c84570d525f7bb3e8aef57d922c05021b992cc4de5bd4ea9f82fce602f352cf0

Analysis

max time kernel
139s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2023, 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.120a7decd96d722a10e9e65963cc1570.exe
Size

355KB
MD5

120a7decd96d722a10e9e65963cc1570
SHA1

372ed1d0c8eccc0004aa87ed65108b509fa5d8b9
SHA256

c84570d525f7bb3e8aef57d922c05021b992cc4de5bd4ea9f82fce602f352cf0
SHA512

5f9bac198181cf7707338a4c6dfbf257c54d2f89562da069593f49a3a888a8760c170d7be8e291a3b0c101e2b951b7785b91723abedcf978057b15ca3a398227
SSDEEP

6144:I3EmWPDNND9yRPzLq+YXFqaZiMLic9kzVd7EAC4TSs9EiS:TmWhND9yJz+b1FcMLmp2ATTSsdS

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
3036	svchost.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\3173ebc1 = "CcJ6¬\x03ggÔ˜\u008f±½¡\u009daó\x1c^Á\x15µX\x1fÇþä(À/°Ùø·ØÕÓµ€.F½gà5€WÆÇ•e %\x7f¶Ø\u00ad•³í\u0081}Øè0i¸©ûŸ\x06‘»Oàù‰€\x0f\x7fõ\x13Û=ggÐ>×•9£xÍ¥uÐ\u0090ýQ\x05ð&Oyk×ÈE#H`žåÍ'{0\x7f\u008d0Ï\x18ÆÛ\u008fk½o/>\x05ÍfÕH»h0¨-cè\u00a0\x0eXµF/‹0«ø¯=X\x1d\vî"	NEAS.120a7decd96d722a10e9e65963cc1570.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\3173ebc1 = "CcJ6¬\x03ggÔ˜\u008f±½¡\u009daó\x1c^Á\x15µX\x1fÇþä(À/°Ùø·ØÕÓµ€.F½gà5€WÆÇ•e %\x7f¶Ø\u00ad•³í\u0081}Øè0i¸©ûŸ\x06‘»Oàù‰€\x0f\x7fõ\x13Û=ggÐ>×•9£xÍ¥uÐ\u0090ýQ\x05ð&Oyk×ÈE#H`žåÍ'{0\x7f\u008d0Ï\x18ÆÛ\u008fk½o/>\x05ÍfÕH»h0¨-cè\u00a0\x0eXµF/‹0«ø¯=X\x1d\vî"	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	NEAS.120a7decd96d722a10e9e65963cc1570.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	NEAS.120a7decd96d722a10e9e65963cc1570.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4160	NEAS.120a7decd96d722a10e9e65963cc1570.exe
4160	NEAS.120a7decd96d722a10e9e65963cc1570.exe
4160	NEAS.120a7decd96d722a10e9e65963cc1570.exe
4160	NEAS.120a7decd96d722a10e9e65963cc1570.exe
4160	NEAS.120a7decd96d722a10e9e65963cc1570.exe
4160	NEAS.120a7decd96d722a10e9e65963cc1570.exe
4160	NEAS.120a7decd96d722a10e9e65963cc1570.exe
4160	NEAS.120a7decd96d722a10e9e65963cc1570.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4160	NEAS.120a7decd96d722a10e9e65963cc1570.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4160 wrote to memory of 3036	4160	NEAS.120a7decd96d722a10e9e65963cc1570.exe	83
PID 4160 wrote to memory of 3036	4160	NEAS.120a7decd96d722a10e9e65963cc1570.exe	83
PID 4160 wrote to memory of 3036	4160	NEAS.120a7decd96d722a10e9e65963cc1570.exe	83

C:\Users\Admin\AppData\Local\Temp\NEAS.120a7decd96d722a10e9e65963cc1570.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.120a7decd96d722a10e9e65963cc1570.exe"
1⤵
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4160
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - Suspicious behavior: EnumeratesProcesses
  PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\12AD.tmp

Filesize
2KB

MD5
4cc5938998ab3124397a9e2771886a9c

SHA1
7552f653e0e5931f7a073bf572fcca9687bdafe3

SHA256
4658f69868a2e4bbc19c1834a0b2035fbc5882866d13e60fec6156995972949d

SHA512
24978df2cbec8b6c598e7c2b06971e9640dbd6dc71e361a7e8bd7504f02599f92ec253f27e5a1ea315fdfcccb83a2669e220a50f35678151b3daa2c30c8b04ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\136E.tmp

Filesize
481B

MD5
48677df82b0e0ddb406809776e4f74b3

SHA1
addaea85eb13b9363dbdb5249cca0610049f8850

SHA256
98b582ddd5ac33043e2094f23625f59855d6e9359eb1cb987ecaa9a1649eb80b

SHA512
10a6cccbe1b1698520c1030529b4b811f9afba03ff96d71999b3872f2fc6572dc717897190834ed370fe3172389656686209991eab00486b8eeb8e33aedd915f

Download Submit
C:\Users\Admin\AppData\Local\Temp\44A3.tmp

Filesize
12KB

MD5
1639705c0468ff5b89d563cc785c9374

SHA1
f6807f616bab661123da67196ca7d5015df9ea82

SHA256
4788bc2f12f5ef35a1e86ba33d4ecd9efcc89446502465d7e8320a36c6a0e25c

SHA512
d50f65b6100586ddda7d62a8d21d013e0c5d4c52a2fc5d53867ba086571116dac992eefd2fb55873196f3516bac91c9cff8da5f4b8f91e5f9c13240e5622d768

Download Submit
C:\Users\Admin\AppData\Local\Temp\4688.tmp

Filesize
1KB

MD5
5dac311dd79e4e1a1abec1ef8088d03d

SHA1
2746e6fcd9b1591f59aab58ec1ae656ced920286

SHA256
bd4f27aa1f1780dbdfa574b4c4492db6bd9ca2a46037f2351a32cfea51e90990

SHA512
3f8592df53609195be73a7937d26bf93b75a0bd4c19f7a7888551fde7796c182f3dedf22c87c682c4ea299f56e49b01eb44c1c77b7108fa4e32a498f2211d213

Download Submit
C:\Users\Admin\AppData\Local\Temp\5D6E.tmp

Filesize
593B

MD5
926512864979bc27cf187f1de3f57aff

SHA1
acdeb9d6187932613c7fa08eaf28f0cd8116f4b5

SHA256
b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f

SHA512
f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b

Download Submit
C:\Users\Admin\AppData\Local\Temp\88D.tmp

Filesize
2KB

MD5
2cf8c2bb7cb680bd565cb9ee76f8a596

SHA1
0c18115c726b84ea7dd97585facbf7c2332f5684

SHA256
d86e799784b642f98d8b910ae608504107a59e1a55279ae594a62426809270fa

SHA512
d9939da9f552b4c9efb6567ca63da25453afbfcdf2c3031063e0e5f635c2d5d48b84913f0ad531fd93dc814439733b7434c55c7bc317cb0dc500a88c061aaa32

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
355KB

MD5
6c380f42fdb3fdeb5ff9cc8202623bd0

SHA1
17f67d856b0e189bdc68aa49058a9ccd0c29ead0

SHA256
91da3b97e89e44dcdaa0d020db2951576badd38059372cc48991b37203ac7493

SHA512
6760d1c02ac0fadacc5a21983a953f29d5bf3582761b8cc2ce21182dc077d7c1f66d85531b15b0c5f83aee535815100328b583086b9f973b83ff4deb37ae386a

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
355KB

MD5
6c380f42fdb3fdeb5ff9cc8202623bd0

SHA1
17f67d856b0e189bdc68aa49058a9ccd0c29ead0

SHA256
91da3b97e89e44dcdaa0d020db2951576badd38059372cc48991b37203ac7493

SHA512
6760d1c02ac0fadacc5a21983a953f29d5bf3582761b8cc2ce21182dc077d7c1f66d85531b15b0c5f83aee535815100328b583086b9f973b83ff4deb37ae386a

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
355KB

MD5
6c380f42fdb3fdeb5ff9cc8202623bd0

SHA1
17f67d856b0e189bdc68aa49058a9ccd0c29ead0

SHA256
91da3b97e89e44dcdaa0d020db2951576badd38059372cc48991b37203ac7493

SHA512
6760d1c02ac0fadacc5a21983a953f29d5bf3582761b8cc2ce21182dc077d7c1f66d85531b15b0c5f83aee535815100328b583086b9f973b83ff4deb37ae386a

Download Submit
memory/3036-33-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3036-46-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3036-15-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3036-16-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3036-17-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3036-18-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3036-19-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3036-20-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3036-23-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3036-22-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3036-21-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3036-25-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3036-27-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3036-29-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3036-30-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3036-11-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3036-37-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3036-38-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3036-44-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3036-41-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3036-35-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3036-13-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3036-48-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3036-51-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3036-53-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3036-56-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3036-54-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3036-58-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3036-60-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3036-62-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3036-63-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3036-66-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3036-67-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3036-68-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3036-69-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3036-70-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3036-71-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3036-9-0x0000000002720000-0x00000000027C8000-memory.dmp

Filesize
672KB

Download
memory/3036-72-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3036-73-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3036-174-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download