29a1f972f996a86d630cef166fc9e43f0808a46d34065f101e8a4340af5e1927

Analysis

max time kernel
153s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
31/10/2023, 16:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.6072383ec2e6baeaec5693a1db712e60_JC.exe
Size

208KB
MD5

6072383ec2e6baeaec5693a1db712e60
SHA1

9cd510927facc62570436a09a9d0d12ea36b86a6
SHA256

29a1f972f996a86d630cef166fc9e43f0808a46d34065f101e8a4340af5e1927
SHA512

f210f647fa6c3b30971631e9aeef92e6945df32239552c5d3c6c8578088907f85abecc86ea4aca7ee61f9469bff6ea507c203576d9ccde4f6689a25fb503e306
SSDEEP

6144:Ba1oB/yvpK0JCmRcRRR8N0e2kXfCqNidkfk:BbapK0JCmRcU9vVokf

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
4320	svchost.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\9b00332d = "ÇÛKµf56Xø\x10\x17=á©ü\x127R®\x1d`•`ÿ‘ø¸ß\x13J!É´^¢A\"›WâŒ±ÌƒKÆSoü;&cz2ié„¾ºT\x1bûi§›ßN\x1fÁƒFã¤£+\x04Û¹\x12cz'–SÄ‹“Ë;‚\aNã&®£‘û¤þãzK´â$é\x19òošA³y3§\x19AwŸ—#´›Ÿ«É\x19·»‹[§‹c:›\v\x1bb¤9Ô‰Ù\"ìÓò‹®Y™[sïj?ü)&ä$#ë\x7fä\|³„™\x03¿†ãf‡1’\x04\x13û7ËÊ+—¬s·k[þ\vë´^>ë'CC#‹CŸ’£\x13\x13Ó{NÏÓSüóô\x1c³[÷i\x1e\x02¬ƒS\aRþÌ\x1b3{k\x1eÞ\x1b\fûÑLD\x13ªaó³#Fc\x03\x14‚ŸëÖ‘"	NEAS.6072383ec2e6baeaec5693a1db712e60_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\9b00332d = "ÇÛKµf56Xø\x10\x17=á©ü\x127R®\x1d`•`ÿ‘ø¸ß\x13J!É´^¢A\"›WâŒ±ÌƒKÆSoü;&cz2ié„¾ºT\x1bûi§›ßN\x1fÁƒFã¤£+\x04Û¹\x12cz'–SÄ‹“Ë;‚\aNã&®£‘û¤þãzK´â$é\x19òošA³y3§\x19AwŸ—#´›Ÿ«É\x19·»‹[§‹c:›\v\x1bb¤9Ô‰Ù\"ìÓò‹®Y™[sïj?ü)&ä$#ë\x7fä\|³„™\x03¿†ãf‡1’\x04\x13û7ËÊ+—¬s·k[þ\vë´^>ë'CC#‹CŸ’£\x13\x13Ó{NÏÓSüóô\x1c³[÷i\x1e\x02¬ƒS\aRþÌ\x1b3{k\x1eÞ\x1b\fûÑLD\x13ªaó³#Fc\x03\x14‚ŸëÖ‘"	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	NEAS.6072383ec2e6baeaec5693a1db712e60_JC.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	NEAS.6072383ec2e6baeaec5693a1db712e60_JC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3688	NEAS.6072383ec2e6baeaec5693a1db712e60_JC.exe
3688	NEAS.6072383ec2e6baeaec5693a1db712e60_JC.exe
3688	NEAS.6072383ec2e6baeaec5693a1db712e60_JC.exe
3688	NEAS.6072383ec2e6baeaec5693a1db712e60_JC.exe
3688	NEAS.6072383ec2e6baeaec5693a1db712e60_JC.exe
3688	NEAS.6072383ec2e6baeaec5693a1db712e60_JC.exe
3688	NEAS.6072383ec2e6baeaec5693a1db712e60_JC.exe
3688	NEAS.6072383ec2e6baeaec5693a1db712e60_JC.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe
4320	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3688	NEAS.6072383ec2e6baeaec5693a1db712e60_JC.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3688 wrote to memory of 4320	3688	NEAS.6072383ec2e6baeaec5693a1db712e60_JC.exe	88
PID 3688 wrote to memory of 4320	3688	NEAS.6072383ec2e6baeaec5693a1db712e60_JC.exe	88
PID 3688 wrote to memory of 4320	3688	NEAS.6072383ec2e6baeaec5693a1db712e60_JC.exe	88

C:\Users\Admin\AppData\Local\Temp\NEAS.6072383ec2e6baeaec5693a1db712e60_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.6072383ec2e6baeaec5693a1db712e60_JC.exe"
1⤵
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3688
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - Suspicious behavior: EnumeratesProcesses
  PID:4320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\43C8.tmp

Filesize
12KB

MD5
1639705c0468ff5b89d563cc785c9374

SHA1
f6807f616bab661123da67196ca7d5015df9ea82

SHA256
4788bc2f12f5ef35a1e86ba33d4ecd9efcc89446502465d7e8320a36c6a0e25c

SHA512
d50f65b6100586ddda7d62a8d21d013e0c5d4c52a2fc5d53867ba086571116dac992eefd2fb55873196f3516bac91c9cff8da5f4b8f91e5f9c13240e5622d768

Download Submit
C:\Users\Admin\AppData\Local\Temp\4530.tmp

Filesize
1KB

MD5
fea272f3a69c7724156a510e8b4501dc

SHA1
b86c10b7107acf665933f7353cda116e8cfc5634

SHA256
7f456d56237af30dc3525791b248964df6822212c411c24505119ed1657680b1

SHA512
b746d12b176db6cfeb703b7b143df33cc000d0187b390e3d6286ade8b57090498e05dd8222b0abab1ae2c27db6c8bb868552ed0997d14f691f802ac8e044f7ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\5D3F.tmp

Filesize
593B

MD5
926512864979bc27cf187f1de3f57aff

SHA1
acdeb9d6187932613c7fa08eaf28f0cd8116f4b5

SHA256
b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f

SHA512
f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b

Download Submit
C:\Users\Admin\AppData\Local\Temp\6522.tmp

Filesize
2KB

MD5
a8fdd0012e6998420474a0c0669327c4

SHA1
aa0b687e766c259a247c16677f4c631ce542fc6e

SHA256
85a0119ffb919c7b1157dabbc8e40897f97ce6544f89931e503564966057d5d6

SHA512
bd834b7119f51ef0c741d2c0696e449e13a003140ad631f5e272130cac2d30f8cb25a5e76cc415ddf6208ee920efed6c7c33519b8f1bd02dd4ae8d3f39e926f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\A9FF.tmp

Filesize
22KB

MD5
d5134902fc0d1b30e5505e835acb5b59

SHA1
5fc43d9c8c2ccbe9cb36c96f4845bc831d927aa1

SHA256
ae0579a99d843cf21911cbe0e5163e85d279bf512d1839b95bbd83a5b5b91174

SHA512
f92bfe2048b3d68658e2606a77ff41f99edfc5ef8d0e9f9c44754eb42e0b379c2e2afaf2775c35b1192649db2af2d8d7059e0119a22a2c8716883a2835e310b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADDA.tmp

Filesize
2KB

MD5
2b43435a2b79f2b2848ed2bc45da7085

SHA1
dd71bb49db1c083bcf37513c345d6603fb67a305

SHA256
85b3d58d169883cc83ba65b2a40b7c812a1fa03456a95cef89df9882e98e2b25

SHA512
fe36995cb0d17ad12a008f34705cfd0cb4f87c1aa79edd591c28f996a565391c85b7b7caaba56a8629535e375c7b11a9c4e5f6fe23784b659b4f868853912b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\B532.tmp

Filesize
40KB

MD5
e3b29d4734fa5ffd44d500a353baeb1d

SHA1
3d6117700b038ad8825de5cf41c7588b083bb020

SHA256
3c1e4ab90792c62af398822901939577ee663681a33ee3022fa7d3b6993a6cfc

SHA512
453b99a9ee53373cfce979b672913891d80b48357dc22fe4efe1de7f6127ad19f7b7b4a4050c97d89328ff79edb6357eb8caf4f2f4af953e1c95733b9b270c58

Download Submit
C:\Users\Admin\AppData\Local\Temp\E574.tmp

Filesize
2KB

MD5
95f843c40b2a15e58f9ecb3e517ca413

SHA1
54c6aa679f7dcb22775fba569f063036c4cfa415

SHA256
704a939a155034f712281812d5b6877ab52430e38aefce3b0218b9782bf37875

SHA512
255483a76b435bd9dd5c97787fcb37c2f5fbd021085560cf60b2c614b4ff3bdd5d123282f1a97f6a6f1af8f59f0c97a1aca1784482cfded3d036683ddd27f9a3

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
208KB

MD5
6575cf2adaaddcbce4f2254344a773e2

SHA1
2e3f90c9bc1cda150225e8ce44863800f95fde33

SHA256
b40f0cdda55c6f52ea60409df7513a7d9d486c2b372076d3dad69533ddf12f68

SHA512
109b60dbf90135c74dce3da51729bcd84c48fb48812523c12d5378470d336ef059e9b24d2d63b030d3dcd68ffae57aa0419f2bd5ff28e1bbd5fc2632a60c9e1c

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
208KB

MD5
6575cf2adaaddcbce4f2254344a773e2

SHA1
2e3f90c9bc1cda150225e8ce44863800f95fde33

SHA256
b40f0cdda55c6f52ea60409df7513a7d9d486c2b372076d3dad69533ddf12f68

SHA512
109b60dbf90135c74dce3da51729bcd84c48fb48812523c12d5378470d336ef059e9b24d2d63b030d3dcd68ffae57aa0419f2bd5ff28e1bbd5fc2632a60c9e1c

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
208KB

MD5
6575cf2adaaddcbce4f2254344a773e2

SHA1
2e3f90c9bc1cda150225e8ce44863800f95fde33

SHA256
b40f0cdda55c6f52ea60409df7513a7d9d486c2b372076d3dad69533ddf12f68

SHA512
109b60dbf90135c74dce3da51729bcd84c48fb48812523c12d5378470d336ef059e9b24d2d63b030d3dcd68ffae57aa0419f2bd5ff28e1bbd5fc2632a60c9e1c

Download Submit
memory/3688-13-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3688-12-0x00000000021C0000-0x00000000021C3000-memory.dmp

Filesize
12KB

Download
memory/3688-1-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3688-0-0x00000000021C0000-0x00000000021C3000-memory.dmp

Filesize
12KB

Download
memory/4320-44-0x0000000002BB0000-0x0000000002C66000-memory.dmp

Filesize
728KB

Download
memory/4320-60-0x0000000002BB0000-0x0000000002C66000-memory.dmp

Filesize
728KB

Download
memory/4320-25-0x0000000002BB0000-0x0000000002C66000-memory.dmp

Filesize
728KB

Download
memory/4320-26-0x0000000002BB0000-0x0000000002C66000-memory.dmp

Filesize
728KB

Download
memory/4320-27-0x0000000002BB0000-0x0000000002C66000-memory.dmp

Filesize
728KB

Download
memory/4320-28-0x0000000002BB0000-0x0000000002C66000-memory.dmp

Filesize
728KB

Download
memory/4320-30-0x0000000002BB0000-0x0000000002C66000-memory.dmp

Filesize
728KB

Download
memory/4320-31-0x0000000002BB0000-0x0000000002C66000-memory.dmp

Filesize
728KB

Download
memory/4320-33-0x0000000002BB0000-0x0000000002C66000-memory.dmp

Filesize
728KB

Download
memory/4320-34-0x0000000002BB0000-0x0000000002C66000-memory.dmp

Filesize
728KB

Download
memory/4320-36-0x0000000002BB0000-0x0000000002C66000-memory.dmp

Filesize
728KB

Download
memory/4320-39-0x0000000002BB0000-0x0000000002C66000-memory.dmp

Filesize
728KB

Download
memory/4320-42-0x0000000002BB0000-0x0000000002C66000-memory.dmp

Filesize
728KB

Download
memory/4320-22-0x0000000002BB0000-0x0000000002C66000-memory.dmp

Filesize
728KB

Download
memory/4320-46-0x0000000002BB0000-0x0000000002C66000-memory.dmp

Filesize
728KB

Download
memory/4320-47-0x0000000002BB0000-0x0000000002C66000-memory.dmp

Filesize
728KB

Download
memory/4320-49-0x0000000002BB0000-0x0000000002C66000-memory.dmp

Filesize
728KB

Download
memory/4320-54-0x0000000002BB0000-0x0000000002C66000-memory.dmp

Filesize
728KB

Download
memory/4320-56-0x0000000002BB0000-0x0000000002C66000-memory.dmp

Filesize
728KB

Download
memory/4320-58-0x0000000002BB0000-0x0000000002C66000-memory.dmp

Filesize
728KB

Download
memory/4320-59-0x0000000002BB0000-0x0000000002C66000-memory.dmp

Filesize
728KB

Download
memory/4320-24-0x0000000002BB0000-0x0000000002C66000-memory.dmp

Filesize
728KB

Download
memory/4320-62-0x0000000002BB0000-0x0000000002C66000-memory.dmp

Filesize
728KB

Download
memory/4320-63-0x0000000002BB0000-0x0000000002C66000-memory.dmp

Filesize
728KB

Download
memory/4320-69-0x0000000002BB0000-0x0000000002C66000-memory.dmp

Filesize
728KB

Download
memory/4320-68-0x0000000002BB0000-0x0000000002C66000-memory.dmp

Filesize
728KB

Download
memory/4320-72-0x0000000002BB0000-0x0000000002C66000-memory.dmp

Filesize
728KB

Download
memory/4320-66-0x0000000002BB0000-0x0000000002C66000-memory.dmp

Filesize
728KB

Download
memory/4320-73-0x0000000002BB0000-0x0000000002C66000-memory.dmp

Filesize
728KB

Download
memory/4320-75-0x0000000002BB0000-0x0000000002C66000-memory.dmp

Filesize
728KB

Download
memory/4320-76-0x0000000002BB0000-0x0000000002C66000-memory.dmp

Filesize
728KB

Download
memory/4320-23-0x0000000002BB0000-0x0000000002C66000-memory.dmp

Filesize
728KB

Download
memory/4320-21-0x0000000002BB0000-0x0000000002C66000-memory.dmp

Filesize
728KB

Download
memory/4320-78-0x0000000002BB0000-0x0000000002C66000-memory.dmp

Filesize
728KB

Download
memory/4320-184-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4320-186-0x0000000002BB0000-0x0000000002C66000-memory.dmp

Filesize
728KB

Download
memory/4320-20-0x0000000002BB0000-0x0000000002C66000-memory.dmp

Filesize
728KB

Download
memory/4320-18-0x0000000002BB0000-0x0000000002C66000-memory.dmp

Filesize
728KB

Download
memory/4320-16-0x0000000002BB0000-0x0000000002C66000-memory.dmp

Filesize
728KB

Download
memory/4320-14-0x0000000002A00000-0x0000000002AA8000-memory.dmp

Filesize
672KB

Download
memory/4320-11-0x00000000005D0000-0x00000000005D3000-memory.dmp

Filesize
12KB

Download