737c9375cd60423cbf0056af1e7b0e666e6c673d0f580e696161a01d5b551a48

Analysis

max time kernel
142s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
13/11/2023, 02:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.322f9a41f7883e8292b9187684826c40.exe
Size

141KB
MD5

322f9a41f7883e8292b9187684826c40
SHA1

a361f382992dd745159ab60e4b94ba5c3f86ca80
SHA256

737c9375cd60423cbf0056af1e7b0e666e6c673d0f580e696161a01d5b551a48
SHA512

5c6ecce696c81bbb9aa6acb6e1a55583cd169deed68710cee04872abfa9016382973e36a3478b7f2d9a710e2f5b01b578690f0525cb6e52541fed9c8c8963c6c
SSDEEP

3072:ELlglTEH6xklGwA/qkwsjvxzzjNjljIxjfjA8bnIIIId:aqAHCntRlg/5

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe spoolut.exe"	spoolut.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe spoolut.exe"	NEAS.322f9a41f7883e8292b9187684826c40.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe spoolut.exe"	spoolut.exe

Executes dropped EXE 2 IoCs

pid	Process
3576	spoolut.exe
4952	spoolut.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Service Host = "C:\\Windows\\spoolut.exe"	NEAS.322f9a41f7883e8292b9187684826c40.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\spoolut.exe	NEAS.322f9a41f7883e8292b9187684826c40.exe
File created	C:\Windows\mstorvil\iMesh 4.2 Ad Remover Crack.exe	spoolut.exe
File opened for modification	C:\Windows\mstorvil\iMesh 4.2 Ad Remover Crack.exe	spoolut.exe
File created	C:\Windows\message.htm	spoolut.exe
File created	C:\Windows\mstorvil\NHL 2004 Crack.exe	spoolut.exe
File created	C:\Windows\mstorvil\Norton Antispam 2004 Keygen.exe	spoolut.exe
File created	C:\Windows\mstorvil\BearShare Pro 4.3.0 Crack.exe	spoolut.exe
File opened for modification	C:\Windows\mstorvil\NHL 2004 Crack.exe	spoolut.exe
File opened for modification	C:\Windows\mstorvil\	NEAS.322f9a41f7883e8292b9187684826c40.exe
File created	C:\Windows\message.dat	spoolut.exe
File created	C:\Windows\mstorvil\McAfee SpamKiller 2004 Crack.exe	spoolut.exe
File created	C:\Windows\mstorvil\TVTool v8.31 Crack.exe	spoolut.exe
File opened for modification	C:\Windows\mstorvil\TVTool v8.31 Crack.exe	spoolut.exe
File opened for modification	C:\Windows\svchost.exe	spoolut.exe
File opened for modification	C:\Windows\mstorvil\Norton Antispam 2004 Keygen.exe	spoolut.exe
File opened for modification	C:\Windows\mstorvil\Norton AntiVirus 2004 Crack.exe	spoolut.exe
File opened for modification	C:\Windows\mstorvil\BearShare Pro 4.3.0 Crack.exe	spoolut.exe
File created	C:\Windows\svchost.exe	NEAS.322f9a41f7883e8292b9187684826c40.exe
File created	C:\Windows\spoolut.exe	spoolut.exe
File opened for modification	C:\Windows\mstorvil\	spoolut.exe
File opened for modification	C:\Windows\mstorvil\McAfee SpamKiller 2004 Crack.exe	spoolut.exe
File created	C:\Windows\mstorvil\Macromedia Studio MX 2004 AllApps Crack.exe	spoolut.exe
File opened for modification	C:\Windows\mstorvil\McAfee VirusScan Home Edition 2004 Crack.exe	spoolut.exe
File created	C:\Windows\spoolut.exe	NEAS.322f9a41f7883e8292b9187684826c40.exe
File opened for modification	C:\Windows\svchost.exe	spoolut.exe
File opened for modification	C:\Windows\mstorvil\Sophos AntiVirus v3.74 Crack.exe	spoolut.exe
File created	C:\Windows\mstorvil\McAfee VirusScan Home Edition 2004 Crack.exe	spoolut.exe
File created	C:\Windows\spoolut.exe	spoolut.exe
File opened for modification	C:\Windows\mstorvil\	spoolut.exe
File opened for modification	C:\Windows\mstorvil\Macromedia Studio MX 2004 AllApps Crack.exe	spoolut.exe
File created	C:\Windows\mstorvil\Sophos AntiVirus v3.74 Crack.exe	spoolut.exe
File created	C:\Windows\mstorvil\Norton AntiVirus 2004 Crack.exe	spoolut.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4900	4952	WerFault.exe	92

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	spoolut.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{40DD6E20-7C17-11CE-A804-00AA003CA9F6} {000214FC-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000a6c564fed515da01	spoolut.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	spoolut.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "0"	spoolut.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4952	spoolut.exe
4952	spoolut.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeAuditPrivilege	4352	svchost.exe
Token: SeAuditPrivilege	4352	svchost.exe
Token: SeAuditPrivilege	4352	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4068 wrote to memory of 2068	4068	NEAS.322f9a41f7883e8292b9187684826c40.exe	89
PID 4068 wrote to memory of 2068	4068	NEAS.322f9a41f7883e8292b9187684826c40.exe	89
PID 4068 wrote to memory of 2068	4068	NEAS.322f9a41f7883e8292b9187684826c40.exe	89
PID 4068 wrote to memory of 3576	4068	NEAS.322f9a41f7883e8292b9187684826c40.exe	90
PID 4068 wrote to memory of 3576	4068	NEAS.322f9a41f7883e8292b9187684826c40.exe	90
PID 4068 wrote to memory of 3576	4068	NEAS.322f9a41f7883e8292b9187684826c40.exe	90

C:\Users\Admin\AppData\Local\Temp\NEAS.322f9a41f7883e8292b9187684826c40.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.322f9a41f7883e8292b9187684826c40.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 setupapi,InstallHinfSection MSMAIL 132 msmail.inf
  2⤵
  PID:2068
- C:\Windows\spoolut.exe
  "C:\Windows\spoolut.exe" -i
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:3576

C:\Windows\spoolut.exe
C:\Windows\spoolut.exe -s
1⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4952
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 1496
  2⤵
  - Program crash
  PID:4900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4952 -ip 4952
1⤵
PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\spoolut.exe

Filesize
141KB

MD5
322f9a41f7883e8292b9187684826c40

SHA1
a361f382992dd745159ab60e4b94ba5c3f86ca80

SHA256
737c9375cd60423cbf0056af1e7b0e666e6c673d0f580e696161a01d5b551a48

SHA512
5c6ecce696c81bbb9aa6acb6e1a55583cd169deed68710cee04872abfa9016382973e36a3478b7f2d9a710e2f5b01b578690f0525cb6e52541fed9c8c8963c6c

Download Submit
C:\Windows\spoolut.exe

Filesize
141KB

MD5
322f9a41f7883e8292b9187684826c40

SHA1
a361f382992dd745159ab60e4b94ba5c3f86ca80

SHA256
737c9375cd60423cbf0056af1e7b0e666e6c673d0f580e696161a01d5b551a48

SHA512
5c6ecce696c81bbb9aa6acb6e1a55583cd169deed68710cee04872abfa9016382973e36a3478b7f2d9a710e2f5b01b578690f0525cb6e52541fed9c8c8963c6c

Download Submit
C:\Windows\spoolut.exe

Filesize
141KB

MD5
322f9a41f7883e8292b9187684826c40

SHA1
a361f382992dd745159ab60e4b94ba5c3f86ca80

SHA256
737c9375cd60423cbf0056af1e7b0e666e6c673d0f580e696161a01d5b551a48

SHA512
5c6ecce696c81bbb9aa6acb6e1a55583cd169deed68710cee04872abfa9016382973e36a3478b7f2d9a710e2f5b01b578690f0525cb6e52541fed9c8c8963c6c

Download Submit
C:\Windows\svchost.exe

Filesize
141KB

MD5
322f9a41f7883e8292b9187684826c40

SHA1
a361f382992dd745159ab60e4b94ba5c3f86ca80

SHA256
737c9375cd60423cbf0056af1e7b0e666e6c673d0f580e696161a01d5b551a48

SHA512
5c6ecce696c81bbb9aa6acb6e1a55583cd169deed68710cee04872abfa9016382973e36a3478b7f2d9a710e2f5b01b578690f0525cb6e52541fed9c8c8963c6c

Download Submit
C:\Windows\svchost.exe

Filesize
141KB

MD5
0eb848444dbf33ce8195ccba40cd7a0f

SHA1
75ca9b071dc49e436f9d7c76fa6ab2ac20f4609e

SHA256
1d27aa3eb6fb0b1677d63c167e9c33f4631481cb812a8e931d0a667ba10cdb4d

SHA512
402bbf63672b9ee7e6f180216af372fac82315e180e0a6d9c8336d290f5554a2be3a82a4679b6004a64fd7431664da32c549d05eb94d877dfdfebfa3f10ceec1

Download Submit
C:\Windows\svchost.exe

Filesize
141KB

MD5
322f9a41f7883e8292b9187684826c40

SHA1
a361f382992dd745159ab60e4b94ba5c3f86ca80

SHA256
737c9375cd60423cbf0056af1e7b0e666e6c673d0f580e696161a01d5b551a48

SHA512
5c6ecce696c81bbb9aa6acb6e1a55583cd169deed68710cee04872abfa9016382973e36a3478b7f2d9a710e2f5b01b578690f0525cb6e52541fed9c8c8963c6c

Download Submit
C:\torvil.log

Filesize
218B

MD5
76d6c819a5babd4c19149305810b65f8

SHA1
3af0d2198f338d368bd83081683f6313126aaa6f

SHA256
30e5835a32eedaf6d6b422b218c30eb6e8abdcd1cccd1d32b2fd43652a80179e

SHA512
cd972316897b5e744453c5d1c0c964ed41caf6af7bc73ebcb8f1593e52f53517705ba96c33c648bea68d623ea6861051bb224e88fd99afbd684fe2cf8eb46d6d

Download Submit
C:\torvil.log

Filesize
792B

MD5
6f005f030eeefc09d04311347c5e32b9

SHA1
7efa4b4661c991ccc75c8138a492aefbf05379b8

SHA256
d267414403884d345a6709014fc9cc066bcd0f6cb8387d329846585766558d7c

SHA512
7ce512543453bb28ec233a520e1fb03e804aa03137f6b2c6700f9fed4740951902f4db346577818ed89a9e01e5bb135ec0109cf299af68f76383d4e17801fcf3

Download Submit
C:\torvil.log

Filesize
3KB

MD5
0a6b33d702eb233cbb7ac8794a6ea364

SHA1
d44d6684d1ec9c07a1b984ffb1e7181d1d18706e

SHA256
aeceb53fd33ace0f5b8df0596845f8c71598f1db1e3a4ea9b7c606cba1cc6316

SHA512
28d49927f8194c730f0c39dbb10a93eca81e682400f1c27c207427a40fe1a9a3c4dd4463330ba3cc2b4fe2f0f06506d703b22ac9f4092b133a4f123c5dd527a3

Download Submit