63c290f51fb9d3f5d98afd739b4a13ff1181998d166ace43858e1319237280f0

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
02/11/2023, 06:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.003861e95704b5b0a032f0ef15f5cd50_JC.exe
Size

32KB
MD5

003861e95704b5b0a032f0ef15f5cd50
SHA1

57ac88047fa3d4115bdc58b0c01db1b2ac1e03b6
SHA256

63c290f51fb9d3f5d98afd739b4a13ff1181998d166ace43858e1319237280f0
SHA512

dcdee638eeee9fb0516e72d6bf2eac013ccd2c47600713764347f0a65fdbfb3a5b0c5bfcbc0864242baf9cc0f1b63d27de395a16e321735c2ae1e59f6868379b
SSDEEP

384:f98xUHQjrKWyGUJGy4/q8zLeiXerXnfaw9+ZuWVA+iX8/L3tLvb6g:WwABqop2N+A7kL39vb6g

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Run\PolicyAgent = "C:\\Users\\Admin\\AppData\\Local\\PolicyAgent.exe"	regedit.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2508 set thread context of 1732	2508	NEAS.003861e95704b5b0a032f0ef15f5cd50_JC.exe	29

Runs .reg file with regedit 1 IoCs

pid	Process
1780	regedit.exe

Suspicious behavior: RenamesItself 2 IoCs

pid	Process
2508	NEAS.003861e95704b5b0a032f0ef15f5cd50_JC.exe
2508	NEAS.003861e95704b5b0a032f0ef15f5cd50_JC.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 1780	2508	NEAS.003861e95704b5b0a032f0ef15f5cd50_JC.exe	28
PID 2508 wrote to memory of 1780	2508	NEAS.003861e95704b5b0a032f0ef15f5cd50_JC.exe	28
PID 2508 wrote to memory of 1780	2508	NEAS.003861e95704b5b0a032f0ef15f5cd50_JC.exe	28
PID 2508 wrote to memory of 1780	2508	NEAS.003861e95704b5b0a032f0ef15f5cd50_JC.exe	28
PID 2508 wrote to memory of 1780	2508	NEAS.003861e95704b5b0a032f0ef15f5cd50_JC.exe	28
PID 2508 wrote to memory of 1780	2508	NEAS.003861e95704b5b0a032f0ef15f5cd50_JC.exe	28
PID 2508 wrote to memory of 1780	2508	NEAS.003861e95704b5b0a032f0ef15f5cd50_JC.exe	28
PID 2508 wrote to memory of 1732	2508	NEAS.003861e95704b5b0a032f0ef15f5cd50_JC.exe	29
PID 2508 wrote to memory of 1732	2508	NEAS.003861e95704b5b0a032f0ef15f5cd50_JC.exe	29
PID 2508 wrote to memory of 1732	2508	NEAS.003861e95704b5b0a032f0ef15f5cd50_JC.exe	29
PID 2508 wrote to memory of 1732	2508	NEAS.003861e95704b5b0a032f0ef15f5cd50_JC.exe	29
PID 2508 wrote to memory of 1732	2508	NEAS.003861e95704b5b0a032f0ef15f5cd50_JC.exe	29
PID 2508 wrote to memory of 1732	2508	NEAS.003861e95704b5b0a032f0ef15f5cd50_JC.exe	29
PID 2508 wrote to memory of 1732	2508	NEAS.003861e95704b5b0a032f0ef15f5cd50_JC.exe	29
PID 2508 wrote to memory of 1732	2508	NEAS.003861e95704b5b0a032f0ef15f5cd50_JC.exe	29
PID 2508 wrote to memory of 1732	2508	NEAS.003861e95704b5b0a032f0ef15f5cd50_JC.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.003861e95704b5b0a032f0ef15f5cd50_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.003861e95704b5b0a032f0ef15f5cd50_JC.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\Users\Admin\AppData\Local\Temp\~dfds3.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:1780
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\PolicyAgent.exe

Filesize
32KB

MD5
b416d343fd142c578732c147692f0177

SHA1
c605f904d40ce3a50eec3f85c17c5f07aca09975

SHA256
06991abc1db0e8f3e0858712647828a8216eadd87e9efaa73b83f39e1b0d575d

SHA512
bfa0803dda83e0d3fda5488acbd78c60e2e55ac7b23340b6ab8ab61216b9122d30d0717d065cbd13e1e4cd5fde71d806cbcc77d4bbebcdd4f7a19e1c9788380f

Download Submit
C:\Users\Admin\AppData\Local\Temp\~dfds3.reg

Filesize
174B

MD5
2a63d29d1acad01766bf53667bbc534d

SHA1
3aa6444caeee7d3b84f1c377c5d4ab56e18fe25d

SHA256
b9c9532faf62195ce337663a40522d316bda94ee407bb3e9d9cf38e6cfb7112d

SHA512
5cafbc90539a62af3fcb9bc22ad6a4330f823fa42f047e8c735172d82d3624f64b55aac24d479779ee2ac11dcab6f066526707b1f9042193548c9b6f3c727dd6

Download Submit
memory/1732-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1732-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1732-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2508-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2508-1-0x0000000000020000-0x0000000000028000-memory.dmp

Filesize
32KB

Download
memory/2508-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads