2130cef6de7f7b3743042d567f73ad666e23dedd477c66b514aea07d4b7ec5f7

General

Target

NEAS.28900030d87b8933457875e0d2544e4c.exe
Size

176KB
MD5

28900030d87b8933457875e0d2544e4c
SHA1

634772d11c6812722175f5e39116d8fa0b9c66f7
SHA256

2130cef6de7f7b3743042d567f73ad666e23dedd477c66b514aea07d4b7ec5f7
SHA512

f078b61cb2c346d128230043cd020351846f83b127a0eee3fd993ae7c50c5fe8b1ac2271ef4021f544ba8a0ea14187ef21840ecece1f6d75e9e80635884c6350
SSDEEP

3072:zj9mD4Pa78AgZUUeXVHI2uza78+OBNia6+en4FXMhWAYCXD:zjYD4PawAJ1VI2sa758Tey8ACz

Score

7^/10

persistence upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3812-0-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/files/0x0007000000022d95-5.dat	upx
behavioral2/memory/3812-25-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Modifies WinLogon 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Logon = "EvWinLogon"	NEAS.28900030d87b8933457875e0d2544e4c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Startup = "EvWinLogon"	NEAS.28900030d87b8933457875e0d2544e4c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\StartShell = "EvWinLogon"	NEAS.28900030d87b8933457875e0d2544e4c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\DLLName = "wlogon.dll"	NEAS.28900030d87b8933457875e0d2544e4c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon	NEAS.28900030d87b8933457875e0d2544e4c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	NEAS.28900030d87b8933457875e0d2544e4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Asynchronous = "1"	NEAS.28900030d87b8933457875e0d2544e4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Impersonate = "1"	NEAS.28900030d87b8933457875e0d2544e4c.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\crypto.dll	NEAS.28900030d87b8933457875e0d2544e4c.exe
File opened for modification	C:\Windows\SysWOW64\wlogon.dll	NEAS.28900030d87b8933457875e0d2544e4c.exe
File opened for modification	C:\Windows\SysWOW64\net.cpl	NEAS.28900030d87b8933457875e0d2544e4c.exe
File opened for modification	C:\Windows\SysWOW64\lcss.exe	NEAS.28900030d87b8933457875e0d2544e4c.exe

Modifies registry class 19 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\ = "Windows Cryptography"	NEAS.28900030d87b8933457875e0d2544e4c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\ = "Windows Cryptography"	NEAS.28900030d87b8933457875e0d2544e4c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1\CLSID\ = "{310DE29C-0AD3-4A43-A2DB-221F1160CACB}"	NEAS.28900030d87b8933457875e0d2544e4c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}	NEAS.28900030d87b8933457875e0d2544e4c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CLSID	NEAS.28900030d87b8933457875e0d2544e4c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\VersionIndependentProgID	NEAS.28900030d87b8933457875e0d2544e4c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\InprocServer32\ThreadingModel = "Both"	NEAS.28900030d87b8933457875e0d2544e4c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\InprocServer32	NEAS.28900030d87b8933457875e0d2544e4c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\ProgID	NEAS.28900030d87b8933457875e0d2544e4c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\InprocServer32\ = "crypto.dll"	NEAS.28900030d87b8933457875e0d2544e4c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\ProgID\ = "WinCryptography.Encrypt.1"	NEAS.28900030d87b8933457875e0d2544e4c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\VersionIndependentProgID\ = "WinCryptography.Encrypt"	NEAS.28900030d87b8933457875e0d2544e4c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CLSID\ = "{310DE29C-0AD3-4A43-A2DB-221F1160CACB}"	NEAS.28900030d87b8933457875e0d2544e4c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CurVer\ = "WinCryptography.Encrypt.1"	NEAS.28900030d87b8933457875e0d2544e4c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt	NEAS.28900030d87b8933457875e0d2544e4c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1	NEAS.28900030d87b8933457875e0d2544e4c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1\ = "Windows Cryptography"	NEAS.28900030d87b8933457875e0d2544e4c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CurVer	NEAS.28900030d87b8933457875e0d2544e4c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1\CLSID	NEAS.28900030d87b8933457875e0d2544e4c.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3812	NEAS.28900030d87b8933457875e0d2544e4c.exe
Token: SeDebugPrivilege	3812	NEAS.28900030d87b8933457875e0d2544e4c.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.28900030d87b8933457875e0d2544e4c.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.28900030d87b8933457875e0d2544e4c.exe"
1⤵
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\lcss.exe

Filesize
120KB

MD5
f57bc304d3708c1811793c996b3a9833

SHA1
5d909c82ee1b4312a30d9c50a061b7600e5674cf

SHA256
4ca40d8d7811ab75a0c65f9b9fb6a4310c4403d2e3c54f56c70574f5f61852be

SHA512
f34b70f5f8da8042021c3a7b713e5684d4788ddb6c0c43d824827d995c67e7ac3f2b07a4e69eca16035ceecc2a2672650d2241816d6fd9645b34fc5adf48e197

Download Submit
C:\Windows\SysWOW64\net.cpl

Filesize
167KB

MD5
2b9e229a1b61c5b8987bb1726ccadf2a

SHA1
b982bf81348c62c51721edb33437aa5055945150

SHA256
70ef8a15abb91864f34665bc4f64599a95a95b4136ec3e9622c4ba20c4edc253

SHA512
064c90759492cb66457d5cb8c7a8959445b88d7f0131a84c113e128193f91baaa69ca07eabecdcce4f6736060561fa305371e0412046d5a0a3a3f11ea69bea5c

Download Submit
memory/3812-0-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3812-25-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads