b525eb7207acc2739513e6996df64c569151be26ea3e4dfaa73c2df4c215d311

Analysis

max time kernel
151s
max time network
155s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
12-11-2023 09:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.02b70a97c3c0b99ccf84ab7ffe3be600.exe
Size

293KB
MD5

02b70a97c3c0b99ccf84ab7ffe3be600
SHA1

d93886c2b4a2901be15c0469c8ad4adb4c3d53e6
SHA256

b525eb7207acc2739513e6996df64c569151be26ea3e4dfaa73c2df4c215d311
SHA512

8fff2c644f0c8caa3863d17e5c9c6cf0c50463b6a47796660bf8bbdda03e273500af6babe7bdae39637ae704149b4bd4be0b28321b3bc31f0d75e73a731d8862
SSDEEP

3072:AygCullUQN7gsBh1L1QygCullUQN7gsBh1L12:ARleK7712RleK771o

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
2004	explorer.exe
2740	spoolsv.exe
2816	svchost.exe
2896	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
1664	NEAS.02b70a97c3c0b99ccf84ab7ffe3be600.exe
1664	NEAS.02b70a97c3c0b99ccf84ab7ffe3be600.exe
2004	explorer.exe
2004	explorer.exe
2740	spoolsv.exe
2740	spoolsv.exe
2816	svchost.exe
2816	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\System\tjud.exe	explorer.exe
File opened for modification	C:\Windows\System\tjcm.cmn	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	NEAS.02b70a97c3c0b99ccf84ab7ffe3be600.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1664	NEAS.02b70a97c3c0b99ccf84ab7ffe3be600.exe
2004	explorer.exe
2004	explorer.exe
2004	explorer.exe
2816	svchost.exe
2816	svchost.exe
2004	explorer.exe
2816	svchost.exe
2004	explorer.exe
2816	svchost.exe
2004	explorer.exe
2816	svchost.exe
2004	explorer.exe
2816	svchost.exe
2004	explorer.exe
2816	svchost.exe
2004	explorer.exe
2816	svchost.exe
2004	explorer.exe
2816	svchost.exe
2004	explorer.exe
2816	svchost.exe
2004	explorer.exe
2816	svchost.exe
2004	explorer.exe
2816	svchost.exe
2004	explorer.exe
2816	svchost.exe
2004	explorer.exe
2816	svchost.exe
2004	explorer.exe
2816	svchost.exe
2004	explorer.exe
2816	svchost.exe
2004	explorer.exe
2816	svchost.exe
2004	explorer.exe
2816	svchost.exe
2004	explorer.exe
2816	svchost.exe
2004	explorer.exe
2816	svchost.exe
2004	explorer.exe
2816	svchost.exe
2004	explorer.exe
2816	svchost.exe
2004	explorer.exe
2816	svchost.exe
2004	explorer.exe
2816	svchost.exe
2004	explorer.exe
2816	svchost.exe
2004	explorer.exe
2816	svchost.exe
2004	explorer.exe
2816	svchost.exe
2004	explorer.exe
2816	svchost.exe
2004	explorer.exe
2816	svchost.exe
2004	explorer.exe
2816	svchost.exe
2004	explorer.exe
2816	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2004	explorer.exe
2816	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1664	NEAS.02b70a97c3c0b99ccf84ab7ffe3be600.exe
1664	NEAS.02b70a97c3c0b99ccf84ab7ffe3be600.exe
2004	explorer.exe
2004	explorer.exe
2740	spoolsv.exe
2740	spoolsv.exe
2816	svchost.exe
2816	svchost.exe
2896	spoolsv.exe
2896	spoolsv.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 2004	1664	NEAS.02b70a97c3c0b99ccf84ab7ffe3be600.exe	28
PID 1664 wrote to memory of 2004	1664	NEAS.02b70a97c3c0b99ccf84ab7ffe3be600.exe	28
PID 1664 wrote to memory of 2004	1664	NEAS.02b70a97c3c0b99ccf84ab7ffe3be600.exe	28
PID 1664 wrote to memory of 2004	1664	NEAS.02b70a97c3c0b99ccf84ab7ffe3be600.exe	28
PID 2004 wrote to memory of 2740	2004	explorer.exe	29
PID 2004 wrote to memory of 2740	2004	explorer.exe	29
PID 2004 wrote to memory of 2740	2004	explorer.exe	29
PID 2004 wrote to memory of 2740	2004	explorer.exe	29
PID 2740 wrote to memory of 2816	2740	spoolsv.exe	30
PID 2740 wrote to memory of 2816	2740	spoolsv.exe	30
PID 2740 wrote to memory of 2816	2740	spoolsv.exe	30
PID 2740 wrote to memory of 2816	2740	spoolsv.exe	30
PID 2816 wrote to memory of 2896	2816	svchost.exe	31
PID 2816 wrote to memory of 2896	2816	svchost.exe	31
PID 2816 wrote to memory of 2896	2816	svchost.exe	31
PID 2816 wrote to memory of 2896	2816	svchost.exe	31

C:\Users\Admin\AppData\Local\Temp\NEAS.02b70a97c3c0b99ccf84ab7ffe3be600.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.02b70a97c3c0b99ccf84ab7ffe3be600.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1664
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2004
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2816
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
292KB

MD5
704cf812a5b79cbc357c79fef61e5a14

SHA1
fab4f67dc39d44ced59f23ecb49e721a395ccdad

SHA256
b669606afe817bc00322fcfdaadb92111b273fc6a514f406607061057e9cc898

SHA512
6ed6d7391816ab155122a8892227b9e7dc9eda98ff998986a4c3efcf7bfb99d35b066fa7f81b2e2152f35f73380d791a826807eb1e6c875b4a8c81dad04ee390

Download Submit
C:\Windows\system\explorer.exe

Filesize
293KB

MD5
849bc53befde9bcc1daf4079b4018dec

SHA1
8df36ebd85fd847211368f8b0544db270e29889f

SHA256
a6ac265ac76606c2662e433c57cbde4e8dbf3ab019955cc28434be4712773e5e

SHA512
671af759d2d0e7bafb2085d10ca7a7611d26ae9f4a7cac76034b972ae7d121758b3dfd9e8f03c55a574d6e6ac561f098f92cb536774adcd2522ecbd39eb43135

Download Submit
C:\Windows\system\explorer.exe

Filesize
293KB

MD5
849bc53befde9bcc1daf4079b4018dec

SHA1
8df36ebd85fd847211368f8b0544db270e29889f

SHA256
a6ac265ac76606c2662e433c57cbde4e8dbf3ab019955cc28434be4712773e5e

SHA512
671af759d2d0e7bafb2085d10ca7a7611d26ae9f4a7cac76034b972ae7d121758b3dfd9e8f03c55a574d6e6ac561f098f92cb536774adcd2522ecbd39eb43135

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
292KB

MD5
1a9629e68a5dc2d4fef627341ecc7adc

SHA1
9ef480d6cbc3b9608d0cfb774c2f861c725589a2

SHA256
b262d4ed2dd33d8fd8d502c50276fedbb5341b7901d06aa6f29744d318faef6e

SHA512
9473ec8b94461a28b6c7a60e385a23df6d8e655a8216b6e5a4530fd2ddb2c780779667a0d18e35a8cd3a0b7c59ff987793e1ed76eb71f42530ab49b842a4879c

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
292KB

MD5
1a9629e68a5dc2d4fef627341ecc7adc

SHA1
9ef480d6cbc3b9608d0cfb774c2f861c725589a2

SHA256
b262d4ed2dd33d8fd8d502c50276fedbb5341b7901d06aa6f29744d318faef6e

SHA512
9473ec8b94461a28b6c7a60e385a23df6d8e655a8216b6e5a4530fd2ddb2c780779667a0d18e35a8cd3a0b7c59ff987793e1ed76eb71f42530ab49b842a4879c

Download Submit
C:\Windows\system\svchost.exe

Filesize
293KB

MD5
b34eb2abb127858187d3cd30ab0cf246

SHA1
17144d86a617ed414a7a1f627083fdcdc9da8f08

SHA256
30296798928cbfa87d95bc18e7b5e8747320ca1769ad77035e603d69dad1efa9

SHA512
d27dfab5b6db115ae68eff6ab4b76c35d79a7d5d4956e184522c368e6b12346133433550aa49fbbd92a9ec676b1629280e6b69e4c808725ed47f9adbd93ca4ad

Download Submit
\??\c:\windows\system\explorer.exe

Filesize
293KB

MD5
849bc53befde9bcc1daf4079b4018dec

SHA1
8df36ebd85fd847211368f8b0544db270e29889f

SHA256
a6ac265ac76606c2662e433c57cbde4e8dbf3ab019955cc28434be4712773e5e

SHA512
671af759d2d0e7bafb2085d10ca7a7611d26ae9f4a7cac76034b972ae7d121758b3dfd9e8f03c55a574d6e6ac561f098f92cb536774adcd2522ecbd39eb43135

Download Submit
\??\c:\windows\system\spoolsv.exe

Filesize
292KB

MD5
1a9629e68a5dc2d4fef627341ecc7adc

SHA1
9ef480d6cbc3b9608d0cfb774c2f861c725589a2

SHA256
b262d4ed2dd33d8fd8d502c50276fedbb5341b7901d06aa6f29744d318faef6e

SHA512
9473ec8b94461a28b6c7a60e385a23df6d8e655a8216b6e5a4530fd2ddb2c780779667a0d18e35a8cd3a0b7c59ff987793e1ed76eb71f42530ab49b842a4879c

Download Submit
\??\c:\windows\system\svchost.exe

Filesize
293KB

MD5
b34eb2abb127858187d3cd30ab0cf246

SHA1
17144d86a617ed414a7a1f627083fdcdc9da8f08

SHA256
30296798928cbfa87d95bc18e7b5e8747320ca1769ad77035e603d69dad1efa9

SHA512
d27dfab5b6db115ae68eff6ab4b76c35d79a7d5d4956e184522c368e6b12346133433550aa49fbbd92a9ec676b1629280e6b69e4c808725ed47f9adbd93ca4ad

Download Submit
\Windows\system\explorer.exe

Filesize
293KB

MD5
849bc53befde9bcc1daf4079b4018dec

SHA1
8df36ebd85fd847211368f8b0544db270e29889f

SHA256
a6ac265ac76606c2662e433c57cbde4e8dbf3ab019955cc28434be4712773e5e

SHA512
671af759d2d0e7bafb2085d10ca7a7611d26ae9f4a7cac76034b972ae7d121758b3dfd9e8f03c55a574d6e6ac561f098f92cb536774adcd2522ecbd39eb43135

Download Submit
\Windows\system\explorer.exe

Filesize
293KB

MD5
849bc53befde9bcc1daf4079b4018dec

SHA1
8df36ebd85fd847211368f8b0544db270e29889f

SHA256
a6ac265ac76606c2662e433c57cbde4e8dbf3ab019955cc28434be4712773e5e

SHA512
671af759d2d0e7bafb2085d10ca7a7611d26ae9f4a7cac76034b972ae7d121758b3dfd9e8f03c55a574d6e6ac561f098f92cb536774adcd2522ecbd39eb43135

Download Submit
\Windows\system\spoolsv.exe

Filesize
292KB

MD5
1a9629e68a5dc2d4fef627341ecc7adc

SHA1
9ef480d6cbc3b9608d0cfb774c2f861c725589a2

SHA256
b262d4ed2dd33d8fd8d502c50276fedbb5341b7901d06aa6f29744d318faef6e

SHA512
9473ec8b94461a28b6c7a60e385a23df6d8e655a8216b6e5a4530fd2ddb2c780779667a0d18e35a8cd3a0b7c59ff987793e1ed76eb71f42530ab49b842a4879c

Download Submit
\Windows\system\spoolsv.exe

Filesize
292KB

MD5
1a9629e68a5dc2d4fef627341ecc7adc

SHA1
9ef480d6cbc3b9608d0cfb774c2f861c725589a2

SHA256
b262d4ed2dd33d8fd8d502c50276fedbb5341b7901d06aa6f29744d318faef6e

SHA512
9473ec8b94461a28b6c7a60e385a23df6d8e655a8216b6e5a4530fd2ddb2c780779667a0d18e35a8cd3a0b7c59ff987793e1ed76eb71f42530ab49b842a4879c

Download Submit
\Windows\system\spoolsv.exe

Filesize
292KB

MD5
1a9629e68a5dc2d4fef627341ecc7adc

SHA1
9ef480d6cbc3b9608d0cfb774c2f861c725589a2

SHA256
b262d4ed2dd33d8fd8d502c50276fedbb5341b7901d06aa6f29744d318faef6e

SHA512
9473ec8b94461a28b6c7a60e385a23df6d8e655a8216b6e5a4530fd2ddb2c780779667a0d18e35a8cd3a0b7c59ff987793e1ed76eb71f42530ab49b842a4879c

Download Submit
\Windows\system\spoolsv.exe

Filesize
292KB

MD5
1a9629e68a5dc2d4fef627341ecc7adc

SHA1
9ef480d6cbc3b9608d0cfb774c2f861c725589a2

SHA256
b262d4ed2dd33d8fd8d502c50276fedbb5341b7901d06aa6f29744d318faef6e

SHA512
9473ec8b94461a28b6c7a60e385a23df6d8e655a8216b6e5a4530fd2ddb2c780779667a0d18e35a8cd3a0b7c59ff987793e1ed76eb71f42530ab49b842a4879c

Download Submit
\Windows\system\svchost.exe

Filesize
293KB

MD5
b34eb2abb127858187d3cd30ab0cf246

SHA1
17144d86a617ed414a7a1f627083fdcdc9da8f08

SHA256
30296798928cbfa87d95bc18e7b5e8747320ca1769ad77035e603d69dad1efa9

SHA512
d27dfab5b6db115ae68eff6ab4b76c35d79a7d5d4956e184522c368e6b12346133433550aa49fbbd92a9ec676b1629280e6b69e4c808725ed47f9adbd93ca4ad

Download Submit
\Windows\system\svchost.exe

Filesize
293KB

MD5
b34eb2abb127858187d3cd30ab0cf246

SHA1
17144d86a617ed414a7a1f627083fdcdc9da8f08

SHA256
30296798928cbfa87d95bc18e7b5e8747320ca1769ad77035e603d69dad1efa9

SHA512
d27dfab5b6db115ae68eff6ab4b76c35d79a7d5d4956e184522c368e6b12346133433550aa49fbbd92a9ec676b1629280e6b69e4c808725ed47f9adbd93ca4ad

Download Submit