a9f4447a61809548a3a16e22a6fb30bdbf717b1ad9f7a3c7a4a4f0bf741ac606

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2023, 02:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.a0c466c97dd009a8d10c0c595876f310.exe
Size

196KB
MD5

a0c466c97dd009a8d10c0c595876f310
SHA1

79932fb8958850fde9305fc22e11e81bb0eeb034
SHA256

a9f4447a61809548a3a16e22a6fb30bdbf717b1ad9f7a3c7a4a4f0bf741ac606
SHA512

4cd04d5aa614fe12a97347e2274dd8a2a1063d75017b1e7af7b4c5101161844e20cf2b55a2cefac815ddfe5f7af06b253135a5fc35f17bcf3335f40d6d1a0161
SSDEEP

6144:Bc6BtUaNMtLLowRg4uLhuMXUk4m5xnt0Vu:BjuaWLJgzLMkvou

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
4088	svchost.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\c0dc7c40 = "C:\\Windows\\apppatch\\svchost.exe"	NEAS.a0c466c97dd009a8d10c0c595876f310.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\c0dc7c40 = "C:\\Windows\\apppatch\\svchost.exe"	svchost.exe

Drops file in Program Files directory 44 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Defender\lymyxid.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\puzylyp.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\pupydeq.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\pupycag.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\galynuh.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qexyhuv.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\lyxynyx.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\vonypom.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\volykit.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gatyhub.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\puzylyp.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\qexyhuv.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gadyciz.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\pumyjig.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lygyvuj.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\qetyfuv.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\galyqaz.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\vofycot.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\lyvyxor.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vocyzit.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lysyfyj.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\lysyfyj.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\pupycag.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vofycot.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\qetyhyg.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\gatyhub.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lyvyxor.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\lygyvuj.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vonypom.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\galyqaz.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\galynuh.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\gadyciz.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\vocyzit.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lymyxid.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lyrysor.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\purylev.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\pumyjig.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qetyhyg.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\volykit.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qetyfuv.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\purylev.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lyxynyx.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\pupydeq.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\lyrysor.com	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	NEAS.a0c466c97dd009a8d10c0c595876f310.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	NEAS.a0c466c97dd009a8d10c0c595876f310.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4088	svchost.exe
4088	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3216	NEAS.a0c466c97dd009a8d10c0c595876f310.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3216 wrote to memory of 4088	3216	NEAS.a0c466c97dd009a8d10c0c595876f310.exe	89
PID 3216 wrote to memory of 4088	3216	NEAS.a0c466c97dd009a8d10c0c595876f310.exe	89
PID 3216 wrote to memory of 4088	3216	NEAS.a0c466c97dd009a8d10c0c595876f310.exe	89

C:\Users\Admin\AppData\Local\Temp\NEAS.a0c466c97dd009a8d10c0c595876f310.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.a0c466c97dd009a8d10c0c595876f310.exe"
1⤵
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3216
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Defender\galynuh.com

Filesize
593B

MD5
926512864979bc27cf187f1de3f57aff

SHA1
acdeb9d6187932613c7fa08eaf28f0cd8116f4b5

SHA256
b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f

SHA512
f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b

Download Submit
C:\Program Files (x86)\Windows Defender\galyqaz.com

Filesize
22KB

MD5
a591b609bb412ed55ba1ed37c334c40b

SHA1
2fb4ca3c0da2ede81a8c726bd05995cfa8f95e7a

SHA256
4d2a3dba31fe94c31f862e1807dab815baff983b854b2482864767ea9db1e2cc

SHA512
b9b167bd650b8a1f095c3b91a0ff2a93f7329cf0bcac759435cc9904e43043019e8f9947ce542c973f9255b9ffce18f315fd776cb122bbf18b7644164a7c00e2

Download Submit
C:\Program Files (x86)\Windows Defender\gatyhub.com

Filesize
1KB

MD5
9a5e22a0855e2d1c24849f8a6e57eb4c

SHA1
6dddd80d9a00a504cbcda197ca498e49472ddc54

SHA256
e8dbd400e92ff57f0dd68f1f0f394da32028ab5f8fe336aa399a1b3e728314c5

SHA512
5e303c2d672e8e7adcf93ed6e4509f774a232152a2810930429bc576b52660a510f424fe2357ceba6c15ed6306ff2d82fba9eb8e9865146e587f190b9c972004

Download Submit
C:\Program Files (x86)\Windows Defender\lyrysor.com

Filesize
1KB

MD5
74522c759ed3ecf88d245670cf2027b4

SHA1
78adbe9f2c126dd8159581c0640b327ee03eaebd

SHA256
2544a5379dab74b7d096515c60f52508391dd1eea6bf721f8c056fe655ea6e78

SHA512
15a747608b9e72fe80b5abde309621e330784d9a76dde5fb96e3d96cb09aacae03dfe74d6b5efb80a897ac091fd0bd3951ec800ffb6d606fae35b7599ae8951a

Download Submit
C:\Program Files (x86)\Windows Defender\lysyfyj.com

Filesize
481B

MD5
de753fcc944c1f861a79c6593032a2e0

SHA1
4b849e5ad232913e60e81d263b3aaeca67ec3b39

SHA256
d34176dea944b25abed59ed06e5a647855c009273b10552a3eb1322aa292eb44

SHA512
7e9c555ae77132749a65a6d44d228b296be939fb9c77f916b4c9a15bf82a92dafe8d7d75ccb8f6f2f263fba27d37bdac992204cdfef459129951dbeef8e33c59

Download Submit
C:\Program Files (x86)\Windows Defender\lyxynyx.com

Filesize
303B

MD5
69529aff43108d033cf2af65d9a83b66

SHA1
51b0cc0407318ac0adabd9bbb08352cdc48f483a

SHA256
17348baba94e4d201a024b6ebdffbd7fc11a64f979d3809253d304efc1555f95

SHA512
7f9a66fc42ddfdfc33ada0d21466f6a1b845176345cd5f1cea976fcb50d693cb0f461304cdb71f79c6c909209a4d7d248da63cad1237e73832aca9a0c1499dc3

Download Submit
C:\Program Files (x86)\Windows Defender\pumyjig.com

Filesize
302B

MD5
e302aea8c1de8fda20bbfe4160ae7d58

SHA1
5c728bf2454f837505a50b0fba82ce7a1d89a85e

SHA256
edbfed5c9b35bc065705335df6480430ca5dd9efa324ea372dc91aa16c0e4a51

SHA512
45df3186e7f8fc84a214ca78f604ce532009e34ba8af0bbda811c9ae02a26c4f4549f2da9fd0db199b70834d61b22ed6b1865bdec82d5d5992f5718ec7a4d06a

Download Submit
C:\Program Files (x86)\Windows Defender\pupydeq.com

Filesize
12KB

MD5
1639705c0468ff5b89d563cc785c9374

SHA1
f6807f616bab661123da67196ca7d5015df9ea82

SHA256
4788bc2f12f5ef35a1e86ba33d4ecd9efcc89446502465d7e8320a36c6a0e25c

SHA512
d50f65b6100586ddda7d62a8d21d013e0c5d4c52a2fc5d53867ba086571116dac992eefd2fb55873196f3516bac91c9cff8da5f4b8f91e5f9c13240e5622d768

Download Submit
C:\Program Files (x86)\Windows Defender\qexyhuv.com

Filesize
302B

MD5
2c0968a1113f84b3b6a68232aafeacf1

SHA1
ab55cb6dcae0be2c6b60592e1a90261e467de4d2

SHA256
f214606042e32c8b7ee21181e85692930fccbbfe3319f14441311bac64e97e20

SHA512
1c665b7e70902f86a3f9811dfaf9f6f1277b8f467afae5eb2d93489ed06d4799f037e0819847f997f37428fd51938004437ee2abfbed647edc984c204abbeebc

Download Submit
C:\Program Files (x86)\Windows Defender\volykit.com

Filesize
2KB

MD5
e17876d2379a419d94df1cd9c6a8d65e

SHA1
efb81b6ecebf0cb17b06cc2228f8d6b89c9b976d

SHA256
b16051db6f6988bf207b044fe9a7eb61efec7e7c03fc4240446932d1afb0a81b

SHA512
544233cd3f4289c4ccb924ec3015eca8ac278d2b52e16dc559f30b83458b2df2eecb27cc162e7941f3da00944653171acc9ad517efb2481ada6ec8611a754504

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OAM0FGD0\login[3].htm

Filesize
168B

MD5
d57e3a550060f85d44a175139ea23021

SHA1
2c5cb3428a322c9709a34d04dd86fe7628f8f0a6

SHA256
43edf068d34276e8ade4113d4d7207de19fc98a2ae1c07298e593edae2a8774c

SHA512
0364fe6a010fce7a3f4a6344c84468c64b20fd131f3160fc649db78f1075ba52d8a1c4496e50dbe27c357e01ee52e94cdcda8f7927cba28d5f2f45b9da690063

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
196KB

MD5
7250ec05abd4018bcd75bbb0deb9568f

SHA1
2bb3375e73d186e78e55d49d288cf5bdaf749dd2

SHA256
e45b011f3951d1213c03704bdd6f9922dbe26b984b613bc033d38fcfddf9e381

SHA512
8792b0fbe0bfccf0f0a9438a41e4c5f0046d18a8edfc5780e93dcf227ddc5f6bc5d1afd4e06e5bc387e02cc80b4e09018fe00f5cf36f6b55a71726e9f83956d1

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
196KB

MD5
7250ec05abd4018bcd75bbb0deb9568f

SHA1
2bb3375e73d186e78e55d49d288cf5bdaf749dd2

SHA256
e45b011f3951d1213c03704bdd6f9922dbe26b984b613bc033d38fcfddf9e381

SHA512
8792b0fbe0bfccf0f0a9438a41e4c5f0046d18a8edfc5780e93dcf227ddc5f6bc5d1afd4e06e5bc387e02cc80b4e09018fe00f5cf36f6b55a71726e9f83956d1

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
196KB

MD5
7250ec05abd4018bcd75bbb0deb9568f

SHA1
2bb3375e73d186e78e55d49d288cf5bdaf749dd2

SHA256
e45b011f3951d1213c03704bdd6f9922dbe26b984b613bc033d38fcfddf9e381

SHA512
8792b0fbe0bfccf0f0a9438a41e4c5f0046d18a8edfc5780e93dcf227ddc5f6bc5d1afd4e06e5bc387e02cc80b4e09018fe00f5cf36f6b55a71726e9f83956d1

Download Submit
memory/3216-0-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3216-14-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3216-12-0x00000000020A0000-0x00000000020EF000-memory.dmp

Filesize
316KB

Download
memory/3216-2-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3216-1-0x00000000020A0000-0x00000000020EF000-memory.dmp

Filesize
316KB

Download
memory/4088-45-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/4088-58-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/4088-29-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/4088-30-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/4088-31-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/4088-32-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/4088-33-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/4088-34-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/4088-36-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/4088-37-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/4088-39-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/4088-38-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/4088-42-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/4088-43-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/4088-44-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/4088-24-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/4088-46-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/4088-47-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/4088-48-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/4088-50-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/4088-51-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/4088-53-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/4088-54-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/4088-55-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/4088-56-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/4088-28-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/4088-59-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/4088-60-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/4088-63-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/4088-64-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/4088-65-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/4088-66-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/4088-70-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/4088-71-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/4088-73-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/4088-75-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/4088-76-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/4088-27-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/4088-78-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/4088-259-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4088-26-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/4088-25-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/4088-335-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/4088-23-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/4088-22-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/4088-20-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/4088-18-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/4088-16-0x0000000002A00000-0x0000000002AA4000-memory.dmp

Filesize
656KB

Download
memory/4088-15-0x00000000023D0000-0x000000000241F000-memory.dmp

Filesize
316KB

Download
memory/4088-13-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download