Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/11/2023, 20:54

General

  • Target

    NEAS.893e7a46262f9cf0dae3ff1ed592b530_JC.exe

  • Size

    211KB

  • MD5

    893e7a46262f9cf0dae3ff1ed592b530

  • SHA1

    3779cfde6bd05cdde6ba999c0bb31816be43a689

  • SHA256

    6a45ebc74ce0884b088015f7a02835d3bdbb6e35d5d81bf3a65b143e92972cf9

  • SHA512

    82717664ee2d4f5d3d89a52f05d4ca4d0a7f0cee72e0a057f5171fc97a9d65d19a6ac965eef9f11b30905fe333264f23689471f4080b9561b06de20d963fe51f

  • SSDEEP

    3072:JD6Xtx68yygRBE52mxkEOHLRMpZ4deth8PEAjAfIbAYGPhz6sPJBInxZqOY:Jh8cBzHLRMpZ4d1ZY

Score
10/10

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.893e7a46262f9cf0dae3ff1ed592b530_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.893e7a46262f9cf0dae3ff1ed592b530_JC.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3036
    • \??\c:\windows\userinit.exe
      c:\windows\userinit.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2840
      • \??\c:\windows\spoolsw.exe
        c:\windows\spoolsw.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3068
        • \??\c:\windows\swchost.exe
          c:\windows\swchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2608
          • \??\c:\windows\spoolsw.exe
            c:\windows\spoolsw.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2564

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\mrsys.exe

          Filesize

          211KB

          MD5

          8b12450b9b91f36fb3d362e420bf8677

          SHA1

          bd7eb07291b8d71e2edbe6749c52d5c180034354

          SHA256

          6f03420b87aba608dd77e2d0ab0613b93ae13689c2d860bb8bd91bee8862c17e

          SHA512

          24c3a4d46ff98ebe7b417c43e721f5a73697f52d05d6009fe849e26fb52969ad1f22b1ee82a1a66b282ca30f0c24c6e0bf1fa19b616c2282cfc2257206ee665d

        • C:\Windows\spoolsw.exe

          Filesize

          211KB

          MD5

          6ac051a3c6c33df3a1f8e6f372a252af

          SHA1

          0d37f56ac74767310bd1c45564f2ffd1c267a644

          SHA256

          26a2cf50a7571799a9378001198a84e36a2858b20fbf03e06aa7ae6acb20100b

          SHA512

          8ef8223d7221a00e3f06ba562bc3ec5cf8a0ac5059eba82595d0fa5219dbb402515d8a64af80790330a5f4780a0f46017c45af7362f73b70ffe49a11004c970d

        • C:\Windows\swchost.exe

          Filesize

          211KB

          MD5

          2ebc3448dbe897dd2315faf9ebcbbb7a

          SHA1

          28d1e9a0ca054db5fed7acdbfa18bd885ea266c9

          SHA256

          03ff8a1e342d7e9e418e8a8f93e1754bd8258cd690f14624bb3f8d55c08b0baa

          SHA512

          05f897b8f3aa4c05ed0eb6afff060c65901d7715fe15d802c84b19927aaf0fea1ddeb1208c28496b0b65f1d66a0af0cd79d592f0d56c1cb49bf4063697ea5ae4

        • C:\Windows\userinit.exe

          Filesize

          211KB

          MD5

          c65103524967009916f2dd277c2f6730

          SHA1

          92d4da2e38f83c739f28bd6cb50a18ac1aac8f31

          SHA256

          065b175a049369e81e9313d0843d871f7904a0026b2cef49eab1ee8660e734ea

          SHA512

          32774f07deed03fa60386667acb198fbc746ad9bb418481c6d2b214e18f633ffc76add1ce05828bc306b90d988a36ad1b208d168a30c2c268fcf9efaee5b0b15

        • \??\c:\windows\spoolsw.exe

          Filesize

          211KB

          MD5

          6ac051a3c6c33df3a1f8e6f372a252af

          SHA1

          0d37f56ac74767310bd1c45564f2ffd1c267a644

          SHA256

          26a2cf50a7571799a9378001198a84e36a2858b20fbf03e06aa7ae6acb20100b

          SHA512

          8ef8223d7221a00e3f06ba562bc3ec5cf8a0ac5059eba82595d0fa5219dbb402515d8a64af80790330a5f4780a0f46017c45af7362f73b70ffe49a11004c970d

        • \??\c:\windows\swchost.exe

          Filesize

          211KB

          MD5

          2ebc3448dbe897dd2315faf9ebcbbb7a

          SHA1

          28d1e9a0ca054db5fed7acdbfa18bd885ea266c9

          SHA256

          03ff8a1e342d7e9e418e8a8f93e1754bd8258cd690f14624bb3f8d55c08b0baa

          SHA512

          05f897b8f3aa4c05ed0eb6afff060c65901d7715fe15d802c84b19927aaf0fea1ddeb1208c28496b0b65f1d66a0af0cd79d592f0d56c1cb49bf4063697ea5ae4

        • \??\c:\windows\userinit.exe

          Filesize

          211KB

          MD5

          c65103524967009916f2dd277c2f6730

          SHA1

          92d4da2e38f83c739f28bd6cb50a18ac1aac8f31

          SHA256

          065b175a049369e81e9313d0843d871f7904a0026b2cef49eab1ee8660e734ea

          SHA512

          32774f07deed03fa60386667acb198fbc746ad9bb418481c6d2b214e18f633ffc76add1ce05828bc306b90d988a36ad1b208d168a30c2c268fcf9efaee5b0b15
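
The process tree above is worth reading carefully: the `c:\windows\userinit.exe` that the sample launches is not the Windows binary (which lives in `System32`) but a dropped 211KB lookalike with its own hash, and `spoolsw.exe` / `swchost.exe` are not Windows files at all. The following host-triage script is an added example, not part of the sandbox report or the sample. It checks the persistence locations the signatures name (Winlogon, Run keys, Explorer hidden-file settings, Active Setup Installed Components) and compares any file found at the drop paths against the SHA256 values in the dropped-file list. The expected Winlogon and Explorer defaults are assumptions about a clean Windows 7 host, not values taken from the report; the script is read-only and should be run elevated.

```powershell
# Added host-triage example; not part of the sandbox report.
# Read-only: it only reads files and registry values and prints findings.

# SHA256 values copied from the report's target hash and dropped-file list.
$KnownBad = @{
    '6a45ebc74ce0884b088015f7a02835d3bdbb6e35d5d81bf3a65b143e92972cf9' = 'original sample'
    '065b175a049369e81e9313d0843d871f7904a0026b2cef49eab1ee8660e734ea' = 'dropped C:\Windows\userinit.exe'
    '26a2cf50a7571799a9378001198a84e36a2858b20fbf03e06aa7ae6acb20100b' = 'dropped C:\Windows\spoolsw.exe'
    '03ff8a1e342d7e9e418e8a8f93e1754bd8258cd690f14624bb3f8d55c08b0baa' = 'dropped C:\Windows\swchost.exe'
    '6f03420b87aba608dd77e2d0ab0613b93ae13689c2d860bb8bd91bee8862c17e' = 'dropped %LOCALAPPDATA%\mrsys.exe'
}

# 1. Drop paths. userinit.exe belongs in System32; a copy in the C:\Windows root is the
#    masquerade seen in the process tree. spoolsw.exe and swchost.exe are not Windows files.
$DropPaths = @('C:\Windows\userinit.exe', 'C:\Windows\spoolsw.exe', 'C:\Windows\swchost.exe')
$DropPaths += @(Get-ChildItem -Path 'C:\Users\*\AppData\Local\mrsys.exe' -Force -ErrorAction SilentlyContinue |
                ForEach-Object { $_.FullName })
foreach ($p in $DropPaths) {
    if (Test-Path -LiteralPath $p) {
        $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
        $tag = if ($KnownBad.ContainsKey($h)) { 'MATCH: ' + $KnownBad[$h] } else { 'no hash match; path alone is suspicious' }
        "[file] $p sha256=$h  $tag"
    }
}

# 2. Winlogon. Assumed clean values for Windows 7; anything else is the on-host counterpart
#    of the 'Modifies WinLogon for persistence' signature. A missing value is also reported.
$Expected = @{ Userinit = 'C:\Windows\system32\userinit.exe,'; Shell = 'explorer.exe' }
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
foreach ($name in $Expected.Keys) {
    $v = [string]$wl.$name
    if ($v.Trim() -ine $Expected[$name]) { "[winlogon] $name = '$v' (expected '$($Expected[$name])')" }
}

# 3. Run / RunOnce in both hives. Flag values naming the dropped files or any executable
#    launched directly from the C:\Windows root (the regex does not match System32 paths).
$RunKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$Suspect = '(userinit|spoolsw|swchost|mrsys)\.exe|c:\\windows\\[^\\]+\.exe'
foreach ($k in $RunKeys) {
    if (-not (Test-Path $k)) { continue }
    (Get-ItemProperty $k).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and ([string]$_.Value) -match $Suspect } |
        ForEach-Object { "[run] $k\$($_.Name) = $($_.Value)" }
}

# 4. Explorer hidden-file settings. Assumed defaults: Hidden=2 (hidden items not shown) and
#    ShowSuperHidden=0. The report only says the sample modifies these; compare with defaults.
$adv = Get-ItemProperty 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
if ($adv) { "[explorer] Hidden=$($adv.Hidden) ShowSuperHidden=$($adv.ShowSuperHidden) (defaults 2 / 0)" }

# 5. Active Setup 'Installed Components': each StubPath runs once per user at logon, which is
#    what the 'Modifies Installed Components in the registry' signature refers to.
foreach ($hive in 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
                  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components') {
    Get-ChildItem $hive -ErrorAction SilentlyContinue | ForEach-Object {
        $stub = [string](Get-ItemProperty -LiteralPath $_.PSPath).StubPath
        if ($stub -match $Suspect) { "[activesetup] $($_.PSChildName) StubPath = $stub" }
    }
}
```

Hash matches are the strong signal; a file at one of these paths with a different hash should still be treated as suspect, since the report shows every dropped copy carrying a distinct hash at the same 211KB size. The script does not remove anything: once the Winlogon `Userinit` value points at a dropped binary, restoring it before the file is quarantined (or vice versa) can leave the host unable to log on, so collect first and remediate in a controlled order.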