28360f99c2a7c863c49863527a1754dd0efcf343f50d41afc1f8e050b7cedff3

Analysis

max time kernel
142s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2023 17:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
Size

391KB
MD5

0bb3ccf16acce19c0425f1c837584820
SHA1

255c5bb5f807465f426853a89a38c3a588294fc8
SHA256

28360f99c2a7c863c49863527a1754dd0efcf343f50d41afc1f8e050b7cedff3
SHA512

e39c95f171b07e406c0360b138abefb6b5d62b3df04d9c0cdab53a934613d0ecb7e4663de32e3cb04dc33bc08439d37fc932f7beca0b6dfff079e5c843fbaf11
SSDEEP

6144:dC4umWphVf4j27zo1zK4f+dP9+xCOwTdzi1IcX45yV4:H9WphJx7kzlfUFGwTdnyVu

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sychost.exe"	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinIcons = "C:\\Windows\\system32\\winicons.exe"	reg.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winicons.exe	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Windows\SysWOW64\winicons.exe	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File created	C:\Windows\SysWOW64\sychost.exe	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe

Drops file in Program Files directory 58 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7zG.exe	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4168	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
4168	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
4168	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
4168	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
4168	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
4168	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
4168	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
4168	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
4168	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
4168	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4168 wrote to memory of 1684	4168	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe	82
PID 4168 wrote to memory of 1684	4168	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe	82
PID 4168 wrote to memory of 1684	4168	NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe	82
PID 1684 wrote to memory of 1428	1684	cmd.exe	84
PID 1684 wrote to memory of 1428	1684	cmd.exe	84
PID 1684 wrote to memory of 1428	1684	cmd.exe	84

C:\Users\Admin\AppData\Local\Temp\NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.0bb3ccf16acce19c0425f1c837584820_JC.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4168
- C:\Windows\SysWOW64\cmd.exe
  cmd /c reg ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v WinIcons /t REG_SZ /d C:\Windows\system32\winicons.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Windows\SysWOW64\reg.exe
    reg ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v WinIcons /t REG_SZ /d C:\Windows\system32\winicons.exe /f
    3⤵
    - Adds Run key to start application
    PID:1428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\sychost.exe

Filesize
391KB

MD5
0bb3ccf16acce19c0425f1c837584820

SHA1
255c5bb5f807465f426853a89a38c3a588294fc8

SHA256
28360f99c2a7c863c49863527a1754dd0efcf343f50d41afc1f8e050b7cedff3

SHA512
e39c95f171b07e406c0360b138abefb6b5d62b3df04d9c0cdab53a934613d0ecb7e4663de32e3cb04dc33bc08439d37fc932f7beca0b6dfff079e5c843fbaf11

Download Submit
C:\log.txt

Filesize
57B

MD5
d6f300355ce7081b1f111572f0eb54af

SHA1
e263a6afae2203d7642e4fcb2ca74026fe167af2

SHA256
d9f6d3bb986eb1dce74f116e24e4d0582b1659db50d33a82f363336ba51e1df4

SHA512
c4e1037673d13240581fa6ce0f98e09d2da41c4d4415ab2003661409946c770946204ec0413fad9812b07016645ed9776918fdeafffb704cb29f6b1734cea465

Download Submit
C:\log.txt

Filesize
108B

MD5
ecbfef9d3703cf9becf80fbb09ce7375

SHA1
4d9f46c9595bb91814eed3c9deda1bd110f889cf

SHA256
bd90cf755f082fa797d520c3db44458c9f8c32229074061db9f6e79fc605cf4a

SHA512
79c9a14f4833fb396a998c59f756ac27a67a4919a3a5e530b0437895581ff52d65b2645ab1362b48113fcc782a009f180edae1f48c8e1ba8c3f04018a6826a4c

Download Submit
memory/4168-14-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4168-71-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4168-72-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4168-73-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4168-89-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4168-91-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4168-93-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4168-96-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4168-97-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4168-98-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download