Analysis Overview
SHA256
5d24ca80652b9a954e917fd6dd0413421baff5c7b8a60ab0ac084818faea67bf
Threat Level: Known bad
The file 106458aa333a28ab327b65eb36ffc6a0_NEAS was found to be: Known bad.
Malicious Activity Summary
Modifies visiblity of hidden/system files in Explorer
Checks BIOS information in registry
Executes dropped EXE
Loads dropped DLL
Writes to the Master Boot Record (MBR)
Adds Run key to start application
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Creates scheduled task(s)
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-07 08:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-07 08:41
Reported
2024-05-07 08:44
Platform
win7-20240221-en
Max time kernel
150s
Max time network
121s
Command Line
Signatures
Modifies visiblity of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\svchost.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | \??\c:\users\admin\appdata\local\temp\106458aa333a28ab327b65eb36ffc6a0_neas.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\106458aa333a28ab327b65eb36ffc6a0_neas.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\106458aa333a28ab327b65eb36ffc6a0_NEAS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\106458aa333a28ab327b65eb36ffc6a0_NEAS.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\svchost.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | \??\c:\users\admin\appdata\local\temp\106458aa333a28ab327b65eb36ffc6a0_neas.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\svchost.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\checkwritepermissions.exe | \??\c:\users\admin\appdata\local\temp\106458aa333a28ab327b65eb36ffc6a0_neas.exe | N/A |
| File created | C:\Program Files (x86)\checkwritepermissions.exe | \??\c:\users\admin\appdata\local\temp\106458aa333a28ab327b65eb36ffc6a0_neas.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Resources\Themes\icsys.icn.exe | C:\Users\Admin\AppData\Local\Temp\106458aa333a28ab327b65eb36ffc6a0_NEAS.exe | N/A |
| File opened for modification | \??\c:\windows\resources\themes\explorer.exe | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| File opened for modification | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Resources\tjud.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\users\admin\appdata\local\temp\106458aa333a28ab327b65eb36ffc6a0_neas.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\users\admin\appdata\local\temp\106458aa333a28ab327b65eb36ffc6a0_neas.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | \??\c:\users\admin\appdata\local\temp\106458aa333a28ab327b65eb36ffc6a0_neas.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | \??\c:\users\admin\appdata\local\temp\106458aa333a28ab327b65eb36ffc6a0_neas.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | \??\c:\users\admin\appdata\local\temp\106458aa333a28ab327b65eb36ffc6a0_neas.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 | \??\c:\users\admin\appdata\local\temp\106458aa333a28ab327b65eb36ffc6a0_neas.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 | \??\c:\users\admin\appdata\local\temp\106458aa333a28ab327b65eb36ffc6a0_neas.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 | \??\c:\users\admin\appdata\local\temp\106458aa333a28ab327b65eb36ffc6a0_neas.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | \??\c:\users\admin\appdata\local\temp\106458aa333a28ab327b65eb36ffc6a0_neas.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\106458aa333a28ab327b65eb36ffc6a0_NEAS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\106458aa333a28ab327b65eb36ffc6a0_NEAS.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\106458aa333a28ab327b65eb36ffc6a0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\106458aa333a28ab327b65eb36ffc6a0_NEAS.exe"
\??\c:\users\admin\appdata\local\temp\106458aa333a28ab327b65eb36ffc6a0_neas.exe
c:\users\admin\appdata\local\temp\106458aa333a28ab327b65eb36ffc6a0_neas.exe
C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 08:43 /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 08:44 /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 08:45 /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | download.mql5.com | udp |
| US | 8.8.8.8:53 | content.finteza.com | udp |
| NL | 78.140.180.43:443 | download.mql5.com | tcp |
| NL | 78.140.180.86:443 | content.finteza.com | tcp |
| NL | 78.140.180.43:443 | download.mql5.com | tcp |
| SG | 117.20.41.198:443 | tcp | |
| RU | 88.212.232.132:443 | tcp | |
| ZA | 156.38.206.18:443 | tcp | |
| BR | 177.154.156.125:443 | tcp | |
| IR | 185.252.31.15:443 | tcp | |
| AU | 66.203.112.227:443 | tcp | |
| AE | 47.91.106.176:443 | tcp | |
| IN | 148.113.1.241:443 | tcp | |
| US | 142.215.208.235:443 | tcp | |
| NG | 104.166.145.86:443 | tcp | |
| JP | 199.254.199.227:443 | tcp | |
| HK | 27.111.161.152:443 | tcp | |
| HK | 8.217.147.178:443 | tcp | |
| DE | 195.201.80.82:443 | download.mql5.com | tcp |
Files
memory/1964-0-0x0000000000400000-0x000000000041F000-memory.dmp
\Users\Admin\AppData\Local\Temp\106458aa333a28ab327b65eb36ffc6a0_neas.exe
| MD5 | e23164ad69da0120959905d089365fed |
| SHA1 | 99cbe30e0aa84e43b693ffa55d994567aaba74de |
| SHA256 | 40dacc4c8fbbc81128302078c95da93b7854060eec5412aeebf0ec7d51794515 |
| SHA512 | 9b10c7a16dfb9f384241cf338fbeba25648d0e5553f5d305120ef152bb32389962fe0bb257ad25deb0c61d5a95d5ad9a9de8de021e42f40aa2bb673785b2181e |
\Windows\Resources\Themes\icsys.icn.exe
| MD5 | 4aa47bce7a2899bfbbbf3ef14d237588 |
| SHA1 | 4cb2b4972e9d6589e49db782f11597e60ff44706 |
| SHA256 | f190739c52960909dba303bb9773e63686b907caf28e4eaa67af8ade0071de12 |
| SHA512 | aea2d3ea94698e0d88be1d72e28113d217142fdd8f13a55afa438e8b531d89d87c90c9fc4be6565736da95e69ee21ec703abd88d4d9e60e53bcde8545c8e237f |
memory/1964-14-0x0000000000290000-0x00000000002AF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab204F.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\Tar20A0.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Windows\Resources\Themes\explorer.exe
| MD5 | 913394cd26de1cdc2a5b8a4a9e648b5e |
| SHA1 | 8b667e28182b8415ecf7efa7bdda241e9956dfc3 |
| SHA256 | c2b9f7252893da29566a03339acd5c563f729fe845c67fa09b1844a987776d23 |
| SHA512 | 4f1aa420af1bfd112d6ee2c81431d2fb13195c1bfe7b3b0e71171a1458d4f56d954b308e68097485dd92584999aa72ea8efab3c04f17fa321030c4f2d67aa756 |
\Windows\Resources\spoolsv.exe
| MD5 | 8d6c9b9b6ed44b4805c25c8c22e695f2 |
| SHA1 | 66e82826a76e35484fd83cdfd76435e6cd11d5ba |
| SHA256 | bf2399483f80802bad82e836d3797f338e120eaea78c967d2b8ee45795918969 |
| SHA512 | 660f6cfdec06ea763d777cdaa3721e7b3c30d248f3333eb2f8fa78495820368683d5ca4ec65088431e3bc5f242578cb9250490aa836ebae2ae587c30216d7241 |
memory/2612-58-0x0000000000570000-0x000000000058F000-memory.dmp
\Windows\Resources\svchost.exe
| MD5 | 4e36d81cded267aa991ed67e514ebad0 |
| SHA1 | 920890d61783f9fc27bc047b97b2925e511ef80b |
| SHA256 | 013740ce9721cbc646373b104c4025d4d4bd235ba7b782181d287ff69c65008b |
| SHA512 | d54b8503893292b86f4f95ac0d188e672017dced6a204154305a9b7ce2a96c1e41419da11fe70776c23a8529428023ea9ae5a4953f7f8a9dbf8f051c3ed05f77 |
memory/2492-67-0x0000000000320000-0x000000000033F000-memory.dmp
memory/2092-72-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2092-77-0x0000000000370000-0x000000000038F000-memory.dmp
memory/2776-81-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2492-82-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3000-84-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1964-83-0x0000000000400000-0x000000000041F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-07 08:41
Reported
2024-05-07 08:44
Platform
win10v2004-20240226-en
Max time kernel
152s
Max time network
122s
Command Line
Signatures
Modifies visiblity of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\svchost.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | \??\c:\users\admin\appdata\local\temp\106458aa333a28ab327b65eb36ffc6a0_neas.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\106458aa333a28ab327b65eb36ffc6a0_neas.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\svchost.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | \??\c:\users\admin\appdata\local\temp\106458aa333a28ab327b65eb36ffc6a0_neas.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\svchost.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\checkwritepermissions.exe | \??\c:\users\admin\appdata\local\temp\106458aa333a28ab327b65eb36ffc6a0_neas.exe | N/A |
| File created | C:\Program Files (x86)\checkwritepermissions.exe | \??\c:\users\admin\appdata\local\temp\106458aa333a28ab327b65eb36ffc6a0_neas.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Resources\tjud.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | C:\Windows\Resources\Themes\icsys.icn.exe | C:\Users\Admin\AppData\Local\Temp\106458aa333a28ab327b65eb36ffc6a0_NEAS.exe | N/A |
| File opened for modification | \??\c:\windows\resources\themes\explorer.exe | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| File opened for modification | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\users\admin\appdata\local\temp\106458aa333a28ab327b65eb36ffc6a0_neas.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\users\admin\appdata\local\temp\106458aa333a28ab327b65eb36ffc6a0_neas.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | \??\c:\users\admin\appdata\local\temp\106458aa333a28ab327b65eb36ffc6a0_neas.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | \??\c:\users\admin\appdata\local\temp\106458aa333a28ab327b65eb36ffc6a0_neas.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | \??\c:\users\admin\appdata\local\temp\106458aa333a28ab327b65eb36ffc6a0_neas.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\106458aa333a28ab327b65eb36ffc6a0_NEAS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\106458aa333a28ab327b65eb36ffc6a0_NEAS.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\106458aa333a28ab327b65eb36ffc6a0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\106458aa333a28ab327b65eb36ffc6a0_NEAS.exe"
\??\c:\users\admin\appdata\local\temp\106458aa333a28ab327b65eb36ffc6a0_neas.exe
c:\users\admin\appdata\local\temp\106458aa333a28ab327b65eb36ffc6a0_neas.exe
C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3976 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| GB | 216.58.201.106:443 | tcp | |
| US | 8.8.8.8:53 | download.mql5.com | udp |
| US | 8.8.8.8:53 | content.finteza.com | udp |
| DE | 195.201.80.82:443 | download.mql5.com | tcp |
| NL | 78.140.180.86:443 | content.finteza.com | tcp |
| SG | 117.20.41.198:443 | tcp | |
| NL | 78.140.180.43:443 | download.mql5.com | tcp |
| IN | 148.113.1.241:443 | tcp | |
| RU | 88.212.232.132:443 | tcp | |
| NG | 104.166.145.86:443 | tcp | |
| ZA | 156.38.206.18:443 | tcp | |
| US | 142.215.208.235:443 | tcp | |
| BR | 177.154.156.125:443 | tcp | |
| JP | 199.254.199.227:443 | tcp | |
| IR | 185.252.31.15:443 | tcp | |
| HK | 27.111.161.152:443 | tcp | |
| AU | 66.203.112.227:443 | tcp | |
| DE | 195.201.80.82:443 | download.mql5.com | tcp |
| AE | 47.91.106.176:443 | tcp | |
| HK | 8.217.147.178:443 | tcp | |
| US | 8.8.8.8:53 | 86.180.140.78.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.80.201.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.180.140.78.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 132.232.212.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.208.215.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.31.252.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.106.91.47.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.1.113.148.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.145.166.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.206.38.156.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 125.156.154.177.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.199.254.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.147.217.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.41.20.117.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.161.111.27.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.112.203.66.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
memory/1836-0-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\106458aa333a28ab327b65eb36ffc6a0_neas.exe
| MD5 | e23164ad69da0120959905d089365fed |
| SHA1 | 99cbe30e0aa84e43b693ffa55d994567aaba74de |
| SHA256 | 40dacc4c8fbbc81128302078c95da93b7854060eec5412aeebf0ec7d51794515 |
| SHA512 | 9b10c7a16dfb9f384241cf338fbeba25648d0e5553f5d305120ef152bb32389962fe0bb257ad25deb0c61d5a95d5ad9a9de8de021e42f40aa2bb673785b2181e |
C:\Windows\Resources\Themes\icsys.icn.exe
| MD5 | 4aa47bce7a2899bfbbbf3ef14d237588 |
| SHA1 | 4cb2b4972e9d6589e49db782f11597e60ff44706 |
| SHA256 | f190739c52960909dba303bb9773e63686b907caf28e4eaa67af8ade0071de12 |
| SHA512 | aea2d3ea94698e0d88be1d72e28113d217142fdd8f13a55afa438e8b531d89d87c90c9fc4be6565736da95e69ee21ec703abd88d4d9e60e53bcde8545c8e237f |
C:\Windows\Resources\Themes\explorer.exe
| MD5 | 397b931a07fba2794de6c68b3fd2601f |
| SHA1 | 292b5bdb154af6055c7143446810c6f1923b1d9e |
| SHA256 | 9cc303273c05b8d7cd0e7b4fa3355242a3360433eaed371c04155087d91572ec |
| SHA512 | 80c8a9de17432d04825a00404050ed5961090c46017d2359c9c260bc0540c1d9f0d9d0c6c7f83e56ecb7bb10ca1fc7665acf58c85f082440ceeba53a0783d763 |
C:\Windows\Resources\spoolsv.exe
| MD5 | e59c314e8a45aad74934ac2851a06e5b |
| SHA1 | 6d6ca1e63a5bf65214ff65a8592a1761018da398 |
| SHA256 | 5335a9dae18b51b813212cf3a6c49af5dd9ecf8b9cd60be0ce896057ac929316 |
| SHA512 | 6e7962d281cd39116a814e1d1355613d01dc056ce0b52dac84b3a5e781c4f38e4ec2dd3b809e6a5d6d200e4bd4f90f3fec846176df561b4ba7bb160a438e8cd0 |
\??\c:\windows\resources\svchost.exe
| MD5 | 638ba018b1afb26df8eff01faaf7abc0 |
| SHA1 | 4325bad71d4b7105a7784b2e5cc0cd88534213b1 |
| SHA256 | a53836c210e6117b3c521ca62c89c51b16909918d239e60caf0bf44629dfc93b |
| SHA512 | dc5493169ed950da39d186bab93c281e5f267c2c7ee47cf7501711cd9cdc7ba4fcbbc0b0bc66b630bef6d7fac30f326c7797a2029749838514e819d067eae7b6 |
memory/1136-47-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1836-46-0x0000000000400000-0x000000000041F000-memory.dmp
memory/5000-45-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1064-44-0x0000000000400000-0x000000000041F000-memory.dmp