69177b83c05ef1e3b99716693763dcfca9e8aa69aa033dda33ea82eb4584850a

Analysis

max time kernel
121s
max time network
133s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
06/11/2023, 21:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.d3210846d7e995c8faadcfa9f3839ee0.exe
Size

147KB
MD5

d3210846d7e995c8faadcfa9f3839ee0
SHA1

9e7e41e7835d7fea4c71771f127e2b6cf0939593
SHA256

69177b83c05ef1e3b99716693763dcfca9e8aa69aa033dda33ea82eb4584850a
SHA512

7890b22609abdf5fb47f4f7393e9acd9c65ec3c44bdab1da2c5be473bc42fd8d4a9e8f91de3bd97296335f560a249c87f3dd1ee900a0333c7b5b4ab93156d715
SSDEEP

3072:3LVoDvPd+A4WhkhXDl+i1lApwH08TdTIIIIIIIIIIIIIIIIIIfIIIIyIIIITIIIR:ZopGGgbiwU8JF

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe spoolto.exe"	spoolto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe spoolto.exe"	NEAS.d3210846d7e995c8faadcfa9f3839ee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe spoolto.exe"	spoolto.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	NEAS.d3210846d7e995c8faadcfa9f3839ee0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	spoolto.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NEAS.d3210846d7e995c8faadcfa9f3839ee0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	spoolto.exe

Executes dropped EXE 2 IoCs

pid	Process
2640	spoolto.exe
2152	spoolto.exe

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\Shell\open\command	NEAS.d3210846d7e995c8faadcfa9f3839ee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*"	NEAS.d3210846d7e995c8faadcfa9f3839ee0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\Shell\open\command	NEAS.d3210846d7e995c8faadcfa9f3839ee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*"	NEAS.d3210846d7e995c8faadcfa9f3839ee0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell\open\command	NEAS.d3210846d7e995c8faadcfa9f3839ee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*"	NEAS.d3210846d7e995c8faadcfa9f3839ee0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\Shell\open\command	NEAS.d3210846d7e995c8faadcfa9f3839ee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*"	NEAS.d3210846d7e995c8faadcfa9f3839ee0.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Host = "C:\\Windows\\spoolto.exe"	NEAS.d3210846d7e995c8faadcfa9f3839ee0.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsColorChart.html	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\JFONT.DAT	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsPrintTemplate.html	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsColorChart.html	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsMacroTemplate.html	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ENGIDX.DAT	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Modern.dotx	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Document Parts\1033\14\Built-In Building Blocks.dotx	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBrowserUpgrade.html	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsDoNotTrust.html	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsHomePage.html	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsImageTemplate.html	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsPreviewTemplate.html	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewFrame.html	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Default.dotx	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Traditional.dotx	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewFrame.html	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsFormTemplate.html	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPreviewTemplate.html	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\OUTFORM.DAT	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\PSRCHLEX.DAT	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsHomePage.html	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsVersion1Warning.htm	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsFormTemplate.html	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Newsprint.dotx	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsViewFrame.html	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPrintTemplateRTL.html	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ENGDIC.DAT	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Classic.dotx	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewTemplate.html	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\PSRCHPHN.DAT	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsBlankPage.html	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsVersion1Warning.htm	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsFormTemplateRTL.html	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPreviewTemplateRTL.html	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OUTLFLTR.DAT	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Simple.dotx	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\PSRCHKEY.DAT	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Thatch.dotx	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsPreviewTemplate.html	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsBrowserUpgrade.html	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OCRVC.DAT	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Manuscript.dotx	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsBrowserUpgrade.html	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsPrintTemplate.html	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsBrowserUpgrade.html	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsMacroTemplate.html	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsPrintTemplate.html	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPrintTemplate.html	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OSPP.HTM	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Fancy.dotx	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsColorChart.html	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsImageTemplate.html	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\LOOKUP.DAT	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Distinctive.dotx	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\PROTTPLN.DOC	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OCRHC.DAT	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBlankPage.html	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsPreviewTemplate.html	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsVersion1Warning.htm	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewTemplate.html	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsBlankPage.html	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Elegant.dotx	spoolto.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\AccessWeb\CLNTWRAP.HTM	spoolto.exe

Drops file in Windows directory 46 IoCs

description	ioc	Process
File created	C:\Windows\spoolto.exe	spoolto.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\	spoolto.exe
File created	C:\Windows\message.dat	spoolto.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Macromedia Contribute 2 Crack.exe	spoolto.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsBrowserUpgrade.html	spoolto.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsHomePage.html	spoolto.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsPrintTemplate.html	spoolto.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsViewTemplate.html	spoolto.exe
File created	C:\Windows\spoolto.exe	spoolto.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\	spoolto.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\iMesh 4.2 Ad Remover Keygen.exe	spoolto.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsVersion1Warning.htm	spoolto.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsViewFrame.html	spoolto.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsBrowserUpgrade.html	spoolto.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsHomePage.html	spoolto.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsPrintTemplateRTL.html	spoolto.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsBlankPage.html	spoolto.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsBlankPage.html	spoolto.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsImageTemplate.html	spoolto.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsPreviewTemplate.html	spoolto.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsViewFrame.html	spoolto.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsFormTemplate.html	spoolto.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsMacroTemplate.html	spoolto.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\	NEAS.d3210846d7e995c8faadcfa9f3839ee0.exe
File created	C:\Windows\message.htm	spoolto.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\CLNTWRAP.HTM	spoolto.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsImageTemplate.html	spoolto.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsFormTemplateRTL.html	spoolto.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Macromedia Contribute 2 Crack.exe	spoolto.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsColorChart.html	spoolto.exe
File created	C:\Windows\spoolto.exe	NEAS.d3210846d7e995c8faadcfa9f3839ee0.exe
File created	C:\Windows\svchost.exe	NEAS.d3210846d7e995c8faadcfa9f3839ee0.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsPrintTemplate.html	spoolto.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsColorChart.html	spoolto.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsPreviewTemplateRTL.html	spoolto.exe
File opened for modification	C:\Windows\svchost.exe	spoolto.exe
File opened for modification	C:\Windows\svchost.exe	spoolto.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsDoNotTrust.html	spoolto.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsPreviewTemplate.html	spoolto.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsFormTemplate.html	spoolto.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsMacroTemplate.html	spoolto.exe
File opened for modification	C:\Windows\spoolto.exe	NEAS.d3210846d7e995c8faadcfa9f3839ee0.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\iMesh 4.2 Ad Remover Keygen.exe	spoolto.exe
File opened for modification	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsVersion1Warning.htm	spoolto.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\FormsViewTemplate.html	spoolto.exe
File created	C:\Windows\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\OSPP.HTM	spoolto.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 47 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\PPTChangeInstallLanguage = "No"	spoolto.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Shared	spoolto.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT	spoolto.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System	spoolto.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	spoolto.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	spoolto.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	spoolto.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\PreviousInstallLanguage = "1033"	spoolto.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	spoolto.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0	spoolto.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common	spoolto.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\UILanguage = "1033"	spoolto.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\SharePointDesignerChangeInstallLanguage = "No"	spoolto.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\PublisherChangeInstallLanguage = "No"	spoolto.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\ProjectChangeInstallLanguage = "No"	spoolto.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion	spoolto.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	spoolto.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\InstallLanguage = "1033"	spoolto.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\WordChangeInstallLanguage = "No"	spoolto.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\OutlookChangeInstallLanguage = "No"	spoolto.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	spoolto.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\InfoPathChangeInstallLanguage = "No"	spoolto.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\WebDesignerChangeInstallLanguage = "No"	spoolto.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared\OfficeUILanguage = "1033"	spoolto.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	spoolto.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources	spoolto.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\UISnapshot = 31003000330033000000	spoolto.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\WordMailChangeInstallLanguage = "No"	spoolto.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	spoolto.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\HelpLanguage = "1033"	spoolto.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\WinXPLanguagePatch = "1"	spoolto.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem	spoolto.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\OneNoteChangeInstallLanguage = "No"	spoolto.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\LangTuneUp = "OfficeCompleted"	spoolto.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages	spoolto.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	spoolto.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\UIFallback = 30003b0031003000330033000000	spoolto.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\HelpFallback = 30003b0031003000330033000000	spoolto.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\AccessChangeInstallLanguage = "No"	spoolto.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages\1033 = "On"	spoolto.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	spoolto.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	spoolto.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources	spoolto.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\XLChangeInstallLanguage = "No"	spoolto.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{40DD6E20-7C17-11CE-A804-00AA003CA9F6} {000214FC-0000-0000-C000-000000000046} 0xFFFF = 010000000000000040b51bccf910da01	spoolto.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office	spoolto.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	spoolto.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell\open\command	NEAS.d3210846d7e995c8faadcfa9f3839ee0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\Shell\open\command	NEAS.d3210846d7e995c8faadcfa9f3839ee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*"	NEAS.d3210846d7e995c8faadcfa9f3839ee0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\Shell\open\command	NEAS.d3210846d7e995c8faadcfa9f3839ee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*"	NEAS.d3210846d7e995c8faadcfa9f3839ee0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\Shell\open\command	NEAS.d3210846d7e995c8faadcfa9f3839ee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*"	NEAS.d3210846d7e995c8faadcfa9f3839ee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*"	NEAS.d3210846d7e995c8faadcfa9f3839ee0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\Shell\open\command	NEAS.d3210846d7e995c8faadcfa9f3839ee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*"	NEAS.d3210846d7e995c8faadcfa9f3839ee0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\Shell\open\command	NEAS.d3210846d7e995c8faadcfa9f3839ee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" /S"	NEAS.d3210846d7e995c8faadcfa9f3839ee0.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2152	spoolto.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 2640	2120	NEAS.d3210846d7e995c8faadcfa9f3839ee0.exe	25
PID 2120 wrote to memory of 2640	2120	NEAS.d3210846d7e995c8faadcfa9f3839ee0.exe	25
PID 2120 wrote to memory of 2640	2120	NEAS.d3210846d7e995c8faadcfa9f3839ee0.exe	25
PID 2120 wrote to memory of 2640	2120	NEAS.d3210846d7e995c8faadcfa9f3839ee0.exe	25

C:\Users\Admin\AppData\Local\Temp\NEAS.d3210846d7e995c8faadcfa9f3839ee0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.d3210846d7e995c8faadcfa9f3839ee0.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Windows\spoolto.exe
  "C:\Windows\spoolto.exe" -xInstallOurNiceServicesYes
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:2640

C:\Windows\spoolto.exe
C:\Windows\spoolto.exe -xStartOurNiceServicesYes
1⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\FIpQvBFM.oSN\message.htm

Filesize
202KB

MD5
3559b3840debd9e32ce933720dd7e1c7

SHA1
41e7ae2ac57c1f188d248cbc5e821fd94e5360d3

SHA256
209627ba9584fb48e14f0bc2d936d43f2e21bc73b55a6b55a06a62049132afe2

SHA512
1c453c609520c2ff9e2ab01636537b5b66c477226f9de03bbc089549fcb8c93ca472ae242e92143379cdab00a1363bb0e19fb72579b56c4cf7572013da048b51

Download Submit
C:\Windows\message.dat

Filesize
201KB

MD5
3ed9c417a4d811fed28d8f07bb22165d

SHA1
c1a33c8552066d0c43d5530a142b33be18689d19

SHA256
2364d73882f4dc4e717f18fa00e9de11f121945597556b605913daa4f4b61877

SHA512
484817c352a353e641e1e76d54b1e989b25ff6fee9cebd686297d4a6855cc14caaf2c7b59834aabae11aac9ab4a71cf1630e4559b5f20cf7046d94fb5807959e

Download Submit
C:\Windows\spoolto.exe

Filesize
147KB

MD5
d3210846d7e995c8faadcfa9f3839ee0

SHA1
9e7e41e7835d7fea4c71771f127e2b6cf0939593

SHA256
69177b83c05ef1e3b99716693763dcfca9e8aa69aa033dda33ea82eb4584850a

SHA512
7890b22609abdf5fb47f4f7393e9acd9c65ec3c44bdab1da2c5be473bc42fd8d4a9e8f91de3bd97296335f560a249c87f3dd1ee900a0333c7b5b4ab93156d715

Download Submit
C:\Windows\spoolto.exe

Filesize
147KB

MD5
d3210846d7e995c8faadcfa9f3839ee0

SHA1
9e7e41e7835d7fea4c71771f127e2b6cf0939593

SHA256
69177b83c05ef1e3b99716693763dcfca9e8aa69aa033dda33ea82eb4584850a

SHA512
7890b22609abdf5fb47f4f7393e9acd9c65ec3c44bdab1da2c5be473bc42fd8d4a9e8f91de3bd97296335f560a249c87f3dd1ee900a0333c7b5b4ab93156d715

Download Submit
C:\Windows\spoolto.exe

Filesize
147KB

MD5
d3210846d7e995c8faadcfa9f3839ee0

SHA1
9e7e41e7835d7fea4c71771f127e2b6cf0939593

SHA256
69177b83c05ef1e3b99716693763dcfca9e8aa69aa033dda33ea82eb4584850a

SHA512
7890b22609abdf5fb47f4f7393e9acd9c65ec3c44bdab1da2c5be473bc42fd8d4a9e8f91de3bd97296335f560a249c87f3dd1ee900a0333c7b5b4ab93156d715

Download Submit
C:\Windows\spoolto.exe

Filesize
147KB

MD5
d3210846d7e995c8faadcfa9f3839ee0

SHA1
9e7e41e7835d7fea4c71771f127e2b6cf0939593

SHA256
69177b83c05ef1e3b99716693763dcfca9e8aa69aa033dda33ea82eb4584850a

SHA512
7890b22609abdf5fb47f4f7393e9acd9c65ec3c44bdab1da2c5be473bc42fd8d4a9e8f91de3bd97296335f560a249c87f3dd1ee900a0333c7b5b4ab93156d715

Download Submit
C:\Windows\svchost.exe

Filesize
147KB

MD5
e0b75e023274ca8f6b57e457e2074a87

SHA1
5b60303cfde199875c3520714f1ea367bdc5e958

SHA256
be5997558d53924438a8399221f0573a8b0db898444c5bd0326ddff2585ef7e2

SHA512
a3840ca1b70d607f2018e04bc51aed37f352de03d58e0adf6c508fb60287cfb0391f0600e5bf876608839428581b8152e8559426bb832638251a28dbdfd8c08d

Download Submit
C:\Windows\svchost.exe

Filesize
147KB

MD5
d3210846d7e995c8faadcfa9f3839ee0

SHA1
9e7e41e7835d7fea4c71771f127e2b6cf0939593

SHA256
69177b83c05ef1e3b99716693763dcfca9e8aa69aa033dda33ea82eb4584850a

SHA512
7890b22609abdf5fb47f4f7393e9acd9c65ec3c44bdab1da2c5be473bc42fd8d4a9e8f91de3bd97296335f560a249c87f3dd1ee900a0333c7b5b4ab93156d715

Download Submit