Analysis

  • max time kernel
    152s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/05/2024, 08:41

General

  • Target

    106458aa333a28ab327b65eb36ffc6a0_NEAS.exe

  • Size

    3.8MB

  • MD5

    106458aa333a28ab327b65eb36ffc6a0

  • SHA1

    c1faa7712fb46fc6bcdb0b94cf1d3876d9fa0618

  • SHA256

    5d24ca80652b9a954e917fd6dd0413421baff5c7b8a60ab0ac084818faea67bf

  • SHA512

    be334d4fc806b036ce1d5cbca8b4c39c2b252352316698f45db0ebc2255d6f6c38a486009a13051a269f42fedd3bbb450344867fbb68bb2aafb38d63dc1f89f2

  • SSDEEP

    49152:tCQyB2zaAtGvugaRnBdUvVQqCdUmVfoIn8ulITuqk1eCuDHwb0X3nNVR:MbAzgaxcVImuak1WHQSdVR

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 5 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\106458aa333a28ab327b65eb36ffc6a0_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\106458aa333a28ab327b65eb36ffc6a0_NEAS.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1836
    • \??\c:\users\admin\appdata\local\temp\106458aa333a28ab327b65eb36ffc6a0_neas.exe 
      c:\users\admin\appdata\local\temp\106458aa333a28ab327b65eb36ffc6a0_neas.exe 
      2⤵
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • Drops file in Program Files directory
      • Checks processor information in registry
      • Enumerates system info in registry
      PID:3600
    • C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1136
      • \??\c:\windows\resources\themes\explorer.exe
        c:\windows\resources\themes\explorer.exe
        3⤵
        • Modifies visibility of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4560
        • \??\c:\windows\resources\spoolsv.exe
          c:\windows\resources\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:5000
          • \??\c:\windows\resources\svchost.exe
            c:\windows\resources\svchost.exe
            5⤵
            • Modifies visibility of hidden/system files in Explorer
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4816
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:1064
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3976 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:4384

    Network

          MITRE ATT&CK Enterprise v15


          Downloads

          • C:\Users\Admin\AppData\Local\Temp\106458aa333a28ab327b65eb36ffc6a0_neas.exe 

            Filesize

            3.7MB

            MD5

            e23164ad69da0120959905d089365fed

            SHA1

            99cbe30e0aa84e43b693ffa55d994567aaba74de

            SHA256

            40dacc4c8fbbc81128302078c95da93b7854060eec5412aeebf0ec7d51794515

            SHA512

            9b10c7a16dfb9f384241cf338fbeba25648d0e5553f5d305120ef152bb32389962fe0bb257ad25deb0c61d5a95d5ad9a9de8de021e42f40aa2bb673785b2181e

          • C:\Windows\Resources\Themes\explorer.exe

            Filesize

            135KB

            MD5

            397b931a07fba2794de6c68b3fd2601f

            SHA1

            292b5bdb154af6055c7143446810c6f1923b1d9e

            SHA256

            9cc303273c05b8d7cd0e7b4fa3355242a3360433eaed371c04155087d91572ec

            SHA512

            80c8a9de17432d04825a00404050ed5961090c46017d2359c9c260bc0540c1d9f0d9d0c6c7f83e56ecb7bb10ca1fc7665acf58c85f082440ceeba53a0783d763

          • C:\Windows\Resources\Themes\icsys.icn.exe

            Filesize

            135KB

            MD5

            4aa47bce7a2899bfbbbf3ef14d237588

            SHA1

            4cb2b4972e9d6589e49db782f11597e60ff44706

            SHA256

            f190739c52960909dba303bb9773e63686b907caf28e4eaa67af8ade0071de12

            SHA512

            aea2d3ea94698e0d88be1d72e28113d217142fdd8f13a55afa438e8b531d89d87c90c9fc4be6565736da95e69ee21ec703abd88d4d9e60e53bcde8545c8e237f

          • C:\Windows\Resources\spoolsv.exe

            Filesize

            135KB

            MD5

            e59c314e8a45aad74934ac2851a06e5b

            SHA1

            6d6ca1e63a5bf65214ff65a8592a1761018da398

            SHA256

            5335a9dae18b51b813212cf3a6c49af5dd9ecf8b9cd60be0ce896057ac929316

            SHA512

            6e7962d281cd39116a814e1d1355613d01dc056ce0b52dac84b3a5e781c4f38e4ec2dd3b809e6a5d6d200e4bd4f90f3fec846176df561b4ba7bb160a438e8cd0

          • \??\c:\windows\resources\svchost.exe

            Filesize

            135KB

            MD5

            638ba018b1afb26df8eff01faaf7abc0

            SHA1

            4325bad71d4b7105a7784b2e5cc0cd88534213b1

            SHA256

            a53836c210e6117b3c521ca62c89c51b16909918d239e60caf0bf44629dfc93b

            SHA512

            dc5493169ed950da39d186bab93c281e5f267c2c7ee47cf7501711cd9cdc7ba4fcbbc0b0bc66b630bef6d7fac30f326c7797a2029749838514e819d067eae7b6

          • memory/1064-44-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

          • memory/1136-47-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

          • memory/1836-0-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

          • memory/1836-46-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

          • memory/5000-45-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB