9c2e03316821804c8f21dda28c1bd2c93a7539133ded5af5e9b307cd2fc7b0d6

Analysis

max time kernel
172s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
04/11/2023, 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.4af88ea026da3d82dcea879ec94b7d10_JC.exe
Size

1.0MB
MD5

4af88ea026da3d82dcea879ec94b7d10
SHA1

7f5dc51f408d921aa0f5e36643f51b51a487639a
SHA256

9c2e03316821804c8f21dda28c1bd2c93a7539133ded5af5e9b307cd2fc7b0d6
SHA512

068bf1f9f0131aecf8b6a2b9253aaefdd8233d959ac20b5c27c86883c81987b7a2802a33da9035d69af3380a8e09e89b4cea654f4a8a90cde54eedccb018c74b
SSDEEP

24576:rKfQR1QpusQ/WJDaS5LbZKmUXubhEOLvpv5xV02zqByyXd3YE:rKfQR1iWWMCLblJbP1HV0F

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4624	shfill.exe

Loads dropped DLL 1 IoCs

pid	Process
4624	shfill.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\shfill.INI	shfill.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4624	shfill.exe
4624	shfill.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 4624	1528	NEAS.4af88ea026da3d82dcea879ec94b7d10_JC.exe	91
PID 1528 wrote to memory of 4624	1528	NEAS.4af88ea026da3d82dcea879ec94b7d10_JC.exe	91
PID 1528 wrote to memory of 4624	1528	NEAS.4af88ea026da3d82dcea879ec94b7d10_JC.exe	91
PID 4624 wrote to memory of 4212	4624	shfill.exe	92
PID 4624 wrote to memory of 4212	4624	shfill.exe	92

C:\Users\Admin\AppData\Local\Temp\NEAS.4af88ea026da3d82dcea879ec94b7d10_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.4af88ea026da3d82dcea879ec94b7d10_JC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Users\Admin\AppData\Local\Temp\ShF509C.tmp\shfill.exe
  C:\Users\Admin\AppData\Local\Temp\ShF509C.tmp\shfill.exe form.ftf "C:\Users\Admin\AppData\Local\Temp\NEAS.4af88ea026da3d82dcea879ec94b7d10_JC.exe" Form.fdd
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4624
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:4212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ShF509C.tmp\CODEBAR.dll

Filesize
64KB

MD5
1e6564a600b7cfea93f0684aa6188f2e

SHA1
c8027fa5e4ccf0dc50171351bf0bed78da70727b

SHA256
862ab277a7b83265df7c9875256240dd61feb27799d07f8cd48307bb3a79ea29

SHA512
79f29a17c5a34369c0d80997d9af380d7fd44f19018ff564f7400c3141adab8be7af20a34cf158301d364c083c4e3a696d50cbfefe79cb7d328c7c750db706b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ShF509C.tmp\Form.fdd

Filesize
1KB

MD5
7aff3e768acd60511287e484510c73a5

SHA1
ee4544c35751ef3c27d904d2a23fabc862f3079b

SHA256
fac69f69bdacc10248e7c76f6f094b9c92ee0cf086ac802c1765ba72f529cb20

SHA512
13839ca2f1462725668a3f2a50495a6e21940d9ca8279243baa1e4395ff55bf88324b556002ed0bdca414c4075f5737b6a9bb085ff21624cc77adbf2ec90ab7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ShF509C.tmp\ShFill.exe

Filesize
1.3MB

MD5
cd3a82cc3684196c11430de1d37218b3

SHA1
21ed2dad045f7c0880e122ca166ea3a1c6cab635

SHA256
fca070de6b7e48b20211e5fe90acd8a2c329e08a359cba6f4110c720d4a196ef

SHA512
861d369477811a457a60438d1e3d9798fcd79f7c95b5f472ceac32b8e3a6c52abeaf1ecfe9eb29e8b35e6dbd5995d338ff784aad7b9782086948affd1510223d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ShF509C.tmp\codebar.dll

Filesize
64KB

MD5
1e6564a600b7cfea93f0684aa6188f2e

SHA1
c8027fa5e4ccf0dc50171351bf0bed78da70727b

SHA256
862ab277a7b83265df7c9875256240dd61feb27799d07f8cd48307bb3a79ea29

SHA512
79f29a17c5a34369c0d80997d9af380d7fd44f19018ff564f7400c3141adab8be7af20a34cf158301d364c083c4e3a696d50cbfefe79cb7d328c7c750db706b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ShF509C.tmp\form.ftf

Filesize
46KB

MD5
e7a9299bb7ed2216805040d8c3f668d9

SHA1
54fef28119acf0362756871f99c0cdc07109494d

SHA256
18cc8d64bed8cf913510327ba30edb2d83c0f2f962e2dbd007b1388c70169b7a

SHA512
ed54e4a71bfff3234fde575ec09d9eab2f539c7d1c546ab8cc9794c55f21949ed7edf114ffefc69a1c90a018b8066589052e941f4069e0cf3cce500b50a4203d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ShF509C.tmp\shfill.exe

Filesize
1.3MB

MD5
cd3a82cc3684196c11430de1d37218b3

SHA1
21ed2dad045f7c0880e122ca166ea3a1c6cab635

SHA256
fca070de6b7e48b20211e5fe90acd8a2c329e08a359cba6f4110c720d4a196ef

SHA512
861d369477811a457a60438d1e3d9798fcd79f7c95b5f472ceac32b8e3a6c52abeaf1ecfe9eb29e8b35e6dbd5995d338ff784aad7b9782086948affd1510223d

Download Submit
C:\Windows\shfill.INI

Filesize
151B

MD5
b7f129f2a79bd6b9ec1c9620df935cd5

SHA1
00ebae4b62d2595305f81e97206b7069b46daf5a

SHA256
2465cdea2e1e581cf9d5df3dd0bc5c85c456284906ed0bb9ae1f9510139e1140

SHA512
3461bf6933fb54d380c816e9996b6cf4e580d96e82c97141fd285f17aeee45cc94410326acff91ac0a0c7850258f9f181fdfceb7c700aae7457c8b2dd41f43c1

Download Submit