bbdd4456950281665578e1bbdd033e2b4a27ce04371e3e16ea0abc10983d0222

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2023, 19:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.c96248b7921f6ae5d527809c94112c70.exe
Size

201KB
MD5

c96248b7921f6ae5d527809c94112c70
SHA1

a8815206cce598db59ef7e6e075113a158530ec3
SHA256

bbdd4456950281665578e1bbdd033e2b4a27ce04371e3e16ea0abc10983d0222
SHA512

016a8b0c16687a3d2ae4cf2f85e13afb67e387c1f2e9bea844fa639e30a69aa3729aad1758d9b1d62beb43ec38d375f77c5c9cc8ac6f7ed7629c48c890e7ef41
SSDEEP

6144:Lt++Jbojf5Vq5OC4qZhZcKYhc/ZfUozY:g+cff22qZhZcKYhc/

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2180	svchost.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\cccba624 = "C:\\Windows\\apppatch\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\cccba624 = "C:\\Windows\\apppatch\\svchost.exe"	NEAS.c96248b7921f6ae5d527809c94112c70.exe

Drops file in Program Files directory 44 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\pupydeq.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\pupydeq.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\lyxynyx.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\puzylyp.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\vonypom.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\pupycag.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\galyqaz.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lysyfyj.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\vofycot.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\purylev.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\pumyjig.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qetyfuv.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\qetyfuv.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\puzylyp.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\volykit.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\pupycag.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\gadyciz.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qetyhyg.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\volykit.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\lymyxid.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vonypom.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lyrysor.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\gatyhub.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\lygyvuj.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\lyrysor.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\galynuh.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gatyhub.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\purylev.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\qetyhyg.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lygyvuj.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vonyket.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qegyval.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vofycot.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\pumyjig.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\lysyfyj.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\galynuh.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\qegyval.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lyxynyx.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gadyciz.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vocyzit.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\vocyzit.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\vonyket.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lymyxid.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\galyqaz.com	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\apppatch\svchost.exe	NEAS.c96248b7921f6ae5d527809c94112c70.exe
File created	C:\Windows\apppatch\svchost.exe	NEAS.c96248b7921f6ae5d527809c94112c70.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2180	svchost.exe
2180	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1764	NEAS.c96248b7921f6ae5d527809c94112c70.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 2180	1764	NEAS.c96248b7921f6ae5d527809c94112c70.exe	84
PID 1764 wrote to memory of 2180	1764	NEAS.c96248b7921f6ae5d527809c94112c70.exe	84
PID 1764 wrote to memory of 2180	1764	NEAS.c96248b7921f6ae5d527809c94112c70.exe	84

C:\Users\Admin\AppData\Local\Temp\NEAS.c96248b7921f6ae5d527809c94112c70.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.c96248b7921f6ae5d527809c94112c70.exe"
1⤵
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Defender\galynuh.com

Filesize
593B

MD5
926512864979bc27cf187f1de3f57aff

SHA1
acdeb9d6187932613c7fa08eaf28f0cd8116f4b5

SHA256
b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f

SHA512
f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b

Download Submit
C:\Program Files (x86)\Windows Defender\galyqaz.com

Filesize
40KB

MD5
06a63755c2d64cd1711b0a416c12b061

SHA1
38a27a0307f5761e9adbaa9b7558626aefa25075

SHA256
55bb00595c18405e11e232f4425e10e691ac7368d6d0bc13f0fa29aa686c99d0

SHA512
a4f4519d3fd9d3b5f83a224a415fcdb3cfbc4064bf7718470e7a56cb557cb7fb5f0b9467594453d534a3ddd6b30d389e336e8515bec105f9bae82dddd9246e92

Download Submit
C:\Program Files (x86)\Windows Defender\lyrysor.com

Filesize
1KB

MD5
d0bd0ad1450792e24e7a4564f385517d

SHA1
481337c723f170382243cf3e90412211e34064a5

SHA256
fee884063a081fecf761009943a86245caf74680081f036b33b36d543562a8ce

SHA512
49ce04f78f34a7993962bf3f5113a26bded2a9da8908beba704192cae1230049d6b1c7e25e8d7ce70ce3814ae896e6596b34d38c0600d22a2de43c9ef8a80ff7

Download Submit
C:\Program Files (x86)\Windows Defender\lyxynyx.com

Filesize
300B

MD5
329bbaf4bc901cef31f2bcbdede724ff

SHA1
04cce205806d24f4ca5d0358c6c722e366dac928

SHA256
6f2a68b19eeb648efdb4b2ba6c8f6f8678f868d985c7b1387d211e9c50c7f298

SHA512
c6d306b317c088e0fb18f57d83704b2cf32a0926f367b279de1719e5ce355ce6a36d7383edbde24dc9ad903f11e7736a3c872d04d2c56fb3cf1d0dd20759fbaa

Download Submit
C:\Program Files (x86)\Windows Defender\pumyjig.com

Filesize
300B

MD5
e95e8528ee8df3f9b0859549826667d6

SHA1
5a2be78e720ee1848c1e95ac024f28f552678632

SHA256
6cecc76647062409700d0e05b956d0f52f672e419c517cb399faa53dc17e722b

SHA512
f78658d29b6feea65e78f30b4b1df114ea2cb57effc909acdafc49910d0ad776bc53125e8055b98fa8d2ea3631d1939794da5a9dd8e66eda36656b519b22ff31

Download Submit
C:\Program Files (x86)\Windows Defender\pupydeq.com

Filesize
12KB

MD5
1639705c0468ff5b89d563cc785c9374

SHA1
f6807f616bab661123da67196ca7d5015df9ea82

SHA256
4788bc2f12f5ef35a1e86ba33d4ecd9efcc89446502465d7e8320a36c6a0e25c

SHA512
d50f65b6100586ddda7d62a8d21d013e0c5d4c52a2fc5d53867ba086571116dac992eefd2fb55873196f3516bac91c9cff8da5f4b8f91e5f9c13240e5622d768

Download Submit
C:\Program Files (x86)\Windows Defender\puzylyp.com

Filesize
2KB

MD5
320ad3d2b056058e8ba57fcc872d5174

SHA1
364305644389eaa427d324cc56c7ab144d93f405

SHA256
16e3642b41378f6637742d9fac72f1c25daf93ccb675b5e3dd98c7f8eddf7f34

SHA512
ebd0224a7abef1ef5080eb897992023e7b6d7744d0cf076adb6d042fef47350be9b81a9ae75a2bb9b25fd6544f3b6165f23e48e4699ecd0c8e285d2058aaa668

Download Submit
C:\Program Files (x86)\Windows Defender\qegyval.com

Filesize
300B

MD5
876f62d9d409542dbfbf8594a68477bc

SHA1
326fb2760d0d80a2b8a29f773a568030dfdf7bdd

SHA256
42b45b147d7d6c5ce4c7ea8554f31701ace306b5a66ef309a25a80d75fe77c7c

SHA512
58c869954675268e15ba116d37d46550c6b3197d12868db5a32f2c58dded7508e694b92f0a7bbff729862317f38080e974af952a0fae957937180f9b5e0132d7

Download Submit
C:\Program Files (x86)\Windows Defender\vofycot.com

Filesize
302B

MD5
7a71e318763884c9140f366cba072dfa

SHA1
14787c0882c93d82283edce092a5e53ab47ea3b9

SHA256
a785ea49a7cfdea608a4ed623f2cc4cffbe8839b894a2447165910e5481aff95

SHA512
07d3ab77d6c87abe721551540d50b3476689e05f923ff5c3ea849877faea76f645e29c1b428108453f65d8d6999a066b64834d5e2a41a4cf29fe9d1280c2d4e9

Download Submit
C:\Program Files (x86)\Windows Defender\volykit.com

Filesize
2KB

MD5
2339701ff81e86882e6165f9d0eceda6

SHA1
834705059bb09b69310d2138ea3ed7751084d8eb

SHA256
b9337a1f1a3d705cb746a7bbff14cd9dc3694ee2b1e8b03e5b7f2087ce3d74c0

SHA512
8e4003f92d1830efe66a0eccc6082cd9ba56d74035df3117652ff24c30ef295114ac12159fe167719602a5fb46e69cdc1353f443d5379783d280fe1d8156daa9

Download Submit
C:\Program Files (x86)\Windows Defender\vonyket.com

Filesize
302B

MD5
5e4cf99e4915af563c86960824917da1

SHA1
6d4bf5c9679c3ee9bf431cddac24c8de1e8026f2

SHA256
0ddb21a0dfa3d580cbedd59d864d3bad599b1dab4e56378abfcc39f274476171

SHA512
4bcaae14bf78199942257777d510d046a31ebc37c045627a5f43bd37d90ad70c4343c0fda2710a1393989a0fff1f30dc96e0062af07fa14693e543313bca2239

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YQR9M4BX\login[3].htm

Filesize
168B

MD5
d57e3a550060f85d44a175139ea23021

SHA1
2c5cb3428a322c9709a34d04dd86fe7628f8f0a6

SHA256
43edf068d34276e8ade4113d4d7207de19fc98a2ae1c07298e593edae2a8774c

SHA512
0364fe6a010fce7a3f4a6344c84468c64b20fd131f3160fc649db78f1075ba52d8a1c4496e50dbe27c357e01ee52e94cdcda8f7927cba28d5f2f45b9da690063

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
201KB

MD5
a31edf9a6a5d61f7e4c47bc28fdd4c71

SHA1
50380955254316da7af2a337253af84984e25ea9

SHA256
87eded38111443ea4f4e85ac07881a9d9160764ffc14ad56924093a9b63c53a7

SHA512
8a5e54b422bc9ba5971438f88ef6932d1d6406fd3f25ea1bc9314b77fc21717852908cba7564433497a3f1fe01815704093646973622870dd847a29f6eb2cc09

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
201KB

MD5
a31edf9a6a5d61f7e4c47bc28fdd4c71

SHA1
50380955254316da7af2a337253af84984e25ea9

SHA256
87eded38111443ea4f4e85ac07881a9d9160764ffc14ad56924093a9b63c53a7

SHA512
8a5e54b422bc9ba5971438f88ef6932d1d6406fd3f25ea1bc9314b77fc21717852908cba7564433497a3f1fe01815704093646973622870dd847a29f6eb2cc09

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
201KB

MD5
a31edf9a6a5d61f7e4c47bc28fdd4c71

SHA1
50380955254316da7af2a337253af84984e25ea9

SHA256
87eded38111443ea4f4e85ac07881a9d9160764ffc14ad56924093a9b63c53a7

SHA512
8a5e54b422bc9ba5971438f88ef6932d1d6406fd3f25ea1bc9314b77fc21717852908cba7564433497a3f1fe01815704093646973622870dd847a29f6eb2cc09

Download Submit
memory/1764-10-0x00000000021F0000-0x000000000223F000-memory.dmp

Filesize
316KB

Download
memory/1764-8-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1764-2-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1764-1-0x00000000021F0000-0x000000000223F000-memory.dmp

Filesize
316KB

Download
memory/1764-0-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2180-44-0x0000000002BD0000-0x0000000002C82000-memory.dmp

Filesize
712KB

Download
memory/2180-63-0x0000000002BD0000-0x0000000002C82000-memory.dmp

Filesize
712KB

Download
memory/2180-29-0x0000000002BD0000-0x0000000002C82000-memory.dmp

Filesize
712KB

Download
memory/2180-30-0x0000000002BD0000-0x0000000002C82000-memory.dmp

Filesize
712KB

Download
memory/2180-31-0x0000000002BD0000-0x0000000002C82000-memory.dmp

Filesize
712KB

Download
memory/2180-32-0x0000000002BD0000-0x0000000002C82000-memory.dmp

Filesize
712KB

Download
memory/2180-34-0x0000000002BD0000-0x0000000002C82000-memory.dmp

Filesize
712KB

Download
memory/2180-33-0x0000000002BD0000-0x0000000002C82000-memory.dmp

Filesize
712KB

Download
memory/2180-36-0x0000000002BD0000-0x0000000002C82000-memory.dmp

Filesize
712KB

Download
memory/2180-37-0x0000000002BD0000-0x0000000002C82000-memory.dmp

Filesize
712KB

Download
memory/2180-39-0x0000000002BD0000-0x0000000002C82000-memory.dmp

Filesize
712KB

Download
memory/2180-40-0x0000000002BD0000-0x0000000002C82000-memory.dmp

Filesize
712KB

Download
memory/2180-41-0x0000000002BD0000-0x0000000002C82000-memory.dmp

Filesize
712KB

Download
memory/2180-43-0x0000000002BD0000-0x0000000002C82000-memory.dmp

Filesize
712KB

Download
memory/2180-27-0x0000000002BD0000-0x0000000002C82000-memory.dmp

Filesize
712KB

Download
memory/2180-45-0x0000000002BD0000-0x0000000002C82000-memory.dmp

Filesize
712KB

Download
memory/2180-48-0x0000000002BD0000-0x0000000002C82000-memory.dmp

Filesize
712KB

Download
memory/2180-49-0x0000000002BD0000-0x0000000002C82000-memory.dmp

Filesize
712KB

Download
memory/2180-47-0x0000000002BD0000-0x0000000002C82000-memory.dmp

Filesize
712KB

Download
memory/2180-54-0x0000000002BD0000-0x0000000002C82000-memory.dmp

Filesize
712KB

Download
memory/2180-56-0x0000000002BD0000-0x0000000002C82000-memory.dmp

Filesize
712KB

Download
memory/2180-58-0x0000000002BD0000-0x0000000002C82000-memory.dmp

Filesize
712KB

Download
memory/2180-61-0x0000000002BD0000-0x0000000002C82000-memory.dmp

Filesize
712KB

Download
memory/2180-62-0x0000000002BD0000-0x0000000002C82000-memory.dmp

Filesize
712KB

Download
memory/2180-53-0x0000000002BD0000-0x0000000002C82000-memory.dmp

Filesize
712KB

Download
memory/2180-28-0x0000000002BD0000-0x0000000002C82000-memory.dmp

Filesize
712KB

Download
memory/2180-64-0x0000000002BD0000-0x0000000002C82000-memory.dmp

Filesize
712KB

Download
memory/2180-67-0x0000000002BD0000-0x0000000002C82000-memory.dmp

Filesize
712KB

Download
memory/2180-66-0x0000000002BD0000-0x0000000002C82000-memory.dmp

Filesize
712KB

Download
memory/2180-68-0x0000000002BD0000-0x0000000002C82000-memory.dmp

Filesize
712KB

Download
memory/2180-69-0x0000000002BD0000-0x0000000002C82000-memory.dmp

Filesize
712KB

Download
memory/2180-70-0x0000000002BD0000-0x0000000002C82000-memory.dmp

Filesize
712KB

Download
memory/2180-65-0x0000000002BD0000-0x0000000002C82000-memory.dmp

Filesize
712KB

Download
memory/2180-71-0x0000000002BD0000-0x0000000002C82000-memory.dmp

Filesize
712KB

Download
memory/2180-72-0x0000000002BD0000-0x0000000002C82000-memory.dmp

Filesize
712KB

Download
memory/2180-74-0x0000000002BD0000-0x0000000002C82000-memory.dmp

Filesize
712KB

Download
memory/2180-75-0x0000000002BD0000-0x0000000002C82000-memory.dmp

Filesize
712KB

Download
memory/2180-176-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2180-179-0x0000000002BD0000-0x0000000002C82000-memory.dmp

Filesize
712KB

Download
memory/2180-26-0x0000000002BD0000-0x0000000002C82000-memory.dmp

Filesize
712KB

Download
memory/2180-25-0x0000000002BD0000-0x0000000002C82000-memory.dmp

Filesize
712KB

Download
memory/2180-24-0x0000000002BD0000-0x0000000002C82000-memory.dmp

Filesize
712KB

Download
memory/2180-23-0x0000000002BD0000-0x0000000002C82000-memory.dmp

Filesize
712KB

Download
memory/2180-22-0x0000000002BD0000-0x0000000002C82000-memory.dmp

Filesize
712KB

Download
memory/2180-21-0x0000000002BD0000-0x0000000002C82000-memory.dmp

Filesize
712KB

Download
memory/2180-19-0x0000000002BD0000-0x0000000002C82000-memory.dmp

Filesize
712KB

Download
memory/2180-17-0x0000000002BD0000-0x0000000002C82000-memory.dmp

Filesize
712KB

Download
memory/2180-16-0x00000000029E0000-0x0000000002A84000-memory.dmp

Filesize
656KB

Download
memory/2180-15-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download