dff6637bf2f141177e628ccccc03f2b903e2fe3dd6ab01273585ff0114674204

Analysis

max time kernel
144s
max time network
147s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
16/10/2023, 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.8ec6cbc74a6b64ad33239f4a6b8416b0.exe
Size

201KB
MD5

8ec6cbc74a6b64ad33239f4a6b8416b0
SHA1

c84b9a0906f392fab657b4e57c6510dc3721ff95
SHA256

dff6637bf2f141177e628ccccc03f2b903e2fe3dd6ab01273585ff0114674204
SHA512

54545ac30aa431ed5079ea9104de65d1221cbf53abda0c7e350068e16eabc641bec549ff2b18af45696dcfda262d7fe9c8e460dd474615c092d9e9bb86281257
SSDEEP

6144:ot++Jbojf5Vq5OC4qZhZcKYhc/ZfUozY:L+cff22qZhZcKYhc/

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2208	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2124	NEAS.8ec6cbc74a6b64ad33239f4a6b8416b0.exe
2124	NEAS.8ec6cbc74a6b64ad33239f4a6b8416b0.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\84905d88 = "C:\\Windows\\apppatch\\svchost.exe"	NEAS.8ec6cbc74a6b64ad33239f4a6b8416b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\84905d88 = "C:\\Windows\\apppatch\\svchost.exe"	svchost.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\vonypom.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\vonypom.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vocyzit.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qetyfuv.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\vocyzit.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\qetyfuv.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\puzylyp.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\puzylyp.com	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	NEAS.8ec6cbc74a6b64ad33239f4a6b8416b0.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	NEAS.8ec6cbc74a6b64ad33239f4a6b8416b0.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2208	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2124	NEAS.8ec6cbc74a6b64ad33239f4a6b8416b0.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2208	2124	NEAS.8ec6cbc74a6b64ad33239f4a6b8416b0.exe	28
PID 2124 wrote to memory of 2208	2124	NEAS.8ec6cbc74a6b64ad33239f4a6b8416b0.exe	28
PID 2124 wrote to memory of 2208	2124	NEAS.8ec6cbc74a6b64ad33239f4a6b8416b0.exe	28
PID 2124 wrote to memory of 2208	2124	NEAS.8ec6cbc74a6b64ad33239f4a6b8416b0.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.8ec6cbc74a6b64ad33239f4a6b8416b0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.8ec6cbc74a6b64ad33239f4a6b8416b0.exe"
1⤵
- Loads dropped DLL
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Defender\puzylyp.com

Filesize
2KB

MD5
9ee7efb13bd4f6835c9ad4a0cb85b792

SHA1
5af059be8da511ca995e24232a3f7fe1009cd287

SHA256
9fd63fbcec3b709e2e49759c0d50ceadd63c6dd7dd0168a63dd48fd31370b8b4

SHA512
6e150d99d09397c405a437cfb654b6a0025294844a9f35a9622f7803503057cbe4a7088760a5b0ab570393501f1f56628edfa7192ecb21b29d71ca56d0355b53

Download Submit
C:\Windows\AppPatch\svchost.exe

Filesize
201KB

MD5
48e81171e8ad2ff96d5c98146729268e

SHA1
45303704e1780ddd3b61d39098490a8fbe67c910

SHA256
77673adfa049b149bba7bf848e630a6ddee39d128e5fad899d01bae2d75d91cf

SHA512
48af7f4761ac92aa4f5217eec7590784918d9fdff3bc1f1f56de13f5ee82236c6379ec25657166f39e751319c07e0dee5dadc0a08eecccf295b2b1e8760e1f6d

Download Submit
C:\Windows\AppPatch\svchost.exe

Filesize
201KB

MD5
48e81171e8ad2ff96d5c98146729268e

SHA1
45303704e1780ddd3b61d39098490a8fbe67c910

SHA256
77673adfa049b149bba7bf848e630a6ddee39d128e5fad899d01bae2d75d91cf

SHA512
48af7f4761ac92aa4f5217eec7590784918d9fdff3bc1f1f56de13f5ee82236c6379ec25657166f39e751319c07e0dee5dadc0a08eecccf295b2b1e8760e1f6d

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
201KB

MD5
48e81171e8ad2ff96d5c98146729268e

SHA1
45303704e1780ddd3b61d39098490a8fbe67c910

SHA256
77673adfa049b149bba7bf848e630a6ddee39d128e5fad899d01bae2d75d91cf

SHA512
48af7f4761ac92aa4f5217eec7590784918d9fdff3bc1f1f56de13f5ee82236c6379ec25657166f39e751319c07e0dee5dadc0a08eecccf295b2b1e8760e1f6d

Download Submit
\Windows\AppPatch\svchost.exe

Filesize
201KB

MD5
48e81171e8ad2ff96d5c98146729268e

SHA1
45303704e1780ddd3b61d39098490a8fbe67c910

SHA256
77673adfa049b149bba7bf848e630a6ddee39d128e5fad899d01bae2d75d91cf

SHA512
48af7f4761ac92aa4f5217eec7590784918d9fdff3bc1f1f56de13f5ee82236c6379ec25657166f39e751319c07e0dee5dadc0a08eecccf295b2b1e8760e1f6d

Download Submit
\Windows\AppPatch\svchost.exe

Filesize
201KB

MD5
48e81171e8ad2ff96d5c98146729268e

SHA1
45303704e1780ddd3b61d39098490a8fbe67c910

SHA256
77673adfa049b149bba7bf848e630a6ddee39d128e5fad899d01bae2d75d91cf

SHA512
48af7f4761ac92aa4f5217eec7590784918d9fdff3bc1f1f56de13f5ee82236c6379ec25657166f39e751319c07e0dee5dadc0a08eecccf295b2b1e8760e1f6d

Download Submit
memory/2124-0-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2124-1-0x00000000002A0000-0x00000000002EF000-memory.dmp

Filesize
316KB

Download
memory/2124-2-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2124-18-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2124-16-0x00000000002A0000-0x00000000002EF000-memory.dmp

Filesize
316KB

Download
memory/2208-43-0x00000000025B0000-0x0000000002662000-memory.dmp

Filesize
712KB

Download
memory/2208-51-0x00000000025B0000-0x0000000002662000-memory.dmp

Filesize
712KB

Download
memory/2208-24-0x00000000022A0000-0x0000000002344000-memory.dmp

Filesize
656KB

Download
memory/2208-26-0x00000000022A0000-0x0000000002344000-memory.dmp

Filesize
656KB

Download
memory/2208-28-0x00000000022A0000-0x0000000002344000-memory.dmp

Filesize
656KB

Download
memory/2208-30-0x00000000022A0000-0x0000000002344000-memory.dmp

Filesize
656KB

Download
memory/2208-32-0x00000000025B0000-0x0000000002662000-memory.dmp

Filesize
712KB

Download
memory/2208-34-0x00000000025B0000-0x0000000002662000-memory.dmp

Filesize
712KB

Download
memory/2208-20-0x00000000022A0000-0x0000000002344000-memory.dmp

Filesize
656KB

Download
memory/2208-37-0x00000000025B0000-0x0000000002662000-memory.dmp

Filesize
712KB

Download
memory/2208-38-0x00000000025B0000-0x0000000002662000-memory.dmp

Filesize
712KB

Download
memory/2208-39-0x00000000025B0000-0x0000000002662000-memory.dmp

Filesize
712KB

Download
memory/2208-40-0x00000000025B0000-0x0000000002662000-memory.dmp

Filesize
712KB

Download
memory/2208-41-0x00000000025B0000-0x0000000002662000-memory.dmp

Filesize
712KB

Download
memory/2208-42-0x00000000025B0000-0x0000000002662000-memory.dmp

Filesize
712KB

Download
memory/2208-19-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2208-45-0x00000000025B0000-0x0000000002662000-memory.dmp

Filesize
712KB

Download
memory/2208-44-0x00000000025B0000-0x0000000002662000-memory.dmp

Filesize
712KB

Download
memory/2208-46-0x00000000025B0000-0x0000000002662000-memory.dmp

Filesize
712KB

Download
memory/2208-47-0x00000000025B0000-0x0000000002662000-memory.dmp

Filesize
712KB

Download
memory/2208-48-0x00000000025B0000-0x0000000002662000-memory.dmp

Filesize
712KB

Download
memory/2208-22-0x00000000022A0000-0x0000000002344000-memory.dmp

Filesize
656KB

Download
memory/2208-50-0x00000000025B0000-0x0000000002662000-memory.dmp

Filesize
712KB

Download
memory/2208-49-0x00000000025B0000-0x0000000002662000-memory.dmp

Filesize
712KB

Download
memory/2208-52-0x00000000025B0000-0x0000000002662000-memory.dmp

Filesize
712KB

Download
memory/2208-53-0x00000000025B0000-0x0000000002662000-memory.dmp

Filesize
712KB

Download
memory/2208-56-0x00000000025B0000-0x0000000002662000-memory.dmp

Filesize
712KB

Download
memory/2208-55-0x00000000025B0000-0x0000000002662000-memory.dmp

Filesize
712KB

Download
memory/2208-59-0x00000000025B0000-0x0000000002662000-memory.dmp

Filesize
712KB

Download
memory/2208-57-0x00000000025B0000-0x0000000002662000-memory.dmp

Filesize
712KB

Download
memory/2208-58-0x00000000025B0000-0x0000000002662000-memory.dmp

Filesize
712KB

Download
memory/2208-61-0x00000000025B0000-0x0000000002662000-memory.dmp

Filesize
712KB

Download
memory/2208-62-0x00000000025B0000-0x0000000002662000-memory.dmp

Filesize
712KB

Download
memory/2208-60-0x00000000025B0000-0x0000000002662000-memory.dmp

Filesize
712KB

Download
memory/2208-63-0x00000000025B0000-0x0000000002662000-memory.dmp

Filesize
712KB

Download
memory/2208-64-0x00000000025B0000-0x0000000002662000-memory.dmp

Filesize
712KB

Download
memory/2208-65-0x00000000025B0000-0x0000000002662000-memory.dmp

Filesize
712KB

Download
memory/2208-66-0x00000000025B0000-0x0000000002662000-memory.dmp

Filesize
712KB

Download
memory/2208-69-0x00000000025B0000-0x0000000002662000-memory.dmp

Filesize
712KB

Download
memory/2208-74-0x00000000025B0000-0x0000000002662000-memory.dmp

Filesize
712KB

Download
memory/2208-17-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2208-111-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download