2e1c0e7a8760240f1053f484d2182cd29840a1132b95dae1c48d2e60b331e68a

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
11/11/2023, 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.dc67e1448e16e3b3aeed6c6ef246eb70.exe
Size

135KB
MD5

dc67e1448e16e3b3aeed6c6ef246eb70
SHA1

01e6a3542494d4ff4f6bcbc860b4e35dc217ecf8
SHA256

2e1c0e7a8760240f1053f484d2182cd29840a1132b95dae1c48d2e60b331e68a
SHA512

b9341e838bd503f911a3ef818202ffda52d41507ef4e790720f6f726f567114a2271168a89b891827484ea6a4f2a825c634cd3d8197814f55d00e7a5e3945dc4
SSDEEP

1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbV0a:UVqoCl/YgjxEufVU0TbTyDDal6a

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
4472	explorer.exe
1648	spoolsv.exe
3996	svchost.exe
1652	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	NEAS.dc67e1448e16e3b3aeed6c6ef246eb70.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4948	NEAS.dc67e1448e16e3b3aeed6c6ef246eb70.exe
4948	NEAS.dc67e1448e16e3b3aeed6c6ef246eb70.exe
4948	NEAS.dc67e1448e16e3b3aeed6c6ef246eb70.exe
4948	NEAS.dc67e1448e16e3b3aeed6c6ef246eb70.exe
4948	NEAS.dc67e1448e16e3b3aeed6c6ef246eb70.exe
4948	NEAS.dc67e1448e16e3b3aeed6c6ef246eb70.exe
4948	NEAS.dc67e1448e16e3b3aeed6c6ef246eb70.exe
4948	NEAS.dc67e1448e16e3b3aeed6c6ef246eb70.exe
4948	NEAS.dc67e1448e16e3b3aeed6c6ef246eb70.exe
4948	NEAS.dc67e1448e16e3b3aeed6c6ef246eb70.exe
4948	NEAS.dc67e1448e16e3b3aeed6c6ef246eb70.exe
4948	NEAS.dc67e1448e16e3b3aeed6c6ef246eb70.exe
4948	NEAS.dc67e1448e16e3b3aeed6c6ef246eb70.exe
4948	NEAS.dc67e1448e16e3b3aeed6c6ef246eb70.exe
4948	NEAS.dc67e1448e16e3b3aeed6c6ef246eb70.exe
4948	NEAS.dc67e1448e16e3b3aeed6c6ef246eb70.exe
4948	NEAS.dc67e1448e16e3b3aeed6c6ef246eb70.exe
4948	NEAS.dc67e1448e16e3b3aeed6c6ef246eb70.exe
4948	NEAS.dc67e1448e16e3b3aeed6c6ef246eb70.exe
4948	NEAS.dc67e1448e16e3b3aeed6c6ef246eb70.exe
4948	NEAS.dc67e1448e16e3b3aeed6c6ef246eb70.exe
4948	NEAS.dc67e1448e16e3b3aeed6c6ef246eb70.exe
4948	NEAS.dc67e1448e16e3b3aeed6c6ef246eb70.exe
4948	NEAS.dc67e1448e16e3b3aeed6c6ef246eb70.exe
4948	NEAS.dc67e1448e16e3b3aeed6c6ef246eb70.exe
4948	NEAS.dc67e1448e16e3b3aeed6c6ef246eb70.exe
4948	NEAS.dc67e1448e16e3b3aeed6c6ef246eb70.exe
4948	NEAS.dc67e1448e16e3b3aeed6c6ef246eb70.exe
4948	NEAS.dc67e1448e16e3b3aeed6c6ef246eb70.exe
4948	NEAS.dc67e1448e16e3b3aeed6c6ef246eb70.exe
4948	NEAS.dc67e1448e16e3b3aeed6c6ef246eb70.exe
4948	NEAS.dc67e1448e16e3b3aeed6c6ef246eb70.exe
4948	NEAS.dc67e1448e16e3b3aeed6c6ef246eb70.exe
4948	NEAS.dc67e1448e16e3b3aeed6c6ef246eb70.exe
4472	explorer.exe
4472	explorer.exe
4472	explorer.exe
4472	explorer.exe
4472	explorer.exe
4472	explorer.exe
4472	explorer.exe
4472	explorer.exe
4472	explorer.exe
4472	explorer.exe
4472	explorer.exe
4472	explorer.exe
4472	explorer.exe
4472	explorer.exe
4472	explorer.exe
4472	explorer.exe
4472	explorer.exe
4472	explorer.exe
4472	explorer.exe
4472	explorer.exe
4472	explorer.exe
4472	explorer.exe
4472	explorer.exe
4472	explorer.exe
4472	explorer.exe
4472	explorer.exe
4472	explorer.exe
4472	explorer.exe
4472	explorer.exe
4472	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4472	explorer.exe
3996	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4948	NEAS.dc67e1448e16e3b3aeed6c6ef246eb70.exe
4948	NEAS.dc67e1448e16e3b3aeed6c6ef246eb70.exe
4472	explorer.exe
4472	explorer.exe
1648	spoolsv.exe
1648	spoolsv.exe
3996	svchost.exe
3996	svchost.exe
1652	spoolsv.exe
1652	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 4472	4948	NEAS.dc67e1448e16e3b3aeed6c6ef246eb70.exe	84
PID 4948 wrote to memory of 4472	4948	NEAS.dc67e1448e16e3b3aeed6c6ef246eb70.exe	84
PID 4948 wrote to memory of 4472	4948	NEAS.dc67e1448e16e3b3aeed6c6ef246eb70.exe	84
PID 4472 wrote to memory of 1648	4472	explorer.exe	85
PID 4472 wrote to memory of 1648	4472	explorer.exe	85
PID 4472 wrote to memory of 1648	4472	explorer.exe	85
PID 1648 wrote to memory of 3996	1648	spoolsv.exe	87
PID 1648 wrote to memory of 3996	1648	spoolsv.exe	87
PID 1648 wrote to memory of 3996	1648	spoolsv.exe	87
PID 3996 wrote to memory of 1652	3996	svchost.exe	88
PID 3996 wrote to memory of 1652	3996	svchost.exe	88
PID 3996 wrote to memory of 1652	3996	svchost.exe	88

C:\Users\Admin\AppData\Local\Temp\NEAS.dc67e1448e16e3b3aeed6c6ef246eb70.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.dc67e1448e16e3b3aeed6c6ef246eb70.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4948
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4472
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1648
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3996
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
797f669030878c3f2e73e8930e463255

SHA1
ba596445f7b665d9089a8af6bde79fff09c661b0

SHA256
a33ae4e0b72097c673fff4d9315dc7164823379053df7cc028d95f76b58776b4

SHA512
fc0fe250508f221fdc20dd572f63678e69d55b5739d9447dce276fabcacef3fb5dd3fbe337cf40c32330e62e120141f4c4cfc62400f01f4a25ab0d7339d204fe

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
d709bd8f1c4e9d8e241d21b12b2d38b5

SHA1
c0022bae79c0c0bcfc778cf948134bbb6932119e

SHA256
da4f7b078f65a46227d5ea29f08831a5e04d6a5a16c9ad5d4d40f58071172319

SHA512
1455e4382fb243dc4cc51fd627a901c5deecac23f0490437e1058de7538d90b8dba44f8277c5e0d74ae232bf4c870fbf5315932230507573e09c7d5ac2f07a55

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
d709bd8f1c4e9d8e241d21b12b2d38b5

SHA1
c0022bae79c0c0bcfc778cf948134bbb6932119e

SHA256
da4f7b078f65a46227d5ea29f08831a5e04d6a5a16c9ad5d4d40f58071172319

SHA512
1455e4382fb243dc4cc51fd627a901c5deecac23f0490437e1058de7538d90b8dba44f8277c5e0d74ae232bf4c870fbf5315932230507573e09c7d5ac2f07a55

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
d709bd8f1c4e9d8e241d21b12b2d38b5

SHA1
c0022bae79c0c0bcfc778cf948134bbb6932119e

SHA256
da4f7b078f65a46227d5ea29f08831a5e04d6a5a16c9ad5d4d40f58071172319

SHA512
1455e4382fb243dc4cc51fd627a901c5deecac23f0490437e1058de7538d90b8dba44f8277c5e0d74ae232bf4c870fbf5315932230507573e09c7d5ac2f07a55

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
e24b442ebc49c9f0c5a9c74cb22f76f7

SHA1
f61c71375847ee67734fff8ba9b9a0162456d3a7

SHA256
bc60b4de29d1981897985b2ed309a8e461865b2df111964dee7519aaf6f57a10

SHA512
b870d4e2963e31a4fc3436075a8873122efce61edff40f4a20ba8413e4835ba3818b321dc4132115783157f3a359c6fc1e670ffcb6b625a9423b2ea722b5e0c2

Download Submit
\??\c:\windows\resources\spoolsv.exe

Filesize
135KB

MD5
d709bd8f1c4e9d8e241d21b12b2d38b5

SHA1
c0022bae79c0c0bcfc778cf948134bbb6932119e

SHA256
da4f7b078f65a46227d5ea29f08831a5e04d6a5a16c9ad5d4d40f58071172319

SHA512
1455e4382fb243dc4cc51fd627a901c5deecac23f0490437e1058de7538d90b8dba44f8277c5e0d74ae232bf4c870fbf5315932230507573e09c7d5ac2f07a55

Download Submit
\??\c:\windows\resources\svchost.exe

Filesize
135KB

MD5
e24b442ebc49c9f0c5a9c74cb22f76f7

SHA1
f61c71375847ee67734fff8ba9b9a0162456d3a7

SHA256
bc60b4de29d1981897985b2ed309a8e461865b2df111964dee7519aaf6f57a10

SHA512
b870d4e2963e31a4fc3436075a8873122efce61edff40f4a20ba8413e4835ba3818b321dc4132115783157f3a359c6fc1e670ffcb6b625a9423b2ea722b5e0c2

Download Submit
\??\c:\windows\resources\themes\explorer.exe

Filesize
135KB

MD5
797f669030878c3f2e73e8930e463255

SHA1
ba596445f7b665d9089a8af6bde79fff09c661b0

SHA256
a33ae4e0b72097c673fff4d9315dc7164823379053df7cc028d95f76b58776b4

SHA512
fc0fe250508f221fdc20dd572f63678e69d55b5739d9447dce276fabcacef3fb5dd3fbe337cf40c32330e62e120141f4c4cfc62400f01f4a25ab0d7339d204fe

Download Submit
memory/1648-34-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1652-29-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1652-33-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4948-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4948-35-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download