47a23873f6e88d48160cbaa738c0dcf0eb83b910beac17d716a773ed1a31a94d

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
15/11/2023, 05:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.7fe9c8d26917cca3ab674f3b726147b0.exe
Size

212KB
MD5

7fe9c8d26917cca3ab674f3b726147b0
SHA1

5583509fb9ccc0786042d58335b5e428d6749a4e
SHA256

47a23873f6e88d48160cbaa738c0dcf0eb83b910beac17d716a773ed1a31a94d
SHA512

cd8ff61fa843a289e3e724a1f67d4f31ff08d49b943f245e28f91eee36fe532717c8151a0826450bf3491216b94a966bb02c48e3ef6f0694fed71f8ac36d428e
SSDEEP

6144:SxNqLW6opBZMU/y/JEGjg+op2BSNCCr7/jU:MA6NBT/yEGjWwa7vU

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2224	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2200	NEAS.7fe9c8d26917cca3ab674f3b726147b0.exe
2200	NEAS.7fe9c8d26917cca3ab674f3b726147b0.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\f80f5a83 = "C:\\Windows\\apppatch\\svchost.exe"	NEAS.7fe9c8d26917cca3ab674f3b726147b0.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\gahyqah.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vonypom.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lymyxid.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\puzylyp.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lysyfyj.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\pupycag.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qetyhyg.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lygyvuj.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vojyqem.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qetyfuv.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qexyhuv.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vofycot.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\purylev.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\volykit.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vocyzit.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\galyqaz.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lyrysor.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\galynuh.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gadyciz.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gatyhub.com	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	NEAS.7fe9c8d26917cca3ab674f3b726147b0.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	NEAS.7fe9c8d26917cca3ab674f3b726147b0.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\MuiCache	svchost.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2224	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2200	NEAS.7fe9c8d26917cca3ab674f3b726147b0.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2200	NEAS.7fe9c8d26917cca3ab674f3b726147b0.exe
Token: SeSecurityPrivilege	2200	NEAS.7fe9c8d26917cca3ab674f3b726147b0.exe
Token: SeSecurityPrivilege	2224	svchost.exe
Token: SeSecurityPrivilege	2224	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2224	2200	NEAS.7fe9c8d26917cca3ab674f3b726147b0.exe	28
PID 2200 wrote to memory of 2224	2200	NEAS.7fe9c8d26917cca3ab674f3b726147b0.exe	28
PID 2200 wrote to memory of 2224	2200	NEAS.7fe9c8d26917cca3ab674f3b726147b0.exe	28
PID 2200 wrote to memory of 2224	2200	NEAS.7fe9c8d26917cca3ab674f3b726147b0.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.7fe9c8d26917cca3ab674f3b726147b0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.7fe9c8d26917cca3ab674f3b726147b0.exe"
1⤵
- Loads dropped DLL
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
39a70d81496af80586208df293b94f2c

SHA1
ce03fb13f148d002c7ff694df558b9f8b53840d6

SHA256
799760e7c69355b3bd4b90f0fc17c228196bde3f84225137f91f00407c2a139d

SHA512
3f00f97aad175f0efc7e63a71cd8771ff6158e7e2de163c3fa07785d30f711daca9e586ebad4bda7a51b350db3d1c51314c17248241bfbc8e285bae407b64557

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a6e71949cf5e3e1ee78eabd156f37128

SHA1
f1e9e522d13e005cd540fd429f1eeae6be9b91fd

SHA256
4d0de5170255e439247f722b2f7289962f51c3deccdd75e693babba1793bbf5f

SHA512
ed180d759e440f18df1b063a5621b8b2f64080a0ecdc0e7336f747297200401c213f161327fc22a67523887399094768bf5c36b842af288de22b7a5162c45c78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
94626ec8c4a573c1e84e9f89e1f413e6

SHA1
d62c7c914b897d95020b1cb0bc2cf157ed25e21c

SHA256
9a81543f6854787aa83d49f4a02cab21b11d20dbdf48a69e2081b7c28eb247d8

SHA512
ac91be603417ba9494181ceaf1494f1d87b101fee7eee5391ce7d2a9d19f8f9132f62bac1567fd1b5b0099b660d767a0e98cabccdecfaf1768fd908e9b2ff626

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d3c818906f0191c4be9209c0429b3ae3

SHA1
13d978392868f6323548f79b42210aac76173969

SHA256
51572623b0b21186f7a54ee8df6a30c1d9379c8e4f845fb978f31b4c7465f17e

SHA512
369227b6283c62c5f6fb1fae8f0d66dba71738011288f168b25dece47b066176ded5b97acc3a44a26071a5a599269f0bbd33cfe8835b5a1c1fef414f4fc244ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b6eb919e2c5bcf432ac86cf0745cb467

SHA1
3fa74dd138753422e8f1edcd865e34b5b4c5fe35

SHA256
d9981a182e4ba9af388f9ddefc3492a242d95d75601379b60b52bd7bbff1ff54

SHA512
953d1cc5ec30906860c48d1349e5e8bf23fb3934aef3f8e04e4c893e077d686daa31ab1f42e282d7bcb43301de3fa08411f763cf87ccc2a7750f972414d26053

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
334b0ecf932114c5c7a6f86ff4a01f17

SHA1
c20f168714810fd8113c78dcb33abd5311ca372e

SHA256
6caed394b3107134bf18bed3071ffc938c9f74d192fc4ae4a2c85a292e1fcf7f

SHA512
4b77311c3ba7d352334a4a53e0201be508c190f0cc1dea331269332f8a0515cca7df4757d55c0ce97be681b7acfb5c094171ae912780bb5d9e4b25f675e0050b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
146331d0353a7bd97636155786d23303

SHA1
fea1034ccff939f1452028836b356845db0d8c9a

SHA256
950c66dc2f4f977ebdceba143fe0e0f7638c8ccab030a097e4609f37cfb0296d

SHA512
130d140449277a1c469e2a33e976796210c56e76d2ab7ce3ba09fd6dc8c48406d0b09dd3554c20517a67a802ede2aaec988ec216be3b32bf15133b1f33427d88

Download Submit
C:\Users\Admin\AppData\LocalLow\Temp\Cab7E87.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Temp\Tar7F27.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Windows\AppPatch\svchost.exe

Filesize
212KB

MD5
93e5b53c6811912d602e5f33ced9ece4

SHA1
cd7c937612729f9fb74c6a52f3ad1fdea41b379e

SHA256
d450fba243af2a8095e3f3314f2511fb2cdb8496225a06d800fa78a4344acef5

SHA512
d03133daf4cf72c495beb255a7aa0c55ec23382aa9f51489c4ea5b4a8314d69a3cf0cbf1b832f2bbcb44ff63470c080cc0add722e4a5bebfae0d3bd19ef463eb

Download Submit
C:\Windows\AppPatch\svchost.exe

Filesize
212KB

MD5
93e5b53c6811912d602e5f33ced9ece4

SHA1
cd7c937612729f9fb74c6a52f3ad1fdea41b379e

SHA256
d450fba243af2a8095e3f3314f2511fb2cdb8496225a06d800fa78a4344acef5

SHA512
d03133daf4cf72c495beb255a7aa0c55ec23382aa9f51489c4ea5b4a8314d69a3cf0cbf1b832f2bbcb44ff63470c080cc0add722e4a5bebfae0d3bd19ef463eb

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
212KB

MD5
93e5b53c6811912d602e5f33ced9ece4

SHA1
cd7c937612729f9fb74c6a52f3ad1fdea41b379e

SHA256
d450fba243af2a8095e3f3314f2511fb2cdb8496225a06d800fa78a4344acef5

SHA512
d03133daf4cf72c495beb255a7aa0c55ec23382aa9f51489c4ea5b4a8314d69a3cf0cbf1b832f2bbcb44ff63470c080cc0add722e4a5bebfae0d3bd19ef463eb

Download Submit
\Windows\AppPatch\svchost.exe

Filesize
212KB

MD5
93e5b53c6811912d602e5f33ced9ece4

SHA1
cd7c937612729f9fb74c6a52f3ad1fdea41b379e

SHA256
d450fba243af2a8095e3f3314f2511fb2cdb8496225a06d800fa78a4344acef5

SHA512
d03133daf4cf72c495beb255a7aa0c55ec23382aa9f51489c4ea5b4a8314d69a3cf0cbf1b832f2bbcb44ff63470c080cc0add722e4a5bebfae0d3bd19ef463eb

Download Submit
\Windows\AppPatch\svchost.exe

Filesize
212KB

MD5
93e5b53c6811912d602e5f33ced9ece4

SHA1
cd7c937612729f9fb74c6a52f3ad1fdea41b379e

SHA256
d450fba243af2a8095e3f3314f2511fb2cdb8496225a06d800fa78a4344acef5

SHA512
d03133daf4cf72c495beb255a7aa0c55ec23382aa9f51489c4ea5b4a8314d69a3cf0cbf1b832f2bbcb44ff63470c080cc0add722e4a5bebfae0d3bd19ef463eb

Download Submit
memory/2200-19-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2200-17-0x0000000000220000-0x0000000000272000-memory.dmp

Filesize
328KB

Download
memory/2200-1-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2200-0-0x0000000000220000-0x0000000000272000-memory.dmp

Filesize
328KB

Download
memory/2224-53-0x00000000024A0000-0x0000000002557000-memory.dmp

Filesize
732KB

Download
memory/2224-69-0x00000000024A0000-0x0000000002557000-memory.dmp

Filesize
732KB

Download
memory/2224-40-0x00000000024A0000-0x0000000002557000-memory.dmp

Filesize
732KB

Download
memory/2224-39-0x00000000024A0000-0x0000000002557000-memory.dmp

Filesize
732KB

Download
memory/2224-41-0x00000000024A0000-0x0000000002557000-memory.dmp

Filesize
732KB

Download
memory/2224-42-0x00000000024A0000-0x0000000002557000-memory.dmp

Filesize
732KB

Download
memory/2224-43-0x00000000024A0000-0x0000000002557000-memory.dmp

Filesize
732KB

Download
memory/2224-44-0x00000000024A0000-0x0000000002557000-memory.dmp

Filesize
732KB

Download
memory/2224-45-0x00000000024A0000-0x0000000002557000-memory.dmp

Filesize
732KB

Download
memory/2224-46-0x00000000024A0000-0x0000000002557000-memory.dmp

Filesize
732KB

Download
memory/2224-48-0x00000000024A0000-0x0000000002557000-memory.dmp

Filesize
732KB

Download
memory/2224-47-0x00000000024A0000-0x0000000002557000-memory.dmp

Filesize
732KB

Download
memory/2224-49-0x00000000024A0000-0x0000000002557000-memory.dmp

Filesize
732KB

Download
memory/2224-50-0x00000000024A0000-0x0000000002557000-memory.dmp

Filesize
732KB

Download
memory/2224-51-0x00000000024A0000-0x0000000002557000-memory.dmp

Filesize
732KB

Download
memory/2224-52-0x00000000024A0000-0x0000000002557000-memory.dmp

Filesize
732KB

Download
memory/2224-35-0x00000000024A0000-0x0000000002557000-memory.dmp

Filesize
732KB

Download
memory/2224-54-0x00000000024A0000-0x0000000002557000-memory.dmp

Filesize
732KB

Download
memory/2224-55-0x00000000024A0000-0x0000000002557000-memory.dmp

Filesize
732KB

Download
memory/2224-57-0x00000000024A0000-0x0000000002557000-memory.dmp

Filesize
732KB

Download
memory/2224-59-0x00000000024A0000-0x0000000002557000-memory.dmp

Filesize
732KB

Download
memory/2224-62-0x00000000024A0000-0x0000000002557000-memory.dmp

Filesize
732KB

Download
memory/2224-64-0x00000000024A0000-0x0000000002557000-memory.dmp

Filesize
732KB

Download
memory/2224-65-0x00000000024A0000-0x0000000002557000-memory.dmp

Filesize
732KB

Download
memory/2224-66-0x00000000024A0000-0x0000000002557000-memory.dmp

Filesize
732KB

Download
memory/2224-67-0x00000000024A0000-0x0000000002557000-memory.dmp

Filesize
732KB

Download
memory/2224-68-0x00000000024A0000-0x0000000002557000-memory.dmp

Filesize
732KB

Download
memory/2224-38-0x00000000024A0000-0x0000000002557000-memory.dmp

Filesize
732KB

Download
memory/2224-70-0x00000000024A0000-0x0000000002557000-memory.dmp

Filesize
732KB

Download
memory/2224-71-0x00000000024A0000-0x0000000002557000-memory.dmp

Filesize
732KB

Download
memory/2224-72-0x00000000024A0000-0x0000000002557000-memory.dmp

Filesize
732KB

Download
memory/2224-73-0x00000000024A0000-0x0000000002557000-memory.dmp

Filesize
732KB

Download
memory/2224-74-0x00000000024A0000-0x0000000002557000-memory.dmp

Filesize
732KB

Download
memory/2224-75-0x00000000024A0000-0x0000000002557000-memory.dmp

Filesize
732KB

Download
memory/2224-78-0x00000000024A0000-0x0000000002557000-memory.dmp

Filesize
732KB

Download
memory/2224-79-0x00000000024A0000-0x0000000002557000-memory.dmp

Filesize
732KB

Download
memory/2224-77-0x00000000024A0000-0x0000000002557000-memory.dmp

Filesize
732KB

Download
memory/2224-80-0x00000000024A0000-0x0000000002557000-memory.dmp

Filesize
732KB

Download
memory/2224-81-0x00000000024A0000-0x0000000002557000-memory.dmp

Filesize
732KB

Download
memory/2224-85-0x00000000024A0000-0x0000000002557000-memory.dmp

Filesize
732KB

Download
memory/2224-84-0x00000000024A0000-0x0000000002557000-memory.dmp

Filesize
732KB

Download
memory/2224-86-0x00000000024A0000-0x0000000002557000-memory.dmp

Filesize
732KB

Download
memory/2224-33-0x00000000024A0000-0x0000000002557000-memory.dmp

Filesize
732KB

Download
memory/2224-31-0x00000000021A0000-0x000000000224A000-memory.dmp

Filesize
680KB

Download
memory/2224-29-0x00000000021A0000-0x000000000224A000-memory.dmp

Filesize
680KB

Download
memory/2224-27-0x00000000021A0000-0x000000000224A000-memory.dmp

Filesize
680KB

Download
memory/2224-25-0x00000000021A0000-0x000000000224A000-memory.dmp

Filesize
680KB

Download
memory/2224-23-0x00000000021A0000-0x000000000224A000-memory.dmp

Filesize
680KB

Download
memory/2224-20-0x00000000021A0000-0x000000000224A000-memory.dmp

Filesize
680KB

Download
memory/2224-21-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2224-18-0x0000000000230000-0x0000000000282000-memory.dmp

Filesize
328KB

Download
memory/2224-572-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2224-573-0x00000000024A0000-0x0000000002557000-memory.dmp

Filesize
732KB

Download