7921430bd122856c7a586729109f1ffac679071ac91f1c345d1942157ce10c5a

Analysis

max time kernel
138s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2023, 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.7ff3fb48f73f8481b359382afbd44acb.exe
Size

399KB
MD5

7ff3fb48f73f8481b359382afbd44acb
SHA1

4666a392b15186da0b04f4246e977ff7ae846fb5
SHA256

7921430bd122856c7a586729109f1ffac679071ac91f1c345d1942157ce10c5a
SHA512

31b2293aabd8ead15603459f874be22cf25dc12a29565930283f95942df9e798e79d213dd0a6195d9a0ec6fff58a32c70d15c1fb5d24ebb7aea9be7d341fff9a
SSDEEP

6144:m4EmWPDNND9yRPzLq+YXFqaZiMLic9kzVd7EAC4TSs9Eir4Xd5Md:8mWhND9yJz+b1FcMLmp2ATTSsdr4NW

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
3432	svchost.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\d14788c4 = "ÿ6Š—9ÞŸÔó·P©\|\fhña…MX\x0f\u00a0?s›“ç&Ù\x1d\u00ad\u0090¼FHv¥;\vˆ\x18PÀ¬\x1dh4\x1eåð»#<ÖŒ-&œm¬\u0090#\x1däd<@\fnÈ5\rû3\r\röõ8Ì<\u0090\x05´³î\x05xD\\#Þ;\x1b=\x14ô=L«˜ìäµ4ü\\#†ü\x03þ”ìä¬–F\u008d\x15D\u0090\x15V›N³µl5å$Ml<#Ô…\r›Ü\\à"	NEAS.7ff3fb48f73f8481b359382afbd44acb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\d14788c4 = "ÿ6Š—9ÞŸÔó·P©\|\fhña…MX\x0f\u00a0?s›“ç&Ù\x1d\u00ad\u0090¼FHv¥;\vˆ\x18PÀ¬\x1dh4\x1eåð»#<ÖŒ-&œm¬\u0090#\x1däd<@\fnÈ5\rû3\r\röõ8Ì<\u0090\x05´³î\x05xD\\#Þ;\x1b=\x14ô=L«˜ìäµ4ü\\#†ü\x03þ”ìä¬–F\u008d\x15D\u0090\x15V›N³µl5å$Ml<#Ô…\r›Ü\\à"	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	NEAS.7ff3fb48f73f8481b359382afbd44acb.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	NEAS.7ff3fb48f73f8481b359382afbd44acb.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4624	NEAS.7ff3fb48f73f8481b359382afbd44acb.exe
4624	NEAS.7ff3fb48f73f8481b359382afbd44acb.exe
4624	NEAS.7ff3fb48f73f8481b359382afbd44acb.exe
4624	NEAS.7ff3fb48f73f8481b359382afbd44acb.exe
4624	NEAS.7ff3fb48f73f8481b359382afbd44acb.exe
4624	NEAS.7ff3fb48f73f8481b359382afbd44acb.exe
4624	NEAS.7ff3fb48f73f8481b359382afbd44acb.exe
4624	NEAS.7ff3fb48f73f8481b359382afbd44acb.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe
3432	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4624	NEAS.7ff3fb48f73f8481b359382afbd44acb.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4624 wrote to memory of 3432	4624	NEAS.7ff3fb48f73f8481b359382afbd44acb.exe	84
PID 4624 wrote to memory of 3432	4624	NEAS.7ff3fb48f73f8481b359382afbd44acb.exe	84
PID 4624 wrote to memory of 3432	4624	NEAS.7ff3fb48f73f8481b359382afbd44acb.exe	84

C:\Users\Admin\AppData\Local\Temp\NEAS.7ff3fb48f73f8481b359382afbd44acb.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.7ff3fb48f73f8481b359382afbd44acb.exe"
1⤵
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4624
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - Suspicious behavior: EnumeratesProcesses
  PID:3432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1419.tmp

Filesize
481B

MD5
ba383ee605ad6e2af6f97befaef61a9d

SHA1
8aae5b135bc405131632eb44f7644fa6e324fa2e

SHA256
622a440de30946f845cda5d4ea2b416d4d22051ae90a3c537402dc59061b7916

SHA512
b1fdf87a4a972d073af6bb8413f5de961db80c58fa5567bcd2bf59b9d2dd1fe7938a61fc2035daae204c1efafdfcf86b568b8ab2cdfd907da68d370a151ceec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1497.tmp

Filesize
41KB

MD5
4d47b69b206e4f6392477e7120bcd267

SHA1
e2c2fd89707b1f3cfa268080888a85e398c9edcf

SHA256
d4f30d2777ebeb5fa6136c6874a75cd09b7850323b11708c546c7b0af32a1b8e

SHA512
bc788bf03828a518b396f5a195993aa80325f3e85d74dd82d1782e483f8055fa172a14b37db4532d5f278b0a83b30184f88ed2075cffc8b5d5e25e66bc17fadc

Download Submit
C:\Users\Admin\AppData\Local\Temp\399.tmp

Filesize
22KB

MD5
6aa6337d955d91b3d532105e502dc514

SHA1
8f891825c3ee74d620a07695387696c375f3c0bc

SHA256
6991ad758e2c4a3cf917260a0d0bc3ed008c2f32526a41f3aa247d085f2491f2

SHA512
114f2e82fa5669ff76a0652a89f884f9b7472f01dc0d3f1c862d48a2eb42346f05c4bded92f0c62faf449ac22be56ba8d593f90be69073d0647008f370cccace

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FE0.tmp

Filesize
12KB

MD5
1639705c0468ff5b89d563cc785c9374

SHA1
f6807f616bab661123da67196ca7d5015df9ea82

SHA256
4788bc2f12f5ef35a1e86ba33d4ecd9efcc89446502465d7e8320a36c6a0e25c

SHA512
d50f65b6100586ddda7d62a8d21d013e0c5d4c52a2fc5d53867ba086571116dac992eefd2fb55873196f3516bac91c9cff8da5f4b8f91e5f9c13240e5622d768

Download Submit
C:\Users\Admin\AppData\Local\Temp\41A6.tmp

Filesize
1KB

MD5
f9de35710e0e4803ca0102c62b495bde

SHA1
2c391db7ea27b04bdbd9d2d5c2c7090d8b2d55b2

SHA256
9a00fae7922704337b441aef9873b03831802642f1fbae2640d82a20cbb6329b

SHA512
f81cdc1daa8aed3b9a1ca6064dde9887417be80057908f2a088f36a895a93b2ddf27b8b7a4a602ff71f8c429afb2a67064a2878da27873a646747cb117d59eab

Download Submit
C:\Users\Admin\AppData\Local\Temp\5272.tmp

Filesize
593B

MD5
926512864979bc27cf187f1de3f57aff

SHA1
acdeb9d6187932613c7fa08eaf28f0cd8116f4b5

SHA256
b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f

SHA512
f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b

Download Submit
C:\Users\Admin\AppData\Local\Temp\562D.tmp

Filesize
22KB

MD5
1458a374fcfd6ead855dae05271a9bf9

SHA1
c4ef3e60a017ee65eced43c0815a488d2f9ca6cb

SHA256
c3ed9dcc59d611fcc360722c3a546ff4dd9c59d1e36c0757b95511fae398234b

SHA512
7e4a0e6b497cb3233fdf1308d2b0d15e89a579e9e7ac94ed46e234ea5e6eb5ac8d81f390d3eaee5fe04e6e3519df369a1a9dbeb88341e114960a601c8435dd3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\744.tmp

Filesize
54KB

MD5
031d18a70cce4cd813e22873a00ab75e

SHA1
f0cbecb397cb8a3cc05536a1998e45ee8e635ddd

SHA256
fb1990b40eaa026b1929d9c3d9d58a768e9d2fcafe4872b78f57ffc3da8ba939

SHA512
f29d72e070076537299ef1010c6aa3e134a276c14267897f2205c4843b5145dd38a92b6d1fdca158cf47f5209eed5b00bbfc3dcbaaef57cfb92157320665c6e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CE6F.tmp

Filesize
2KB

MD5
257f1d11d2201b68a3174a4a8d248a92

SHA1
87d4e0755bfccedbdc45c7bc6c1642e01d2487f6

SHA256
bb798d986a6564530de365a6e794fea96acc52854f694d766d8b1ab3e895b398

SHA512
69419efbae1efb5f093ea2864c120e3cb9f4f69989a04b7b761766f939d4e5183504fe4cd00ec9e316d170796e3e4bbaa697ab01cfe901c1d8069e9dcf2fee13

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
399KB

MD5
2d21de9fb390bb474a6291e4d602dd87

SHA1
0b1f058b9d975d4cc28be4e490bd51a7ff5387dc

SHA256
05cdc3cae066c3cba6e60d0fdd6891198efdcc93f810e1f23c5fad54328e136e

SHA512
f13d3aaa4b6b925508f8164c8dae674b2b4dc4d56576cb8c8e85b88d1400fbe6892a7a937f10fd2ce50b5a85af6bc4ea377fe791cbeaa7027b33b11fb3340a5c

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
399KB

MD5
2d21de9fb390bb474a6291e4d602dd87

SHA1
0b1f058b9d975d4cc28be4e490bd51a7ff5387dc

SHA256
05cdc3cae066c3cba6e60d0fdd6891198efdcc93f810e1f23c5fad54328e136e

SHA512
f13d3aaa4b6b925508f8164c8dae674b2b4dc4d56576cb8c8e85b88d1400fbe6892a7a937f10fd2ce50b5a85af6bc4ea377fe791cbeaa7027b33b11fb3340a5c

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
399KB

MD5
2d21de9fb390bb474a6291e4d602dd87

SHA1
0b1f058b9d975d4cc28be4e490bd51a7ff5387dc

SHA256
05cdc3cae066c3cba6e60d0fdd6891198efdcc93f810e1f23c5fad54328e136e

SHA512
f13d3aaa4b6b925508f8164c8dae674b2b4dc4d56576cb8c8e85b88d1400fbe6892a7a937f10fd2ce50b5a85af6bc4ea377fe791cbeaa7027b33b11fb3340a5c

Download Submit
memory/3432-40-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3432-62-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3432-18-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3432-19-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3432-20-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3432-21-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3432-22-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3432-23-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3432-25-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3432-27-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3432-28-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3432-31-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3432-33-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3432-35-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3432-37-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3432-39-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3432-16-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3432-43-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3432-48-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3432-45-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3432-52-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3432-61-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3432-51-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3432-17-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3432-64-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3432-65-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3432-67-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3432-68-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3432-66-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3432-69-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3432-70-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3432-71-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3432-72-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3432-73-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3432-74-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3432-75-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3432-15-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3432-13-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3432-11-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3432-76-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3432-77-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3432-78-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3432-79-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3432-481-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/3432-9-0x0000000002730000-0x00000000027D8000-memory.dmp

Filesize
672KB

Download