f3913f342925a194afa64bbf41f7353dc2c735380163fad906f4bcb8d31b0d36

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2023 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.74687ec1de6d49e2dfd11d5c4f0c45a0_JC.exe
Size

217KB
MD5

74687ec1de6d49e2dfd11d5c4f0c45a0
SHA1

004f7135db1386be0ed6689dde4a5a8977fd213b
SHA256

f3913f342925a194afa64bbf41f7353dc2c735380163fad906f4bcb8d31b0d36
SHA512

7aa708ab661ea67f686e27aa2f8fdf045dbc76c3880f82d0ced8226bb9f4921612088d349b22e60996e77714f79eb8ee3ba16a49e558196e67aa15df5600cb9a
SSDEEP

6144:/rRaTyDOnlo7eM+mlkWgRXOqobzWjozm2ulYM6Y:DsTbzu1glovW4EH6Y

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
820	svchost.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\4e584100 = "ÃÕ\x18\x01\x12Ñ§sÛ°Ú‡\x13ß—\u008d¤,ÜÊÕ\x19mÏ,¿#Ž!ÔQß\x7fÜ›»»w\|œ·Öÿ+xl~&ô,\x7fƒ\a·OLèäP³\aLÎäTÇ_@\bÌÓDg‹†[\\Ô÷,Ücôþ4\|›ÿæß¿\\„ßð\b\x10Ô€„ì/\x1eFœ<Û~ø{?\x04óîS"	NEAS.74687ec1de6d49e2dfd11d5c4f0c45a0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\4e584100 = "ÃÕ\x18\x01\x12Ñ§sÛ°Ú‡\x13ß—\u008d¤,ÜÊÕ\x19mÏ,¿#Ž!ÔQß\x7fÜ›»»w\|œ·Öÿ+xl~&ô,\x7fƒ\a·OLèäP³\aLÎäTÇ_@\bÌÓDg‹†[\\Ô÷,Ücôþ4\|›ÿæß¿\\„ßð\b\x10Ô€„ì/\x1eFœ<Û~ø{?\x04óîS"	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	NEAS.74687ec1de6d49e2dfd11d5c4f0c45a0_JC.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	NEAS.74687ec1de6d49e2dfd11d5c4f0c45a0_JC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3840	NEAS.74687ec1de6d49e2dfd11d5c4f0c45a0_JC.exe
3840	NEAS.74687ec1de6d49e2dfd11d5c4f0c45a0_JC.exe
3840	NEAS.74687ec1de6d49e2dfd11d5c4f0c45a0_JC.exe
3840	NEAS.74687ec1de6d49e2dfd11d5c4f0c45a0_JC.exe
3840	NEAS.74687ec1de6d49e2dfd11d5c4f0c45a0_JC.exe
3840	NEAS.74687ec1de6d49e2dfd11d5c4f0c45a0_JC.exe
3840	NEAS.74687ec1de6d49e2dfd11d5c4f0c45a0_JC.exe
3840	NEAS.74687ec1de6d49e2dfd11d5c4f0c45a0_JC.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe
820	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3840	NEAS.74687ec1de6d49e2dfd11d5c4f0c45a0_JC.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3840 wrote to memory of 820	3840	NEAS.74687ec1de6d49e2dfd11d5c4f0c45a0_JC.exe	85
PID 3840 wrote to memory of 820	3840	NEAS.74687ec1de6d49e2dfd11d5c4f0c45a0_JC.exe	85
PID 3840 wrote to memory of 820	3840	NEAS.74687ec1de6d49e2dfd11d5c4f0c45a0_JC.exe	85

C:\Users\Admin\AppData\Local\Temp\NEAS.74687ec1de6d49e2dfd11d5c4f0c45a0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.74687ec1de6d49e2dfd11d5c4f0c45a0_JC.exe"
1⤵
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3840
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - Suspicious behavior: EnumeratesProcesses
  PID:820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5T0U3BIO\login[1].htm

Filesize
168B

MD5
d57e3a550060f85d44a175139ea23021

SHA1
2c5cb3428a322c9709a34d04dd86fe7628f8f0a6

SHA256
43edf068d34276e8ade4113d4d7207de19fc98a2ae1c07298e593edae2a8774c

SHA512
0364fe6a010fce7a3f4a6344c84468c64b20fd131f3160fc649db78f1075ba52d8a1c4496e50dbe27c357e01ee52e94cdcda8f7927cba28d5f2f45b9da690063

Download Submit
C:\Users\Admin\AppData\Local\Temp\1630.tmp

Filesize
12KB

MD5
1639705c0468ff5b89d563cc785c9374

SHA1
f6807f616bab661123da67196ca7d5015df9ea82

SHA256
4788bc2f12f5ef35a1e86ba33d4ecd9efcc89446502465d7e8320a36c6a0e25c

SHA512
d50f65b6100586ddda7d62a8d21d013e0c5d4c52a2fc5d53867ba086571116dac992eefd2fb55873196f3516bac91c9cff8da5f4b8f91e5f9c13240e5622d768

Download Submit
C:\Users\Admin\AppData\Local\Temp\1815.tmp

Filesize
1KB

MD5
b17764956b4b96a9f73213225c56c705

SHA1
1484dda4ae8dbf937561bdd273a19f03cba459d1

SHA256
a8dbf47554cfed8b50b81d3ac033bc2bd95aa52527fa23c7a333148ec8585c3f

SHA512
3de01ba4197bc6833c5b1932f962e57768c1e71093cc0bedb511dcbd10c23c907fdaf176599cd5fb147ac5ec42ee0ee0b49290a8f47a374d43957db496de1150

Download Submit
C:\Users\Admin\AppData\Local\Temp\2D87.tmp

Filesize
22KB

MD5
c06432d6ba8b642a0ae252cee2d3b0d5

SHA1
84d5b75d7dfadbba8fc8c9c47371fbc618293dea

SHA256
d26f87a68079eb6c544018cb07d0493c08cf558e032ad516453b9a796974ee76

SHA512
865cad15c1fa9c9987672f6d4eb5961e13227ed67423745f4b79aa6ddee82fd87a78256d4df16867eda08fc49f525e86636f645c55959a1aafc972d9bb5307df

Download Submit
C:\Users\Admin\AppData\Local\Temp\5410.tmp

Filesize
593B

MD5
926512864979bc27cf187f1de3f57aff

SHA1
acdeb9d6187932613c7fa08eaf28f0cd8116f4b5

SHA256
b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f

SHA512
f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8A54.tmp

Filesize
2KB

MD5
54c88c4489b40b3fb2629eaf3c1787cf

SHA1
7d5d159e22fa9bc8f3c65998b2a568bec461bd30

SHA256
0f22c2500e1c571fb35b410c0c36730b86cc898fe2dcb1f19d1bc77d8fd73335

SHA512
c21f46323692560c0a08c2beda25326a69b84bcba31d3252cc14efdf6876826cf81ff63a4515f1328543c34adda354c0bfe61d13d588813e90635ff3474a3c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\A0F.tmp

Filesize
1KB

MD5
46263a3fbc735f083d6666ddfb3516f5

SHA1
4839b7678ec67c8bd61398e16d9e646c1e48e6d1

SHA256
c4b37218e3027d4bb6039b7c819cb3b2293a7f0bd56d5fd386470ff379a9fb48

SHA512
c60375efc0213035e5404a7f35c190c5ee08cd834bb4f130ae23f80427f253c2e543249bc627598298b0d537f5251f56b86d519e5a534d0df81cc462ff2f40f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\E372.tmp

Filesize
2KB

MD5
b29b24656038db93482de700a18e29b6

SHA1
ad34241496eab11d47f213707559f7dc9d99b947

SHA256
36814482b7ae02eef64c4c117fdbcf73d2ad4fc5f67b86be2d7d5ad70fd0c275

SHA512
831b79fe44ae52ba79bc1dd346ee0be5f685cc8a94fc7e9efdb804055a819e667b88680bdb31b3362bd57712b11a97717934a5a3c796f2095e910a008991d028

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAF5.tmp

Filesize
2KB

MD5
bef4b14559981aeedb39b664a1050292

SHA1
11e79e75ba61e7315b41c398bc83d66252235a4a

SHA256
f88925ae116ec21afbf5aed4e82d6ea7b1a63e79aa1c0d28f987ef6197691ff2

SHA512
fc18aa315b8801e989c75ac0852020b30f5343e2a651870e104fbe8619de5ef131ecc8036a32dc34ecfb1e2b43ae3d945cb5462890c62fd763a770b41d7af867

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB35.tmp

Filesize
42KB

MD5
64234f7306d3ce393764d0cb4bec0d73

SHA1
5e67b61820c0f5fde70e37b2a9b6c09b22a3a034

SHA256
84bebf83e799fbb74ffa856e44015b2320037246f32cd9f9f5d235435e494741

SHA512
d86532b58f78ac4fde638e57fa102aa51e9742501eeeb16a637391faeeee5e3f63aeeabaa94372198ba359ef5afe456ba437bc6658127f7ab6b1a0edc668d33c

Download Submit
C:\Users\Admin\AppData\Local\Temp\F17B.tmp

Filesize
22KB

MD5
e66eee055ee7eb00ef671e3f2eb335c7

SHA1
2289d4fbedf39e0fd2f82ba3d7fb9702770701cd

SHA256
e24c807467dd1cb24f9e51c09f818d1c92fc1230920553f24102cf48475b30f6

SHA512
31e7969de46fd0d5cf2a5d49f72878e7b10afd4ce6151131c9b835321f08dd6ccecb67f46f8c052d95d74861d2e979be06f2d087db781da57945fd0c28b1e2e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\FA3F.tmp

Filesize
481B

MD5
4c69a8728ac6b7af96a2a98a38c51830

SHA1
a36373b92e7662042b519ed03d13e9f52ba535ed

SHA256
57930d8f254c2b8e9b3d0c6f54dd518b6c5c52b9a4a6ce5e4f4bec953f7f1a63

SHA512
73c380c51c7ab8ed1f362e61f513d6cd801d00bf23e1ab3103b57f331d0bb5cd31f25da40d0fe9fb7123428bba0666a66cb799971606da5e732196ea607999c2

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
217KB

MD5
d905028c84214a392fdca14f640ed5f3

SHA1
d37f64b1a0854ac65a23d08118ef207809436d02

SHA256
6f3c9565913bbee65cdb8c7b7d9a56ddb0263e2e1620b6896d71cba5c205e230

SHA512
af081e56fe5bd6527de493203daa48f72869d8ac15376af423bdbc5cd3c0c4eedf8c376d7edd05c44072117d58f690d9432341b020e21a84a8aeecbdfab65598

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
217KB

MD5
d905028c84214a392fdca14f640ed5f3

SHA1
d37f64b1a0854ac65a23d08118ef207809436d02

SHA256
6f3c9565913bbee65cdb8c7b7d9a56ddb0263e2e1620b6896d71cba5c205e230

SHA512
af081e56fe5bd6527de493203daa48f72869d8ac15376af423bdbc5cd3c0c4eedf8c376d7edd05c44072117d58f690d9432341b020e21a84a8aeecbdfab65598

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
217KB

MD5
d905028c84214a392fdca14f640ed5f3

SHA1
d37f64b1a0854ac65a23d08118ef207809436d02

SHA256
6f3c9565913bbee65cdb8c7b7d9a56ddb0263e2e1620b6896d71cba5c205e230

SHA512
af081e56fe5bd6527de493203daa48f72869d8ac15376af423bdbc5cd3c0c4eedf8c376d7edd05c44072117d58f690d9432341b020e21a84a8aeecbdfab65598

Download Submit
memory/820-41-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/820-48-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/820-26-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/820-28-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/820-29-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/820-31-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/820-30-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/820-32-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/820-34-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/820-33-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/820-35-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/820-36-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/820-37-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/820-38-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/820-39-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/820-25-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/820-40-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/820-42-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/820-43-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/820-44-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/820-45-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/820-46-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/820-47-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/820-27-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/820-49-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/820-50-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/820-51-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/820-52-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/820-55-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/820-54-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/820-76-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/820-77-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/820-53-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/820-24-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/820-23-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/820-21-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/820-179-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/820-183-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/820-19-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/820-17-0x00000000028B0000-0x0000000002958000-memory.dmp

Filesize
672KB

Download
memory/820-16-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/820-13-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/820-15-0x00000000024D0000-0x0000000002521000-memory.dmp

Filesize
324KB

Download
memory/3840-1-0x0000000002190000-0x00000000021E1000-memory.dmp

Filesize
324KB

Download
memory/3840-0-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/3840-2-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/3840-11-0x0000000002190000-0x00000000021E1000-memory.dmp

Filesize
324KB

Download
memory/3840-14-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download