81c5374a79ad066219e05ee447d65101024e6188d333701878c768338811f2b3

Analysis

max time kernel
148s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2023, 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.70ea1e771eb4d0eee0792ffa30bdde10.exe
Size

234KB
MD5

70ea1e771eb4d0eee0792ffa30bdde10
SHA1

4e79f2beffefcb140e72c978c28079231d4c1872
SHA256

81c5374a79ad066219e05ee447d65101024e6188d333701878c768338811f2b3
SHA512

e8f7fe13836688c394c26f2095b1ee0d83adb1085df6cd5f193facf9caa42fb0bd1bdf4f2e53efc067efa75996d43b3bc844a4539a3be3c7dce14fd6859a4e90
SSDEEP

6144:7ahWzc9wdYCkugfYfuTFu2LPTeKza4iDAqiEvnmTMZ/jL:7rc4YXQfek2LPVv4AqiEfGw

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3868	compfo32.exe
3368	~9867.tmp
1892	DpiSSTAT.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\grpcunch = "C:\\Users\\Admin\\AppData\\Roaming\\provvate\\compfo32.exe"	NEAS.70ea1e771eb4d0eee0792ffa30bdde10.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\DpiSSTAT.exe	NEAS.70ea1e771eb4d0eee0792ffa30bdde10.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3868	compfo32.exe
3868	compfo32.exe
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3352	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	3868	compfo32.exe
Token: SeShutdownPrivilege	3352	Explorer.EXE
Token: SeCreatePagefilePrivilege	3352	Explorer.EXE
Token: SeShutdownPrivilege	3352	Explorer.EXE
Token: SeCreatePagefilePrivilege	3352	Explorer.EXE
Token: SeShutdownPrivilege	3352	Explorer.EXE
Token: SeCreatePagefilePrivilege	3352	Explorer.EXE
Token: SeShutdownPrivilege	3352	Explorer.EXE
Token: SeCreatePagefilePrivilege	3352	Explorer.EXE
Token: SeShutdownPrivilege	3352	Explorer.EXE
Token: SeCreatePagefilePrivilege	3352	Explorer.EXE
Token: SeShutdownPrivilege	3352	Explorer.EXE
Token: SeCreatePagefilePrivilege	3352	Explorer.EXE
Token: SeShutdownPrivilege	3352	Explorer.EXE
Token: SeCreatePagefilePrivilege	3352	Explorer.EXE
Token: SeShutdownPrivilege	3352	Explorer.EXE
Token: SeCreatePagefilePrivilege	3352	Explorer.EXE
Token: SeShutdownPrivilege	3352	Explorer.EXE
Token: SeCreatePagefilePrivilege	3352	Explorer.EXE
Token: SeShutdownPrivilege	3352	Explorer.EXE
Token: SeCreatePagefilePrivilege	3352	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3352	Explorer.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 3868	2796	NEAS.70ea1e771eb4d0eee0792ffa30bdde10.exe	89
PID 2796 wrote to memory of 3868	2796	NEAS.70ea1e771eb4d0eee0792ffa30bdde10.exe	89
PID 2796 wrote to memory of 3868	2796	NEAS.70ea1e771eb4d0eee0792ffa30bdde10.exe	89
PID 3868 wrote to memory of 3368	3868	compfo32.exe	91
PID 3868 wrote to memory of 3368	3868	compfo32.exe	91
PID 3368 wrote to memory of 3352	3368	~9867.tmp	58

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3352
- C:\Users\Admin\AppData\Local\Temp\NEAS.70ea1e771eb4d0eee0792ffa30bdde10.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.70ea1e771eb4d0eee0792ffa30bdde10.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Users\Admin\AppData\Roaming\provvate\compfo32.exe
    "C:\Users\Admin\AppData\Roaming\provvate"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3868
  - - C:\Users\Admin\AppData\Local\Temp\~9867.tmp
      3352 239624 3868 1
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3368

C:\Windows\SysWOW64\DpiSSTAT.exe
C:\Windows\SysWOW64\DpiSSTAT.exe -s
1⤵
- Executes dropped EXE
PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~9867.tmp

Filesize
8KB

MD5
86dc243576cf5c7445451af37631eea9

SHA1
99a81c47c4c02f32c0ab456bfa23c306c7a09bf9

SHA256
25d2a671e1b5b5b95697ac0234ce4d46e0d0894919521b54aabebd9daecf994a

SHA512
c7310524f9b65f811146c1eb6ae944966351ac88a95fbc1ac422d8810730e5e212a7e28090ad758ea23c96ba38073e7fcf42460575e7f09dbc759a45c5d5a4a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\~9867.tmp

Filesize
8KB

MD5
86dc243576cf5c7445451af37631eea9

SHA1
99a81c47c4c02f32c0ab456bfa23c306c7a09bf9

SHA256
25d2a671e1b5b5b95697ac0234ce4d46e0d0894919521b54aabebd9daecf994a

SHA512
c7310524f9b65f811146c1eb6ae944966351ac88a95fbc1ac422d8810730e5e212a7e28090ad758ea23c96ba38073e7fcf42460575e7f09dbc759a45c5d5a4a4

Download Submit
C:\Users\Admin\AppData\Roaming\provvate\compfo32.exe

Filesize
234KB

MD5
bd2565dca2e215282d2ba84fcbb8f15b

SHA1
619a3afa1a81b61eece7183eb52bfb1f8e6674d4

SHA256
ee3b96c0c01657bee301cac73d08e33e7d8bd83f60d838f3880e273f10488b14

SHA512
a84af2d4bd75f4812beda97a33150bea9e501cc89807ce5597efc678bbb8635b09466f186ad7f1adecbf8c7ca3ad5928d829aa83f667af97728ac75f30716b5a

Download Submit
C:\Users\Admin\AppData\Roaming\provvate\compfo32.exe

Filesize
234KB

MD5
bd2565dca2e215282d2ba84fcbb8f15b

SHA1
619a3afa1a81b61eece7183eb52bfb1f8e6674d4

SHA256
ee3b96c0c01657bee301cac73d08e33e7d8bd83f60d838f3880e273f10488b14

SHA512
a84af2d4bd75f4812beda97a33150bea9e501cc89807ce5597efc678bbb8635b09466f186ad7f1adecbf8c7ca3ad5928d829aa83f667af97728ac75f30716b5a

Download Submit
C:\Windows\SysWOW64\DpiSSTAT.exe

Filesize
234KB

MD5
bd2565dca2e215282d2ba84fcbb8f15b

SHA1
619a3afa1a81b61eece7183eb52bfb1f8e6674d4

SHA256
ee3b96c0c01657bee301cac73d08e33e7d8bd83f60d838f3880e273f10488b14

SHA512
a84af2d4bd75f4812beda97a33150bea9e501cc89807ce5597efc678bbb8635b09466f186ad7f1adecbf8c7ca3ad5928d829aa83f667af97728ac75f30716b5a

Download Submit
C:\Windows\SysWOW64\DpiSSTAT.exe

Filesize
234KB

MD5
bd2565dca2e215282d2ba84fcbb8f15b

SHA1
619a3afa1a81b61eece7183eb52bfb1f8e6674d4

SHA256
ee3b96c0c01657bee301cac73d08e33e7d8bd83f60d838f3880e273f10488b14

SHA512
a84af2d4bd75f4812beda97a33150bea9e501cc89807ce5597efc678bbb8635b09466f186ad7f1adecbf8c7ca3ad5928d829aa83f667af97728ac75f30716b5a

Download Submit
memory/1892-17-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1892-30-0x0000000000440000-0x0000000000483000-memory.dmp

Filesize
268KB

Download
memory/1892-18-0x0000000000440000-0x0000000000483000-memory.dmp

Filesize
268KB

Download
memory/2796-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2796-1-0x0000000000640000-0x0000000000683000-memory.dmp

Filesize
268KB

Download
memory/2796-27-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3352-61-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-66-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-20-0x0000000002900000-0x000000000294A000-memory.dmp

Filesize
296KB

Download
memory/3352-25-0x0000000002950000-0x000000000295D000-memory.dmp

Filesize
52KB

Download
memory/3352-15-0x0000000002900000-0x000000000294A000-memory.dmp

Filesize
296KB

Download
memory/3352-115-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-114-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-113-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-31-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-32-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-34-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-33-0x00000000080E0000-0x00000000080F0000-memory.dmp

Filesize
64KB

Download
memory/3352-35-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-37-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-36-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-40-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-39-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-38-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-43-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-42-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-44-0x00000000080E0000-0x00000000080F0000-memory.dmp

Filesize
64KB

Download
memory/3352-45-0x0000000008A50000-0x0000000008A60000-memory.dmp

Filesize
64KB

Download
memory/3352-46-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-47-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-48-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-49-0x0000000008A60000-0x0000000008A70000-memory.dmp

Filesize
64KB

Download
memory/3352-52-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-50-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-54-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-56-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-58-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-57-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-59-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-60-0x0000000008A60000-0x0000000008A70000-memory.dmp

Filesize
64KB

Download
memory/3352-111-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-63-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-62-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-64-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-65-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-68-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-67-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-23-0x0000000000DF0000-0x0000000000DF6000-memory.dmp

Filesize
24KB

Download
memory/3352-69-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-70-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-71-0x0000000001080000-0x0000000001090000-memory.dmp

Filesize
64KB

Download
memory/3352-72-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-73-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-74-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-75-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-78-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-76-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-80-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-81-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-82-0x0000000001090000-0x00000000010A0000-memory.dmp

Filesize
64KB

Download
memory/3352-83-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-84-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-85-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-89-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-87-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-91-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-93-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-94-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-95-0x0000000001090000-0x00000000010A0000-memory.dmp

Filesize
64KB

Download
memory/3352-96-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-99-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-98-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-97-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-102-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-100-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-103-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-104-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-105-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-107-0x00000000010A0000-0x00000000010B0000-memory.dmp

Filesize
64KB

Download
memory/3352-106-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-108-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-109-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3352-110-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3868-8-0x0000000000660000-0x00000000006A3000-memory.dmp

Filesize
268KB

Download
memory/3868-10-0x00000000007D0000-0x00000000007D5000-memory.dmp

Filesize
20KB

Download
memory/3868-29-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3868-6-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download