8b84a7455b746db7b652a43c68439722e1a923e8fa429cfd1c30e86858902eec

Analysis

max time kernel
3s
max time network
3s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
21/10/2023, 21:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.9f8b3f6716c91974ff3fdd79aeaa0830.exe
Size

206KB
MD5

9f8b3f6716c91974ff3fdd79aeaa0830
SHA1

374ae4a9301ab5670fad177276153a1684ff1def
SHA256

8b84a7455b746db7b652a43c68439722e1a923e8fa429cfd1c30e86858902eec
SHA512

16c36982f815093538fd25589362afaa9587c1f7165d6f67cca5b7ed33139a147b62de42996c84c780b9aeddfee025f86a54c62c14deab04f07ae373511691a8
SSDEEP

6144:5vEN2U+T6i5LirrllHy4HUcMQY6Whhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhht:RENN+T5xYrllrU7QY6Whhhhhhhhhhhh3

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
1456	explorer.exe
2560	spoolsv.exe
2520	svchost.exe
2516	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
2028	NEAS.9f8b3f6716c91974ff3fdd79aeaa0830.exe
2028	NEAS.9f8b3f6716c91974ff3fdd79aeaa0830.exe
1456	explorer.exe
1456	explorer.exe
2560	spoolsv.exe
2560	spoolsv.exe
2520	svchost.exe
2520	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	\??\c:\windows\system\explorer.exe	NEAS.9f8b3f6716c91974ff3fdd79aeaa0830.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2028	NEAS.9f8b3f6716c91974ff3fdd79aeaa0830.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
1456	explorer.exe
2520	svchost.exe
2520	svchost.exe
1456	explorer.exe
2520	svchost.exe
1456	explorer.exe
2520	svchost.exe
1456	explorer.exe
2520	svchost.exe
1456	explorer.exe
2520	svchost.exe
1456	explorer.exe
2520	svchost.exe
1456	explorer.exe
2520	svchost.exe
1456	explorer.exe
2520	svchost.exe
1456	explorer.exe
2520	svchost.exe
1456	explorer.exe
2520	svchost.exe
1456	explorer.exe
2520	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2028	NEAS.9f8b3f6716c91974ff3fdd79aeaa0830.exe
2028	NEAS.9f8b3f6716c91974ff3fdd79aeaa0830.exe
1456	explorer.exe
1456	explorer.exe
2560	spoolsv.exe
2560	spoolsv.exe
2520	svchost.exe
2520	svchost.exe
2516	spoolsv.exe
2516	spoolsv.exe
1456	explorer.exe
1456	explorer.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 1456	2028	NEAS.9f8b3f6716c91974ff3fdd79aeaa0830.exe	28
PID 2028 wrote to memory of 1456	2028	NEAS.9f8b3f6716c91974ff3fdd79aeaa0830.exe	28
PID 2028 wrote to memory of 1456	2028	NEAS.9f8b3f6716c91974ff3fdd79aeaa0830.exe	28
PID 2028 wrote to memory of 1456	2028	NEAS.9f8b3f6716c91974ff3fdd79aeaa0830.exe	28
PID 1456 wrote to memory of 2560	1456	explorer.exe	29
PID 1456 wrote to memory of 2560	1456	explorer.exe	29
PID 1456 wrote to memory of 2560	1456	explorer.exe	29
PID 1456 wrote to memory of 2560	1456	explorer.exe	29
PID 2560 wrote to memory of 2520	2560	spoolsv.exe	30
PID 2560 wrote to memory of 2520	2560	spoolsv.exe	30
PID 2560 wrote to memory of 2520	2560	spoolsv.exe	30
PID 2560 wrote to memory of 2520	2560	spoolsv.exe	30
PID 2520 wrote to memory of 2516	2520	svchost.exe	31
PID 2520 wrote to memory of 2516	2520	svchost.exe	31
PID 2520 wrote to memory of 2516	2520	svchost.exe	31
PID 2520 wrote to memory of 2516	2520	svchost.exe	31
PID 2520 wrote to memory of 2452	2520	svchost.exe	32
PID 2520 wrote to memory of 2452	2520	svchost.exe	32
PID 2520 wrote to memory of 2452	2520	svchost.exe	32
PID 2520 wrote to memory of 2452	2520	svchost.exe	32

C:\Users\Admin\AppData\Local\Temp\NEAS.9f8b3f6716c91974ff3fdd79aeaa0830.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.9f8b3f6716c91974ff3fdd79aeaa0830.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1456
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2520
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2516
    - - C:\Windows\SysWOW64\at.exe
        
        at 02:43 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
a13e2d97c2802bf8fd6d6b3e80f51d04

SHA1
4b05ea7b6a05e3a94d1943a4abecb6e18abef062

SHA256
67144bdc5172b815609d8270a37352a0449a9b72778c2a6d3b494cac18f8a4e3

SHA512
856383e49551777fc8c470823fa4cc1c424b4a9a73f9106b54fa6dbe36fa5113953e35a47c1ceec6c17c6d3ecc9b8372a0a21bd72afc33f060ab8a4dc7598417

Download Submit
C:\Windows\system\explorer.exe

Filesize
206KB

MD5
b092fab243d524c662e01ad00c52e19a

SHA1
fb74c0f2c90cdc59d39efde6800fc8bd2f8a5120

SHA256
e4cf2d1b84e776180097021f5bb77d1b6c19800527687a78755195fbe9334182

SHA512
941e5d6dbd92e44790955008bdc7a1adbe6ab36d92157626057f08dec0ad0591f71ae68091c9c45adce42bb6ee029b96e529b19c1eacc0581ec5e0460dec5694

Download Submit
C:\Windows\system\explorer.exe

Filesize
206KB

MD5
b092fab243d524c662e01ad00c52e19a

SHA1
fb74c0f2c90cdc59d39efde6800fc8bd2f8a5120

SHA256
e4cf2d1b84e776180097021f5bb77d1b6c19800527687a78755195fbe9334182

SHA512
941e5d6dbd92e44790955008bdc7a1adbe6ab36d92157626057f08dec0ad0591f71ae68091c9c45adce42bb6ee029b96e529b19c1eacc0581ec5e0460dec5694

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
206KB

MD5
79518a292d3bedceb42c0046e0f1c2ce

SHA1
c8b1ae77988bf5e8f12c0c8705a1a84143861432

SHA256
3e5740ca42ea334be601f2321fd516677095625db66ada4b6a7c3e5745b673c0

SHA512
ca80981a582d54270e31ad79b1e9bbd64ac6b937cd29b5e94b4ae9a43fc5ac9e74f8d8d503d45e3c2f57e939d1ba4ff8bb7404ab364dd276649a2762cec0d597

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
206KB

MD5
79518a292d3bedceb42c0046e0f1c2ce

SHA1
c8b1ae77988bf5e8f12c0c8705a1a84143861432

SHA256
3e5740ca42ea334be601f2321fd516677095625db66ada4b6a7c3e5745b673c0

SHA512
ca80981a582d54270e31ad79b1e9bbd64ac6b937cd29b5e94b4ae9a43fc5ac9e74f8d8d503d45e3c2f57e939d1ba4ff8bb7404ab364dd276649a2762cec0d597

Download Submit
C:\Windows\system\svchost.exe

Filesize
206KB

MD5
f37f89cc2f8c1c092447a5f7c05649bd

SHA1
fd0e24410bd26e2c914a11db4dac0ef1e82cefeb

SHA256
f99afb61b2c36ff0957817b7ceca2593081a80dd966c95d1c6e07ffdaa8c80f9

SHA512
02a5cba1c520da5bd9e4ebbe67ad619e04184105241642af9a0cb4330590c65f9db90a4209a5984f3c3e335a8b4faa330e4e0aff3a9855855be4593005530c03

Download Submit
\??\c:\windows\system\explorer.exe

Filesize
206KB

MD5
b092fab243d524c662e01ad00c52e19a

SHA1
fb74c0f2c90cdc59d39efde6800fc8bd2f8a5120

SHA256
e4cf2d1b84e776180097021f5bb77d1b6c19800527687a78755195fbe9334182

SHA512
941e5d6dbd92e44790955008bdc7a1adbe6ab36d92157626057f08dec0ad0591f71ae68091c9c45adce42bb6ee029b96e529b19c1eacc0581ec5e0460dec5694

Download Submit
\??\c:\windows\system\spoolsv.exe

Filesize
206KB

MD5
79518a292d3bedceb42c0046e0f1c2ce

SHA1
c8b1ae77988bf5e8f12c0c8705a1a84143861432

SHA256
3e5740ca42ea334be601f2321fd516677095625db66ada4b6a7c3e5745b673c0

SHA512
ca80981a582d54270e31ad79b1e9bbd64ac6b937cd29b5e94b4ae9a43fc5ac9e74f8d8d503d45e3c2f57e939d1ba4ff8bb7404ab364dd276649a2762cec0d597

Download Submit
\??\c:\windows\system\svchost.exe

Filesize
206KB

MD5
f37f89cc2f8c1c092447a5f7c05649bd

SHA1
fd0e24410bd26e2c914a11db4dac0ef1e82cefeb

SHA256
f99afb61b2c36ff0957817b7ceca2593081a80dd966c95d1c6e07ffdaa8c80f9

SHA512
02a5cba1c520da5bd9e4ebbe67ad619e04184105241642af9a0cb4330590c65f9db90a4209a5984f3c3e335a8b4faa330e4e0aff3a9855855be4593005530c03

Download Submit
\Windows\system\explorer.exe

Filesize
206KB

MD5
b092fab243d524c662e01ad00c52e19a

SHA1
fb74c0f2c90cdc59d39efde6800fc8bd2f8a5120

SHA256
e4cf2d1b84e776180097021f5bb77d1b6c19800527687a78755195fbe9334182

SHA512
941e5d6dbd92e44790955008bdc7a1adbe6ab36d92157626057f08dec0ad0591f71ae68091c9c45adce42bb6ee029b96e529b19c1eacc0581ec5e0460dec5694

Download Submit
\Windows\system\explorer.exe

Filesize
206KB

MD5
b092fab243d524c662e01ad00c52e19a

SHA1
fb74c0f2c90cdc59d39efde6800fc8bd2f8a5120

SHA256
e4cf2d1b84e776180097021f5bb77d1b6c19800527687a78755195fbe9334182

SHA512
941e5d6dbd92e44790955008bdc7a1adbe6ab36d92157626057f08dec0ad0591f71ae68091c9c45adce42bb6ee029b96e529b19c1eacc0581ec5e0460dec5694

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
79518a292d3bedceb42c0046e0f1c2ce

SHA1
c8b1ae77988bf5e8f12c0c8705a1a84143861432

SHA256
3e5740ca42ea334be601f2321fd516677095625db66ada4b6a7c3e5745b673c0

SHA512
ca80981a582d54270e31ad79b1e9bbd64ac6b937cd29b5e94b4ae9a43fc5ac9e74f8d8d503d45e3c2f57e939d1ba4ff8bb7404ab364dd276649a2762cec0d597

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
79518a292d3bedceb42c0046e0f1c2ce

SHA1
c8b1ae77988bf5e8f12c0c8705a1a84143861432

SHA256
3e5740ca42ea334be601f2321fd516677095625db66ada4b6a7c3e5745b673c0

SHA512
ca80981a582d54270e31ad79b1e9bbd64ac6b937cd29b5e94b4ae9a43fc5ac9e74f8d8d503d45e3c2f57e939d1ba4ff8bb7404ab364dd276649a2762cec0d597

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
79518a292d3bedceb42c0046e0f1c2ce

SHA1
c8b1ae77988bf5e8f12c0c8705a1a84143861432

SHA256
3e5740ca42ea334be601f2321fd516677095625db66ada4b6a7c3e5745b673c0

SHA512
ca80981a582d54270e31ad79b1e9bbd64ac6b937cd29b5e94b4ae9a43fc5ac9e74f8d8d503d45e3c2f57e939d1ba4ff8bb7404ab364dd276649a2762cec0d597

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
79518a292d3bedceb42c0046e0f1c2ce

SHA1
c8b1ae77988bf5e8f12c0c8705a1a84143861432

SHA256
3e5740ca42ea334be601f2321fd516677095625db66ada4b6a7c3e5745b673c0

SHA512
ca80981a582d54270e31ad79b1e9bbd64ac6b937cd29b5e94b4ae9a43fc5ac9e74f8d8d503d45e3c2f57e939d1ba4ff8bb7404ab364dd276649a2762cec0d597

Download Submit
\Windows\system\svchost.exe

Filesize
206KB

MD5
f37f89cc2f8c1c092447a5f7c05649bd

SHA1
fd0e24410bd26e2c914a11db4dac0ef1e82cefeb

SHA256
f99afb61b2c36ff0957817b7ceca2593081a80dd966c95d1c6e07ffdaa8c80f9

SHA512
02a5cba1c520da5bd9e4ebbe67ad619e04184105241642af9a0cb4330590c65f9db90a4209a5984f3c3e335a8b4faa330e4e0aff3a9855855be4593005530c03

Download Submit
\Windows\system\svchost.exe

Filesize
206KB

MD5
f37f89cc2f8c1c092447a5f7c05649bd

SHA1
fd0e24410bd26e2c914a11db4dac0ef1e82cefeb

SHA256
f99afb61b2c36ff0957817b7ceca2593081a80dd966c95d1c6e07ffdaa8c80f9

SHA512
02a5cba1c520da5bd9e4ebbe67ad619e04184105241642af9a0cb4330590c65f9db90a4209a5984f3c3e335a8b4faa330e4e0aff3a9855855be4593005530c03

Download Submit
memory/1456-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2028-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2028-14-0x0000000002AF0000-0x0000000002B30000-memory.dmp

Filesize
256KB

Download
memory/2028-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2028-12-0x0000000002AF0000-0x0000000002B30000-memory.dmp

Filesize
256KB

Download
memory/2516-52-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2560-53-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download