Analysis
- max time kernel: 151s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-10-2023 00:53
Behavioral task behavioral1
- Sample: NEAS.477d6034f750724b1d67a54462a5a0c0_JC.exe
- Resource: win7-20231020-en
- 9 signatures
- 150 seconds

Behavioral task behavioral2
- Sample: NEAS.477d6034f750724b1d67a54462a5a0c0_JC.exe
- Resource: win10v2004-20231023-en
- 9 signatures
- 150 seconds
General
- Target: NEAS.477d6034f750724b1d67a54462a5a0c0_JC.exe
- Size: 45KB
- MD5: 477d6034f750724b1d67a54462a5a0c0
- SHA1: f8cdec66b3cb52289ed4123166e8ed0ded9566dd
- SHA256: 72015cb71c2e88a05fb146c1991803cda972ddf242198357eca06b7d564ed891
- SHA512: b0454ea18d315d7aeaed9bedd2411c1cf13939902f8e6c9206a684b034d4d461ad8c51e36383ad7cfa1ec513e827de4265361b5d8862560b3cbe498af9b428aa
- SSDEEP: 768:ihP0kDE9N5dCA8J7VHXdrIniQaBTT+QQ+r1n4K8+C9TtIuCjaqUODvJVQ2f:OsWE9N5dFu53dsniQaB/xZ14n7zIF+qr
Score
10/10
Malware Config
Signatures
- yara_rule upx
  resource: behavioral2/memory/3016-0-0x0000000000400000-0x000000000041D000-memory.dmp
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BD3E44AA = "C:\\Users\\Admin\\AppData\\Roaming\\BD3E44AA\\bin.exe"
  Process: winver.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2116, Process winver.exe (the same pid/process entry listed 64 times)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 3276, Process Explorer.EXE
- Suspicious use of AdjustPrivilegeToken (22 IoCs)
  description: Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege, alternating, 11 entries each
  pid 3276, Process Explorer.EXE
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid 2116, Process winver.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 3276, Process Explorer.EXE
  pid 3860, Process StartMenuExperienceHost.exe
- Suspicious use of WriteProcessMemory (22 IoCs)
  description; pid; Process; procid_target
  PID 3016 wrote to memory of 2116; 3016; NEAS.477d6034f750724b1d67a54462a5a0c0_JC.exe; 88 (listed 4 times)
  PID 2116 wrote to memory of 3276; 2116; winver.exe; 56
  PID 2116 wrote to memory of 2304; 2116; winver.exe; 68
  PID 2116 wrote to memory of 2324; 2116; winver.exe; 67
  PID 2116 wrote to memory of 2392; 2116; winver.exe; 26
  PID 2116 wrote to memory of 3276; 2116; winver.exe; 56
  PID 2116 wrote to memory of 3464; 2116; winver.exe; 29
  PID 2116 wrote to memory of 3640; 2116; winver.exe; 55
  PID 2116 wrote to memory of 3860; 2116; winver.exe; 54
  PID 2116 wrote to memory of 3932; 2116; winver.exe; 30
  PID 2116 wrote to memory of 4016; 2116; winver.exe; 53
  PID 2116 wrote to memory of 3768; 2116; winver.exe; 52
  PID 2116 wrote to memory of 1788; 2116; winver.exe; 50
  PID 2116 wrote to memory of 4452; 2116; winver.exe; 32
  PID 2116 wrote to memory of 1452; 2116; winver.exe; 36
  PID 2116 wrote to memory of 1176; 2116; winver.exe; 34
  PID 2116 wrote to memory of 2884; 2116; winver.exe; 87
  PID 2116 wrote to memory of 3244; 2116; winver.exe; 89
  PID 2116 wrote to memory of 2800; 2116; winver.exe; 96
Processes (nesting shows the parent/child tree)
- C:\Windows\system32\taskhostw.exe
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2392
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 3464
- C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3932
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  PID: 4452
- C:\Windows\system32\backgroundTaskHost.exe
  command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
  PID: 1176
- C:\Windows\system32\backgroundTaskHost.exe
  command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
  PID: 1452
- C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 1788
- C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3768
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 4016
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  signatures: Suspicious use of UnmapMainImage
  PID: 3860
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3640
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  signatures: Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage
  PID: 3276
  - C:\Users\Admin\AppData\Local\Temp\NEAS.477d6034f750724b1d67a54462a5a0c0_JC.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.477d6034f750724b1d67a54462a5a0c0_JC.exe"
    signatures: Suspicious use of WriteProcessMemory
    PID: 3016
    - C:\Windows\SysWOW64\winver.exe
      command line: winver
      signatures: Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
      PID: 2116
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 2324
- C:\Windows\system32\sihost.exe
  command line: sihost.exe
  PID: 2304
- C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 2884
- C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3244
- C:\Windows\system32\backgroundTaskHost.exe
  command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  PID: 2800