bb77f56d39e46871a59e44d12ea41c5ba4a99409f757ac93bd1dfd4d7b0da574

Analysis

max time kernel
120s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 17:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.0d499b527c64438aa701855a7200c450_JC.exe
Size

119KB
MD5

0d499b527c64438aa701855a7200c450
SHA1

7ce24fd2f5264f5d6df4f9718cac095795c5579d
SHA256

bb77f56d39e46871a59e44d12ea41c5ba4a99409f757ac93bd1dfd4d7b0da574
SHA512

70483a715166df0621e5ec7e0d57f615abb73262d2e8c9c14db23b34d520351e57610ef531ce52184ecfea1e8ae4bea687a12ceeb91a53121795294d77c01d06
SSDEEP

3072:7kHvKztqFLCOd397CSoHrXM5eUzXFELGM54Zhx1:Kv0tqFLt5xoLMJLNMiz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3672	N4bpokUHPYwFn3b.exe
4976	spoolsv.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\spoolsv.exe"	NEAS.0d499b527c64438aa701855a7200c450_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\spoolsv.exe"	spoolsv.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\spoolsv.exe	NEAS.0d499b527c64438aa701855a7200c450_JC.exe
File created	C:\Windows\spoolsv.exe	spoolsv.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\https:\www.google.com	NEAS.0d499b527c64438aa701855a7200c450_JC.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\https:\www.google.com	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2304	NEAS.0d499b527c64438aa701855a7200c450_JC.exe
Token: SeDebugPrivilege	4976	spoolsv.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 3672	2304	NEAS.0d499b527c64438aa701855a7200c450_JC.exe	85
PID 2304 wrote to memory of 3672	2304	NEAS.0d499b527c64438aa701855a7200c450_JC.exe	85
PID 2304 wrote to memory of 4976	2304	NEAS.0d499b527c64438aa701855a7200c450_JC.exe	86
PID 2304 wrote to memory of 4976	2304	NEAS.0d499b527c64438aa701855a7200c450_JC.exe	86
PID 2304 wrote to memory of 4976	2304	NEAS.0d499b527c64438aa701855a7200c450_JC.exe	86

C:\Users\Admin\AppData\Local\Temp\NEAS.0d499b527c64438aa701855a7200c450_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.0d499b527c64438aa701855a7200c450_JC.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Users\Admin\AppData\Local\Temp\N4bpokUHPYwFn3b.exe
  C:\Users\Admin\AppData\Local\Temp\N4bpokUHPYwFn3b.exe
  2⤵
  - Executes dropped EXE
  PID:3672
- C:\Windows\spoolsv.exe
  "C:\Windows\spoolsv.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  PID:4976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
348KB

MD5
ddad79d79e1964f82fa69e2dfe3d1bb5

SHA1
646b439706bcc20484b6bb1acac5da6c099e302d

SHA256
912fbfdf0da97681ca3cdc46b051bf5e5d9bd335e633307cde8afe7f5d606b32

SHA512
ccd4b709cd11495e2b677ac6a41f70abe1993fc0b1b8b71eae8b64f01ecd1e324bb7c0a78f160980c1a5bb1238145a85fb1ed1fd439f17cf32f8a7d3712b786f

Download Submit
C:\Users\Admin\AppData\Local\Temp\N4bpokUHPYwFn3b.exe

Filesize
94KB

MD5
9a821d8d62f4c60232b856e98cba7e4f

SHA1
4ec5dcbd43ad3b0178b26a57b8a2f41e33a48df5

SHA256
a5b3bf53bcd3c0296498383837e8f9eb7d610c535521315a96aa740cf769f525

SHA512
1b5273a52973dac77ad0ef7aa1dda929a782d762ab8489eb90dff1062dd4cc01e4f7f4157266a2abcf8941e91cf4aa5603de1dd8ee871524748e0989ebaa37d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\N4bpokUHPYwFn3b.exe

Filesize
94KB

MD5
9a821d8d62f4c60232b856e98cba7e4f

SHA1
4ec5dcbd43ad3b0178b26a57b8a2f41e33a48df5

SHA256
a5b3bf53bcd3c0296498383837e8f9eb7d610c535521315a96aa740cf769f525

SHA512
1b5273a52973dac77ad0ef7aa1dda929a782d762ab8489eb90dff1062dd4cc01e4f7f4157266a2abcf8941e91cf4aa5603de1dd8ee871524748e0989ebaa37d3

Download Submit
C:\Windows\spoolsv.exe

Filesize
25KB

MD5
a1211ced2ed68ff60b804ccd12971b22

SHA1
48a9490672c5dcc2e06ca345bc6116107b60f673

SHA256
25595722313f14e0e90b11aa0efee287f11d36138bd3466443798e55211298f5

SHA512
1d63e09ed2c817528b196fed7d8c2bee7a0fb4ef965d48d70129338997b8eaa4c284a2b6661a71dc3a9f0601cdd2e7ef92e0c7499f89aa8385e15d3022898f7f

Download Submit
C:\Windows\spoolsv.exe

Filesize
25KB

MD5
a1211ced2ed68ff60b804ccd12971b22

SHA1
48a9490672c5dcc2e06ca345bc6116107b60f673

SHA256
25595722313f14e0e90b11aa0efee287f11d36138bd3466443798e55211298f5

SHA512
1d63e09ed2c817528b196fed7d8c2bee7a0fb4ef965d48d70129338997b8eaa4c284a2b6661a71dc3a9f0601cdd2e7ef92e0c7499f89aa8385e15d3022898f7f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads