c3fd1c5f5797c026c2e8c81774740ae7d2139d4c7d169a007e99fd618612030f

General

Target

NEAS.5c8fd363a2a03ce6178682dda623e450.exe
Size

355KB
MD5

5c8fd363a2a03ce6178682dda623e450
SHA1

1096c79f755e6cc1cd27c8c57dd21d3b51eeadfe
SHA256

c3fd1c5f5797c026c2e8c81774740ae7d2139d4c7d169a007e99fd618612030f
SHA512

3f8da75b2acf2efeb0c0c7926b629b79888d8a4b0d6752fdb16ecdaad183948e6f88152774ef75aaefe80de4af859d9b94ab333af3b4c49112651beec4b362bb
SSDEEP

6144:vI3EmWPDNND9yRPzLq+YXFqaZiMLic9kzVd7EAC4TSs9EiS:vTmWhND9yJz+b1FcMLmp2ATTSsdS

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2564	svchost.exe

Loads dropped DLL 6 IoCs

pid	Process
2956	NEAS.5c8fd363a2a03ce6178682dda623e450.exe
2956	NEAS.5c8fd363a2a03ce6178682dda623e450.exe
3028	WerFault.exe
3028	WerFault.exe
3028	WerFault.exe
3028	WerFault.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\b9a7ad84 = "°\x01GŒZ-GräàÜ\x19ÞP\x05ˆÈEó¬mÍfKó\u009dŸ¥ë\x01ð=\u009dV\x1bàäEî£\x1a*Î\x06 ^\x02sâ\x18ƒ“ËëiÎ¾±8\n¹Æ\x1c~\x12»ÊÛr+ž´p¢rÅ\x1dûÎ\u0081•¦Éã$Uû$s0¢ë“ƒØ’\x11\"1I+úÕåóú…æ»ËŽq°:úøKY1\x18È\"F²\u009dØÞ\n+{#&\u008d™‹"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\b9a7ad84 = "°\x01GŒZ-GräàÜ\x19ÞP\x05ˆÈEó¬mÍfKó\u009dŸ¥ë\x01ð=\u009dV\x1bàäEî£\x1a*Î\x06 ^\x02sâ\x18ƒ“ËëiÎ¾±8\n¹Æ\x1c~\x12»ÊÛr+ž´p¢rÅ\x1dûÎ\u0081•¦Éã$Uû$s0¢ë“ƒØ’\x11\"1I+úÕåóú…æ»ËŽq°:úøKY1\x18È\"F²\u009dØÞ\n+{#&\u008d™‹"	NEAS.5c8fd363a2a03ce6178682dda623e450.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	NEAS.5c8fd363a2a03ce6178682dda623e450.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	NEAS.5c8fd363a2a03ce6178682dda623e450.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3028	2564	WerFault.exe	28

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2956	NEAS.5c8fd363a2a03ce6178682dda623e450.exe
2956	NEAS.5c8fd363a2a03ce6178682dda623e450.exe
2956	NEAS.5c8fd363a2a03ce6178682dda623e450.exe
2956	NEAS.5c8fd363a2a03ce6178682dda623e450.exe
2564	svchost.exe
2564	svchost.exe
2564	svchost.exe
2564	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2956	NEAS.5c8fd363a2a03ce6178682dda623e450.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2564	2956	NEAS.5c8fd363a2a03ce6178682dda623e450.exe	28
PID 2956 wrote to memory of 2564	2956	NEAS.5c8fd363a2a03ce6178682dda623e450.exe	28
PID 2956 wrote to memory of 2564	2956	NEAS.5c8fd363a2a03ce6178682dda623e450.exe	28
PID 2956 wrote to memory of 2564	2956	NEAS.5c8fd363a2a03ce6178682dda623e450.exe	28
PID 2564 wrote to memory of 3028	2564	svchost.exe	29
PID 2564 wrote to memory of 3028	2564	svchost.exe	29
PID 2564 wrote to memory of 3028	2564	svchost.exe	29
PID 2564 wrote to memory of 3028	2564	svchost.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.5c8fd363a2a03ce6178682dda623e450.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.5c8fd363a2a03ce6178682dda623e450.exe"
1⤵
- Loads dropped DLL
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Modifies WinLogon
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 212
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\AppPatch\svchost.exe

Filesize
355KB

MD5
b735066eeb5b8128aefc9f74ec595f82

SHA1
b05149f533d0b511c67bed5b09fd9902a72edd3d

SHA256
11968d0176c12a0d9f095eed82bbb2999e65d1b68fff1942f6858554fa20bac6

SHA512
809f5acc087507ee01d6c117c219d3dda04c9bebcef4f3a3428391d34ea6f5de2d6ddcaf9c0e72f68de5a75f05f7f1d409863fafcd4b1ced0d5225a96f468fcf

Download Submit
C:\Windows\AppPatch\svchost.exe

Filesize
355KB

MD5
b735066eeb5b8128aefc9f74ec595f82

SHA1
b05149f533d0b511c67bed5b09fd9902a72edd3d

SHA256
11968d0176c12a0d9f095eed82bbb2999e65d1b68fff1942f6858554fa20bac6

SHA512
809f5acc087507ee01d6c117c219d3dda04c9bebcef4f3a3428391d34ea6f5de2d6ddcaf9c0e72f68de5a75f05f7f1d409863fafcd4b1ced0d5225a96f468fcf

Download Submit
\Windows\AppPatch\svchost.exe

Filesize
355KB

MD5
b735066eeb5b8128aefc9f74ec595f82

SHA1
b05149f533d0b511c67bed5b09fd9902a72edd3d

SHA256
11968d0176c12a0d9f095eed82bbb2999e65d1b68fff1942f6858554fa20bac6

SHA512
809f5acc087507ee01d6c117c219d3dda04c9bebcef4f3a3428391d34ea6f5de2d6ddcaf9c0e72f68de5a75f05f7f1d409863fafcd4b1ced0d5225a96f468fcf

Download Submit
\Windows\AppPatch\svchost.exe

Filesize
355KB

MD5
b735066eeb5b8128aefc9f74ec595f82

SHA1
b05149f533d0b511c67bed5b09fd9902a72edd3d

SHA256
11968d0176c12a0d9f095eed82bbb2999e65d1b68fff1942f6858554fa20bac6

SHA512
809f5acc087507ee01d6c117c219d3dda04c9bebcef4f3a3428391d34ea6f5de2d6ddcaf9c0e72f68de5a75f05f7f1d409863fafcd4b1ced0d5225a96f468fcf

Download Submit
\Windows\AppPatch\svchost.exe

Filesize
355KB

MD5
b735066eeb5b8128aefc9f74ec595f82

SHA1
b05149f533d0b511c67bed5b09fd9902a72edd3d

SHA256
11968d0176c12a0d9f095eed82bbb2999e65d1b68fff1942f6858554fa20bac6

SHA512
809f5acc087507ee01d6c117c219d3dda04c9bebcef4f3a3428391d34ea6f5de2d6ddcaf9c0e72f68de5a75f05f7f1d409863fafcd4b1ced0d5225a96f468fcf

Download Submit
\Windows\AppPatch\svchost.exe

Filesize
355KB

MD5
b735066eeb5b8128aefc9f74ec595f82

SHA1
b05149f533d0b511c67bed5b09fd9902a72edd3d

SHA256
11968d0176c12a0d9f095eed82bbb2999e65d1b68fff1942f6858554fa20bac6

SHA512
809f5acc087507ee01d6c117c219d3dda04c9bebcef4f3a3428391d34ea6f5de2d6ddcaf9c0e72f68de5a75f05f7f1d409863fafcd4b1ced0d5225a96f468fcf

Download Submit
\Windows\AppPatch\svchost.exe

Filesize
355KB

MD5
b735066eeb5b8128aefc9f74ec595f82

SHA1
b05149f533d0b511c67bed5b09fd9902a72edd3d

SHA256
11968d0176c12a0d9f095eed82bbb2999e65d1b68fff1942f6858554fa20bac6

SHA512
809f5acc087507ee01d6c117c219d3dda04c9bebcef4f3a3428391d34ea6f5de2d6ddcaf9c0e72f68de5a75f05f7f1d409863fafcd4b1ced0d5225a96f468fcf

Download Submit
\Windows\AppPatch\svchost.exe

Filesize
355KB

MD5
b735066eeb5b8128aefc9f74ec595f82

SHA1
b05149f533d0b511c67bed5b09fd9902a72edd3d

SHA256
11968d0176c12a0d9f095eed82bbb2999e65d1b68fff1942f6858554fa20bac6

SHA512
809f5acc087507ee01d6c117c219d3dda04c9bebcef4f3a3428391d34ea6f5de2d6ddcaf9c0e72f68de5a75f05f7f1d409863fafcd4b1ced0d5225a96f468fcf

Download Submit
memory/2564-16-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2564-17-0x0000000001F20000-0x0000000001FC8000-memory.dmp

Filesize
672KB

Download
memory/2564-24-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2956-9-0x0000000000460000-0x00000000004BF000-memory.dmp

Filesize
380KB

Download
memory/2956-0-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2956-14-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2956-23-0x0000000000460000-0x00000000004BF000-memory.dmp

Filesize
380KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads