168b6f5290b4597c9906d53224cee5ddda5489c4f1062fd6bb94f9c31bf081c1

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
02/11/2023, 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.44f5bf12b9401bd846da987a5897c320_JC.exe
Size

1.3MB
MD5

44f5bf12b9401bd846da987a5897c320
SHA1

14affd6bfd65cc42a5ba63fe3565b04c442befbd
SHA256

168b6f5290b4597c9906d53224cee5ddda5489c4f1062fd6bb94f9c31bf081c1
SHA512

54683940232e946451b3b22d5dca3f95f93f42521120903c1c7f982c04e72da47a37d5302de4fd0edc37f182b4a95fc4685680984841442e007def37dcb760c8
SSDEEP

24576:Z9ypVnBJhpRCSK1nwHI7njknrk+ctdTavxxaLIdJBV1Ls2wBP:Z9U2P14OIn4FT6xxaLsJBV1Ls2wB

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\DOMStorage\cheathappens.com\NumberOfSubdomains = "1"	NEAS.44f5bf12b9401bd846da987a5897c320_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main	NEAS.44f5bf12b9401bd846da987a5897c320_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\DOMStorage\cheathappens.com	NEAS.44f5bf12b9401bd846da987a5897c320_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\DOMStorage	NEAS.44f5bf12b9401bd846da987a5897c320_JC.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	NEAS.44f5bf12b9401bd846da987a5897c320_JC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	NEAS.44f5bf12b9401bd846da987a5897c320_JC.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	2572	NEAS.44f5bf12b9401bd846da987a5897c320_JC.exe
Token: SeIncreaseQuotaPrivilege	2496	wmic.exe
Token: SeSecurityPrivilege	2496	wmic.exe
Token: SeTakeOwnershipPrivilege	2496	wmic.exe
Token: SeLoadDriverPrivilege	2496	wmic.exe
Token: SeSystemProfilePrivilege	2496	wmic.exe
Token: SeSystemtimePrivilege	2496	wmic.exe
Token: SeProfSingleProcessPrivilege	2496	wmic.exe
Token: SeIncBasePriorityPrivilege	2496	wmic.exe
Token: SeCreatePagefilePrivilege	2496	wmic.exe
Token: SeBackupPrivilege	2496	wmic.exe
Token: SeRestorePrivilege	2496	wmic.exe
Token: SeShutdownPrivilege	2496	wmic.exe
Token: SeDebugPrivilege	2496	wmic.exe
Token: SeSystemEnvironmentPrivilege	2496	wmic.exe
Token: SeRemoteShutdownPrivilege	2496	wmic.exe
Token: SeUndockPrivilege	2496	wmic.exe
Token: SeManageVolumePrivilege	2496	wmic.exe
Token: 33	2496	wmic.exe
Token: 34	2496	wmic.exe
Token: 35	2496	wmic.exe
Token: SeIncreaseQuotaPrivilege	2496	wmic.exe
Token: SeSecurityPrivilege	2496	wmic.exe
Token: SeTakeOwnershipPrivilege	2496	wmic.exe
Token: SeLoadDriverPrivilege	2496	wmic.exe
Token: SeSystemProfilePrivilege	2496	wmic.exe
Token: SeSystemtimePrivilege	2496	wmic.exe
Token: SeProfSingleProcessPrivilege	2496	wmic.exe
Token: SeIncBasePriorityPrivilege	2496	wmic.exe
Token: SeCreatePagefilePrivilege	2496	wmic.exe
Token: SeBackupPrivilege	2496	wmic.exe
Token: SeRestorePrivilege	2496	wmic.exe
Token: SeShutdownPrivilege	2496	wmic.exe
Token: SeDebugPrivilege	2496	wmic.exe
Token: SeSystemEnvironmentPrivilege	2496	wmic.exe
Token: SeRemoteShutdownPrivilege	2496	wmic.exe
Token: SeUndockPrivilege	2496	wmic.exe
Token: SeManageVolumePrivilege	2496	wmic.exe
Token: 33	2496	wmic.exe
Token: 34	2496	wmic.exe
Token: 35	2496	wmic.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2572	NEAS.44f5bf12b9401bd846da987a5897c320_JC.exe
2572	NEAS.44f5bf12b9401bd846da987a5897c320_JC.exe
2572	NEAS.44f5bf12b9401bd846da987a5897c320_JC.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 2496	2572	NEAS.44f5bf12b9401bd846da987a5897c320_JC.exe	28
PID 2572 wrote to memory of 2496	2572	NEAS.44f5bf12b9401bd846da987a5897c320_JC.exe	28
PID 2572 wrote to memory of 2496	2572	NEAS.44f5bf12b9401bd846da987a5897c320_JC.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.44f5bf12b9401bd846da987a5897c320_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.44f5bf12b9401bd846da987a5897c320_JC.exe"
1⤵
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F59A01A8B782D93EA6991BC172CEFFB1

Filesize
867B

MD5
c5dfb849ca051355ee2dba1ac33eb028

SHA1
d69b561148f01c77c54578c10926df5b856976ad

SHA256
cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b

SHA512
88289cdd2c2dd1f5f4c13ab2cf9bc601fc634b5945309bedf9fc5b96bf21697b4cd6da2f383497825e02272816befbac4f44955282ffbbd4dd0ddc52281082da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8ab1b854288de4aaeaf6a06c6825f097

SHA1
3e8db226afab578c53e88f98d41eef6aa38e05f0

SHA256
f4d19d6e60247aa8aa14c8703fe94ba403b8e188622023d0b82b8ab6e9df6c18

SHA512
a89a9eaec6ed20078343c6a1d5c400a40baafbe23b200024713d9141321b7eea0e786777effcd9f0a12302934e0997ae9ff23825ab29de64d482198a18fd4b3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d2f21c1b6b16e82ed053b7cbe2f63833

SHA1
faa171f0a5531c3b9d3102aeb0a9004d322c9780

SHA256
ceb4bd1a25e472ecca7531031bdce84b88fbc0e05b589030a2d3e58cbf3ca03f

SHA512
2df2d109f264827a5363759782b62e6fe68b44c5002cdb8adc34bb0d9c502d00372c25f25cf22b0c2536c988983c55d101c8c03ef88f1daef9ef886c4b9dbbe3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e73d0ba3e37b6d27dc5a287d8c75d4b3

SHA1
7a28afc03cb04eead252d34c20eb48dd1b28f1a8

SHA256
e9867a0a42b0663693ad93cdf95d07dfc9696eba3b984812930482b239e00a25

SHA512
a8154bdca6ae7eb6720b3da6072ff0a450683b10c1086b10ff53b58d5d2a33d68a285416267ee5529ae1a59274c0859155c6bacca5748e5eee3ef80e0138acb5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
68bd950c5a1cc279ab050d85bb317b0e

SHA1
e404dab119aef46442ef7057ae81734d2be6774d

SHA256
db5ba0af893dbcaf65961214f9da192b1d220e604a621139da687ac051b7cff5

SHA512
0dc6f69b507b0ae9b84a2b9c1d96c3c3e9fedfc93895ac62caa9dad63f73fb6af76c1d874c4d32e094c33ac782a8d131d079bfca9805eab2467cdb9651270fd5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
183b625cc21e54d54eda25973e400e15

SHA1
18ebf42f0bbc14ee702411c1d86b366284bc3e22

SHA256
9be9d49d2b949308f4366bd5aa4c6d7738891b83deee29a6698786d1fd73b0bb

SHA512
295950757e7f673a6ddad60325a006b10e74efd1d20f3db465dfb3d5d9df5da692243406de7c365b157145275928da093166367ac262c7935cbf905faac205b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e1d5c00b0a8ae1a07f21083a4bf1cd5f

SHA1
39f312b1026322aabb77fd4f888a485bbb9ca55f

SHA256
d4ec98bd69d3c972f34c37ae78a4fc01477b36d976ae8c88be607f6fe0676666

SHA512
3e15ae88d9701e769cfa7e99a279883d9958a36261ab91c36ada5826d05202ceb058e103c989b4de521feb658af42cda8458fb5ea103abb115c75dba0e42386d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
034342e7dab68afcb0c1e37e732148d3

SHA1
42b99566224b7ed07e85ffa4afc25bf9689ab950

SHA256
2e82956c5052103cc79dd3c5d741d93ff253776da45c7ed7cb964414eeab2c27

SHA512
8c6211881f4fe3ac65a234c217ed9da17a35045a9afda7429e71c308ece2c25daf8a6aefdccdf09b0ab49407e12d7b09f049b61cc6ca1d32cc734c9282f8e76f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F59A01A8B782D93EA6991BC172CEFFB1

Filesize
242B

MD5
750eb98aafc0c3ca9e9c61892d2dc760

SHA1
90d4c7b40379695137ecf73c53972e044c702da1

SHA256
102c294add4073a0190e33d3c2fdef8e5874d0461cea184c56d603551ca4f105

SHA512
db0b7591dd8380339477f56f38064b1d5c04697cad8ae5af95a13bb76846f32e7495a4363847c2881f617dd5ecbff991a43e47a91299a8a038796d9c65f716fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab766A.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar768C.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads