cd79608321a1becdcc82fe211bde93beaa23a30a25caf2891735321c4cd00842

Analysis

max time kernel
153s
max time network
130s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
10-10-2023 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.0725711c51b2cc803034687d063fe940_JC.exe
Size

135KB
MD5

0725711c51b2cc803034687d063fe940
SHA1

bfa7b5c017dba6ad1bd3bf5e2e1b398d944a2194
SHA256

cd79608321a1becdcc82fe211bde93beaa23a30a25caf2891735321c4cd00842
SHA512

f92ed477df6ced9fd3705fb71bfa2a49e382bbebd9025207a4bde416f8c2eacc720f144cf472c4857a388c215835a842695f024c64badd5082b149f37f77a4d9
SSDEEP

1536:XfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbg5hs3wwwwwwwwwwa:XVqoCl/YgjxEufVU0TbTyDDalTG

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2616	explorer.exe
2760	spoolsv.exe
2628	svchost.exe
2640	spoolsv.exe

Loads dropped DLL 4 IoCs

pid	Process
2304	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
2616	explorer.exe
2760	spoolsv.exe
2628	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	NEAS.0725711c51b2cc803034687d063fe940_JC.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2520	schtasks.exe
2560	schtasks.exe
2176	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2304	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
2304	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
2304	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
2304	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
2304	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
2304	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
2304	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
2304	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
2304	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
2304	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
2304	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
2304	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
2304	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
2304	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
2304	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
2304	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
2304	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2628	svchost.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2628	svchost.exe
2628	svchost.exe
2616	explorer.exe
2628	svchost.exe
2616	explorer.exe
2628	svchost.exe
2616	explorer.exe
2628	svchost.exe
2616	explorer.exe
2628	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2616	explorer.exe
2628	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2304	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
2304	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
2616	explorer.exe
2616	explorer.exe
2760	spoolsv.exe
2760	spoolsv.exe
2628	svchost.exe
2628	svchost.exe
2640	spoolsv.exe
2640	spoolsv.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2616	2304	NEAS.0725711c51b2cc803034687d063fe940_JC.exe	28
PID 2304 wrote to memory of 2616	2304	NEAS.0725711c51b2cc803034687d063fe940_JC.exe	28
PID 2304 wrote to memory of 2616	2304	NEAS.0725711c51b2cc803034687d063fe940_JC.exe	28
PID 2304 wrote to memory of 2616	2304	NEAS.0725711c51b2cc803034687d063fe940_JC.exe	28
PID 2616 wrote to memory of 2760	2616	explorer.exe	29
PID 2616 wrote to memory of 2760	2616	explorer.exe	29
PID 2616 wrote to memory of 2760	2616	explorer.exe	29
PID 2616 wrote to memory of 2760	2616	explorer.exe	29
PID 2760 wrote to memory of 2628	2760	spoolsv.exe	30
PID 2760 wrote to memory of 2628	2760	spoolsv.exe	30
PID 2760 wrote to memory of 2628	2760	spoolsv.exe	30
PID 2760 wrote to memory of 2628	2760	spoolsv.exe	30
PID 2628 wrote to memory of 2640	2628	svchost.exe	31
PID 2628 wrote to memory of 2640	2628	svchost.exe	31
PID 2628 wrote to memory of 2640	2628	svchost.exe	31
PID 2628 wrote to memory of 2640	2628	svchost.exe	31
PID 2616 wrote to memory of 2544	2616	explorer.exe	32
PID 2616 wrote to memory of 2544	2616	explorer.exe	32
PID 2616 wrote to memory of 2544	2616	explorer.exe	32
PID 2616 wrote to memory of 2544	2616	explorer.exe	32
PID 2628 wrote to memory of 2520	2628	svchost.exe	33
PID 2628 wrote to memory of 2520	2628	svchost.exe	33
PID 2628 wrote to memory of 2520	2628	svchost.exe	33
PID 2628 wrote to memory of 2520	2628	svchost.exe	33
PID 2628 wrote to memory of 2560	2628	svchost.exe	38
PID 2628 wrote to memory of 2560	2628	svchost.exe	38
PID 2628 wrote to memory of 2560	2628	svchost.exe	38
PID 2628 wrote to memory of 2560	2628	svchost.exe	38
PID 2628 wrote to memory of 2176	2628	svchost.exe	40
PID 2628 wrote to memory of 2176	2628	svchost.exe	40
PID 2628 wrote to memory of 2176	2628	svchost.exe	40
PID 2628 wrote to memory of 2176	2628	svchost.exe	40

C:\Users\Admin\AppData\Local\Temp\NEAS.0725711c51b2cc803034687d063fe940_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.0725711c51b2cc803034687d063fe940_JC.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2304
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2616
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2628
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2640
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:07 /f
        5⤵
        Creates scheduled task(s)
        
        PID:2520
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:08 /f
        5⤵
        Creates scheduled task(s)
        
        PID:2560
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:09 /f
        5⤵
        Creates scheduled task(s)
        
        PID:2176
- - C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe
    3⤵
    PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
62698fe219a2a1fa6ad19225a8f04937

SHA1
051d9ffe06e2f3f003c9bb379f5ede9aeb28eb95

SHA256
aed0dd1204534cd992f4885545ca8720870a1e4f56d2d3fad18e1e2241b31546

SHA512
474385577f131ecb07f09da8dfec25ce96ac552570a97be004779e549a2f3bb432ae7e7dc7bf7a361604c92dc11085d86f32d8d947871d0843206f2f25aa685e

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
2fb3dbd7d2aef356dcb5cd7a5118f821

SHA1
c12d9e5562674c3f9c4298a6097e783e526ee0dc

SHA256
40a4fa836ea5cc162eebb534adb0bc398b1ca91c2cdea8ccf5fd5d5799065eb2

SHA512
a88231cce8e3850940d13993043350222df61c6641091ed1a5ea267c3186ecef103027bd76f4ed6fa12328d333b4b9fad6fa66a0461145d8dd596b814e964c63

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
2fb3dbd7d2aef356dcb5cd7a5118f821

SHA1
c12d9e5562674c3f9c4298a6097e783e526ee0dc

SHA256
40a4fa836ea5cc162eebb534adb0bc398b1ca91c2cdea8ccf5fd5d5799065eb2

SHA512
a88231cce8e3850940d13993043350222df61c6641091ed1a5ea267c3186ecef103027bd76f4ed6fa12328d333b4b9fad6fa66a0461145d8dd596b814e964c63

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
2fb3dbd7d2aef356dcb5cd7a5118f821

SHA1
c12d9e5562674c3f9c4298a6097e783e526ee0dc

SHA256
40a4fa836ea5cc162eebb534adb0bc398b1ca91c2cdea8ccf5fd5d5799065eb2

SHA512
a88231cce8e3850940d13993043350222df61c6641091ed1a5ea267c3186ecef103027bd76f4ed6fa12328d333b4b9fad6fa66a0461145d8dd596b814e964c63

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
53b8cdc9f5c43df123aacb1ffaafe6d9

SHA1
968e6a9d62e273518368bcd2f18f7582219ddce1

SHA256
f738bc1ed0143d56bf2ba4ceebc8dc4e8c4b2e48b356e4410340f814a06a6549

SHA512
9d91c1fd72cff651df536432707a78f273a8072d271ec282a99c2b2f48a19007f908e1f8a690311fd259139189a8abb67f3ac05b0e1b3d583a8f5aef93b029dc

Download Submit
\??\c:\windows\resources\spoolsv.exe

Filesize
135KB

MD5
2fb3dbd7d2aef356dcb5cd7a5118f821

SHA1
c12d9e5562674c3f9c4298a6097e783e526ee0dc

SHA256
40a4fa836ea5cc162eebb534adb0bc398b1ca91c2cdea8ccf5fd5d5799065eb2

SHA512
a88231cce8e3850940d13993043350222df61c6641091ed1a5ea267c3186ecef103027bd76f4ed6fa12328d333b4b9fad6fa66a0461145d8dd596b814e964c63

Download Submit
\??\c:\windows\resources\svchost.exe

Filesize
135KB

MD5
53b8cdc9f5c43df123aacb1ffaafe6d9

SHA1
968e6a9d62e273518368bcd2f18f7582219ddce1

SHA256
f738bc1ed0143d56bf2ba4ceebc8dc4e8c4b2e48b356e4410340f814a06a6549

SHA512
9d91c1fd72cff651df536432707a78f273a8072d271ec282a99c2b2f48a19007f908e1f8a690311fd259139189a8abb67f3ac05b0e1b3d583a8f5aef93b029dc

Download Submit
\??\c:\windows\resources\themes\explorer.exe

Filesize
135KB

MD5
62698fe219a2a1fa6ad19225a8f04937

SHA1
051d9ffe06e2f3f003c9bb379f5ede9aeb28eb95

SHA256
aed0dd1204534cd992f4885545ca8720870a1e4f56d2d3fad18e1e2241b31546

SHA512
474385577f131ecb07f09da8dfec25ce96ac552570a97be004779e549a2f3bb432ae7e7dc7bf7a361604c92dc11085d86f32d8d947871d0843206f2f25aa685e

Download Submit
\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
62698fe219a2a1fa6ad19225a8f04937

SHA1
051d9ffe06e2f3f003c9bb379f5ede9aeb28eb95

SHA256
aed0dd1204534cd992f4885545ca8720870a1e4f56d2d3fad18e1e2241b31546

SHA512
474385577f131ecb07f09da8dfec25ce96ac552570a97be004779e549a2f3bb432ae7e7dc7bf7a361604c92dc11085d86f32d8d947871d0843206f2f25aa685e

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
2fb3dbd7d2aef356dcb5cd7a5118f821

SHA1
c12d9e5562674c3f9c4298a6097e783e526ee0dc

SHA256
40a4fa836ea5cc162eebb534adb0bc398b1ca91c2cdea8ccf5fd5d5799065eb2

SHA512
a88231cce8e3850940d13993043350222df61c6641091ed1a5ea267c3186ecef103027bd76f4ed6fa12328d333b4b9fad6fa66a0461145d8dd596b814e964c63

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
2fb3dbd7d2aef356dcb5cd7a5118f821

SHA1
c12d9e5562674c3f9c4298a6097e783e526ee0dc

SHA256
40a4fa836ea5cc162eebb534adb0bc398b1ca91c2cdea8ccf5fd5d5799065eb2

SHA512
a88231cce8e3850940d13993043350222df61c6641091ed1a5ea267c3186ecef103027bd76f4ed6fa12328d333b4b9fad6fa66a0461145d8dd596b814e964c63

Download Submit
\Windows\Resources\svchost.exe

Filesize
135KB

MD5
53b8cdc9f5c43df123aacb1ffaafe6d9

SHA1
968e6a9d62e273518368bcd2f18f7582219ddce1

SHA256
f738bc1ed0143d56bf2ba4ceebc8dc4e8c4b2e48b356e4410340f814a06a6549

SHA512
9d91c1fd72cff651df536432707a78f273a8072d271ec282a99c2b2f48a19007f908e1f8a690311fd259139189a8abb67f3ac05b0e1b3d583a8f5aef93b029dc

Download Submit
memory/2304-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2304-42-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2616-43-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2628-44-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2640-40-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2760-30-0x00000000002F0000-0x000000000030F000-memory.dmp

Filesize
124KB

Download
memory/2760-41-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download