cf55ec22d9c296320b624f94156080c872093a47b8018276faffdbb1d47ea042

Analysis

max time kernel
146s
max time network
150s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
06/11/2023, 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.0ac5880cc1862e29e1683a403a64d9d0.exe
Size

210KB
MD5

0ac5880cc1862e29e1683a403a64d9d0
SHA1

d343babf19fe2fd46b504e7aaf67f1b1ca4d8a20
SHA256

cf55ec22d9c296320b624f94156080c872093a47b8018276faffdbb1d47ea042
SHA512

6c50fa07d714a85b9d900f23b678f83765af9e8c989bd51e5ae91f8ba1822b2a1857d52ef97a2b0ca4fc03e1af78daa7e5c76ee5dcc94edd6e64869660b2d7e0
SSDEEP

3072:HfI+O5HNkDxtVagroHSCpNce3oPOM7TC7BbCk+dZpp5bdAXPVaefq4Nxi/3:45YRjBh3C7dULPiPVBg

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2796	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2604	NEAS.0ac5880cc1862e29e1683a403a64d9d0.exe
2604	NEAS.0ac5880cc1862e29e1683a403a64d9d0.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\94407a86 = "C:\\Windows\\apppatch\\svchost.exe"	NEAS.0ac5880cc1862e29e1683a403a64d9d0.exe

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\pupycag.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\galynuh.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\purylev.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qetyhyg.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lysyfyj.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lymyxid.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qexyhuv.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gatyhub.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\volykit.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lygyvuj.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vocyzit.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vonypom.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\pumyjig.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\puzylyp.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gadyciz.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vofycot.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lyxynyx.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\galyqaz.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lyrysor.com	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	NEAS.0ac5880cc1862e29e1683a403a64d9d0.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	NEAS.0ac5880cc1862e29e1683a403a64d9d0.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\Local Settings\MuiCache	svchost.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2796	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2604	NEAS.0ac5880cc1862e29e1683a403a64d9d0.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2604	NEAS.0ac5880cc1862e29e1683a403a64d9d0.exe
Token: SeSecurityPrivilege	2604	NEAS.0ac5880cc1862e29e1683a403a64d9d0.exe
Token: SeSecurityPrivilege	2796	svchost.exe
Token: SeSecurityPrivilege	2796	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 2796	2604	NEAS.0ac5880cc1862e29e1683a403a64d9d0.exe	28
PID 2604 wrote to memory of 2796	2604	NEAS.0ac5880cc1862e29e1683a403a64d9d0.exe	28
PID 2604 wrote to memory of 2796	2604	NEAS.0ac5880cc1862e29e1683a403a64d9d0.exe	28
PID 2604 wrote to memory of 2796	2604	NEAS.0ac5880cc1862e29e1683a403a64d9d0.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.0ac5880cc1862e29e1683a403a64d9d0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.0ac5880cc1862e29e1683a403a64d9d0.exe"
1⤵
- Loads dropped DLL
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b59b4a9c0f81196158417783cacaec79

SHA1
f007ffea643a5ab3fdb58d8005cb9eb441eb2c99

SHA256
b937892a72a8cee7feb8730929f31580591fd8c0fc1b98561cc0b9bb707954b3

SHA512
a358870ebb9448491214706a1d770ba1d0e69c946a2d03b77cd44bdfd46dcf9de7becc222ea031e3d749ce825f12884fc12e159e4855adbfcee1b82f9ab9f464

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e7dd90b80690187100a055078fa4508c

SHA1
c2cbfb76219842c9865e74d65511087d2570b5c1

SHA256
ada52d87cf3e1994b3567201e5e5c459d11d5912dcc952998c5dec8d19a34964

SHA512
43f31c7401c4c8b66bcbb5b60e85a8a0208fadc964caf8b7c877f0c61fb86fb9c02af2dd1f1ca32412516ee58019172e864c49733c97e4b09d564227e3113fa3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4e694fe6af4a7e97855e7a09a9be629a

SHA1
62bf690772689f7bed93d7948906f51f9a4c83da

SHA256
e544bfb8072b03a6c7249dfacf9887d155b7c0d191b92955d9ffdcf9cd3ac63c

SHA512
4f4aae19cf4c48ae4df171f2c508c07a8c887fb4a36ed658d57802132073366873d28532e368eaa82f3a5dea996515fd55ad0f3b3ec71657a0b4ce972d02cacd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
20b2ea9f5aec78b440975626499878c3

SHA1
66673c6f6372a75bb8b51507ce3f5c1c5bea7015

SHA256
0c9ad013bc4252b402e7dcbeb1917ab5ff9d255db8c599d74b5dd6ec084d9250

SHA512
a176621cd9b37fc1c780ef2f28287c0c83463ef49ab4c411e4dc711b55fa3b9e2a45f0c0af9fca2d5c9bb866d843b48e06ee837dc3647be7469304bba9e99a08

Download Submit
C:\Users\Admin\AppData\LocalLow\Temp\CabA1CF.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Temp\TarA453.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Windows\AppPatch\svchost.exe

Filesize
210KB

MD5
1d310977d20ab1790e653b0cfe6b882f

SHA1
f5bfe65aa9001112f6ad743e51e83baf26e3cbbc

SHA256
998fe8a2df1708602742ed867924e0eeb452af8b1d1070b3ed842a94689df52b

SHA512
990650a6c8adbe5ba62578bcbc2da75e151caa5b3eb6c9b91b207ad63cdb9d05bf1b26567e89b65a58749ac119819469fd99333be94583f3f09d317bfd21a36e

Download Submit
C:\Windows\AppPatch\svchost.exe

Filesize
210KB

MD5
1d310977d20ab1790e653b0cfe6b882f

SHA1
f5bfe65aa9001112f6ad743e51e83baf26e3cbbc

SHA256
998fe8a2df1708602742ed867924e0eeb452af8b1d1070b3ed842a94689df52b

SHA512
990650a6c8adbe5ba62578bcbc2da75e151caa5b3eb6c9b91b207ad63cdb9d05bf1b26567e89b65a58749ac119819469fd99333be94583f3f09d317bfd21a36e

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
210KB

MD5
1d310977d20ab1790e653b0cfe6b882f

SHA1
f5bfe65aa9001112f6ad743e51e83baf26e3cbbc

SHA256
998fe8a2df1708602742ed867924e0eeb452af8b1d1070b3ed842a94689df52b

SHA512
990650a6c8adbe5ba62578bcbc2da75e151caa5b3eb6c9b91b207ad63cdb9d05bf1b26567e89b65a58749ac119819469fd99333be94583f3f09d317bfd21a36e

Download Submit
\Windows\AppPatch\svchost.exe

Filesize
210KB

MD5
1d310977d20ab1790e653b0cfe6b882f

SHA1
f5bfe65aa9001112f6ad743e51e83baf26e3cbbc

SHA256
998fe8a2df1708602742ed867924e0eeb452af8b1d1070b3ed842a94689df52b

SHA512
990650a6c8adbe5ba62578bcbc2da75e151caa5b3eb6c9b91b207ad63cdb9d05bf1b26567e89b65a58749ac119819469fd99333be94583f3f09d317bfd21a36e

Download Submit
\Windows\AppPatch\svchost.exe

Filesize
210KB

MD5
1d310977d20ab1790e653b0cfe6b882f

SHA1
f5bfe65aa9001112f6ad743e51e83baf26e3cbbc

SHA256
998fe8a2df1708602742ed867924e0eeb452af8b1d1070b3ed842a94689df52b

SHA512
990650a6c8adbe5ba62578bcbc2da75e151caa5b3eb6c9b91b207ad63cdb9d05bf1b26567e89b65a58749ac119819469fd99333be94583f3f09d317bfd21a36e

Download Submit
memory/2604-1-0x0000000000340000-0x0000000000392000-memory.dmp

Filesize
328KB

Download
memory/2604-2-0x0000000000400000-0x00000000005E3000-memory.dmp

Filesize
1.9MB

Download
memory/2604-20-0x0000000000400000-0x00000000005E3000-memory.dmp

Filesize
1.9MB

Download
memory/2604-18-0x0000000000340000-0x0000000000392000-memory.dmp

Filesize
328KB

Download
memory/2604-0-0x0000000000400000-0x00000000005E3000-memory.dmp

Filesize
1.9MB

Download
memory/2796-53-0x00000000025C0000-0x0000000002677000-memory.dmp

Filesize
732KB

Download
memory/2796-65-0x00000000025C0000-0x0000000002677000-memory.dmp

Filesize
732KB

Download
memory/2796-35-0x00000000025C0000-0x0000000002677000-memory.dmp

Filesize
732KB

Download
memory/2796-37-0x00000000025C0000-0x0000000002677000-memory.dmp

Filesize
732KB

Download
memory/2796-31-0x0000000002220000-0x00000000022CA000-memory.dmp

Filesize
680KB

Download
memory/2796-40-0x00000000025C0000-0x0000000002677000-memory.dmp

Filesize
732KB

Download
memory/2796-42-0x00000000025C0000-0x0000000002677000-memory.dmp

Filesize
732KB

Download
memory/2796-43-0x00000000025C0000-0x0000000002677000-memory.dmp

Filesize
732KB

Download
memory/2796-41-0x00000000025C0000-0x0000000002677000-memory.dmp

Filesize
732KB

Download
memory/2796-44-0x00000000025C0000-0x0000000002677000-memory.dmp

Filesize
732KB

Download
memory/2796-45-0x00000000025C0000-0x0000000002677000-memory.dmp

Filesize
732KB

Download
memory/2796-46-0x00000000025C0000-0x0000000002677000-memory.dmp

Filesize
732KB

Download
memory/2796-47-0x00000000025C0000-0x0000000002677000-memory.dmp

Filesize
732KB

Download
memory/2796-48-0x00000000025C0000-0x0000000002677000-memory.dmp

Filesize
732KB

Download
memory/2796-49-0x00000000025C0000-0x0000000002677000-memory.dmp

Filesize
732KB

Download
memory/2796-50-0x00000000025C0000-0x0000000002677000-memory.dmp

Filesize
732KB

Download
memory/2796-52-0x00000000025C0000-0x0000000002677000-memory.dmp

Filesize
732KB

Download
memory/2796-51-0x00000000025C0000-0x0000000002677000-memory.dmp

Filesize
732KB

Download
memory/2796-29-0x0000000002220000-0x00000000022CA000-memory.dmp

Filesize
680KB

Download
memory/2796-54-0x00000000025C0000-0x0000000002677000-memory.dmp

Filesize
732KB

Download
memory/2796-55-0x00000000025C0000-0x0000000002677000-memory.dmp

Filesize
732KB

Download
memory/2796-56-0x00000000025C0000-0x0000000002677000-memory.dmp

Filesize
732KB

Download
memory/2796-58-0x00000000025C0000-0x0000000002677000-memory.dmp

Filesize
732KB

Download
memory/2796-60-0x00000000025C0000-0x0000000002677000-memory.dmp

Filesize
732KB

Download
memory/2796-61-0x00000000025C0000-0x0000000002677000-memory.dmp

Filesize
732KB

Download
memory/2796-62-0x00000000025C0000-0x0000000002677000-memory.dmp

Filesize
732KB

Download
memory/2796-64-0x00000000025C0000-0x0000000002677000-memory.dmp

Filesize
732KB

Download
memory/2796-33-0x0000000002220000-0x00000000022CA000-memory.dmp

Filesize
680KB

Download
memory/2796-66-0x00000000025C0000-0x0000000002677000-memory.dmp

Filesize
732KB

Download
memory/2796-68-0x00000000025C0000-0x0000000002677000-memory.dmp

Filesize
732KB

Download
memory/2796-69-0x00000000025C0000-0x0000000002677000-memory.dmp

Filesize
732KB

Download
memory/2796-70-0x00000000025C0000-0x0000000002677000-memory.dmp

Filesize
732KB

Download
memory/2796-71-0x00000000025C0000-0x0000000002677000-memory.dmp

Filesize
732KB

Download
memory/2796-72-0x00000000025C0000-0x0000000002677000-memory.dmp

Filesize
732KB

Download
memory/2796-73-0x00000000025C0000-0x0000000002677000-memory.dmp

Filesize
732KB

Download
memory/2796-74-0x00000000025C0000-0x0000000002677000-memory.dmp

Filesize
732KB

Download
memory/2796-75-0x00000000025C0000-0x0000000002677000-memory.dmp

Filesize
732KB

Download
memory/2796-76-0x00000000025C0000-0x0000000002677000-memory.dmp

Filesize
732KB

Download
memory/2796-77-0x00000000025C0000-0x0000000002677000-memory.dmp

Filesize
732KB

Download
memory/2796-78-0x00000000025C0000-0x0000000002677000-memory.dmp

Filesize
732KB

Download
memory/2796-80-0x00000000025C0000-0x0000000002677000-memory.dmp

Filesize
732KB

Download
memory/2796-82-0x00000000025C0000-0x0000000002677000-memory.dmp

Filesize
732KB

Download
memory/2796-83-0x00000000025C0000-0x0000000002677000-memory.dmp

Filesize
732KB

Download
memory/2796-86-0x00000000025C0000-0x0000000002677000-memory.dmp

Filesize
732KB

Download
memory/2796-84-0x00000000025C0000-0x0000000002677000-memory.dmp

Filesize
732KB

Download
memory/2796-85-0x00000000025C0000-0x0000000002677000-memory.dmp

Filesize
732KB

Download
memory/2796-182-0x0000000000400000-0x00000000005E3000-memory.dmp

Filesize
1.9MB

Download
memory/2796-184-0x00000000025C0000-0x0000000002677000-memory.dmp

Filesize
732KB

Download
memory/2796-27-0x0000000002220000-0x00000000022CA000-memory.dmp

Filesize
680KB

Download
memory/2796-25-0x0000000002220000-0x00000000022CA000-memory.dmp

Filesize
680KB

Download
memory/2796-22-0x0000000002220000-0x00000000022CA000-memory.dmp

Filesize
680KB

Download
memory/2796-23-0x0000000000400000-0x00000000005E3000-memory.dmp

Filesize
1.9MB

Download
memory/2796-21-0x0000000000270000-0x00000000002C2000-memory.dmp

Filesize
328KB

Download
memory/2796-19-0x0000000000400000-0x00000000005E3000-memory.dmp

Filesize
1.9MB

Download