4902ce17df26b7af593d0723ced2ae7df8687deacdfdc15ce5cd991a1a464641

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
03-11-2023 02:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.077eff31875f8cae7d4529f3eb576ac0_JC.exe
Size

70KB
MD5

077eff31875f8cae7d4529f3eb576ac0
SHA1

989633f0ab553c531268a65e3d67c6ed824ec612
SHA256

4902ce17df26b7af593d0723ced2ae7df8687deacdfdc15ce5cd991a1a464641
SHA512

c2506e5c6b902edbb2ee9359ac9b049ff6263629aaa38b5246e0f75122f08c1825ebd8621314301d7505f8d78f842be823cb485a732ed736cf00da1ff91d9709
SSDEEP

1536:Eq7lXJMYYfHsJr4RYCMRPoOYir9Vq7vnTIc:VXwfHA4RYCM5RYKsEc

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2220	explorer.exe
3956	spoolsv.exe
1900	svchost.exe
1772	spoolsv.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4372-0-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/files/0x0007000000022e27-7.dat	upx
behavioral2/files/0x0007000000022e27-8.dat	upx
behavioral2/files/0x0007000000022e28-13.dat	upx
behavioral2/files/0x0007000000022e28-15.dat	upx
behavioral2/files/0x0007000000022e28-16.dat	upx
behavioral2/files/0x0007000000022e2a-23.dat	upx
behavioral2/files/0x0007000000022e2a-24.dat	upx
behavioral2/files/0x0007000000022e28-28.dat	upx
behavioral2/memory/1772-32-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/3956-36-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/4372-35-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/files/0x0008000000022e29-37.dat	upx
behavioral2/memory/2220-38-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/1900-39-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/2220-52-0x0000000000400000-0x0000000000433000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	NEAS.077eff31875f8cae7d4529f3eb576ac0_JC.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4372	NEAS.077eff31875f8cae7d4529f3eb576ac0_JC.exe
4372	NEAS.077eff31875f8cae7d4529f3eb576ac0_JC.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
1900	svchost.exe
2220	explorer.exe
1900	svchost.exe
1900	svchost.exe
1900	svchost.exe
2220	explorer.exe
1900	svchost.exe
2220	explorer.exe
1900	svchost.exe
2220	explorer.exe
1900	svchost.exe
2220	explorer.exe
1900	svchost.exe
1900	svchost.exe
2220	explorer.exe
1900	svchost.exe
2220	explorer.exe
2220	explorer.exe
2220	explorer.exe
1900	svchost.exe
1900	svchost.exe
2220	explorer.exe
2220	explorer.exe
1900	svchost.exe
1900	svchost.exe
2220	explorer.exe
2220	explorer.exe
1900	svchost.exe
1900	svchost.exe
2220	explorer.exe
2220	explorer.exe
1900	svchost.exe
1900	svchost.exe
2220	explorer.exe
2220	explorer.exe
1900	svchost.exe
1900	svchost.exe
2220	explorer.exe
2220	explorer.exe
1900	svchost.exe
1900	svchost.exe
2220	explorer.exe
2220	explorer.exe
1900	svchost.exe
1900	svchost.exe
2220	explorer.exe
2220	explorer.exe
1900	svchost.exe
1900	svchost.exe
2220	explorer.exe
2220	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2220	explorer.exe
1900	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4372	NEAS.077eff31875f8cae7d4529f3eb576ac0_JC.exe
4372	NEAS.077eff31875f8cae7d4529f3eb576ac0_JC.exe
2220	explorer.exe
2220	explorer.exe
3956	spoolsv.exe
3956	spoolsv.exe
1900	svchost.exe
1900	svchost.exe
1772	spoolsv.exe
1772	spoolsv.exe
2220	explorer.exe
2220	explorer.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4372 wrote to memory of 2220	4372	NEAS.077eff31875f8cae7d4529f3eb576ac0_JC.exe	87
PID 4372 wrote to memory of 2220	4372	NEAS.077eff31875f8cae7d4529f3eb576ac0_JC.exe	87
PID 4372 wrote to memory of 2220	4372	NEAS.077eff31875f8cae7d4529f3eb576ac0_JC.exe	87
PID 2220 wrote to memory of 3956	2220	explorer.exe	88
PID 2220 wrote to memory of 3956	2220	explorer.exe	88
PID 2220 wrote to memory of 3956	2220	explorer.exe	88
PID 3956 wrote to memory of 1900	3956	spoolsv.exe	89
PID 3956 wrote to memory of 1900	3956	spoolsv.exe	89
PID 3956 wrote to memory of 1900	3956	spoolsv.exe	89
PID 1900 wrote to memory of 1772	1900	svchost.exe	91
PID 1900 wrote to memory of 1772	1900	svchost.exe	91
PID 1900 wrote to memory of 1772	1900	svchost.exe	91
PID 1900 wrote to memory of 2280	1900	svchost.exe	92
PID 1900 wrote to memory of 2280	1900	svchost.exe	92
PID 1900 wrote to memory of 2280	1900	svchost.exe	92
PID 1900 wrote to memory of 684	1900	svchost.exe	104
PID 1900 wrote to memory of 684	1900	svchost.exe	104
PID 1900 wrote to memory of 684	1900	svchost.exe	104
PID 1900 wrote to memory of 1892	1900	svchost.exe	114
PID 1900 wrote to memory of 1892	1900	svchost.exe	114
PID 1900 wrote to memory of 1892	1900	svchost.exe	114

C:\Users\Admin\AppData\Local\Temp\NEAS.077eff31875f8cae7d4529f3eb576ac0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.077eff31875f8cae7d4529f3eb576ac0_JC.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4372
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2220
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3956
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1900
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1772
    - - C:\Windows\SysWOW64\at.exe
        
        at 02:41 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2280
    - - C:\Windows\SysWOW64\at.exe
        
        at 02:42 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:684
    - - C:\Windows\SysWOW64\at.exe
        
        at 02:43 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
70KB

MD5
84608a51c293bc101968d44247acce7d

SHA1
852b9cac9b34574a8799d297f21652c075389ff7

SHA256
59d5737ad7e0c9286f2f9aa27dd59a5c4010e085f62240287c155e39479434d0

SHA512
a10823698669c288b931f7f70d6b7bb83b9dbcff9ead157db7c818bfbe57f0a2bab593ec7df84e5c83d55482a8c034bace685e9d0f72a4bb403d283403d7f497

Download Submit
C:\Windows\System\explorer.exe

Filesize
70KB

MD5
84d3f04bb277741c488d09a62008379e

SHA1
598ca5dd09fade2f6e9fe0973a16126dbf9bebaf

SHA256
4e45cea2b0740832347a6962ed2d72103bccfe3233efd1b6d32524cab47dc82d

SHA512
eb2611d2abb6ea466bdb8563b0918cfa4a669f45372f40e875f25c2453fda44f1afc564d7b23d0a86515c4f328ef01aa028f872f9b21aada431691804bf914a7

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
70KB

MD5
6e8f14e0ea4b10dfe4e7796b1f016095

SHA1
99af91fb6f7598944d11ba55ca532b79af6f2e21

SHA256
2c197d9ca56eb5243b0af28e8970cc505af7e16e570680f19ae91611ccccd251

SHA512
0eec8b124cef78e326ae799a99493f45b2fd164752b853d3aefe0fa3c2dc717c86cd3e06e72eacefac15f773bdee9780c7ee73bf70db34d78c0463da153306ad

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
70KB

MD5
6e8f14e0ea4b10dfe4e7796b1f016095

SHA1
99af91fb6f7598944d11ba55ca532b79af6f2e21

SHA256
2c197d9ca56eb5243b0af28e8970cc505af7e16e570680f19ae91611ccccd251

SHA512
0eec8b124cef78e326ae799a99493f45b2fd164752b853d3aefe0fa3c2dc717c86cd3e06e72eacefac15f773bdee9780c7ee73bf70db34d78c0463da153306ad

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
70KB

MD5
6e8f14e0ea4b10dfe4e7796b1f016095

SHA1
99af91fb6f7598944d11ba55ca532b79af6f2e21

SHA256
2c197d9ca56eb5243b0af28e8970cc505af7e16e570680f19ae91611ccccd251

SHA512
0eec8b124cef78e326ae799a99493f45b2fd164752b853d3aefe0fa3c2dc717c86cd3e06e72eacefac15f773bdee9780c7ee73bf70db34d78c0463da153306ad

Download Submit
C:\Windows\System\svchost.exe

Filesize
70KB

MD5
44e7633c23ba2f1f2471f483d8d39313

SHA1
bc031f6860955d1827cf9db15bbdc93a72a58310

SHA256
8efaa082f53efe284ece74ff9f132e4e89986043a298a5ef1e347524b9247d21

SHA512
62bf67f1e597d2a787953739e9551d5cbe991061c75ad8974755dac747d530bce608b6ce33aec097ba6339a00a8c08aff0df22b6334e935828333beb828a26ea

Download Submit
\??\c:\windows\system\explorer.exe

Filesize
70KB

MD5
84d3f04bb277741c488d09a62008379e

SHA1
598ca5dd09fade2f6e9fe0973a16126dbf9bebaf

SHA256
4e45cea2b0740832347a6962ed2d72103bccfe3233efd1b6d32524cab47dc82d

SHA512
eb2611d2abb6ea466bdb8563b0918cfa4a669f45372f40e875f25c2453fda44f1afc564d7b23d0a86515c4f328ef01aa028f872f9b21aada431691804bf914a7

Download Submit
\??\c:\windows\system\spoolsv.exe

Filesize
70KB

MD5
6e8f14e0ea4b10dfe4e7796b1f016095

SHA1
99af91fb6f7598944d11ba55ca532b79af6f2e21

SHA256
2c197d9ca56eb5243b0af28e8970cc505af7e16e570680f19ae91611ccccd251

SHA512
0eec8b124cef78e326ae799a99493f45b2fd164752b853d3aefe0fa3c2dc717c86cd3e06e72eacefac15f773bdee9780c7ee73bf70db34d78c0463da153306ad

Download Submit
\??\c:\windows\system\svchost.exe

Filesize
70KB

MD5
44e7633c23ba2f1f2471f483d8d39313

SHA1
bc031f6860955d1827cf9db15bbdc93a72a58310

SHA256
8efaa082f53efe284ece74ff9f132e4e89986043a298a5ef1e347524b9247d21

SHA512
62bf67f1e597d2a787953739e9551d5cbe991061c75ad8974755dac747d530bce608b6ce33aec097ba6339a00a8c08aff0df22b6334e935828333beb828a26ea

Download Submit
memory/1772-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1900-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-38-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-52-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3956-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download