97c1090c561faa9c4eb1a468af9034aca8b6197f983845078e4adeeeec620412

Analysis

max time kernel
151s
max time network
124s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
22/10/2023, 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.16b3d570258918d02abe6719f41b71f0_JC.exe
Size

100KB
MD5

16b3d570258918d02abe6719f41b71f0
SHA1

0f4979919e54e60319ad0ee87126b2ea8b0bde48
SHA256

97c1090c561faa9c4eb1a468af9034aca8b6197f983845078e4adeeeec620412
SHA512

7c70e4b10eff2d4858026f898574752c6577afe759dab46231d7ce816ce18fa6d6a9315a3ff565d5c2264f4a138324aa386cea4900ffcd6ad7f9c2151b704475
SSDEEP

1536:3iWlcX220mQ/oexJKIRGWcOUP7vXArnY1ZqAefzyeshNIjnZZ:ypQ/mNAfzyemCnb

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	jkfow.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	NEAS.16b3d570258918d02abe6719f41b71f0_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
3064	jkfow.exe

Loads dropped DLL 2 IoCs

pid	Process
1740	NEAS.16b3d570258918d02abe6719f41b71f0_JC.exe
1740	NEAS.16b3d570258918d02abe6719f41b71f0_JC.exe

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /Q"	jkfow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /z"	jkfow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /C"	jkfow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /W"	jkfow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /p"	jkfow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /l"	jkfow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /w"	jkfow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /D"	jkfow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /g"	jkfow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /B"	jkfow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /j"	jkfow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /G"	jkfow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /v"	jkfow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /x"	jkfow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /L"	jkfow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /c"	jkfow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /K"	jkfow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /N"	jkfow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /o"	jkfow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /u"	jkfow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /P"	jkfow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /d"	jkfow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /R"	jkfow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /Y"	jkfow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /U"	jkfow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /b"	jkfow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /s"	jkfow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /F"	jkfow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /m"	jkfow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /E"	jkfow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /M"	jkfow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /k"	jkfow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /a"	jkfow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /n"	jkfow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /Z"	jkfow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /q"	jkfow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /H"	jkfow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /e"	jkfow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /S"	jkfow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /r"	jkfow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /Z"	NEAS.16b3d570258918d02abe6719f41b71f0_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /V"	jkfow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /A"	jkfow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /O"	jkfow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /i"	jkfow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /f"	jkfow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /I"	jkfow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /T"	jkfow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /X"	jkfow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /t"	jkfow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /h"	jkfow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\jkfow = "C:\\Users\\Admin\\jkfow.exe /J"	jkfow.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1740	NEAS.16b3d570258918d02abe6719f41b71f0_JC.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe
3064	jkfow.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1740	NEAS.16b3d570258918d02abe6719f41b71f0_JC.exe
3064	jkfow.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 3064	1740	NEAS.16b3d570258918d02abe6719f41b71f0_JC.exe	28
PID 1740 wrote to memory of 3064	1740	NEAS.16b3d570258918d02abe6719f41b71f0_JC.exe	28
PID 1740 wrote to memory of 3064	1740	NEAS.16b3d570258918d02abe6719f41b71f0_JC.exe	28
PID 1740 wrote to memory of 3064	1740	NEAS.16b3d570258918d02abe6719f41b71f0_JC.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.16b3d570258918d02abe6719f41b71f0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.16b3d570258918d02abe6719f41b71f0_JC.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Users\Admin\jkfow.exe
  "C:\Users\Admin\jkfow.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\jkfow.exe

Filesize
100KB

MD5
d14cdacd8fb4770a32eb6387a0a0cf45

SHA1
9fb8a8e6890ea08009a9939cce86d13e1cab68c4

SHA256
8035d04f0fa1044218229322f99fba52e3d3673cf77cf31e9b0a3978cf1d022a

SHA512
2cf39e318ae40ac70e8154f1ededd6d2f9fdc0b9de5f04bc71cd07b0e60d84c917eb7bbc8cbf430db5dc2c7ffc5895ea7e952028bf22df134767adab4ff4785d

Download Submit
C:\Users\Admin\jkfow.exe

Filesize
100KB

MD5
d14cdacd8fb4770a32eb6387a0a0cf45

SHA1
9fb8a8e6890ea08009a9939cce86d13e1cab68c4

SHA256
8035d04f0fa1044218229322f99fba52e3d3673cf77cf31e9b0a3978cf1d022a

SHA512
2cf39e318ae40ac70e8154f1ededd6d2f9fdc0b9de5f04bc71cd07b0e60d84c917eb7bbc8cbf430db5dc2c7ffc5895ea7e952028bf22df134767adab4ff4785d

Download Submit
C:\Users\Admin\jkfow.exe

Filesize
100KB

MD5
d14cdacd8fb4770a32eb6387a0a0cf45

SHA1
9fb8a8e6890ea08009a9939cce86d13e1cab68c4

SHA256
8035d04f0fa1044218229322f99fba52e3d3673cf77cf31e9b0a3978cf1d022a

SHA512
2cf39e318ae40ac70e8154f1ededd6d2f9fdc0b9de5f04bc71cd07b0e60d84c917eb7bbc8cbf430db5dc2c7ffc5895ea7e952028bf22df134767adab4ff4785d

Download Submit
\Users\Admin\jkfow.exe

Filesize
100KB

MD5
d14cdacd8fb4770a32eb6387a0a0cf45

SHA1
9fb8a8e6890ea08009a9939cce86d13e1cab68c4

SHA256
8035d04f0fa1044218229322f99fba52e3d3673cf77cf31e9b0a3978cf1d022a

SHA512
2cf39e318ae40ac70e8154f1ededd6d2f9fdc0b9de5f04bc71cd07b0e60d84c917eb7bbc8cbf430db5dc2c7ffc5895ea7e952028bf22df134767adab4ff4785d

Download Submit
\Users\Admin\jkfow.exe

Filesize
100KB

MD5
d14cdacd8fb4770a32eb6387a0a0cf45

SHA1
9fb8a8e6890ea08009a9939cce86d13e1cab68c4

SHA256
8035d04f0fa1044218229322f99fba52e3d3673cf77cf31e9b0a3978cf1d022a

SHA512
2cf39e318ae40ac70e8154f1ededd6d2f9fdc0b9de5f04bc71cd07b0e60d84c917eb7bbc8cbf430db5dc2c7ffc5895ea7e952028bf22df134767adab4ff4785d

Download Submit
memory/1740-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1740-15-0x0000000002C10000-0x0000000002C3E000-memory.dmp

Filesize
184KB

Download
memory/1740-9-0x0000000002C10000-0x0000000002C3E000-memory.dmp

Filesize
184KB

Download
memory/1740-19-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3064-20-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download