37b74647f6268f2ac1c8fdf729da27871af55d0fac0874e3568f75a8d44e35bb

Analysis

max time kernel
193s
max time network
202s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
22/10/2023, 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.b63ceee432db98368c63d184cc5b43e0.exe
Size

436KB
MD5

b63ceee432db98368c63d184cc5b43e0
SHA1

d65f91820b8a1bcb184f74bd29b1064318bd1df5
SHA256

37b74647f6268f2ac1c8fdf729da27871af55d0fac0874e3568f75a8d44e35bb
SHA512

c534dcd220f67078c34c6ca0391c34d357669dfaa05578e26b4663edc97d9bab93125f3f2ed460cfe76c4be1eeea8faf3280b44d8e7d646e70f31b4232a8cbaf
SSDEEP

6144:8vEN2U+T6i5LirrllHy4HUcMQY6Pj5q8deoJVP6Y0YB3YFy:OENN+T5xYrllrU7QY6U8zVP6Y53B

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
3796	explorer.exe
648	spoolsv.exe
412	svchost.exe
4324	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	NEAS.b63ceee432db98368c63d184cc5b43e0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3392	NEAS.b63ceee432db98368c63d184cc5b43e0.exe
3392	NEAS.b63ceee432db98368c63d184cc5b43e0.exe
3796	explorer.exe
3796	explorer.exe
3796	explorer.exe
3796	explorer.exe
3796	explorer.exe
3796	explorer.exe
412	svchost.exe
412	svchost.exe
412	svchost.exe
412	svchost.exe
3796	explorer.exe
3796	explorer.exe
412	svchost.exe
412	svchost.exe
3796	explorer.exe
3796	explorer.exe
412	svchost.exe
412	svchost.exe
3796	explorer.exe
3796	explorer.exe
412	svchost.exe
3796	explorer.exe
3796	explorer.exe
412	svchost.exe
3796	explorer.exe
3796	explorer.exe
412	svchost.exe
412	svchost.exe
3796	explorer.exe
3796	explorer.exe
412	svchost.exe
412	svchost.exe
3796	explorer.exe
3796	explorer.exe
412	svchost.exe
412	svchost.exe
3796	explorer.exe
3796	explorer.exe
412	svchost.exe
412	svchost.exe
3796	explorer.exe
3796	explorer.exe
412	svchost.exe
412	svchost.exe
3796	explorer.exe
3796	explorer.exe
412	svchost.exe
412	svchost.exe
3796	explorer.exe
3796	explorer.exe
412	svchost.exe
412	svchost.exe
3796	explorer.exe
3796	explorer.exe
412	svchost.exe
412	svchost.exe
3796	explorer.exe
3796	explorer.exe
412	svchost.exe
412	svchost.exe
3796	explorer.exe
3796	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3796	explorer.exe
412	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3392	NEAS.b63ceee432db98368c63d184cc5b43e0.exe
3392	NEAS.b63ceee432db98368c63d184cc5b43e0.exe
3796	explorer.exe
3796	explorer.exe
648	spoolsv.exe
648	spoolsv.exe
412	svchost.exe
412	svchost.exe
4324	spoolsv.exe
4324	spoolsv.exe
3796	explorer.exe
3796	explorer.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3392 wrote to memory of 3796	3392	NEAS.b63ceee432db98368c63d184cc5b43e0.exe	89
PID 3392 wrote to memory of 3796	3392	NEAS.b63ceee432db98368c63d184cc5b43e0.exe	89
PID 3392 wrote to memory of 3796	3392	NEAS.b63ceee432db98368c63d184cc5b43e0.exe	89
PID 3796 wrote to memory of 648	3796	explorer.exe	91
PID 3796 wrote to memory of 648	3796	explorer.exe	91
PID 3796 wrote to memory of 648	3796	explorer.exe	91
PID 648 wrote to memory of 412	648	spoolsv.exe	92
PID 648 wrote to memory of 412	648	spoolsv.exe	92
PID 648 wrote to memory of 412	648	spoolsv.exe	92
PID 412 wrote to memory of 4324	412	svchost.exe	93
PID 412 wrote to memory of 4324	412	svchost.exe	93
PID 412 wrote to memory of 4324	412	svchost.exe	93
PID 412 wrote to memory of 1792	412	svchost.exe	95
PID 412 wrote to memory of 1792	412	svchost.exe	95
PID 412 wrote to memory of 1792	412	svchost.exe	95
PID 412 wrote to memory of 3060	412	svchost.exe	100
PID 412 wrote to memory of 3060	412	svchost.exe	100
PID 412 wrote to memory of 3060	412	svchost.exe	100
PID 412 wrote to memory of 2212	412	svchost.exe	102
PID 412 wrote to memory of 2212	412	svchost.exe	102
PID 412 wrote to memory of 2212	412	svchost.exe	102

C:\Users\Admin\AppData\Local\Temp\NEAS.b63ceee432db98368c63d184cc5b43e0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.b63ceee432db98368c63d184cc5b43e0.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3392
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3796
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:648
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:412
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4324
    - - C:\Windows\SysWOW64\at.exe
        
        at 22:43 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:1792
    - - C:\Windows\SysWOW64\at.exe
        
        at 22:44 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:3060
    - - C:\Windows\SysWOW64\at.exe
        
        at 22:45 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
436KB

MD5
0f733a832d99fcc57bf27e6c660d8e78

SHA1
75177fa940d003dab7ab3cab289f82207874441b

SHA256
ea25e75738dc466e37c164313a914d47f66cb90d7676d61e34befd8a45ac11a1

SHA512
b08827704c347c2fbfd3a632cca0212dd4c2fd8c89a787d64f4ee6c1dce7b0cf31c45c6b0aeca69be2d7fba2a5d1c108192874706baaa3e90a5af0e4fffc18ee

Download Submit
C:\Windows\System\explorer.exe

Filesize
436KB

MD5
4c823369734a6e24f20ed3bfc6982317

SHA1
b73436b110898196845307d8ff1e54a0d71a5911

SHA256
cbaafb7cb7e2388c19251616e37143306973f5e9b956f958ce4e288742cb68a3

SHA512
e7b5cef0503871517c9afa162e44d757ab40d954dc803ac36e78bc646d1edd73b3a78a6f336c76975d5cecd708094b22d8eab19bc9ac8fce7b31204096638704

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
436KB

MD5
d40144e316ffdbc501e52ee4c9f39909

SHA1
a9a2d6cc89c64699f88eb31ad5abee64a674a47f

SHA256
879739df76d5dde221d8c1bcb274bf40c964f115301c702d8636b5ab80e9a86d

SHA512
97b1c6b1e91f5a97292b69b09c899bd867384bf7a05dd7e10c2c83ef597507a6bb861e8b4d0085c8ea15c0e247f48fbd4a0ddcb7d969aa2023275f89eefac034

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
436KB

MD5
d40144e316ffdbc501e52ee4c9f39909

SHA1
a9a2d6cc89c64699f88eb31ad5abee64a674a47f

SHA256
879739df76d5dde221d8c1bcb274bf40c964f115301c702d8636b5ab80e9a86d

SHA512
97b1c6b1e91f5a97292b69b09c899bd867384bf7a05dd7e10c2c83ef597507a6bb861e8b4d0085c8ea15c0e247f48fbd4a0ddcb7d969aa2023275f89eefac034

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
436KB

MD5
d40144e316ffdbc501e52ee4c9f39909

SHA1
a9a2d6cc89c64699f88eb31ad5abee64a674a47f

SHA256
879739df76d5dde221d8c1bcb274bf40c964f115301c702d8636b5ab80e9a86d

SHA512
97b1c6b1e91f5a97292b69b09c899bd867384bf7a05dd7e10c2c83ef597507a6bb861e8b4d0085c8ea15c0e247f48fbd4a0ddcb7d969aa2023275f89eefac034

Download Submit
C:\Windows\System\svchost.exe

Filesize
436KB

MD5
706786031f25ff3d929f675b722a4bec

SHA1
ef0592f43a14eb12604dcfd83c5d2dc5812c9b32

SHA256
81f616b0644e72050f5d349f91a4902a8358854262d18bbd47e193bca151398f

SHA512
bc3f2bfee35cc7b68dfadcb82677c2ba0e00953e54b851bb18f324479f6a347c58f21c5ef1d658db8ac476cf00ab0c3a475d298002b98cbc7a2fe98dd023fee3

Download Submit
\??\c:\windows\system\explorer.exe

Filesize
436KB

MD5
4c823369734a6e24f20ed3bfc6982317

SHA1
b73436b110898196845307d8ff1e54a0d71a5911

SHA256
cbaafb7cb7e2388c19251616e37143306973f5e9b956f958ce4e288742cb68a3

SHA512
e7b5cef0503871517c9afa162e44d757ab40d954dc803ac36e78bc646d1edd73b3a78a6f336c76975d5cecd708094b22d8eab19bc9ac8fce7b31204096638704

Download Submit
\??\c:\windows\system\spoolsv.exe

Filesize
436KB

MD5
d40144e316ffdbc501e52ee4c9f39909

SHA1
a9a2d6cc89c64699f88eb31ad5abee64a674a47f

SHA256
879739df76d5dde221d8c1bcb274bf40c964f115301c702d8636b5ab80e9a86d

SHA512
97b1c6b1e91f5a97292b69b09c899bd867384bf7a05dd7e10c2c83ef597507a6bb861e8b4d0085c8ea15c0e247f48fbd4a0ddcb7d969aa2023275f89eefac034

Download Submit
\??\c:\windows\system\svchost.exe

Filesize
436KB

MD5
706786031f25ff3d929f675b722a4bec

SHA1
ef0592f43a14eb12604dcfd83c5d2dc5812c9b32

SHA256
81f616b0644e72050f5d349f91a4902a8358854262d18bbd47e193bca151398f

SHA512
bc3f2bfee35cc7b68dfadcb82677c2ba0e00953e54b851bb18f324479f6a347c58f21c5ef1d658db8ac476cf00ab0c3a475d298002b98cbc7a2fe98dd023fee3

Download Submit