Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    23-10-2023 20:07

General

  • Target

    NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe

  • Size

    395KB

  • MD5

    d25e8bd9849dc0ff1480b6a21df8c810

  • SHA1

    e0c0b59a7db31bdfaae0ca5f16271a60fca45bc9

  • SHA256

    2bfef15bc1bb1f0e062d305309ab363693ada9ece4e2dfdbcd9a25b3e3ce4f2e

  • SHA512

    91dfa4f3d45a1862531bf3f8e00f4e2d0d19129f095609d81399b99a96a99d81028ce09f82fa4747b732f8690e671cc00a9d08d7efcd642d5a69be6ae4f71af6

  • SSDEEP

    6144:Hx+u5A7Mfqr3joHqqIJYaHlUAEgasjCNl8S0M7+Mgpjhb27/zxOPs:R+upqsHqqNI25g/jKuM5gpNS

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Modifies WinLogon 2 TTPs 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:424
    • C:\Windows\system32\csrss.exe
      %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
      1⤵
        PID:388
        • C:\Windows\system32\conhost.exe
          \??\C:\Windows\system32\conhost.exe "-53076823-1954220958-1558946427823308727-1342384603-369351459-10926354301257626784"
          2⤵
            PID:2780
        • C:\Windows\system32\wininit.exe
          wininit.exe
          1⤵
            PID:376
            • C:\Windows\system32\services.exe
              C:\Windows\system32\services.exe
              2⤵
                PID:468
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k NetworkService
                  3⤵
                    PID:272
                  • C:\Windows\System32\spoolsv.exe
                    C:\Windows\System32\spoolsv.exe
                    3⤵
                      PID:920
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                      3⤵
                        PID:1096
                      • C:\Windows\system32\taskhost.exe
                        "taskhost.exe"
                        3⤵
                          PID:1104
                        • C:\Windows\system32\sppsvc.exe
                          C:\Windows\system32\sppsvc.exe
                          3⤵
                            PID:3064
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
                            3⤵
                              PID:2992
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k LocalService
                              3⤵
                                PID:976
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k netsvcs
                                3⤵
                                  PID:856
                                • C:\Windows\System32\svchost.exe
                                  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
                                  3⤵
                                    PID:820
                                  • C:\Windows\System32\svchost.exe
                                    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                                    3⤵
                                      PID:768
                                    • C:\Windows\system32\svchost.exe
                                      C:\Windows\system32\svchost.exe -k RPCSS
                                      3⤵
                                        PID:680
                                      • C:\Windows\system32\svchost.exe
                                        C:\Windows\system32\svchost.exe -k DcomLaunch
                                        3⤵
                                          PID:604
                                      • C:\Windows\system32\lsass.exe
                                        C:\Windows\system32\lsass.exe
                                        2⤵
                                          PID:484
                                        • C:\Windows\system32\lsm.exe
                                          C:\Windows\system32\lsm.exe
                                          2⤵
                                            PID:492
                                        • C:\Windows\system32\Dwm.exe
                                          "C:\Windows\system32\Dwm.exe"
                                          1⤵
                                            PID:1172
                                          • C:\Windows\Explorer.EXE
                                            C:\Windows\Explorer.EXE
                                            1⤵
                                              PID:1200
                                              • C:\Users\Admin\AppData\Local\Temp\NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
                                                "C:\Users\Admin\AppData\Local\Temp\NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe"
                                                2⤵
                                                • Drops file in Windows directory
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious behavior: MapViewOfSection
                                                • Suspicious use of AdjustPrivilegeToken
                                                • Suspicious use of WriteProcessMemory
                                                PID:2024
                                                • C:\Windows\sysmgr.exe
                                                  "C:\Windows\sysmgr.exe"
                                                  3⤵
                                                  • Executes dropped EXE
                                                  • Modifies WinLogon
                                                  • Drops file in Windows directory
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:2680
                                            • C:\Windows\system32\DllHost.exe
                                              C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                              1⤵
                                                PID:1588

                                              Network

                                              MITRE ATT&CK Enterprise v15

                                              Replay Monitor

                                              Loading Replay Monitor...

                                              Downloads

                                              • C:\WINDOWS\SYSMGR.EXE

                                                Filesize

                                                36KB

                                                MD5

                                                2373dfbdba70b54164d4fe163f7f59f1

                                                SHA1

                                                fbc51778f9e4868ddce4763d0bef4cb48090e3f6

                                                SHA256

                                                e506e529d2d1d80ba433d4dec9fcbf07506112c8d0a130bed322f03346640456

                                                SHA512

                                                32e48c596def05ddd1c987ae54cb069f750e0e4a993aa9f5c1d69e11c49ca90f6d324dfb4fa7c29c7d642eb2d939b2efe9332e0f4f4cbc5a0b2893adbf8598ec

                                              • C:\Windows\svc.dat

                                                Filesize

                                                2KB

                                                MD5

                                                cc122d75c5811a9a402125ba0fd549f8

                                                SHA1

                                                feace8ad120da38f2e19e5f503af6b75f77e2fc3

                                                SHA256

                                                1a0742ce4833d7400459e8c5178f2c0c4112980316b444271c72c6fe480ca6a3

                                                SHA512

                                                a8bdd97f342f2d1e4356a9cda2f1840daa5f18d414e6b715296c2972f4b25341786bccb1287b98bb34b893567fd8933b87e5c4359e1e72c55e9a191f542292be

                                              • C:\Windows\sysmgr.exe

                                                Filesize

                                                36KB

                                                MD5

                                                2373dfbdba70b54164d4fe163f7f59f1

                                                SHA1

                                                fbc51778f9e4868ddce4763d0bef4cb48090e3f6

                                                SHA256

                                                e506e529d2d1d80ba433d4dec9fcbf07506112c8d0a130bed322f03346640456

                                                SHA512

                                                32e48c596def05ddd1c987ae54cb069f750e0e4a993aa9f5c1d69e11c49ca90f6d324dfb4fa7c29c7d642eb2d939b2efe9332e0f4f4cbc5a0b2893adbf8598ec

                                              • C:\Windows\sysmgr.exe

                                                Filesize

                                                36KB

                                                MD5

                                                2373dfbdba70b54164d4fe163f7f59f1

                                                SHA1

                                                fbc51778f9e4868ddce4763d0bef4cb48090e3f6

                                                SHA256

                                                e506e529d2d1d80ba433d4dec9fcbf07506112c8d0a130bed322f03346640456

                                                SHA512

                                                32e48c596def05ddd1c987ae54cb069f750e0e4a993aa9f5c1d69e11c49ca90f6d324dfb4fa7c29c7d642eb2d939b2efe9332e0f4f4cbc5a0b2893adbf8598ec

                                              • memory/2024-0-0x0000000000400000-0x0000000000466000-memory.dmp

                                                Filesize

                                                408KB

                                              • memory/2024-8-0x0000000077E9F000-0x0000000077EA0000-memory.dmp

                                                Filesize

                                                4KB

                                              • memory/2024-9-0x0000000077EA0000-0x0000000077EA1000-memory.dmp

                                                Filesize

                                                4KB

                                              • memory/2024-14-0x0000000000400000-0x0000000000466000-memory.dmp

                                                Filesize

                                                408KB

                                              • memory/2680-10-0x000000007EF80000-0x000000007EFAA000-memory.dmp

                                                Filesize

                                                168KB

                                              • memory/2680-15-0x000000007EF80000-0x000000007EFAA000-memory.dmp

                                                Filesize

                                                168KB