8f23846542c1e11e881a168e2961760e99a43d712451f48497ff195d6c595f26

Analysis

max time kernel
145s
max time network
163s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
01-11-2023 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.3204621374b8b14d6b704363e5bcf3b0.exe
Size

355KB
MD5

3204621374b8b14d6b704363e5bcf3b0
SHA1

d01ad773d481d2920194967402fbe16b01e3f8b4
SHA256

8f23846542c1e11e881a168e2961760e99a43d712451f48497ff195d6c595f26
SHA512

2511f2ee43f97d988b6eab08ec7c7e8a976b1b4bc0e4eb219c84686c1de613ebcb387b2df21cc39a85fa7d6393fa6a964ee96ff195f2f600e704b8bf93ba655e
SSDEEP

6144:x3EmWPDNND9yRPzLq+YXFqaZiMLic9kzVd7EAC4TSs9EiS:2mWhND9yJz+b1FcMLmp2ATTSsdS

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
1968	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
800	NEAS.3204621374b8b14d6b704363e5bcf3b0.exe
800	NEAS.3204621374b8b14d6b704363e5bcf3b0.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\d8f8a4ea = "\x1f\x03Ê\\4C¹9ô‡G¨LDÙw\x027{…Ð—÷Ñ\n"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\d8f8a4ea = "\x1f\x03Ê\\4C¹9ô‡G¨LDÙw\x027{…Ð—÷Ñ\n"	NEAS.3204621374b8b14d6b704363e5bcf3b0.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	NEAS.3204621374b8b14d6b704363e5bcf3b0.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	NEAS.3204621374b8b14d6b704363e5bcf3b0.exe

Suspicious behavior: EnumeratesProcesses 61 IoCs

pid	Process
800	NEAS.3204621374b8b14d6b704363e5bcf3b0.exe
800	NEAS.3204621374b8b14d6b704363e5bcf3b0.exe
800	NEAS.3204621374b8b14d6b704363e5bcf3b0.exe
800	NEAS.3204621374b8b14d6b704363e5bcf3b0.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe
1968	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
800	NEAS.3204621374b8b14d6b704363e5bcf3b0.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 800 wrote to memory of 1968	800	NEAS.3204621374b8b14d6b704363e5bcf3b0.exe	28
PID 800 wrote to memory of 1968	800	NEAS.3204621374b8b14d6b704363e5bcf3b0.exe	28
PID 800 wrote to memory of 1968	800	NEAS.3204621374b8b14d6b704363e5bcf3b0.exe	28
PID 800 wrote to memory of 1968	800	NEAS.3204621374b8b14d6b704363e5bcf3b0.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.3204621374b8b14d6b704363e5bcf3b0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.3204621374b8b14d6b704363e5bcf3b0.exe"
1⤵
- Loads dropped DLL
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:800
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - Suspicious behavior: EnumeratesProcesses
  PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\88BF.tmp

Filesize
1KB

MD5
935ae4d57d0ca8d9b32e8708aa5de79c

SHA1
a8f2a0c3897cdf884c2ac450c47b63757a24ce0c

SHA256
345b569f7a7d04b14ee0a9473321cdbdab7dddc3fd15b72c2a223b8dfbe79ee2

SHA512
27a09ecd74f473b2103e9c9807ea7ef60f4154ff288e8e7d8b5280ab823fca0882e40f615699936c67e9c9c9af62212c35807b37ed7c1f4c0b8ca6dde8a90308

Download Submit
C:\Users\Admin\AppData\Local\Temp\894E.tmp

Filesize
22KB

MD5
761d6263d741f20dcb987c4f0e59d022

SHA1
f981c74104d9e2470626b2dc435084cb3af442e8

SHA256
be9424546ef8321c48a2d00de0c182be54dad7e1c357343f2b085ea82a407a4e

SHA512
90d634bdb58511f9d7a92464b69420b5aea8d2e0410c14894abdc4a6f7876d4ba5f3df3659bab24864bd7bc5935d3872e730006782968a4a80c7433bbc595df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C9A.tmp

Filesize
2KB

MD5
134509445074f64913b83a1b8db21e5a

SHA1
80fb4aa51afa04b7ac56e399c7543519eb675bc9

SHA256
22f3363a98855a89cca2630cb0d4f9a9b8f0ceadfadc44890b09e99635877ae7

SHA512
40c7431a2b117dff40eca294cceeb97e164547125a5b6febb2b1e5e0bbfc690cc4f66dbf0479cc2fd0db95c543d91c8dac66f5207b5c4e4bccad514cee1150f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9400.tmp

Filesize
42KB

MD5
e52a7ab7b5298217776f6a0e4b45611f

SHA1
1ddc1f1756ced40f8cc9104cc68b1e9f75543383

SHA256
5150703d6ba87f308d74e24493a15a6d41f9178b4f6e2887938e0b2d14bf8009

SHA512
60056e0c31e27f6522e9971ff568bf895ca53bdcf8b261c0ad22d287d2289ffe267017878283a9616f6b184a9c0dba20b62e4038e1a43368a270f59014947a3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9681.tmp

Filesize
481B

MD5
463b0387d0d101f41e39d1a5130734d1

SHA1
96cc0d06c41c949330b31f32dbcac37aa147096e

SHA256
93443ba0072394351ac79d5c21f4b06ed6d177f6b91b45149003e431f57ce4bf

SHA512
64ec4586afeff736f8e2301d01b08ed643620b320a975be416db3056082b967cef4ee2c4845b5d5800572b781f6a56e5d5b7257697afaf1e44ff15354d0c7d72

Download Submit
C:\Windows\AppPatch\svchost.exe

Filesize
355KB

MD5
e7120bf87618b2314103374918c4b106

SHA1
8ba38b2bca67ac5b6bdeb6c73755c0e6a0b547de

SHA256
c6514f69aba350ec6d99b735f7f231855ccb6d773513e990c7067557176e06d0

SHA512
840742072a98d6eeec89cc3fbee49a00e577e8d62e162709472f9e0c0a349b76c868c9d9688c752d6e2254a462c605655107792fba298c6f093d591c2af1c319

Download Submit
C:\Windows\AppPatch\svchost.exe

Filesize
355KB

MD5
e7120bf87618b2314103374918c4b106

SHA1
8ba38b2bca67ac5b6bdeb6c73755c0e6a0b547de

SHA256
c6514f69aba350ec6d99b735f7f231855ccb6d773513e990c7067557176e06d0

SHA512
840742072a98d6eeec89cc3fbee49a00e577e8d62e162709472f9e0c0a349b76c868c9d9688c752d6e2254a462c605655107792fba298c6f093d591c2af1c319

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
355KB

MD5
e7120bf87618b2314103374918c4b106

SHA1
8ba38b2bca67ac5b6bdeb6c73755c0e6a0b547de

SHA256
c6514f69aba350ec6d99b735f7f231855ccb6d773513e990c7067557176e06d0

SHA512
840742072a98d6eeec89cc3fbee49a00e577e8d62e162709472f9e0c0a349b76c868c9d9688c752d6e2254a462c605655107792fba298c6f093d591c2af1c319

Download Submit
\Windows\AppPatch\svchost.exe

Filesize
355KB

MD5
e7120bf87618b2314103374918c4b106

SHA1
8ba38b2bca67ac5b6bdeb6c73755c0e6a0b547de

SHA256
c6514f69aba350ec6d99b735f7f231855ccb6d773513e990c7067557176e06d0

SHA512
840742072a98d6eeec89cc3fbee49a00e577e8d62e162709472f9e0c0a349b76c868c9d9688c752d6e2254a462c605655107792fba298c6f093d591c2af1c319

Download Submit
\Windows\AppPatch\svchost.exe

Filesize
355KB

MD5
e7120bf87618b2314103374918c4b106

SHA1
8ba38b2bca67ac5b6bdeb6c73755c0e6a0b547de

SHA256
c6514f69aba350ec6d99b735f7f231855ccb6d773513e990c7067557176e06d0

SHA512
840742072a98d6eeec89cc3fbee49a00e577e8d62e162709472f9e0c0a349b76c868c9d9688c752d6e2254a462c605655107792fba298c6f093d591c2af1c319

Download Submit
memory/1968-47-0x00000000023D0000-0x0000000002486000-memory.dmp

Filesize
728KB

Download
memory/1968-52-0x00000000023D0000-0x0000000002486000-memory.dmp

Filesize
728KB

Download
memory/1968-23-0x0000000002050000-0x00000000020F8000-memory.dmp

Filesize
672KB

Download
memory/1968-25-0x00000000023D0000-0x0000000002486000-memory.dmp

Filesize
728KB

Download
memory/1968-27-0x00000000023D0000-0x0000000002486000-memory.dmp

Filesize
728KB

Download
memory/1968-29-0x00000000023D0000-0x0000000002486000-memory.dmp

Filesize
728KB

Download
memory/1968-33-0x00000000023D0000-0x0000000002486000-memory.dmp

Filesize
728KB

Download
memory/1968-31-0x00000000023D0000-0x0000000002486000-memory.dmp

Filesize
728KB

Download
memory/1968-34-0x00000000023D0000-0x0000000002486000-memory.dmp

Filesize
728KB

Download
memory/1968-32-0x00000000023D0000-0x0000000002486000-memory.dmp

Filesize
728KB

Download
memory/1968-35-0x00000000023D0000-0x0000000002486000-memory.dmp

Filesize
728KB

Download
memory/1968-36-0x00000000023D0000-0x0000000002486000-memory.dmp

Filesize
728KB

Download
memory/1968-37-0x00000000023D0000-0x0000000002486000-memory.dmp

Filesize
728KB

Download
memory/1968-38-0x00000000023D0000-0x0000000002486000-memory.dmp

Filesize
728KB

Download
memory/1968-39-0x00000000023D0000-0x0000000002486000-memory.dmp

Filesize
728KB

Download
memory/1968-40-0x00000000023D0000-0x0000000002486000-memory.dmp

Filesize
728KB

Download
memory/1968-41-0x00000000023D0000-0x0000000002486000-memory.dmp

Filesize
728KB

Download
memory/1968-42-0x00000000023D0000-0x0000000002486000-memory.dmp

Filesize
728KB

Download
memory/1968-43-0x00000000023D0000-0x0000000002486000-memory.dmp

Filesize
728KB

Download
memory/1968-44-0x00000000023D0000-0x0000000002486000-memory.dmp

Filesize
728KB

Download
memory/1968-45-0x00000000023D0000-0x0000000002486000-memory.dmp

Filesize
728KB

Download
memory/1968-46-0x00000000023D0000-0x0000000002486000-memory.dmp

Filesize
728KB

Download
memory/1968-19-0x0000000002050000-0x00000000020F8000-memory.dmp

Filesize
672KB

Download
memory/1968-48-0x00000000023D0000-0x0000000002486000-memory.dmp

Filesize
728KB

Download
memory/1968-49-0x00000000023D0000-0x0000000002486000-memory.dmp

Filesize
728KB

Download
memory/1968-50-0x00000000023D0000-0x0000000002486000-memory.dmp

Filesize
728KB

Download
memory/1968-53-0x00000000023D0000-0x0000000002486000-memory.dmp

Filesize
728KB

Download
memory/1968-21-0x0000000002050000-0x00000000020F8000-memory.dmp

Filesize
672KB

Download
memory/1968-51-0x00000000023D0000-0x0000000002486000-memory.dmp

Filesize
728KB

Download
memory/1968-54-0x00000000023D0000-0x0000000002486000-memory.dmp

Filesize
728KB

Download
memory/1968-55-0x00000000023D0000-0x0000000002486000-memory.dmp

Filesize
728KB

Download
memory/1968-56-0x00000000023D0000-0x0000000002486000-memory.dmp

Filesize
728KB

Download
memory/1968-57-0x00000000023D0000-0x0000000002486000-memory.dmp

Filesize
728KB

Download
memory/1968-58-0x00000000023D0000-0x0000000002486000-memory.dmp

Filesize
728KB

Download
memory/1968-59-0x00000000023D0000-0x0000000002486000-memory.dmp

Filesize
728KB

Download
memory/1968-60-0x00000000023D0000-0x0000000002486000-memory.dmp

Filesize
728KB

Download
memory/1968-61-0x00000000023D0000-0x0000000002486000-memory.dmp

Filesize
728KB

Download
memory/1968-62-0x00000000023D0000-0x0000000002486000-memory.dmp

Filesize
728KB

Download
memory/1968-63-0x00000000023D0000-0x0000000002486000-memory.dmp

Filesize
728KB

Download
memory/1968-64-0x00000000023D0000-0x0000000002486000-memory.dmp

Filesize
728KB

Download
memory/1968-65-0x00000000023D0000-0x0000000002486000-memory.dmp

Filesize
728KB

Download
memory/1968-66-0x00000000023D0000-0x0000000002486000-memory.dmp

Filesize
728KB

Download
memory/1968-70-0x00000000023D0000-0x0000000002486000-memory.dmp

Filesize
728KB

Download
memory/1968-69-0x00000000023D0000-0x0000000002486000-memory.dmp

Filesize
728KB

Download
memory/1968-68-0x00000000023D0000-0x0000000002486000-memory.dmp

Filesize
728KB

Download
memory/1968-67-0x00000000023D0000-0x0000000002486000-memory.dmp

Filesize
728KB

Download
memory/1968-71-0x00000000023D0000-0x0000000002486000-memory.dmp

Filesize
728KB

Download
memory/1968-72-0x00000000023D0000-0x0000000002486000-memory.dmp

Filesize
728KB

Download
memory/1968-73-0x00000000023D0000-0x0000000002486000-memory.dmp

Filesize
728KB

Download
memory/1968-74-0x00000000023D0000-0x0000000002486000-memory.dmp

Filesize
728KB

Download
memory/1968-17-0x0000000002050000-0x00000000020F8000-memory.dmp

Filesize
672KB

Download
memory/1968-15-0x0000000002050000-0x00000000020F8000-memory.dmp

Filesize
672KB

Download
memory/1968-13-0x0000000002050000-0x00000000020F8000-memory.dmp

Filesize
672KB

Download
memory/1968-77-0x00000000023D0000-0x0000000002486000-memory.dmp

Filesize
728KB

Download
memory/1968-78-0x00000000023D0000-0x0000000002486000-memory.dmp

Filesize
728KB

Download
memory/1968-220-0x00000000023D0000-0x0000000002486000-memory.dmp

Filesize
728KB

Download