Overview

overview

10

Static

static

3

NEAS.81767...JC.exe

windows7-x64

10

NEAS.81767...JC.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/10/2023, 16:35

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.817671c243db6a0476d13f91e7a64af0_JC.exe

  • Size

    176KB

  • MD5

    817671c243db6a0476d13f91e7a64af0

  • SHA1

    3b1f3cf6b41c1916a1b1eeb45bf8f1c8c0a7685b

  • SHA256

    b6fc8b2b4e0cb9bc4a23a381510f655c3717ac6a1d129f4dd9bae8e3f76922d7

  • SHA512

    756c8798212cebb4c11fd1757b0fc7c125d6e896a2cf7ea558475eeea5c762e2556ef6d2083c68b5b4a01f5c9e31d65867326487ce77000f9868739780f5f5ff

  • SSDEEP

    1536:65ccbljiFsHasXSAIYGXpn2uM6whkJuJSI5pOTz7uDGTmK7AZp0XNuTzsqgopWK6:sBjCSbGXp2FhkDIKT2qS50XNYzmw+YpG

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
    evasion
  • Disables RegEdit via registry modification 12 IoCs
    evasion
  • Disables cmd.exe use via registry modification 6 IoCs
    evasion
  • Drops file in Drivers directory 2 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.817671c243db6a0476d13f91e7a64af0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.817671c243db6a0476d13f91e7a64af0_JC.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4520
    • C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      2⤵
      • Modifies registry class
      PID:4168
    • C:\Users\Admin\AppData\Local\smss.exe
      C:\Users\Admin\AppData\Local\smss.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4604
      • C:\Users\Admin\AppData\Local\winlogon.exe
        C:\Users\Admin\AppData\Local\winlogon.exe
        3⤵
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:4840
      • C:\Windows\SysWOW64\at.exe
        at /delete /y
        3⤵
          PID:4216
        • C:\Windows\SysWOW64\at.exe
          at 17:08 /every:M,T,W,Th,F,S,Su "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\bararontok.com"
          3⤵
            PID:4668
          • C:\Users\Admin\AppData\Local\services.exe
            C:\Users\Admin\AppData\Local\services.exe
            3⤵
            • Modifies visibility of file extensions in Explorer
            • Modifies visiblity of hidden/system files in Explorer
            • Disables RegEdit via registry modification
            • Disables cmd.exe use via registry modification
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Windows directory
            • Suspicious use of SetWindowsHookEx
            PID:3380
          • C:\Users\Admin\AppData\Local\lsass.exe
            C:\Users\Admin\AppData\Local\lsass.exe
            3⤵
            • Modifies visibility of file extensions in Explorer
            • Modifies visiblity of hidden/system files in Explorer
            • Disables RegEdit via registry modification
            • Disables cmd.exe use via registry modification
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Windows directory
            • Suspicious use of SetWindowsHookEx
            PID:4552
          • C:\Users\Admin\AppData\Local\inetinfo.exe
            C:\Users\Admin\AppData\Local\inetinfo.exe
            3⤵
            • Modifies visibility of file extensions in Explorer
            • Modifies visiblity of hidden/system files in Explorer
            • Disables RegEdit via registry modification
            • Disables cmd.exe use via registry modification
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Windows directory
            • Suspicious use of SetWindowsHookEx
            PID:2424

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\csrss.exe
              Filesize

              176KB

              MD5

              817671c243db6a0476d13f91e7a64af0

              SHA1

              3b1f3cf6b41c1916a1b1eeb45bf8f1c8c0a7685b

              SHA256

              b6fc8b2b4e0cb9bc4a23a381510f655c3717ac6a1d129f4dd9bae8e3f76922d7

              SHA512

              756c8798212cebb4c11fd1757b0fc7c125d6e896a2cf7ea558475eeea5c762e2556ef6d2083c68b5b4a01f5c9e31d65867326487ce77000f9868739780f5f5ff

              Download Submit

            • C:\Users\Admin\AppData\Local\csrss.exe
              Filesize

              176KB

              MD5

              817671c243db6a0476d13f91e7a64af0

              SHA1

              3b1f3cf6b41c1916a1b1eeb45bf8f1c8c0a7685b

              SHA256

              b6fc8b2b4e0cb9bc4a23a381510f655c3717ac6a1d129f4dd9bae8e3f76922d7

              SHA512

              756c8798212cebb4c11fd1757b0fc7c125d6e896a2cf7ea558475eeea5c762e2556ef6d2083c68b5b4a01f5c9e31d65867326487ce77000f9868739780f5f5ff

              Download Submit

            • C:\Users\Admin\AppData\Local\csrss.exe
              Filesize

              176KB

              MD5

              817671c243db6a0476d13f91e7a64af0

              SHA1

              3b1f3cf6b41c1916a1b1eeb45bf8f1c8c0a7685b

              SHA256

              b6fc8b2b4e0cb9bc4a23a381510f655c3717ac6a1d129f4dd9bae8e3f76922d7

              SHA512

              756c8798212cebb4c11fd1757b0fc7c125d6e896a2cf7ea558475eeea5c762e2556ef6d2083c68b5b4a01f5c9e31d65867326487ce77000f9868739780f5f5ff

              Download Submit

            • C:\Users\Admin\AppData\Local\csrss.exe
              Filesize

              176KB

              MD5

              817671c243db6a0476d13f91e7a64af0

              SHA1

              3b1f3cf6b41c1916a1b1eeb45bf8f1c8c0a7685b

              SHA256

              b6fc8b2b4e0cb9bc4a23a381510f655c3717ac6a1d129f4dd9bae8e3f76922d7

              SHA512

              756c8798212cebb4c11fd1757b0fc7c125d6e896a2cf7ea558475eeea5c762e2556ef6d2083c68b5b4a01f5c9e31d65867326487ce77000f9868739780f5f5ff

              Download Submit

            • C:\Users\Admin\AppData\Local\csrss.exe
              Filesize

              176KB

              MD5

              817671c243db6a0476d13f91e7a64af0

              SHA1

              3b1f3cf6b41c1916a1b1eeb45bf8f1c8c0a7685b

              SHA256

              b6fc8b2b4e0cb9bc4a23a381510f655c3717ac6a1d129f4dd9bae8e3f76922d7

              SHA512

              756c8798212cebb4c11fd1757b0fc7c125d6e896a2cf7ea558475eeea5c762e2556ef6d2083c68b5b4a01f5c9e31d65867326487ce77000f9868739780f5f5ff

              Download Submit

            • C:\Users\Admin\AppData\Local\inetinfo.exe
              Filesize

              176KB

              MD5

              817671c243db6a0476d13f91e7a64af0

              SHA1

              3b1f3cf6b41c1916a1b1eeb45bf8f1c8c0a7685b

              SHA256

              b6fc8b2b4e0cb9bc4a23a381510f655c3717ac6a1d129f4dd9bae8e3f76922d7

              SHA512

              756c8798212cebb4c11fd1757b0fc7c125d6e896a2cf7ea558475eeea5c762e2556ef6d2083c68b5b4a01f5c9e31d65867326487ce77000f9868739780f5f5ff

              Download Submit

            • C:\Users\Admin\AppData\Local\inetinfo.exe
              Filesize

              176KB

              MD5

              817671c243db6a0476d13f91e7a64af0

              SHA1

              3b1f3cf6b41c1916a1b1eeb45bf8f1c8c0a7685b

              SHA256

              b6fc8b2b4e0cb9bc4a23a381510f655c3717ac6a1d129f4dd9bae8e3f76922d7

              SHA512

              756c8798212cebb4c11fd1757b0fc7c125d6e896a2cf7ea558475eeea5c762e2556ef6d2083c68b5b4a01f5c9e31d65867326487ce77000f9868739780f5f5ff

              Download Submit

            • C:\Users\Admin\AppData\Local\inetinfo.exe
              Filesize

              176KB

              MD5

              817671c243db6a0476d13f91e7a64af0

              SHA1

              3b1f3cf6b41c1916a1b1eeb45bf8f1c8c0a7685b

              SHA256

              b6fc8b2b4e0cb9bc4a23a381510f655c3717ac6a1d129f4dd9bae8e3f76922d7

              SHA512

              756c8798212cebb4c11fd1757b0fc7c125d6e896a2cf7ea558475eeea5c762e2556ef6d2083c68b5b4a01f5c9e31d65867326487ce77000f9868739780f5f5ff

              Download Submit

            • C:\Users\Admin\AppData\Local\inetinfo.exe
              Filesize

              176KB

              MD5

              817671c243db6a0476d13f91e7a64af0

              SHA1

              3b1f3cf6b41c1916a1b1eeb45bf8f1c8c0a7685b

              SHA256

              b6fc8b2b4e0cb9bc4a23a381510f655c3717ac6a1d129f4dd9bae8e3f76922d7

              SHA512

              756c8798212cebb4c11fd1757b0fc7c125d6e896a2cf7ea558475eeea5c762e2556ef6d2083c68b5b4a01f5c9e31d65867326487ce77000f9868739780f5f5ff

              Download Submit

            • C:\Users\Admin\AppData\Local\inetinfo.exe
              Filesize

              176KB

              MD5

              817671c243db6a0476d13f91e7a64af0

              SHA1

              3b1f3cf6b41c1916a1b1eeb45bf8f1c8c0a7685b

              SHA256

              b6fc8b2b4e0cb9bc4a23a381510f655c3717ac6a1d129f4dd9bae8e3f76922d7

              SHA512

              756c8798212cebb4c11fd1757b0fc7c125d6e896a2cf7ea558475eeea5c762e2556ef6d2083c68b5b4a01f5c9e31d65867326487ce77000f9868739780f5f5ff

              Download Submit

            • C:\Users\Admin\AppData\Local\lsass.exe
              Filesize

              176KB

              MD5

              817671c243db6a0476d13f91e7a64af0

              SHA1

              3b1f3cf6b41c1916a1b1eeb45bf8f1c8c0a7685b

              SHA256

              b6fc8b2b4e0cb9bc4a23a381510f655c3717ac6a1d129f4dd9bae8e3f76922d7

              SHA512

              756c8798212cebb4c11fd1757b0fc7c125d6e896a2cf7ea558475eeea5c762e2556ef6d2083c68b5b4a01f5c9e31d65867326487ce77000f9868739780f5f5ff

              Download Submit

            • C:\Users\Admin\AppData\Local\lsass.exe
              Filesize

              176KB

              MD5

              817671c243db6a0476d13f91e7a64af0

              SHA1

              3b1f3cf6b41c1916a1b1eeb45bf8f1c8c0a7685b

              SHA256

              b6fc8b2b4e0cb9bc4a23a381510f655c3717ac6a1d129f4dd9bae8e3f76922d7

              SHA512

              756c8798212cebb4c11fd1757b0fc7c125d6e896a2cf7ea558475eeea5c762e2556ef6d2083c68b5b4a01f5c9e31d65867326487ce77000f9868739780f5f5ff

              Download Submit

            • C:\Users\Admin\AppData\Local\lsass.exe
              Filesize

              176KB

              MD5

              817671c243db6a0476d13f91e7a64af0

              SHA1

              3b1f3cf6b41c1916a1b1eeb45bf8f1c8c0a7685b

              SHA256

              b6fc8b2b4e0cb9bc4a23a381510f655c3717ac6a1d129f4dd9bae8e3f76922d7

              SHA512

              756c8798212cebb4c11fd1757b0fc7c125d6e896a2cf7ea558475eeea5c762e2556ef6d2083c68b5b4a01f5c9e31d65867326487ce77000f9868739780f5f5ff

              Download Submit

            • C:\Users\Admin\AppData\Local\lsass.exe
              Filesize

              176KB

              MD5

              817671c243db6a0476d13f91e7a64af0

              SHA1

              3b1f3cf6b41c1916a1b1eeb45bf8f1c8c0a7685b

              SHA256

              b6fc8b2b4e0cb9bc4a23a381510f655c3717ac6a1d129f4dd9bae8e3f76922d7

              SHA512

              756c8798212cebb4c11fd1757b0fc7c125d6e896a2cf7ea558475eeea5c762e2556ef6d2083c68b5b4a01f5c9e31d65867326487ce77000f9868739780f5f5ff

              Download Submit

            • C:\Users\Admin\AppData\Local\services.exe
              Filesize

              63KB

              MD5

              3d34aae5d1b1fba1cf66cf06961e6209

              SHA1

              f27e2e8795cdf41693446e107953158cd7b25a05

              SHA256

              be0526e6a397e6e5c708e842d312baba747c752f9021a140fa7c4775d0d0416f

              SHA512

              50ddf19465cc00fba879f802080396bdde16a01ba6770961cd47f8d0d1ae0a7bec7339783eac05fe953ed5ddc158b5f1f1e4707c248020e0678325d0a6572967

              Download Submit

            • C:\Users\Admin\AppData\Local\services.exe
              Filesize

              176KB

              MD5

              817671c243db6a0476d13f91e7a64af0

              SHA1

              3b1f3cf6b41c1916a1b1eeb45bf8f1c8c0a7685b

              SHA256

              b6fc8b2b4e0cb9bc4a23a381510f655c3717ac6a1d129f4dd9bae8e3f76922d7

              SHA512

              756c8798212cebb4c11fd1757b0fc7c125d6e896a2cf7ea558475eeea5c762e2556ef6d2083c68b5b4a01f5c9e31d65867326487ce77000f9868739780f5f5ff

              Download Submit

            • C:\Users\Admin\AppData\Local\services.exe
              Filesize

              176KB

              MD5

              817671c243db6a0476d13f91e7a64af0

              SHA1

              3b1f3cf6b41c1916a1b1eeb45bf8f1c8c0a7685b

              SHA256

              b6fc8b2b4e0cb9bc4a23a381510f655c3717ac6a1d129f4dd9bae8e3f76922d7

              SHA512

              756c8798212cebb4c11fd1757b0fc7c125d6e896a2cf7ea558475eeea5c762e2556ef6d2083c68b5b4a01f5c9e31d65867326487ce77000f9868739780f5f5ff

              Download Submit

            • C:\Users\Admin\AppData\Local\services.exe
              Filesize

              176KB

              MD5

              817671c243db6a0476d13f91e7a64af0

              SHA1

              3b1f3cf6b41c1916a1b1eeb45bf8f1c8c0a7685b

              SHA256

              b6fc8b2b4e0cb9bc4a23a381510f655c3717ac6a1d129f4dd9bae8e3f76922d7

              SHA512

              756c8798212cebb4c11fd1757b0fc7c125d6e896a2cf7ea558475eeea5c762e2556ef6d2083c68b5b4a01f5c9e31d65867326487ce77000f9868739780f5f5ff

              Download Submit

            • C:\Users\Admin\AppData\Local\smss.exe
              Filesize

              176KB

              MD5

              817671c243db6a0476d13f91e7a64af0

              SHA1

              3b1f3cf6b41c1916a1b1eeb45bf8f1c8c0a7685b

              SHA256

              b6fc8b2b4e0cb9bc4a23a381510f655c3717ac6a1d129f4dd9bae8e3f76922d7

              SHA512

              756c8798212cebb4c11fd1757b0fc7c125d6e896a2cf7ea558475eeea5c762e2556ef6d2083c68b5b4a01f5c9e31d65867326487ce77000f9868739780f5f5ff

              Download Submit

            • C:\Users\Admin\AppData\Local\smss.exe
              Filesize

              176KB

              MD5

              817671c243db6a0476d13f91e7a64af0

              SHA1

              3b1f3cf6b41c1916a1b1eeb45bf8f1c8c0a7685b

              SHA256

              b6fc8b2b4e0cb9bc4a23a381510f655c3717ac6a1d129f4dd9bae8e3f76922d7

              SHA512

              756c8798212cebb4c11fd1757b0fc7c125d6e896a2cf7ea558475eeea5c762e2556ef6d2083c68b5b4a01f5c9e31d65867326487ce77000f9868739780f5f5ff

              Download Submit

            • C:\Users\Admin\AppData\Local\smss.exe
              Filesize

              176KB

              MD5

              817671c243db6a0476d13f91e7a64af0

              SHA1

              3b1f3cf6b41c1916a1b1eeb45bf8f1c8c0a7685b

              SHA256

              b6fc8b2b4e0cb9bc4a23a381510f655c3717ac6a1d129f4dd9bae8e3f76922d7

              SHA512

              756c8798212cebb4c11fd1757b0fc7c125d6e896a2cf7ea558475eeea5c762e2556ef6d2083c68b5b4a01f5c9e31d65867326487ce77000f9868739780f5f5ff

              Download Submit

            • C:\Users\Admin\AppData\Local\winlogon.exe
              Filesize

              176KB

              MD5

              817671c243db6a0476d13f91e7a64af0

              SHA1

              3b1f3cf6b41c1916a1b1eeb45bf8f1c8c0a7685b

              SHA256

              b6fc8b2b4e0cb9bc4a23a381510f655c3717ac6a1d129f4dd9bae8e3f76922d7

              SHA512

              756c8798212cebb4c11fd1757b0fc7c125d6e896a2cf7ea558475eeea5c762e2556ef6d2083c68b5b4a01f5c9e31d65867326487ce77000f9868739780f5f5ff

              Download Submit

            • C:\Users\Admin\AppData\Local\winlogon.exe
              Filesize

              176KB

              MD5

              817671c243db6a0476d13f91e7a64af0

              SHA1

              3b1f3cf6b41c1916a1b1eeb45bf8f1c8c0a7685b

              SHA256

              b6fc8b2b4e0cb9bc4a23a381510f655c3717ac6a1d129f4dd9bae8e3f76922d7

              SHA512

              756c8798212cebb4c11fd1757b0fc7c125d6e896a2cf7ea558475eeea5c762e2556ef6d2083c68b5b4a01f5c9e31d65867326487ce77000f9868739780f5f5ff

              Download Submit

            • C:\Windows\ShellNew\ElnorB.exe
              Filesize

              176KB

              MD5

              817671c243db6a0476d13f91e7a64af0

              SHA1

              3b1f3cf6b41c1916a1b1eeb45bf8f1c8c0a7685b

              SHA256

              b6fc8b2b4e0cb9bc4a23a381510f655c3717ac6a1d129f4dd9bae8e3f76922d7

              SHA512

              756c8798212cebb4c11fd1757b0fc7c125d6e896a2cf7ea558475eeea5c762e2556ef6d2083c68b5b4a01f5c9e31d65867326487ce77000f9868739780f5f5ff

              Download Submit

            • C:\Windows\ShellNew\ElnorB.exe
              Filesize

              176KB

              MD5

              817671c243db6a0476d13f91e7a64af0

              SHA1

              3b1f3cf6b41c1916a1b1eeb45bf8f1c8c0a7685b

              SHA256

              b6fc8b2b4e0cb9bc4a23a381510f655c3717ac6a1d129f4dd9bae8e3f76922d7

              SHA512

              756c8798212cebb4c11fd1757b0fc7c125d6e896a2cf7ea558475eeea5c762e2556ef6d2083c68b5b4a01f5c9e31d65867326487ce77000f9868739780f5f5ff

              Download Submit

            • C:\Windows\ShellNew\ElnorB.exe
              Filesize

              176KB

              MD5

              817671c243db6a0476d13f91e7a64af0

              SHA1

              3b1f3cf6b41c1916a1b1eeb45bf8f1c8c0a7685b

              SHA256

              b6fc8b2b4e0cb9bc4a23a381510f655c3717ac6a1d129f4dd9bae8e3f76922d7

              SHA512

              756c8798212cebb4c11fd1757b0fc7c125d6e896a2cf7ea558475eeea5c762e2556ef6d2083c68b5b4a01f5c9e31d65867326487ce77000f9868739780f5f5ff

              Download Submit

            • memory/2424-123-0x0000000000400000-0x000000000042D000-memory.dmp

              Filesize

              180KB

              Download

            • memory/3380-125-0x0000000000400000-0x000000000042D000-memory.dmp

              Filesize

              180KB

              Download

            • memory/4520-0-0x0000000000400000-0x000000000042D000-memory.dmp

              Filesize

              180KB

              Download

            • memory/4520-114-0x0000000000400000-0x000000000042D000-memory.dmp

              Filesize

              180KB

              Download

            • memory/4552-88-0x0000000000400000-0x000000000042D000-memory.dmp

              Filesize

              180KB

              Download

            • memory/4552-126-0x0000000000400000-0x000000000042D000-memory.dmp

              Filesize

              180KB

              Download

            • memory/4604-113-0x0000000000400000-0x000000000042D000-memory.dmp

              Filesize

              180KB

              Download

            • memory/4840-124-0x0000000000400000-0x000000000042D000-memory.dmp

              Filesize

              180KB

              Download