ec7d5fce0da7f0940b8b5d7c96414362392999a45714c573210046a8d9450d7e

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
22/10/2023, 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.521b06aa293edcd182bb96d327762360.exe
Size

207KB
MD5

521b06aa293edcd182bb96d327762360
SHA1

31849c52defe64aaba55d04c07d42579aef8cfd1
SHA256

ec7d5fce0da7f0940b8b5d7c96414362392999a45714c573210046a8d9450d7e
SHA512

e5f0894bd79b361491f4b4eb007ff9c86a6bcbb497b4ca248d639b1ef28d204da5c7f6eebacc9ad0b9179655d023bc8ee9b9b794ed8e9c1de60eaca3dfff2154
SSDEEP

3072:MvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unW:MvEN2U+T6i5LirrllHy4HUcMQY6d

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
1060	explorer.exe
4776	spoolsv.exe
3340	svchost.exe
3156	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	NEAS.521b06aa293edcd182bb96d327762360.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4012	NEAS.521b06aa293edcd182bb96d327762360.exe
4012	NEAS.521b06aa293edcd182bb96d327762360.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
1060	explorer.exe
1060	explorer.exe
3340	svchost.exe
3340	svchost.exe
1060	explorer.exe
1060	explorer.exe
3340	svchost.exe
3340	svchost.exe
1060	explorer.exe
1060	explorer.exe
3340	svchost.exe
3340	svchost.exe
1060	explorer.exe
1060	explorer.exe
3340	svchost.exe
3340	svchost.exe
1060	explorer.exe
1060	explorer.exe
3340	svchost.exe
3340	svchost.exe
1060	explorer.exe
1060	explorer.exe
3340	svchost.exe
3340	svchost.exe
1060	explorer.exe
1060	explorer.exe
3340	svchost.exe
3340	svchost.exe
1060	explorer.exe
1060	explorer.exe
3340	svchost.exe
3340	svchost.exe
1060	explorer.exe
1060	explorer.exe
3340	svchost.exe
3340	svchost.exe
1060	explorer.exe
1060	explorer.exe
3340	svchost.exe
3340	svchost.exe
1060	explorer.exe
1060	explorer.exe
3340	svchost.exe
3340	svchost.exe
1060	explorer.exe
1060	explorer.exe
3340	svchost.exe
3340	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1060	explorer.exe
3340	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4012	NEAS.521b06aa293edcd182bb96d327762360.exe
4012	NEAS.521b06aa293edcd182bb96d327762360.exe
1060	explorer.exe
1060	explorer.exe
4776	spoolsv.exe
4776	spoolsv.exe
3340	svchost.exe
3340	svchost.exe
3156	spoolsv.exe
3156	spoolsv.exe
1060	explorer.exe
1060	explorer.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4012 wrote to memory of 1060	4012	NEAS.521b06aa293edcd182bb96d327762360.exe	82
PID 4012 wrote to memory of 1060	4012	NEAS.521b06aa293edcd182bb96d327762360.exe	82
PID 4012 wrote to memory of 1060	4012	NEAS.521b06aa293edcd182bb96d327762360.exe	82
PID 1060 wrote to memory of 4776	1060	explorer.exe	83
PID 1060 wrote to memory of 4776	1060	explorer.exe	83
PID 1060 wrote to memory of 4776	1060	explorer.exe	83
PID 4776 wrote to memory of 3340	4776	spoolsv.exe	85
PID 4776 wrote to memory of 3340	4776	spoolsv.exe	85
PID 4776 wrote to memory of 3340	4776	spoolsv.exe	85
PID 3340 wrote to memory of 3156	3340	svchost.exe	86
PID 3340 wrote to memory of 3156	3340	svchost.exe	86
PID 3340 wrote to memory of 3156	3340	svchost.exe	86
PID 3340 wrote to memory of 1156	3340	svchost.exe	88
PID 3340 wrote to memory of 1156	3340	svchost.exe	88
PID 3340 wrote to memory of 1156	3340	svchost.exe	88
PID 3340 wrote to memory of 5092	3340	svchost.exe	95
PID 3340 wrote to memory of 5092	3340	svchost.exe	95
PID 3340 wrote to memory of 5092	3340	svchost.exe	95
PID 3340 wrote to memory of 2464	3340	svchost.exe	97
PID 3340 wrote to memory of 2464	3340	svchost.exe	97
PID 3340 wrote to memory of 2464	3340	svchost.exe	97

C:\Users\Admin\AppData\Local\Temp\NEAS.521b06aa293edcd182bb96d327762360.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.521b06aa293edcd182bb96d327762360.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4012
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1060
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4776
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3340
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3156
    - - C:\Windows\SysWOW64\at.exe
        
        at 19:48 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:1156
    - - C:\Windows\SysWOW64\at.exe
        
        at 19:49 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:5092
    - - C:\Windows\SysWOW64\at.exe
        
        at 19:50 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
3941e83a00348a8eb781d683f5d72f80

SHA1
5d065b3b6f7e0cfbc3ff7ea3b1034ef9da93a07d

SHA256
abc7e2905ee8e007911112b7ad3278b18baf41c5e09cb1eeee397b41af1192b2

SHA512
7f6e4453254063a37faed7cafd373b92cd193d9196c9395f32461d5bfe93d3b79bfeccf4cc5405f7ffc93769347b007566d723cd769fd4109e79e18e6efdce5d

Download Submit
C:\Windows\System\explorer.exe

Filesize
206KB

MD5
99320e4be2ca44775170fb86421d5f4d

SHA1
cc4a42c4a963c40c4fe7c17214def2570f742b5c

SHA256
ebcacef6fec00be47e95cbacef0c7dfbec871ffdff143256ce846dd5163461e3

SHA512
10ee87570b4fe20e6b3ee38b8e38927afa9a9ad9a112f1cf2dfac95412efe4defed6f95e0900101fe088e4a073a9e2da3ff2de4264f4c9078103f3c7f6ccd95a

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
206KB

MD5
9bf29700ae4b0c6df652b96c3b7a1139

SHA1
2cdb498ebd9f60489ac9d038db11b49fa433821f

SHA256
9fb8ea1b2d3bfb5291e1041a277d0f166cf59228732eaeb8701ef13d7e81aeaf

SHA512
a3cdeed4a984bc79d771b99cb75a2f236166f3174583660430d4968c862e5087e76d8fdf73ae7afa8122079dfed5deefd39c9eaf35ea7096e9e33f92c5cddc98

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
206KB

MD5
9bf29700ae4b0c6df652b96c3b7a1139

SHA1
2cdb498ebd9f60489ac9d038db11b49fa433821f

SHA256
9fb8ea1b2d3bfb5291e1041a277d0f166cf59228732eaeb8701ef13d7e81aeaf

SHA512
a3cdeed4a984bc79d771b99cb75a2f236166f3174583660430d4968c862e5087e76d8fdf73ae7afa8122079dfed5deefd39c9eaf35ea7096e9e33f92c5cddc98

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
206KB

MD5
9bf29700ae4b0c6df652b96c3b7a1139

SHA1
2cdb498ebd9f60489ac9d038db11b49fa433821f

SHA256
9fb8ea1b2d3bfb5291e1041a277d0f166cf59228732eaeb8701ef13d7e81aeaf

SHA512
a3cdeed4a984bc79d771b99cb75a2f236166f3174583660430d4968c862e5087e76d8fdf73ae7afa8122079dfed5deefd39c9eaf35ea7096e9e33f92c5cddc98

Download Submit
C:\Windows\System\svchost.exe

Filesize
207KB

MD5
0187e31ca4c6603427e9459f18810261

SHA1
15bd689d67ebd48b7fabf7374ef8c34e443bdf21

SHA256
73e1e12fa869cdf2eba42b0d431dd7b1b2b41ac4e7a21c6f6886df433437ea12

SHA512
9ceef735db0b44f9f60bdf8f7529f87aef4615c8821f8999ac079139af3bfb8aba3a2fa9cbb42d823b0c9dc46da31fbf98cb72c7263c6db0c368455ca70a148c

Download Submit
\??\c:\windows\system\explorer.exe

Filesize
206KB

MD5
99320e4be2ca44775170fb86421d5f4d

SHA1
cc4a42c4a963c40c4fe7c17214def2570f742b5c

SHA256
ebcacef6fec00be47e95cbacef0c7dfbec871ffdff143256ce846dd5163461e3

SHA512
10ee87570b4fe20e6b3ee38b8e38927afa9a9ad9a112f1cf2dfac95412efe4defed6f95e0900101fe088e4a073a9e2da3ff2de4264f4c9078103f3c7f6ccd95a

Download Submit
\??\c:\windows\system\spoolsv.exe

Filesize
206KB

MD5
9bf29700ae4b0c6df652b96c3b7a1139

SHA1
2cdb498ebd9f60489ac9d038db11b49fa433821f

SHA256
9fb8ea1b2d3bfb5291e1041a277d0f166cf59228732eaeb8701ef13d7e81aeaf

SHA512
a3cdeed4a984bc79d771b99cb75a2f236166f3174583660430d4968c862e5087e76d8fdf73ae7afa8122079dfed5deefd39c9eaf35ea7096e9e33f92c5cddc98

Download Submit
\??\c:\windows\system\svchost.exe

Filesize
207KB

MD5
0187e31ca4c6603427e9459f18810261

SHA1
15bd689d67ebd48b7fabf7374ef8c34e443bdf21

SHA256
73e1e12fa869cdf2eba42b0d431dd7b1b2b41ac4e7a21c6f6886df433437ea12

SHA512
9ceef735db0b44f9f60bdf8f7529f87aef4615c8821f8999ac079139af3bfb8aba3a2fa9cbb42d823b0c9dc46da31fbf98cb72c7263c6db0c368455ca70a148c

Download Submit
memory/1060-38-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3156-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3340-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4012-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4012-36-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4776-35-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download