6e3dacdd8a7cc77daa5a99209683c33f5c99cc3aad07651faa75fbd362742452

Analysis

max time kernel
172s
max time network
169s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
15-11-2023 05:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.604c13e89b7040430744c9059dd73200.exe
Size

212KB
MD5

604c13e89b7040430744c9059dd73200
SHA1

d9623dca9729ffcf4bca36bb666b4fd11de9fd3f
SHA256

6e3dacdd8a7cc77daa5a99209683c33f5c99cc3aad07651faa75fbd362742452
SHA512

669c494588f1b42ef741285b9dbe57c141675e2207af9918fddb72134ade97c912982006f903812481d357a3d1391477ac3d9eaeb16d7affcd91ecab33a5e29d
SSDEEP

6144:4xNqLW6opBZMU/y/JEGjg+op2BSNCCr7/jU:+A6NBT/yEGjWwa7vU

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2620	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
1580	NEAS.604c13e89b7040430744c9059dd73200.exe
1580	NEAS.604c13e89b7040430744c9059dd73200.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\6cf37bd2 = "C:\\Windows\\apppatch\\svchost.exe"	NEAS.604c13e89b7040430744c9059dd73200.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\lysyfyj.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lyrysor.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\pupycag.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\volykit.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vojyqem.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qetyfuv.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\puzylyp.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lymyxid.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\purylev.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qetyhyg.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vofycot.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vonypom.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\galynuh.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gadyciz.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gatyhub.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vocyzit.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\galyqaz.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qexyhuv.com	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	NEAS.604c13e89b7040430744c9059dd73200.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	NEAS.604c13e89b7040430744c9059dd73200.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\Local Settings\MuiCache	svchost.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2620	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1580	NEAS.604c13e89b7040430744c9059dd73200.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1580	NEAS.604c13e89b7040430744c9059dd73200.exe
Token: SeSecurityPrivilege	1580	NEAS.604c13e89b7040430744c9059dd73200.exe
Token: SeSecurityPrivilege	2620	svchost.exe
Token: SeSecurityPrivilege	2620	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 2620	1580	NEAS.604c13e89b7040430744c9059dd73200.exe	29
PID 1580 wrote to memory of 2620	1580	NEAS.604c13e89b7040430744c9059dd73200.exe	29
PID 1580 wrote to memory of 2620	1580	NEAS.604c13e89b7040430744c9059dd73200.exe	29
PID 1580 wrote to memory of 2620	1580	NEAS.604c13e89b7040430744c9059dd73200.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.604c13e89b7040430744c9059dd73200.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.604c13e89b7040430744c9059dd73200.exe"
1⤵
- Loads dropped DLL
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1445e59b38f54be8786b1354a524767c

SHA1
5058d84f663d392713ab4e99ee28732b913b7f74

SHA256
cc485c28fab1c32effcfcf2cebb7850255e3689047ca1b7f733c482145c22333

SHA512
b1ac537a6e16cab7cf4c6112d3c9ab623d8cabbe2dcfdc8382053922e712942ded17d80482bea1b423bf69076c1683f0c09d4a590f297580c47d83ca2651b8fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e18a9c33c39de357dccf31f1c2401ab9

SHA1
66517ab86382d03544a607b9023c65d15c19d5dc

SHA256
3c839f58be330452cec3d772e4bd45f14f74bddcd128a72540a8668709849d25

SHA512
b922e73993b4eaa0d72c9a61ca34b4f2458a09706708168ff037bb6e541e81864fa8d091dc4c5d721417b4ddd9b22419a1ea74abf1917b604b5e1d1a9c131f6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
09a2324cc8991fc28f05fca918e4b7ac

SHA1
ffd8ab30f17f1d653b581b192e4d57dcb6a93078

SHA256
a49d3027f4d5b2351eef064083e620efbc24725cfeb00d334e3416c4c3895afb

SHA512
47f12ff27e96870db3f643aeaacc32285528d9339c9d33bb756f4c2c8d4a369dfed27c5b82cc02c4979e8b3aececbd2a750e6d8db4264ee9bb559612a9d421f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7fb36089ed6f32b2f064457424ab9e7f

SHA1
b2b2c8b1f5acbb7403b650eee8e0d9795644e664

SHA256
ca11f5a81a6b437870c3c0411846a807134c9eca34892d604e4014401d166b89

SHA512
fda5703b7a02ea03fd9b36939277048c770810776dd6c57ba574f0880c69135576bb557822fe3b40ee44dcaed992b2858961b8f04d7a9c2d28ac92db36a7e492

Download Submit
C:\Users\Admin\AppData\LocalLow\Temp\Cab46E4.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Temp\Tar4919.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Windows\AppPatch\svchost.exe

Filesize
212KB

MD5
17fb2929edf20d5702b04146f34d3840

SHA1
88f34aa08a741ee5d3cd7978cc7fffb027892e40

SHA256
0d1c85c4d252ed290c73bdd434752d910c0caab6782c29ad83a71249be775985

SHA512
8db866ea34a504e8698c4f23c4b708cf19c81da87e433aa1483f5a26d509d6ebf061f91520fdd237f494d0423498cf2a191ec349c7e6bed7dd57fcb570718c24

Download Submit
C:\Windows\AppPatch\svchost.exe

Filesize
212KB

MD5
17fb2929edf20d5702b04146f34d3840

SHA1
88f34aa08a741ee5d3cd7978cc7fffb027892e40

SHA256
0d1c85c4d252ed290c73bdd434752d910c0caab6782c29ad83a71249be775985

SHA512
8db866ea34a504e8698c4f23c4b708cf19c81da87e433aa1483f5a26d509d6ebf061f91520fdd237f494d0423498cf2a191ec349c7e6bed7dd57fcb570718c24

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
212KB

MD5
17fb2929edf20d5702b04146f34d3840

SHA1
88f34aa08a741ee5d3cd7978cc7fffb027892e40

SHA256
0d1c85c4d252ed290c73bdd434752d910c0caab6782c29ad83a71249be775985

SHA512
8db866ea34a504e8698c4f23c4b708cf19c81da87e433aa1483f5a26d509d6ebf061f91520fdd237f494d0423498cf2a191ec349c7e6bed7dd57fcb570718c24

Download Submit
\Windows\AppPatch\svchost.exe

Filesize
212KB

MD5
17fb2929edf20d5702b04146f34d3840

SHA1
88f34aa08a741ee5d3cd7978cc7fffb027892e40

SHA256
0d1c85c4d252ed290c73bdd434752d910c0caab6782c29ad83a71249be775985

SHA512
8db866ea34a504e8698c4f23c4b708cf19c81da87e433aa1483f5a26d509d6ebf061f91520fdd237f494d0423498cf2a191ec349c7e6bed7dd57fcb570718c24

Download Submit
\Windows\AppPatch\svchost.exe

Filesize
212KB

MD5
17fb2929edf20d5702b04146f34d3840

SHA1
88f34aa08a741ee5d3cd7978cc7fffb027892e40

SHA256
0d1c85c4d252ed290c73bdd434752d910c0caab6782c29ad83a71249be775985

SHA512
8db866ea34a504e8698c4f23c4b708cf19c81da87e433aa1483f5a26d509d6ebf061f91520fdd237f494d0423498cf2a191ec349c7e6bed7dd57fcb570718c24

Download Submit
memory/1580-18-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1580-17-0x0000000000220000-0x0000000000272000-memory.dmp

Filesize
328KB

Download
memory/1580-1-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1580-0-0x0000000000220000-0x0000000000272000-memory.dmp

Filesize
328KB

Download
memory/2620-52-0x0000000002530000-0x00000000025E7000-memory.dmp

Filesize
732KB

Download
memory/2620-64-0x0000000002530000-0x00000000025E7000-memory.dmp

Filesize
732KB

Download
memory/2620-34-0x0000000002530000-0x00000000025E7000-memory.dmp

Filesize
732KB

Download
memory/2620-33-0x0000000002530000-0x00000000025E7000-memory.dmp

Filesize
732KB

Download
memory/2620-36-0x0000000002530000-0x00000000025E7000-memory.dmp

Filesize
732KB

Download
memory/2620-38-0x0000000002530000-0x00000000025E7000-memory.dmp

Filesize
732KB

Download
memory/2620-39-0x0000000002530000-0x00000000025E7000-memory.dmp

Filesize
732KB

Download
memory/2620-40-0x0000000002530000-0x00000000025E7000-memory.dmp

Filesize
732KB

Download
memory/2620-41-0x0000000002530000-0x00000000025E7000-memory.dmp

Filesize
732KB

Download
memory/2620-42-0x0000000002530000-0x00000000025E7000-memory.dmp

Filesize
732KB

Download
memory/2620-43-0x0000000002530000-0x00000000025E7000-memory.dmp

Filesize
732KB

Download
memory/2620-44-0x0000000002530000-0x00000000025E7000-memory.dmp

Filesize
732KB

Download
memory/2620-45-0x0000000002530000-0x00000000025E7000-memory.dmp

Filesize
732KB

Download
memory/2620-46-0x0000000002530000-0x00000000025E7000-memory.dmp

Filesize
732KB

Download
memory/2620-47-0x0000000002530000-0x00000000025E7000-memory.dmp

Filesize
732KB

Download
memory/2620-48-0x0000000002530000-0x00000000025E7000-memory.dmp

Filesize
732KB

Download
memory/2620-49-0x0000000002530000-0x00000000025E7000-memory.dmp

Filesize
732KB

Download
memory/2620-50-0x0000000002530000-0x00000000025E7000-memory.dmp

Filesize
732KB

Download
memory/2620-51-0x0000000002530000-0x00000000025E7000-memory.dmp

Filesize
732KB

Download
memory/2620-30-0x0000000002380000-0x000000000242A000-memory.dmp

Filesize
680KB

Download
memory/2620-53-0x0000000002530000-0x00000000025E7000-memory.dmp

Filesize
732KB

Download
memory/2620-54-0x0000000002530000-0x00000000025E7000-memory.dmp

Filesize
732KB

Download
memory/2620-55-0x0000000002530000-0x00000000025E7000-memory.dmp

Filesize
732KB

Download
memory/2620-56-0x0000000002530000-0x00000000025E7000-memory.dmp

Filesize
732KB

Download
memory/2620-57-0x0000000002530000-0x00000000025E7000-memory.dmp

Filesize
732KB

Download
memory/2620-60-0x0000000002530000-0x00000000025E7000-memory.dmp

Filesize
732KB

Download
memory/2620-63-0x0000000002530000-0x00000000025E7000-memory.dmp

Filesize
732KB

Download
memory/2620-31-0x0000000002530000-0x00000000025E7000-memory.dmp

Filesize
732KB

Download
memory/2620-66-0x0000000002530000-0x00000000025E7000-memory.dmp

Filesize
732KB

Download
memory/2620-67-0x0000000002530000-0x00000000025E7000-memory.dmp

Filesize
732KB

Download
memory/2620-68-0x0000000002530000-0x00000000025E7000-memory.dmp

Filesize
732KB

Download
memory/2620-70-0x0000000002530000-0x00000000025E7000-memory.dmp

Filesize
732KB

Download
memory/2620-69-0x0000000002530000-0x00000000025E7000-memory.dmp

Filesize
732KB

Download
memory/2620-72-0x0000000002530000-0x00000000025E7000-memory.dmp

Filesize
732KB

Download
memory/2620-71-0x0000000002530000-0x00000000025E7000-memory.dmp

Filesize
732KB

Download
memory/2620-73-0x0000000002530000-0x00000000025E7000-memory.dmp

Filesize
732KB

Download
memory/2620-74-0x0000000002530000-0x00000000025E7000-memory.dmp

Filesize
732KB

Download
memory/2620-75-0x0000000002530000-0x00000000025E7000-memory.dmp

Filesize
732KB

Download
memory/2620-76-0x0000000002530000-0x00000000025E7000-memory.dmp

Filesize
732KB

Download
memory/2620-79-0x0000000002530000-0x00000000025E7000-memory.dmp

Filesize
732KB

Download
memory/2620-77-0x0000000002530000-0x00000000025E7000-memory.dmp

Filesize
732KB

Download
memory/2620-78-0x0000000002530000-0x00000000025E7000-memory.dmp

Filesize
732KB

Download
memory/2620-81-0x0000000002530000-0x00000000025E7000-memory.dmp

Filesize
732KB

Download
memory/2620-82-0x0000000002530000-0x00000000025E7000-memory.dmp

Filesize
732KB

Download
memory/2620-83-0x0000000002530000-0x00000000025E7000-memory.dmp

Filesize
732KB

Download
memory/2620-84-0x0000000002530000-0x00000000025E7000-memory.dmp

Filesize
732KB

Download
memory/2620-85-0x0000000002530000-0x00000000025E7000-memory.dmp

Filesize
732KB

Download
memory/2620-28-0x0000000002380000-0x000000000242A000-memory.dmp

Filesize
680KB

Download
memory/2620-26-0x0000000002380000-0x000000000242A000-memory.dmp

Filesize
680KB

Download
memory/2620-24-0x0000000002380000-0x000000000242A000-memory.dmp

Filesize
680KB

Download
memory/2620-22-0x0000000002380000-0x000000000242A000-memory.dmp

Filesize
680KB

Download
memory/2620-20-0x0000000002380000-0x000000000242A000-memory.dmp

Filesize
680KB

Download
memory/2620-19-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2620-499-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2620-665-0x0000000002530000-0x00000000025E7000-memory.dmp

Filesize
732KB

Download