2bfef15bc1bb1f0e062d305309ab363693ada9ece4e2dfdbcd9a25b3e3ce4f2e

Analysis

max time kernel
159s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
23/10/2023, 20:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
Size

395KB
MD5

d25e8bd9849dc0ff1480b6a21df8c810
SHA1

e0c0b59a7db31bdfaae0ca5f16271a60fca45bc9
SHA256

2bfef15bc1bb1f0e062d305309ab363693ada9ece4e2dfdbcd9a25b3e3ce4f2e
SHA512

91dfa4f3d45a1862531bf3f8e00f4e2d0d19129f095609d81399b99a96a99d81028ce09f82fa4747b732f8690e671cc00a9d08d7efcd642d5a69be6ae4f71af6
SSDEEP

6144:Hx+u5A7Mfqr3joHqqIJYaHlUAEgasjCNl8S0M7+Mgpjhb27/zxOPs:R+upqsHqqNI25g/jKuM5gpNS

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe:*:enabled:@shell32.dll,-1"	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
264	sysmgr.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4"	sysmgr.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\sysmgr.exe	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
File created	C:\Windows\svc.dat	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
File opened for modification	C:\WINDOWS\SYSMGR.EXE	sysmgr.exe
File opened for modification	C:\Windows\conf.dat	sysmgr.exe
File created	C:\Windows\conf.dat	sysmgr.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
Token: SeTakeOwnershipPrivilege	264	sysmgr.exe
Token: SeRestorePrivilege	264	sysmgr.exe
Token: SeBackupPrivilege	264	sysmgr.exe
Token: SeChangeNotifyPrivilege	264	sysmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 428 wrote to memory of 264	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	82
PID 428 wrote to memory of 264	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	82
PID 428 wrote to memory of 264	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	82
PID 428 wrote to memory of 632	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	2
PID 428 wrote to memory of 632	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	2
PID 428 wrote to memory of 632	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	2
PID 428 wrote to memory of 632	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	2
PID 428 wrote to memory of 632	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	2
PID 428 wrote to memory of 632	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	2
PID 428 wrote to memory of 684	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	5
PID 428 wrote to memory of 684	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	5
PID 428 wrote to memory of 684	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	5
PID 428 wrote to memory of 684	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	5
PID 428 wrote to memory of 684	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	5
PID 428 wrote to memory of 684	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	5
PID 428 wrote to memory of 780	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	25
PID 428 wrote to memory of 780	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	25
PID 428 wrote to memory of 780	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	25
PID 428 wrote to memory of 780	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	25
PID 428 wrote to memory of 780	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	25
PID 428 wrote to memory of 780	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	25
PID 428 wrote to memory of 788	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	19
PID 428 wrote to memory of 788	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	19
PID 428 wrote to memory of 788	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	19
PID 428 wrote to memory of 788	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	19
PID 428 wrote to memory of 788	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	19
PID 428 wrote to memory of 788	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	19
PID 428 wrote to memory of 800	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	18
PID 428 wrote to memory of 800	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	18
PID 428 wrote to memory of 800	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	18
PID 428 wrote to memory of 800	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	18
PID 428 wrote to memory of 800	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	18
PID 428 wrote to memory of 800	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	18
PID 428 wrote to memory of 920	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	17
PID 428 wrote to memory of 920	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	17
PID 428 wrote to memory of 920	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	17
PID 428 wrote to memory of 920	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	17
PID 428 wrote to memory of 920	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	17
PID 428 wrote to memory of 920	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	17
PID 428 wrote to memory of 972	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	9
PID 428 wrote to memory of 972	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	9
PID 428 wrote to memory of 972	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	9
PID 428 wrote to memory of 972	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	9
PID 428 wrote to memory of 972	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	9
PID 428 wrote to memory of 972	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	9
PID 428 wrote to memory of 340	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	8
PID 428 wrote to memory of 340	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	8
PID 428 wrote to memory of 340	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	8
PID 428 wrote to memory of 340	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	8
PID 428 wrote to memory of 340	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	8
PID 428 wrote to memory of 340	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	8
PID 428 wrote to memory of 548	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	11
PID 428 wrote to memory of 548	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	11
PID 428 wrote to memory of 548	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	11
PID 428 wrote to memory of 548	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	11
PID 428 wrote to memory of 548	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	11
PID 428 wrote to memory of 548	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	11
PID 428 wrote to memory of 608	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	10
PID 428 wrote to memory of 608	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	10
PID 428 wrote to memory of 608	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	10
PID 428 wrote to memory of 608	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	10
PID 428 wrote to memory of 608	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	10
PID 428 wrote to memory of 608	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	10
PID 428 wrote to memory of 1048	428	NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe	12

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:632
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:340
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:788

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:972

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:548

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1056

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1152
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:800
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  PID:2544
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4072
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
  2⤵
  PID:2732
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
  2⤵
  PID:3124
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  PID:4284
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:4188
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:4432
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4132
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4044
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:3780
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3988
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1420
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1288

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1568

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1632

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1728

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1916

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1924

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1992

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:1140

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2104

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2220

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2536

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:1528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3564

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3324
- C:\Users\Admin\AppData\Local\Temp\NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.d25e8bd9849dc0ff1480b6a21df8c810_JC.exe"
  2⤵
  - Modifies firewall policy service
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:428
- - C:\Windows\sysmgr.exe
    "C:\Windows\sysmgr.exe"
    3⤵
    - Executes dropped EXE
    - Modifies WinLogon
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID:264
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:5000

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:2252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:2204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:5024

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:3516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:2692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\svc.dat

Filesize
2KB

MD5
51c9759c479c8f0452e3d01ddc4f1319

SHA1
d3c563f7c7c64767b6dc84030740ae981bbaae6d

SHA256
1c7e3bebe8bcb6722a3b007ab630c8ff473aa6b2c81e608d1f4ae9faacd874ee

SHA512
4a1798cc576cc77fb41ee7f72b58f1430c0484d06865554ceb5679c0796593f8a0ca396ff8af43f1ae55baeeee09545141bb0b56ca3663f9d191f71059fa1727

Download Submit
C:\Windows\sysmgr.exe

Filesize
36KB

MD5
2373dfbdba70b54164d4fe163f7f59f1

SHA1
fbc51778f9e4868ddce4763d0bef4cb48090e3f6

SHA256
e506e529d2d1d80ba433d4dec9fcbf07506112c8d0a130bed322f03346640456

SHA512
32e48c596def05ddd1c987ae54cb069f750e0e4a993aa9f5c1d69e11c49ca90f6d324dfb4fa7c29c7d642eb2d939b2efe9332e0f4f4cbc5a0b2893adbf8598ec

Download Submit
C:\Windows\sysmgr.exe

Filesize
36KB

MD5
2373dfbdba70b54164d4fe163f7f59f1

SHA1
fbc51778f9e4868ddce4763d0bef4cb48090e3f6

SHA256
e506e529d2d1d80ba433d4dec9fcbf07506112c8d0a130bed322f03346640456

SHA512
32e48c596def05ddd1c987ae54cb069f750e0e4a993aa9f5c1d69e11c49ca90f6d324dfb4fa7c29c7d642eb2d939b2efe9332e0f4f4cbc5a0b2893adbf8598ec

Download Submit
memory/264-12-0x000000007FE20000-0x000000007FE4A000-memory.dmp

Filesize
168KB

Download
memory/428-7-0x0000000077E02000-0x0000000077E03000-memory.dmp

Filesize
4KB

Download
memory/428-17-0x000000007FE20000-0x000000007FE4A000-memory.dmp

Filesize
168KB

Download
memory/428-8-0x0000000077E03000-0x0000000077E04000-memory.dmp

Filesize
4KB

Download
memory/428-6-0x000000007FE20000-0x000000007FE4A000-memory.dmp

Filesize
168KB

Download
memory/428-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/428-13-0x000000007FE20000-0x000000007FE4A000-memory.dmp

Filesize
168KB

Download
memory/428-16-0x000000007FE20000-0x000000007FE4A000-memory.dmp

Filesize
168KB

Download
memory/428-9-0x000000007FE20000-0x000000007FE4A000-memory.dmp

Filesize
168KB

Download
memory/428-18-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/428-20-0x000000007FE20000-0x000000007FE4A000-memory.dmp

Filesize
168KB

Download
memory/428-21-0x000000007FE20000-0x000000007FE4A000-memory.dmp

Filesize
168KB

Download
memory/428-22-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/428-23-0x000000007FE20000-0x000000007FE4A000-memory.dmp

Filesize
168KB

Download
memory/428-24-0x000000007FE20000-0x000000007FE4A000-memory.dmp

Filesize
168KB

Download