8c407c42ab90e8ccffd55b917c9b7bae3210de515519ded70f1d7df3fe6784db

General

Target

NEAS.01b94eaa99f2e998d7cb882ce673f620_JC.exe
Size

216KB
MD5

01b94eaa99f2e998d7cb882ce673f620
SHA1

5e3a8514ae4ac4232c48f5ce24891cdd96a3133d
SHA256

8c407c42ab90e8ccffd55b917c9b7bae3210de515519ded70f1d7df3fe6784db
SHA512

69f1457a6919a7496c95fdee93b5061e2fb85a1a5f730041bf51a04f6db00409381230a86ee0cbfc1c36352717e50198ae8aa994970f2857b5f9f16f756f132d
SSDEEP

6144:pDn0J/fNQ4bc3wT994Th6rC2dzT/Y7BNandXg:hefN3o3wT994Th6rC2dI7radQ

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "2"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "2"	svchost.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation	NEAS.01b94eaa99f2e998d7cb882ce673f620_JC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
3168	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
3632	NEAS.01b94eaa99f2e998d7cb882ce673f620_JC.exe
3168	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMax = "C:\\Users\\Admin\\userinit.exe"	svchost.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\Autorun.inf	svchost.exe
File opened for modification	C:\Autorun.inf	svchost.exe
File created	F:\Autorun.inf	svchost.exe
File opened for modification	F:\Autorun.inf	svchost.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wmdrtc32.dll	NEAS.01b94eaa99f2e998d7cb882ce673f620_JC.exe
File opened for modification	C:\Windows\SysWOW64\wmdrtc32.dl_	svchost.exe
File created	C:\Windows\SysWOW64\wmdrtc32.dll	svchost.exe
File created	C:\Windows\SysWOW64\wmdrtc32.dl_	NEAS.01b94eaa99f2e998d7cb882ce673f620_JC.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\MSshare.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\MSshare.exe	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM.INI	NEAS.01b94eaa99f2e998d7cb882ce673f620_JC.exe
File created	C:\Windows\Web\OfficeUpdate.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3632	NEAS.01b94eaa99f2e998d7cb882ce673f620_JC.exe
3168	svchost.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3632 wrote to memory of 3168	3632	NEAS.01b94eaa99f2e998d7cb882ce673f620_JC.exe	89
PID 3632 wrote to memory of 3168	3632	NEAS.01b94eaa99f2e998d7cb882ce673f620_JC.exe	89
PID 3632 wrote to memory of 3168	3632	NEAS.01b94eaa99f2e998d7cb882ce673f620_JC.exe	89
PID 3168 wrote to memory of 1516	3168	svchost.exe	97
PID 3168 wrote to memory of 1516	3168	svchost.exe	97
PID 3168 wrote to memory of 1516	3168	svchost.exe	97
PID 3168 wrote to memory of 852	3168	svchost.exe	99
PID 3168 wrote to memory of 852	3168	svchost.exe	99
PID 3168 wrote to memory of 852	3168	svchost.exe	99
PID 3168 wrote to memory of 3868	3168	svchost.exe	101
PID 3168 wrote to memory of 3868	3168	svchost.exe	101
PID 3168 wrote to memory of 3868	3168	svchost.exe	101

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Nofolderoptions = "1"	svchost.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.01b94eaa99f2e998d7cb882ce673f620_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.01b94eaa99f2e998d7cb882ce673f620_JC.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3632
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3168
- - C:\Windows\SysWOW64\at.exe
    "C:\Windows\System32\at.exe" /delete /yes
    3⤵
    PID:1516
- - C:\Windows\SysWOW64\at.exe
    "C:\Windows\System32\at.exe" 20:30 /every:M,T,W,TH,F,S,SU C:\Windows\Web\OfficeUpdate.exe
    3⤵
    PID:852
- - C:\Windows\SysWOW64\at.exe
    "C:\Windows\System32\at.exe" 11:30 /every:M,T,W,TH,F,S,SU C:\Windows\Web\OfficeUpdate.exe
    3⤵
    PID:3868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
216KB

MD5
01b94eaa99f2e998d7cb882ce673f620

SHA1
5e3a8514ae4ac4232c48f5ce24891cdd96a3133d

SHA256
8c407c42ab90e8ccffd55b917c9b7bae3210de515519ded70f1d7df3fe6784db

SHA512
69f1457a6919a7496c95fdee93b5061e2fb85a1a5f730041bf51a04f6db00409381230a86ee0cbfc1c36352717e50198ae8aa994970f2857b5f9f16f756f132d

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
216KB

MD5
01b94eaa99f2e998d7cb882ce673f620

SHA1
5e3a8514ae4ac4232c48f5ce24891cdd96a3133d

SHA256
8c407c42ab90e8ccffd55b917c9b7bae3210de515519ded70f1d7df3fe6784db

SHA512
69f1457a6919a7496c95fdee93b5061e2fb85a1a5f730041bf51a04f6db00409381230a86ee0cbfc1c36352717e50198ae8aa994970f2857b5f9f16f756f132d

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
216KB

MD5
01b94eaa99f2e998d7cb882ce673f620

SHA1
5e3a8514ae4ac4232c48f5ce24891cdd96a3133d

SHA256
8c407c42ab90e8ccffd55b917c9b7bae3210de515519ded70f1d7df3fe6784db

SHA512
69f1457a6919a7496c95fdee93b5061e2fb85a1a5f730041bf51a04f6db00409381230a86ee0cbfc1c36352717e50198ae8aa994970f2857b5f9f16f756f132d

Download Submit
C:\Windows\SYSTEM.INI

Filesize
258B

MD5
4cdd9439bba18801b91b362a15a26688

SHA1
03a06d51ed9562daf402c772e9ff329f879d8b8f

SHA256
bc9b9f3215a84db712055d84b7e2caef143b4ac2640324287f84a38bae789595

SHA512
a63d295b967fb986e94d5280b3aecb6ea1bbf72b1cd28f592799072da1b52660af2ddb6150024046073317fc8c2de9966489f4728865a47ee9f575e43d83e1d1

Download Submit
C:\Windows\SysWOW64\wmdrtc32.dl_

Filesize
25KB

MD5
fed957eb1ba973775cf98404c51ddb91

SHA1
f8855c34695dd7414e57a2156adea98909dcf598

SHA256
33e71d67ed8322d05542d4587fbc91a0aa309c45f41d1a35d493336751fdc644

SHA512
79da603974b773e03d1c8e7b5acf131f379e54adee81d632ce46a5cb466e0736e01215abee61cba98fd6f23d7048bab9970861716757a19ea9976ad769f3fb0b

Download Submit
C:\Windows\SysWOW64\wmdrtc32.dll

Filesize
40KB

MD5
03ebc053c8eec6b4f4afbbb5dc64b169

SHA1
9ed172dbce1a6a1dd20e08a9720afba210eee79c

SHA256
ad25714f5c7eb2e27742b5e0886e865fc8884e8b65cb863d2aeba0c6dbff2d02

SHA512
40eab99574ea6614341b869239b014a74cdc24da0c4be69681eaab18de72bbef14ad4cf36215e39eff4978b8ed074762ce25bb85a042219ac5db5cb46390e9ff

Download Submit
C:\Windows\SysWOW64\wmdrtc32.dll

Filesize
40KB

MD5
03ebc053c8eec6b4f4afbbb5dc64b169

SHA1
9ed172dbce1a6a1dd20e08a9720afba210eee79c

SHA256
ad25714f5c7eb2e27742b5e0886e865fc8884e8b65cb863d2aeba0c6dbff2d02

SHA512
40eab99574ea6614341b869239b014a74cdc24da0c4be69681eaab18de72bbef14ad4cf36215e39eff4978b8ed074762ce25bb85a042219ac5db5cb46390e9ff

Download Submit
C:\Windows\SysWOW64\wmdrtc32.dll

Filesize
40KB

MD5
03ebc053c8eec6b4f4afbbb5dc64b169

SHA1
9ed172dbce1a6a1dd20e08a9720afba210eee79c

SHA256
ad25714f5c7eb2e27742b5e0886e865fc8884e8b65cb863d2aeba0c6dbff2d02

SHA512
40eab99574ea6614341b869239b014a74cdc24da0c4be69681eaab18de72bbef14ad4cf36215e39eff4978b8ed074762ce25bb85a042219ac5db5cb46390e9ff

Download Submit
memory/3168-25-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/3168-17-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3168-58-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3168-59-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/3632-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3632-26-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/3632-24-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3632-7-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads