Analysis
max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 07/05/2024, 08:41
Static task: static1
Behavioral task: behavioral1
  Sample: 106458aa333a28ab327b65eb36ffc6a0_NEAS.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 106458aa333a28ab327b65eb36ffc6a0_NEAS.exe
  Resource: win10v2004-20240226-en
General
Target: 106458aa333a28ab327b65eb36ffc6a0_NEAS.exe
Size: 3.8MB
MD5: 106458aa333a28ab327b65eb36ffc6a0
SHA1: c1faa7712fb46fc6bcdb0b94cf1d3876d9fa0618
SHA256: 5d24ca80652b9a954e917fd6dd0413421baff5c7b8a60ab0ac084818faea67bf
SHA512: be334d4fc806b036ce1d5cbca8b4c39c2b252352316698f45db0ebc2255d6f6c38a486009a13051a269f42fedd3bbb450344867fbb68bb2aafb38d63dc1f89f2
SSDEEP: 49152:tCQyB2zaAtGvugaRnBdUvVQqCdUmVfoIn8ulITuqk1eCuDHwb0X3nNVR:MbAzgaxcVImuak1WHQSdVR
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 106458aa333a28ab327b65eb36ffc6a0_neas.exe
Executes dropped EXE (7 IoCs)
pid | Process
2044 | 106458aa333a28ab327b65eb36ffc6a0_neas.exe
3000 | icsys.icn.exe
2612 | explorer.exe
2492 | spoolsv.exe
1208 | Process not Found
2092 | svchost.exe
2776 | spoolsv.exe
Loads dropped DLL (6 IoCs)
pid | Process
1964 | 106458aa333a28ab327b65eb36ffc6a0_NEAS.exe
1964 | 106458aa333a28ab327b65eb36ffc6a0_NEAS.exe
3000 | icsys.icn.exe
2612 | explorer.exe
2492 | spoolsv.exe
2092 | svchost.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PHYSICALDRIVE0 | 106458aa333a28ab327b65eb36ffc6a0_neas.exe
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe
Drops file in Program Files directory (2 IoCs)
description | ioc | Process
File created | C:\Program Files\checkwritepermissions.exe | 106458aa333a28ab327b65eb36ffc6a0_neas.exe
File created | C:\Program Files (x86)\checkwritepermissions.exe | 106458aa333a28ab327b65eb36ffc6a0_neas.exe
Drops file in Windows directory (5 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Resources\Themes\icsys.icn.exe | 106458aa333a28ab327b65eb36ffc6a0_NEAS.exe
File opened for modification | \??\c:\windows\resources\themes\explorer.exe | icsys.icn.exe
File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 106458aa333a28ab327b65eb36ffc6a0_neas.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 106458aa333a28ab327b65eb36ffc6a0_neas.exe
Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2944 | schtasks.exe
784 | schtasks.exe
1540 | schtasks.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | 106458aa333a28ab327b65eb36ffc6a0_neas.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | 106458aa333a28ab327b65eb36ffc6a0_neas.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | 106458aa333a28ab327b65eb36ffc6a0_neas.exe
Modifies system certificate store (4 IoCs)
description | ioc | Process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 | 106458aa333a28ab327b65eb36ffc6a0_neas.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 | 106458aa333a28ab327b65eb36ffc6a0_neas.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 | 106458aa333a28ab327b65eb36ffc6a0_neas.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | 106458aa333a28ab327b65eb36ffc6a0_neas.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | count
1964 | 106458aa333a28ab327b65eb36ffc6a0_NEAS.exe | 16
3000 | icsys.icn.exe | 17
2612 | explorer.exe | 16
2092 | svchost.exe | 15
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
2612 | explorer.exe
2092 | svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process | count
1964 | 106458aa333a28ab327b65eb36ffc6a0_NEAS.exe | 2
3000 | icsys.icn.exe | 2
2612 | explorer.exe | 2
2492 | spoolsv.exe | 2
2092 | svchost.exe | 2
2776 | spoolsv.exe | 2
Suspicious use of WriteProcessMemory (40 IoCs)
description | pid | Process | procid_target | count
PID 1964 wrote to memory of 2044 | 1964 | 106458aa333a28ab327b65eb36ffc6a0_NEAS.exe | 28 | 4
PID 1964 wrote to memory of 3000 | 1964 | 106458aa333a28ab327b65eb36ffc6a0_NEAS.exe | 29 | 4
PID 3000 wrote to memory of 2612 | 3000 | icsys.icn.exe | 30 | 4
PID 2612 wrote to memory of 2492 | 2612 | explorer.exe | 31 | 4
PID 2492 wrote to memory of 2092 | 2492 | spoolsv.exe | 32 | 4
PID 2092 wrote to memory of 2776 | 2092 | svchost.exe | 33 | 4
PID 2612 wrote to memory of 2940 | 2612 | explorer.exe | 34 | 4
PID 2092 wrote to memory of 2944 | 2092 | svchost.exe | 35 | 4
PID 2092 wrote to memory of 784 | 2092 | svchost.exe | 40 | 4
PID 2092 wrote to memory of 1540 | 2092 | svchost.exe | 42 | 4
Processes

C:\Users\Admin\AppData\Local\Temp\106458aa333a28ab327b65eb36ffc6a0_NEAS.exe (PID 1964, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\106458aa333a28ab327b65eb36ffc6a0_NEAS.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  \??\c:\users\admin\appdata\local\temp\106458aa333a28ab327b65eb36ffc6a0_neas.exe (PID 2044, depth 2)
    command line: c:\users\admin\appdata\local\temp\106458aa333a28ab327b65eb36ffc6a0_neas.exe
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies system certificate store

  C:\Windows\Resources\Themes\icsys.icn.exe (PID 3000, depth 2)
    command line: C:\Windows\Resources\Themes\icsys.icn.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    \??\c:\windows\resources\themes\explorer.exe (PID 2612, depth 3)
      command line: c:\windows\resources\themes\explorer.exe
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      \??\c:\windows\resources\spoolsv.exe (PID 2492, depth 4)
        command line: c:\windows\resources\spoolsv.exe SE
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        \??\c:\windows\resources\svchost.exe (PID 2092, depth 5)
          command line: c:\windows\resources\svchost.exe
          - Modifies visibility of hidden/system files in Explorer
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

          \??\c:\windows\resources\spoolsv.exe (PID 2776, depth 6)
            command line: c:\windows\resources\spoolsv.exe PR
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx

          C:\Windows\SysWOW64\schtasks.exe (PID 2944, depth 6)
            command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 08:43 /f
            - Creates scheduled task(s)

          C:\Windows\SysWOW64\schtasks.exe (PID 784, depth 6)
            command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 08:44 /f
            - Creates scheduled task(s)

          C:\Windows\SysWOW64\schtasks.exe (PID 1540, depth 6)
            command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 08:45 /f
            - Creates scheduled task(s)

      C:\Windows\Explorer.exe (PID 2940, depth 4)
        command line: C:\Windows\Explorer.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Pre-OS Boot (1)
  - Bootkit (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Downloads

Filesize: 65KB
MD5: ac05d27423a85adc1622c714f2cb6184
SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Filesize: 171KB
MD5: 9c0c641c06238516f27941aa1166d427
SHA1: 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256: 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512: 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Filesize: 135KB
MD5: 913394cd26de1cdc2a5b8a4a9e648b5e
SHA1: 8b667e28182b8415ecf7efa7bdda241e9956dfc3
SHA256: c2b9f7252893da29566a03339acd5c563f729fe845c67fa09b1844a987776d23
SHA512: 4f1aa420af1bfd112d6ee2c81431d2fb13195c1bfe7b3b0e71171a1458d4f56d954b308e68097485dd92584999aa72ea8efab3c04f17fa321030c4f2d67aa756

Filesize: 3.7MB
MD5: e23164ad69da0120959905d089365fed
SHA1: 99cbe30e0aa84e43b693ffa55d994567aaba74de
SHA256: 40dacc4c8fbbc81128302078c95da93b7854060eec5412aeebf0ec7d51794515
SHA512: 9b10c7a16dfb9f384241cf338fbeba25648d0e5553f5d305120ef152bb32389962fe0bb257ad25deb0c61d5a95d5ad9a9de8de021e42f40aa2bb673785b2181e

Filesize: 135KB
MD5: 4aa47bce7a2899bfbbbf3ef14d237588
SHA1: 4cb2b4972e9d6589e49db782f11597e60ff44706
SHA256: f190739c52960909dba303bb9773e63686b907caf28e4eaa67af8ade0071de12
SHA512: aea2d3ea94698e0d88be1d72e28113d217142fdd8f13a55afa438e8b531d89d87c90c9fc4be6565736da95e69ee21ec703abd88d4d9e60e53bcde8545c8e237f

Filesize: 135KB
MD5: 8d6c9b9b6ed44b4805c25c8c22e695f2
SHA1: 66e82826a76e35484fd83cdfd76435e6cd11d5ba
SHA256: bf2399483f80802bad82e836d3797f338e120eaea78c967d2b8ee45795918969
SHA512: 660f6cfdec06ea763d777cdaa3721e7b3c30d248f3333eb2f8fa78495820368683d5ca4ec65088431e3bc5f242578cb9250490aa836ebae2ae587c30216d7241

Filesize: 135KB
MD5: 4e36d81cded267aa991ed67e514ebad0
SHA1: 920890d61783f9fc27bc047b97b2925e511ef80b
SHA256: 013740ce9721cbc646373b104c4025d4d4bd235ba7b782181d287ff69c65008b
SHA512: d54b8503893292b86f4f95ac0d188e672017dced6a204154305a9b7ce2a96c1e41419da11fe70776c23a8529428023ea9ae5a4953f7f8a9dbf8f051c3ed05f77