cd79608321a1becdcc82fe211bde93beaa23a30a25caf2891735321c4cd00842

Analysis

max time kernel
162s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2023, 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.0725711c51b2cc803034687d063fe940_JC.exe
Size

135KB
MD5

0725711c51b2cc803034687d063fe940
SHA1

bfa7b5c017dba6ad1bd3bf5e2e1b398d944a2194
SHA256

cd79608321a1becdcc82fe211bde93beaa23a30a25caf2891735321c4cd00842
SHA512

f92ed477df6ced9fd3705fb71bfa2a49e382bbebd9025207a4bde416f8c2eacc720f144cf472c4857a388c215835a842695f024c64badd5082b149f37f77a4d9
SSDEEP

1536:XfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbg5hs3wwwwwwwwwwa:XVqoCl/YgjxEufVU0TbTyDDalTG

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
3912	explorer.exe
3568	spoolsv.exe
2328	svchost.exe
392	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4324	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
4324	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
4324	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
4324	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
4324	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
4324	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
4324	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
4324	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
4324	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
4324	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
4324	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
4324	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
4324	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
4324	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
4324	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
4324	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
4324	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
4324	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
4324	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
4324	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
4324	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
4324	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
4324	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
4324	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
4324	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
4324	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
4324	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
4324	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
4324	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
4324	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
4324	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
4324	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
4324	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
4324	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
3912	explorer.exe
3912	explorer.exe
3912	explorer.exe
3912	explorer.exe
3912	explorer.exe
3912	explorer.exe
3912	explorer.exe
3912	explorer.exe
3912	explorer.exe
3912	explorer.exe
3912	explorer.exe
3912	explorer.exe
3912	explorer.exe
3912	explorer.exe
3912	explorer.exe
3912	explorer.exe
3912	explorer.exe
3912	explorer.exe
3912	explorer.exe
3912	explorer.exe
3912	explorer.exe
3912	explorer.exe
3912	explorer.exe
3912	explorer.exe
3912	explorer.exe
3912	explorer.exe
3912	explorer.exe
3912	explorer.exe
3912	explorer.exe
3912	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3912	explorer.exe
2328	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4324	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
4324	NEAS.0725711c51b2cc803034687d063fe940_JC.exe
3912	explorer.exe
3912	explorer.exe
3568	spoolsv.exe
3568	spoolsv.exe
2328	svchost.exe
2328	svchost.exe
392	spoolsv.exe
392	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4324 wrote to memory of 3912	4324	NEAS.0725711c51b2cc803034687d063fe940_JC.exe	89
PID 4324 wrote to memory of 3912	4324	NEAS.0725711c51b2cc803034687d063fe940_JC.exe	89
PID 4324 wrote to memory of 3912	4324	NEAS.0725711c51b2cc803034687d063fe940_JC.exe	89
PID 3912 wrote to memory of 3568	3912	explorer.exe	91
PID 3912 wrote to memory of 3568	3912	explorer.exe	91
PID 3912 wrote to memory of 3568	3912	explorer.exe	91
PID 3568 wrote to memory of 2328	3568	spoolsv.exe	92
PID 3568 wrote to memory of 2328	3568	spoolsv.exe	92
PID 3568 wrote to memory of 2328	3568	spoolsv.exe	92
PID 2328 wrote to memory of 392	2328	svchost.exe	93
PID 2328 wrote to memory of 392	2328	svchost.exe	93
PID 2328 wrote to memory of 392	2328	svchost.exe	93

C:\Users\Admin\AppData\Local\Temp\NEAS.0725711c51b2cc803034687d063fe940_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.0725711c51b2cc803034687d063fe940_JC.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4324
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3912
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3568
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2328
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
9304453c5be40e0edbe612c3ba2b512d

SHA1
0d14c6051532913ce9fa6f5e6c7dc06ae3c6634d

SHA256
a9b336a68271e69d9b55776f998dd6eb84c8875caec7e6400ce73b595f311ec9

SHA512
fbfc438a93f9dfafff2537be0222f3d3ef44c43bec8811f8128a7adebd667c807dde995b973043771f27f9a7f75d9a9f9142e2eea7a7a23a3c23e7062889d98a

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
ed50ea7b2f4e598dc63ebcb4547bd4cc

SHA1
df54383f7820bebb00b653129429fd3be0063694

SHA256
ceaa7bd4026cd2ef625050e22d78cd0bcce56728e77fe198f5ef102e2984fa6b

SHA512
b983103033c01c35886a9eb11dd6917afb67e4c40f8234b3ce7c168d631da0541c52153adbbc870edd6bd76f1ab98b2db50faeb3ad4c5478ceab44c8dce1206f

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
ed50ea7b2f4e598dc63ebcb4547bd4cc

SHA1
df54383f7820bebb00b653129429fd3be0063694

SHA256
ceaa7bd4026cd2ef625050e22d78cd0bcce56728e77fe198f5ef102e2984fa6b

SHA512
b983103033c01c35886a9eb11dd6917afb67e4c40f8234b3ce7c168d631da0541c52153adbbc870edd6bd76f1ab98b2db50faeb3ad4c5478ceab44c8dce1206f

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
ed50ea7b2f4e598dc63ebcb4547bd4cc

SHA1
df54383f7820bebb00b653129429fd3be0063694

SHA256
ceaa7bd4026cd2ef625050e22d78cd0bcce56728e77fe198f5ef102e2984fa6b

SHA512
b983103033c01c35886a9eb11dd6917afb67e4c40f8234b3ce7c168d631da0541c52153adbbc870edd6bd76f1ab98b2db50faeb3ad4c5478ceab44c8dce1206f

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
e54c7d3a9079caafadd48eaec290f8e4

SHA1
68c838a9e77a7f1dfb85a704215a6c88bb950b61

SHA256
85f91acf099e3b0a21b5adcf25f8bb107bb16418c1f2bbe7a157b351c9ee4e78

SHA512
93febc2348f3f1ce124256a37551bef446deccb81c49374f83e497e92e342b6822b72fb77bc3a274fa4cdb5b99a6a67cfa0e6cfc788a3f87cf2899eb84dcee9f

Download Submit
\??\c:\windows\resources\spoolsv.exe

Filesize
135KB

MD5
ed50ea7b2f4e598dc63ebcb4547bd4cc

SHA1
df54383f7820bebb00b653129429fd3be0063694

SHA256
ceaa7bd4026cd2ef625050e22d78cd0bcce56728e77fe198f5ef102e2984fa6b

SHA512
b983103033c01c35886a9eb11dd6917afb67e4c40f8234b3ce7c168d631da0541c52153adbbc870edd6bd76f1ab98b2db50faeb3ad4c5478ceab44c8dce1206f

Download Submit
\??\c:\windows\resources\svchost.exe

Filesize
135KB

MD5
e54c7d3a9079caafadd48eaec290f8e4

SHA1
68c838a9e77a7f1dfb85a704215a6c88bb950b61

SHA256
85f91acf099e3b0a21b5adcf25f8bb107bb16418c1f2bbe7a157b351c9ee4e78

SHA512
93febc2348f3f1ce124256a37551bef446deccb81c49374f83e497e92e342b6822b72fb77bc3a274fa4cdb5b99a6a67cfa0e6cfc788a3f87cf2899eb84dcee9f

Download Submit
\??\c:\windows\resources\themes\explorer.exe

Filesize
135KB

MD5
9304453c5be40e0edbe612c3ba2b512d

SHA1
0d14c6051532913ce9fa6f5e6c7dc06ae3c6634d

SHA256
a9b336a68271e69d9b55776f998dd6eb84c8875caec7e6400ce73b595f311ec9

SHA512
fbfc438a93f9dfafff2537be0222f3d3ef44c43bec8811f8128a7adebd667c807dde995b973043771f27f9a7f75d9a9f9142e2eea7a7a23a3c23e7062889d98a

Download Submit
memory/392-34-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2328-36-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3568-33-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3912-35-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4324-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4324-32-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download