84fd0df9d663923def1df601513a04eb15dcb2ff900da32848e2399f27a6a6b1

Analysis

max time kernel
169s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
02/11/2023, 16:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.79a1b90431319340535a9f40dba9ef90.exe
Size

135KB
MD5

79a1b90431319340535a9f40dba9ef90
SHA1

5ffccde270c41685f714add89d5555ae88519aac
SHA256

84fd0df9d663923def1df601513a04eb15dcb2ff900da32848e2399f27a6a6b1
SHA512

ae0eec8f1fee12618eb71467fd7c5ffca5a62ab4a676836cfb22b83a25dc8e72c05da3dbcf342044adc1bccd10e646352f1f8201aa94d0fdb0e72ae16ee47796
SSDEEP

1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVXH:UVqoCl/YgjxEufVU0TbTyDDalRH

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
4772	explorer.exe
1348	spoolsv.exe
2092	svchost.exe
4976	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	NEAS.79a1b90431319340535a9f40dba9ef90.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3692	NEAS.79a1b90431319340535a9f40dba9ef90.exe
3692	NEAS.79a1b90431319340535a9f40dba9ef90.exe
3692	NEAS.79a1b90431319340535a9f40dba9ef90.exe
3692	NEAS.79a1b90431319340535a9f40dba9ef90.exe
3692	NEAS.79a1b90431319340535a9f40dba9ef90.exe
3692	NEAS.79a1b90431319340535a9f40dba9ef90.exe
3692	NEAS.79a1b90431319340535a9f40dba9ef90.exe
3692	NEAS.79a1b90431319340535a9f40dba9ef90.exe
3692	NEAS.79a1b90431319340535a9f40dba9ef90.exe
3692	NEAS.79a1b90431319340535a9f40dba9ef90.exe
3692	NEAS.79a1b90431319340535a9f40dba9ef90.exe
3692	NEAS.79a1b90431319340535a9f40dba9ef90.exe
3692	NEAS.79a1b90431319340535a9f40dba9ef90.exe
3692	NEAS.79a1b90431319340535a9f40dba9ef90.exe
3692	NEAS.79a1b90431319340535a9f40dba9ef90.exe
3692	NEAS.79a1b90431319340535a9f40dba9ef90.exe
3692	NEAS.79a1b90431319340535a9f40dba9ef90.exe
3692	NEAS.79a1b90431319340535a9f40dba9ef90.exe
3692	NEAS.79a1b90431319340535a9f40dba9ef90.exe
3692	NEAS.79a1b90431319340535a9f40dba9ef90.exe
3692	NEAS.79a1b90431319340535a9f40dba9ef90.exe
3692	NEAS.79a1b90431319340535a9f40dba9ef90.exe
3692	NEAS.79a1b90431319340535a9f40dba9ef90.exe
3692	NEAS.79a1b90431319340535a9f40dba9ef90.exe
3692	NEAS.79a1b90431319340535a9f40dba9ef90.exe
3692	NEAS.79a1b90431319340535a9f40dba9ef90.exe
3692	NEAS.79a1b90431319340535a9f40dba9ef90.exe
3692	NEAS.79a1b90431319340535a9f40dba9ef90.exe
3692	NEAS.79a1b90431319340535a9f40dba9ef90.exe
3692	NEAS.79a1b90431319340535a9f40dba9ef90.exe
3692	NEAS.79a1b90431319340535a9f40dba9ef90.exe
3692	NEAS.79a1b90431319340535a9f40dba9ef90.exe
3692	NEAS.79a1b90431319340535a9f40dba9ef90.exe
3692	NEAS.79a1b90431319340535a9f40dba9ef90.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4772	explorer.exe
2092	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3692	NEAS.79a1b90431319340535a9f40dba9ef90.exe
3692	NEAS.79a1b90431319340535a9f40dba9ef90.exe
4772	explorer.exe
4772	explorer.exe
1348	spoolsv.exe
1348	spoolsv.exe
2092	svchost.exe
2092	svchost.exe
4976	spoolsv.exe
4976	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3692 wrote to memory of 4772	3692	NEAS.79a1b90431319340535a9f40dba9ef90.exe	96
PID 3692 wrote to memory of 4772	3692	NEAS.79a1b90431319340535a9f40dba9ef90.exe	96
PID 3692 wrote to memory of 4772	3692	NEAS.79a1b90431319340535a9f40dba9ef90.exe	96
PID 4772 wrote to memory of 1348	4772	explorer.exe	97
PID 4772 wrote to memory of 1348	4772	explorer.exe	97
PID 4772 wrote to memory of 1348	4772	explorer.exe	97
PID 1348 wrote to memory of 2092	1348	spoolsv.exe	98
PID 1348 wrote to memory of 2092	1348	spoolsv.exe	98
PID 1348 wrote to memory of 2092	1348	spoolsv.exe	98
PID 2092 wrote to memory of 4976	2092	svchost.exe	99
PID 2092 wrote to memory of 4976	2092	svchost.exe	99
PID 2092 wrote to memory of 4976	2092	svchost.exe	99

C:\Users\Admin\AppData\Local\Temp\NEAS.79a1b90431319340535a9f40dba9ef90.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.79a1b90431319340535a9f40dba9ef90.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3692
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4772
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1348
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2092
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
7b977e8d9af088f5e6ac20fb4120a91c

SHA1
a82378edc475dd6258a40a4de52640f8e69bb8ef

SHA256
99298446873f7d7633749b37606b57137fd68be492f5896865aeff3c6bde06c0

SHA512
5b8761b9f12ee05b350085951011b6e60994c0a51a21a1ea81f9aa0834418af3474285510af8f11b971ba0e88fd254e9ab423e7847815486e6e9d4e4b4dbf1a8

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
b3d941b0fae662c6f10b436798ccfaa4

SHA1
494db5ccd2a239928c51b449cbdbb9c38cbf476e

SHA256
46aca7341eb336e693be5eee570a6609065ae8ce28ec4f0b609374f9a2507a83

SHA512
8e8a5f144ff6d3f05bde278abd0c41265db0f6e103cfc542bb8cb93304462a829a6e525590e26595441d4b81d6ab6ed5a85d02ebff3b9def83ee4b868e727be4

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
b3d941b0fae662c6f10b436798ccfaa4

SHA1
494db5ccd2a239928c51b449cbdbb9c38cbf476e

SHA256
46aca7341eb336e693be5eee570a6609065ae8ce28ec4f0b609374f9a2507a83

SHA512
8e8a5f144ff6d3f05bde278abd0c41265db0f6e103cfc542bb8cb93304462a829a6e525590e26595441d4b81d6ab6ed5a85d02ebff3b9def83ee4b868e727be4

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
b3d941b0fae662c6f10b436798ccfaa4

SHA1
494db5ccd2a239928c51b449cbdbb9c38cbf476e

SHA256
46aca7341eb336e693be5eee570a6609065ae8ce28ec4f0b609374f9a2507a83

SHA512
8e8a5f144ff6d3f05bde278abd0c41265db0f6e103cfc542bb8cb93304462a829a6e525590e26595441d4b81d6ab6ed5a85d02ebff3b9def83ee4b868e727be4

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
5b2d8044c4f6742c3b74ee071f055e1a

SHA1
e4bf02f1b98c65ad9ac605bc336ac35826d2da3c

SHA256
6aa0259be1f1422402cc03d22f8d092ee1db1755c78f66a407179988997852df

SHA512
722dd0c3891bba76c0f20fe279eb352d83667aa649cd375d446ef3c55fe71844976e1bcb3d6696fd6d94240791d7e6e7064f2cc7a5485ed9cb2b7648ef6c70d3

Download Submit
\??\c:\windows\resources\spoolsv.exe

Filesize
135KB

MD5
b3d941b0fae662c6f10b436798ccfaa4

SHA1
494db5ccd2a239928c51b449cbdbb9c38cbf476e

SHA256
46aca7341eb336e693be5eee570a6609065ae8ce28ec4f0b609374f9a2507a83

SHA512
8e8a5f144ff6d3f05bde278abd0c41265db0f6e103cfc542bb8cb93304462a829a6e525590e26595441d4b81d6ab6ed5a85d02ebff3b9def83ee4b868e727be4

Download Submit
\??\c:\windows\resources\svchost.exe

Filesize
135KB

MD5
5b2d8044c4f6742c3b74ee071f055e1a

SHA1
e4bf02f1b98c65ad9ac605bc336ac35826d2da3c

SHA256
6aa0259be1f1422402cc03d22f8d092ee1db1755c78f66a407179988997852df

SHA512
722dd0c3891bba76c0f20fe279eb352d83667aa649cd375d446ef3c55fe71844976e1bcb3d6696fd6d94240791d7e6e7064f2cc7a5485ed9cb2b7648ef6c70d3

Download Submit
\??\c:\windows\resources\themes\explorer.exe

Filesize
135KB

MD5
7b977e8d9af088f5e6ac20fb4120a91c

SHA1
a82378edc475dd6258a40a4de52640f8e69bb8ef

SHA256
99298446873f7d7633749b37606b57137fd68be492f5896865aeff3c6bde06c0

SHA512
5b8761b9f12ee05b350085951011b6e60994c0a51a21a1ea81f9aa0834418af3474285510af8f11b971ba0e88fd254e9ab423e7847815486e6e9d4e4b4dbf1a8

Download Submit
memory/1348-33-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2092-36-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3692-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3692-34-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4772-35-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4976-32-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download