Analysis
max time kernel: 152s
max time network: 122s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/05/2024, 08:41

Static task: static1
Behavioral task: behavioral1
Sample: 106458aa333a28ab327b65eb36ffc6a0_NEAS.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 106458aa333a28ab327b65eb36ffc6a0_NEAS.exe
Resource: win10v2004-20240226-en

General
Target: 106458aa333a28ab327b65eb36ffc6a0_NEAS.exe
Size: 3.8MB
MD5: 106458aa333a28ab327b65eb36ffc6a0
SHA1: c1faa7712fb46fc6bcdb0b94cf1d3876d9fa0618
SHA256: 5d24ca80652b9a954e917fd6dd0413421baff5c7b8a60ab0ac084818faea67bf
SHA512: be334d4fc806b036ce1d5cbca8b4c39c2b252352316698f45db0ebc2255d6f6c38a486009a13051a269f42fedd3bbb450344867fbb68bb2aafb38d63dc1f89f2
SSDEEP: 49152:tCQyB2zaAtGvugaRnBdUvVQqCdUmVfoIn8ulITuqk1eCuDHwb0X3nNVR:MbAzgaxcVImuak1WHQSdVR
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 106458aa333a28ab327b65eb36ffc6a0_neas.exe
Executes dropped EXE (6 IoCs)
pid | Process
3600 | 106458aa333a28ab327b65eb36ffc6a0_neas.exe
1136 | icsys.icn.exe
4560 | explorer.exe
5000 | spoolsv.exe
4816 | svchost.exe
1064 | spoolsv.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PHYSICALDRIVE0 | 106458aa333a28ab327b65eb36ffc6a0_neas.exe
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe
Drops file in Program Files directory (2 IoCs)
description | ioc | Process
File created | C:\Program Files\checkwritepermissions.exe | 106458aa333a28ab327b65eb36ffc6a0_neas.exe
File created | C:\Program Files (x86)\checkwritepermissions.exe | 106458aa333a28ab327b65eb36ffc6a0_neas.exe
Drops file in Windows directory (5 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe
File opened for modification | C:\Windows\Resources\Themes\icsys.icn.exe | 106458aa333a28ab327b65eb36ffc6a0_NEAS.exe
File opened for modification | \??\c:\windows\resources\themes\explorer.exe | icsys.icn.exe
File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 106458aa333a28ab327b65eb36ffc6a0_neas.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 106458aa333a28ab327b65eb36ffc6a0_neas.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | 106458aa333a28ab327b65eb36ffc6a0_neas.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | 106458aa333a28ab327b65eb36ffc6a0_neas.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | 106458aa333a28ab327b65eb36ffc6a0_neas.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1836 | 106458aa333a28ab327b65eb36ffc6a0_NEAS.exe (32 identical entries)
1136 | icsys.icn.exe (32 identical entries)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
4560 | explorer.exe
4816 | svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process
1836 | 106458aa333a28ab327b65eb36ffc6a0_NEAS.exe
1836 | 106458aa333a28ab327b65eb36ffc6a0_NEAS.exe
1136 | icsys.icn.exe
1136 | icsys.icn.exe
4560 | explorer.exe
4560 | explorer.exe
5000 | spoolsv.exe
5000 | spoolsv.exe
4816 | svchost.exe
4816 | svchost.exe
1064 | spoolsv.exe
1064 | spoolsv.exe
Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 1836 wrote to memory of 3600 | 1836 | 106458aa333a28ab327b65eb36ffc6a0_NEAS.exe | 90
PID 1836 wrote to memory of 3600 | 1836 | 106458aa333a28ab327b65eb36ffc6a0_NEAS.exe | 90
PID 1836 wrote to memory of 1136 | 1836 | 106458aa333a28ab327b65eb36ffc6a0_NEAS.exe | 91
PID 1836 wrote to memory of 1136 | 1836 | 106458aa333a28ab327b65eb36ffc6a0_NEAS.exe | 91
PID 1836 wrote to memory of 1136 | 1836 | 106458aa333a28ab327b65eb36ffc6a0_NEAS.exe | 91
PID 1136 wrote to memory of 4560 | 1136 | icsys.icn.exe | 92
PID 1136 wrote to memory of 4560 | 1136 | icsys.icn.exe | 92
PID 1136 wrote to memory of 4560 | 1136 | icsys.icn.exe | 92
PID 4560 wrote to memory of 5000 | 4560 | explorer.exe | 93
PID 4560 wrote to memory of 5000 | 4560 | explorer.exe | 93
PID 4560 wrote to memory of 5000 | 4560 | explorer.exe | 93
PID 5000 wrote to memory of 4816 | 5000 | spoolsv.exe | 94
PID 5000 wrote to memory of 4816 | 5000 | spoolsv.exe | 94
PID 5000 wrote to memory of 4816 | 5000 | spoolsv.exe | 94
PID 4816 wrote to memory of 1064 | 4816 | svchost.exe | 95
PID 4816 wrote to memory of 1064 | 4816 | svchost.exe | 95
PID 4816 wrote to memory of 1064 | 4816 | svchost.exe | 95
Processes
(indentation shows the process tree depth; each entry lists path, command line, PID and matched signatures)

C:\Users\Admin\AppData\Local\Temp\106458aa333a28ab327b65eb36ffc6a0_NEAS.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\106458aa333a28ab327b65eb36ffc6a0_NEAS.exe"
  PID: 1836
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  \??\c:\users\admin\appdata\local\temp\106458aa333a28ab327b65eb36ffc6a0_neas.exe
    Command line: c:\users\admin\appdata\local\temp\106458aa333a28ab327b65eb36ffc6a0_neas.exe
    PID: 3600
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Enumerates system info in registry

  C:\Windows\Resources\Themes\icsys.icn.exe
    Command line: C:\Windows\Resources\Themes\icsys.icn.exe
    PID: 1136
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    \??\c:\windows\resources\themes\explorer.exe
      Command line: c:\windows\resources\themes\explorer.exe
      PID: 4560
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      \??\c:\windows\resources\spoolsv.exe
        Command line: c:\windows\resources\spoolsv.exe SE
        PID: 5000
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        \??\c:\windows\resources\svchost.exe
          Command line: c:\windows\resources\svchost.exe
          PID: 4816
          - Modifies visibility of hidden/system files in Explorer
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in System32 directory
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

          \??\c:\windows\resources\spoolsv.exe
            Command line: c:\windows\resources\spoolsv.exe PR
            PID: 1064
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3976 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
  PID: 4384
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Pre-OS Boot (1)
  - Bootkit (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Downloads