895cc5010ad35ce741ca0b0c8aa231bb230e8b225e9a0a2119ec79175237f0cc

Analysis

max time kernel
142s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
03-11-2023 03:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
Size

328KB
MD5

068b83f680d3ab641976172c38e4b2e0
SHA1

c2b38e59a84c493ab06ce0cc4cd2a769fc67ba6d
SHA256

895cc5010ad35ce741ca0b0c8aa231bb230e8b225e9a0a2119ec79175237f0cc
SHA512

4336d6df1665476ec06643282721df0b7770a1008bb0dcfe71e8b9c0dd550d59890d1489e4af4a3f6fa48301858f9359d9927433fb9161f99caf77ae9ebe37a1
SSDEEP

6144:syWOeLm+tkxoGQvT+W4+HMc+MEGRQ6saHSMf3z0AzbLUG50Tpm+MmvbWdlL0d5aU:sCemx0vN3HKGi6sYjJLUGGtedud5tr7

Score

8^/10

adware discovery exploit persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\7405666e.sys	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe

Possible privilege escalation attempt 4 IoCs

exploit

pid	Process
1048	takeown.exe
684	icacls.exe
1444	takeown.exe
4824	icacls.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\7405666e\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\7405666e.sys"	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1444	takeown.exe
4824	icacls.exe
1048	takeown.exe
684	icacls.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe

Maps connected drives based on registry 3 TTPs 3 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\midimap.dll	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
File created	C:\Windows\SysWOW64\ws2tcpip.dll	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
File opened for modification	C:\Windows\SysWOW64\ws2tcpip.dll	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
File created	C:\Windows\SysWOW64\wshtcpip.dll	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID\name = "NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe"	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL\name = "2f8wRubj.dll"	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
676	Process not Found
1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
Token: SeTakeOwnershipPrivilege	1048	takeown.exe
Token: SeTakeOwnershipPrivilege	1444	takeown.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 4336	1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe	99
PID 1792 wrote to memory of 4336	1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe	99
PID 1792 wrote to memory of 4336	1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe	99
PID 4336 wrote to memory of 1048	4336	cmd.exe	101
PID 4336 wrote to memory of 1048	4336	cmd.exe	101
PID 4336 wrote to memory of 1048	4336	cmd.exe	101
PID 4336 wrote to memory of 684	4336	cmd.exe	102
PID 4336 wrote to memory of 684	4336	cmd.exe	102
PID 4336 wrote to memory of 684	4336	cmd.exe	102
PID 1792 wrote to memory of 940	1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe	103
PID 1792 wrote to memory of 940	1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe	103
PID 1792 wrote to memory of 940	1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe	103
PID 940 wrote to memory of 1444	940	cmd.exe	105
PID 940 wrote to memory of 1444	940	cmd.exe	105
PID 940 wrote to memory of 1444	940	cmd.exe	105
PID 940 wrote to memory of 4824	940	cmd.exe	106
PID 940 wrote to memory of 4824	940	cmd.exe	106
PID 940 wrote to memory of 4824	940	cmd.exe	106
PID 1792 wrote to memory of 768	1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe	107
PID 1792 wrote to memory of 768	1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe	107
PID 1792 wrote to memory of 768	1792	NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe	107

C:\Users\Admin\AppData\Local\Temp\NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.068b83f680d3ab641976172c38e4b2e0_JC.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Installs/modifies Browser Helper Object
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4336
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\SysWOW64\wshtcpip.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1048
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:684
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c takeown /f C:\Windows\SysWOW64\midimap.dll && icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\SysWOW64\midimap.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1444
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
  2⤵
  PID:768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ahnmove.bat

Filesize
181B

MD5
3852f0bec77a47054045588662ab0303

SHA1
c5ecfabeb935b1baaff2dae8394e1e09bd3d782b

SHA256
82bd4f26b5df0d73881c95583536f5149701e945359e30d0b16b391f6c86db5c

SHA512
8c1a2d858a57489b7e86d8bf5395b2a18a8d378b1207366fdc672690e389f85620357d5768144fe105b1ab4654a1cb51284459c6859d8aa8a3fe848bf6836754

Download Submit
memory/1792-0-0x0000000001000000-0x000000000116A000-memory.dmp

Filesize
1.4MB

Download
memory/1792-1-0x0000000000D30000-0x0000000000D50000-memory.dmp

Filesize
128KB

Download
memory/1792-5-0x0000000001000000-0x000000000116A000-memory.dmp

Filesize
1.4MB

Download
memory/1792-24-0x0000000001000000-0x000000000116A000-memory.dmp

Filesize
1.4MB

Download