\Users\Admin\AppData\Roaming\lsass.exe | C:\Users\Admin\AppData\Roaming\lsass.exe |
| PID 2612 set thread context of 2424 | N/A | C:\Users\Admin\AppData\Roaming\lsass.exe | C:\Users\Admin\AppData\Roaming\lsass.exe |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\lsass.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\lsass.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\lsass.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe"
C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe
C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe
C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe
C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program = C:\Users\Admin\AppData\Roaming\lsass.exename = Nero mode = ENABLE
C:\Users\Admin\AppData\Roaming\lsass.exe
/d C:\Users\Admin\AppData\Local\Temp\059198935af7c5e3c0ae5080d10dc630_NEAS.exe
C:\Users\Admin\AppData\Roaming\lsass.exe
C:\Users\Admin\AppData\Roaming\lsass.exe
C:\Users\Admin\AppData\Roaming\lsass.exe
C:\Users\Admin\AppData\Roaming\lsass.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | jp5.no-ip.info | udp |
Files
memory/2812-6-0x0000000000400000-0x000000000044B000-memory.dmp
memory/2812-8-0x0000000000400000-0x000000000044B000-memory.dmp
memory/2812-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2812-2-0x0000000000400000-0x000000000044B000-memory.dmp
memory/2552-15-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2552-11-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2552-13-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2812-26-0x0000000000400000-0x000000000044B000-memory.dmp
memory/2552-27-0x0000000000400000-0x0000000000440000-memory.dmp
\Users\Admin\AppData\Roaming\lsass.exe
| Hash | Value |
|---|---|
| MD5 | 6241ff61a6ed5c8affb47e20cbb382c2 |
| SHA1 | 8bcdf3be2e5079ec64b07dbb5fc8412357c94b9d |
| SHA256 | a183c39c88aec94b95510739fbbd27742b2dbe80a8a40d7692485924024241d2 |
| SHA512 | aadc3b2e85e168560219fe2c391997876eb8c13b068e8737dc2155be7c1d2b633cde8f81a0ce43c38ac169b4d8d98610fd69fe2a8c07490f25c1b98fbb5d4709 |
memory/2552-45-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2612-56-0x0000000000400000-0x000000000044B000-memory.dmp
memory/2612-77-0x0000000000400000-0x000000000044B000-memory.dmp
memory/2424-78-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2424-79-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2424-80-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2424-81-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2424-82-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2424-83-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2424-84-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2424-85-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2424-86-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2424-87-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2424-88-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2424-89-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2424-90-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2424-91-0x0000000000400000-0x0000000000440000-memory.dmp