91e8a25e056ef3d6d6c733170ba9ae92e2dac95866c2c7ef865eb97cf77b91b1

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
17/11/2023, 22:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.3aa153304f53a2ea33e4c74a4ad07dd0.exe
Size

211KB
MD5

3aa153304f53a2ea33e4c74a4ad07dd0
SHA1

620eb2916f6c484e6ddc95932e8ef7b3720a137f
SHA256

91e8a25e056ef3d6d6c733170ba9ae92e2dac95866c2c7ef865eb97cf77b91b1
SHA512

b16947b8f6b7558dc410657032722520dc9b7491045763ca071133b358904b15a795017d99adba66ea08843f2094951b137335456776a6e21f8fcbf81fc6af8a
SSDEEP

3072:bDpM9Nvih5c9DE1pvAPXIHLfMgw7ySBL8PEAjAfIbAYGPJz6sPJBINFZ1Fqnj:b1iNKQxENHLfMgw7y9Zrs

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe"	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe"	swchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	userinit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	swchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"	swchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	swchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	swchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"	swchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	swchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"	userinit.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	swchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2104	userinit.exe
2888	spoolsw.exe
2624	swchost.exe
2604	spoolsw.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO"	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO"	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO"	swchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO"	swchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\udsys.exe	userinit.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\swchost.exe	spoolsw.exe
File opened for modification	\??\c:\windows\userinit.exe	userinit.exe
File opened for modification	\??\c:\windows\swchost.exe	swchost.exe
File opened for modification	\??\c:\windows\userinit.exe	NEAS.3aa153304f53a2ea33e4c74a4ad07dd0.exe
File opened for modification	\??\c:\windows\spoolsw.exe	userinit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
764	NEAS.3aa153304f53a2ea33e4c74a4ad07dd0.exe
2104	userinit.exe
2104	userinit.exe
2104	userinit.exe
2624	swchost.exe
2624	swchost.exe
2104	userinit.exe
2624	swchost.exe
2104	userinit.exe
2624	swchost.exe
2104	userinit.exe
2624	swchost.exe
2104	userinit.exe
2624	swchost.exe
2104	userinit.exe
2624	swchost.exe
2104	userinit.exe
2624	swchost.exe
2104	userinit.exe
2624	swchost.exe
2104	userinit.exe
2624	swchost.exe
2104	userinit.exe
2624	swchost.exe
2104	userinit.exe
2624	swchost.exe
2104	userinit.exe
2624	swchost.exe
2104	userinit.exe
2624	swchost.exe
2104	userinit.exe
2624	swchost.exe
2104	userinit.exe
2624	swchost.exe
2104	userinit.exe
2624	swchost.exe
2104	userinit.exe
2624	swchost.exe
2104	userinit.exe
2624	swchost.exe
2104	userinit.exe
2624	swchost.exe
2104	userinit.exe
2624	swchost.exe
2104	userinit.exe
2624	swchost.exe
2104	userinit.exe
2624	swchost.exe
2104	userinit.exe
2624	swchost.exe
2104	userinit.exe
2624	swchost.exe
2104	userinit.exe
2624	swchost.exe
2104	userinit.exe
2624	swchost.exe
2104	userinit.exe
2624	swchost.exe
2104	userinit.exe
2624	swchost.exe
2104	userinit.exe
2624	swchost.exe
2104	userinit.exe
2624	swchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2104	userinit.exe
2624	swchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
764	NEAS.3aa153304f53a2ea33e4c74a4ad07dd0.exe
764	NEAS.3aa153304f53a2ea33e4c74a4ad07dd0.exe
2104	userinit.exe
2104	userinit.exe
2888	spoolsw.exe
2888	spoolsw.exe
2624	swchost.exe
2624	swchost.exe
2604	spoolsw.exe
2604	spoolsw.exe
2104	userinit.exe
2104	userinit.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 764 wrote to memory of 2104	764	NEAS.3aa153304f53a2ea33e4c74a4ad07dd0.exe	29
PID 764 wrote to memory of 2104	764	NEAS.3aa153304f53a2ea33e4c74a4ad07dd0.exe	29
PID 764 wrote to memory of 2104	764	NEAS.3aa153304f53a2ea33e4c74a4ad07dd0.exe	29
PID 764 wrote to memory of 2104	764	NEAS.3aa153304f53a2ea33e4c74a4ad07dd0.exe	29
PID 2104 wrote to memory of 2888	2104	userinit.exe	30
PID 2104 wrote to memory of 2888	2104	userinit.exe	30
PID 2104 wrote to memory of 2888	2104	userinit.exe	30
PID 2104 wrote to memory of 2888	2104	userinit.exe	30
PID 2888 wrote to memory of 2624	2888	spoolsw.exe	31
PID 2888 wrote to memory of 2624	2888	spoolsw.exe	31
PID 2888 wrote to memory of 2624	2888	spoolsw.exe	31
PID 2888 wrote to memory of 2624	2888	spoolsw.exe	31
PID 2624 wrote to memory of 2604	2624	swchost.exe	32
PID 2624 wrote to memory of 2604	2624	swchost.exe	32
PID 2624 wrote to memory of 2604	2624	swchost.exe	32
PID 2624 wrote to memory of 2604	2624	swchost.exe	32

C:\Users\Admin\AppData\Local\Temp\NEAS.3aa153304f53a2ea33e4c74a4ad07dd0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.3aa153304f53a2ea33e4c74a4ad07dd0.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:764
- \??\c:\windows\userinit.exe
  c:\windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2104
- - \??\c:\windows\spoolsw.exe
    c:\windows\spoolsw.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - \??\c:\windows\swchost.exe
      c:\windows\swchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2624
    - - \??\c:\windows\spoolsw.exe
        
        c:\windows\spoolsw.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\mrsys.exe

Filesize
211KB

MD5
eadf51ad1695128b070f2fa4f0956991

SHA1
c69ef227a11445ce37a7db30880a1c25fbe0dfe9

SHA256
f742b4a5e3283f21a1c2616faf2cda521fcf3fbd2cd887e144b8f2804a84169b

SHA512
b1b83abfa1baa2826a67e9460dc0b5e004787f8bbe5413ed344488c1df8f7e018ce5f4c2368bbfcda6b9a2b3662adbb3884b7bb5befe83899e9f371e5c3b40c1

Download Submit
C:\Windows\spoolsw.exe

Filesize
211KB

MD5
7399365c217819b86b7eaa6a5f283cd0

SHA1
99a0b753c4d5ec07c6771445ed0ac76fd53906e9

SHA256
9a620f754391ab893285c1b6f2ccd80551608da85cd319627398e2c0e296adf5

SHA512
abee12c63444c453b759c597016b174601ce4ea80cddfca8731b1d7a4a12f9e0f02323c28bed0acee3bc32b9217bb0ef0b5acee7ef272609eff9609abb7323a4

Download Submit
C:\Windows\spoolsw.exe

Filesize
211KB

MD5
7399365c217819b86b7eaa6a5f283cd0

SHA1
99a0b753c4d5ec07c6771445ed0ac76fd53906e9

SHA256
9a620f754391ab893285c1b6f2ccd80551608da85cd319627398e2c0e296adf5

SHA512
abee12c63444c453b759c597016b174601ce4ea80cddfca8731b1d7a4a12f9e0f02323c28bed0acee3bc32b9217bb0ef0b5acee7ef272609eff9609abb7323a4

Download Submit
C:\Windows\swchost.exe

Filesize
211KB

MD5
1f32dbbf091651b3c357dfd88fa228e2

SHA1
6d30ef9eee3e8708d8fda2d4f40d87ceac05739e

SHA256
660dea3a2c1925eef7a9e7882a2de3aca0a56c843e75fda5f644cd9a5c60b0f5

SHA512
36cc1bf5b85d5e1c1fa90fb8c9becac22f4baab864016cfc96685afd5c548e04d579c8a39b2572deba24225763ab2b43e36252aadb8832fe31d54b7a87f9735e

Download Submit
C:\Windows\userinit.exe

Filesize
211KB

MD5
c0098356e98ab3681b66102567bdc4bd

SHA1
12f6ff757a1ea1de06de0fdda0fc50660211e495

SHA256
a7da676df7732697313594dac461ddd4bebb8940129a0f8b078dcefd3b485f79

SHA512
11106e9116d48c56ec7234d427f9c4af004061aba449ec221d155b9d5b133e17232fa8ee8075be3c054e5233992e1c74b5d774e0e4f81a5b08494274bf71af2e

Download Submit
C:\Windows\userinit.exe

Filesize
211KB

MD5
c0098356e98ab3681b66102567bdc4bd

SHA1
12f6ff757a1ea1de06de0fdda0fc50660211e495

SHA256
a7da676df7732697313594dac461ddd4bebb8940129a0f8b078dcefd3b485f79

SHA512
11106e9116d48c56ec7234d427f9c4af004061aba449ec221d155b9d5b133e17232fa8ee8075be3c054e5233992e1c74b5d774e0e4f81a5b08494274bf71af2e

Download Submit
\??\c:\windows\spoolsw.exe

Filesize
211KB

MD5
7399365c217819b86b7eaa6a5f283cd0

SHA1
99a0b753c4d5ec07c6771445ed0ac76fd53906e9

SHA256
9a620f754391ab893285c1b6f2ccd80551608da85cd319627398e2c0e296adf5

SHA512
abee12c63444c453b759c597016b174601ce4ea80cddfca8731b1d7a4a12f9e0f02323c28bed0acee3bc32b9217bb0ef0b5acee7ef272609eff9609abb7323a4

Download Submit
\??\c:\windows\swchost.exe

Filesize
211KB

MD5
1f32dbbf091651b3c357dfd88fa228e2

SHA1
6d30ef9eee3e8708d8fda2d4f40d87ceac05739e

SHA256
660dea3a2c1925eef7a9e7882a2de3aca0a56c843e75fda5f644cd9a5c60b0f5

SHA512
36cc1bf5b85d5e1c1fa90fb8c9becac22f4baab864016cfc96685afd5c548e04d579c8a39b2572deba24225763ab2b43e36252aadb8832fe31d54b7a87f9735e

Download Submit
\??\c:\windows\userinit.exe

Filesize
211KB

MD5
c0098356e98ab3681b66102567bdc4bd

SHA1
12f6ff757a1ea1de06de0fdda0fc50660211e495

SHA256
a7da676df7732697313594dac461ddd4bebb8940129a0f8b078dcefd3b485f79

SHA512
11106e9116d48c56ec7234d427f9c4af004061aba449ec221d155b9d5b133e17232fa8ee8075be3c054e5233992e1c74b5d774e0e4f81a5b08494274bf71af2e

Download Submit