6139873fb7d4f5918a4f2b56dbc49d943c33276d1b453fac2065dfd1cd764601

Analysis

max time kernel
156s
max time network
171s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
17/11/2023, 02:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.68dc620ba38c4feed9d40902bdb58e20.exe
Size

208KB
MD5

68dc620ba38c4feed9d40902bdb58e20
SHA1

710c5ab2c024fbd85e98e2ae4739d4bfe03fa8bd
SHA256

6139873fb7d4f5918a4f2b56dbc49d943c33276d1b453fac2065dfd1cd764601
SHA512

c0a7ae0d293cd3f90e8483b09a775b7036e29937134d6ce26cee0870271fb91c4d6c09eeecdbb99652c735d0f8accda83778d8d287c78f197d1297689f8c8526
SSDEEP

6144:0ZWia9ubuBsyGvMwlvaB8Mi5vz9IGePA+hq5:iquCuygMQjd5vJIBP1

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2088	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
852	NEAS.68dc620ba38c4feed9d40902bdb58e20.exe
852	NEAS.68dc620ba38c4feed9d40902bdb58e20.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\be20f6c2 = "C:\\Windows\\apppatch\\svchost.exe"	NEAS.68dc620ba38c4feed9d40902bdb58e20.exe

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\lysyfyj.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\pupycag.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\volykit.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qetyfuv.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\puzylyp.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gahyqah.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lyrysor.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\galynuh.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qetyhyg.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vonypom.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lymyxid.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vofycot.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gadyciz.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\purylev.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gatyhub.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vocyzit.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vojyqem.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\galyqaz.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qexyhuv.com	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	NEAS.68dc620ba38c4feed9d40902bdb58e20.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	NEAS.68dc620ba38c4feed9d40902bdb58e20.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\Local Settings\MuiCache	svchost.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2088	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
852	NEAS.68dc620ba38c4feed9d40902bdb58e20.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	852	NEAS.68dc620ba38c4feed9d40902bdb58e20.exe
Token: SeSecurityPrivilege	852	NEAS.68dc620ba38c4feed9d40902bdb58e20.exe
Token: SeSecurityPrivilege	2088	svchost.exe
Token: SeSecurityPrivilege	2088	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 2088	852	NEAS.68dc620ba38c4feed9d40902bdb58e20.exe	28
PID 852 wrote to memory of 2088	852	NEAS.68dc620ba38c4feed9d40902bdb58e20.exe	28
PID 852 wrote to memory of 2088	852	NEAS.68dc620ba38c4feed9d40902bdb58e20.exe	28
PID 852 wrote to memory of 2088	852	NEAS.68dc620ba38c4feed9d40902bdb58e20.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.68dc620ba38c4feed9d40902bdb58e20.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.68dc620ba38c4feed9d40902bdb58e20.exe"
1⤵
- Loads dropped DLL
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:852
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f4bdf7f477d4f08fd449336d8ecf050d

SHA1
dc6172b52eddc99d834bf22994e0ea8d9f380c35

SHA256
511c1659c3bdbd1f78c215a6dd751ab358cb15aa76f9fb71fbc5d068a60b0f75

SHA512
9d6d09666252d2852b8ffd5c207076fc0c198372aebc32c41b3bed5c4fa569ccdc65709f4fb46839e0b29721b6a69ec82ff982c1eba0dfcc58aa6beed5530c72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c552e11a06339d54a7147743ac4dd063

SHA1
39324be33dae6d5d3b2b1a2ce15749a3d13984ef

SHA256
4e0a2811b38687fbdbbcdfbb8e8c4be1d35f728ceec6b1a8d6f41a2888ef4568

SHA512
9187899c2576463b8c391a81af0bc53b9057e8e8cb64422e4cbbcbeb1da43bd2025c559be19c51c3827ffa8d6b79a81ee21a8521d0f2f78b94e2a023d28fbf73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f3ad3bc46272b139123c6497b7188173

SHA1
7ee5880ab1732352bd3cb8c1e8249374f80567b1

SHA256
92daf4f7f12e15a98ba55cc07f0abf42b7d8535892bbee6a4b0f5c2433054b23

SHA512
2dccf679cb8b7bfe735728fb805ecdf73a46a3663e85f7907b2a25a426dee95949848474df224a3c3da2eaee0bdd227067c60e603129b22cdc8cb6831955de9c

Download Submit
C:\Users\Admin\AppData\LocalLow\Temp\CabAAF3.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Temp\TarAE03.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Windows\AppPatch\svchost.exe

Filesize
208KB

MD5
af196d1259cbc59fdfdfa83a2931465d

SHA1
fb10b123687cb84801fa8ef808dd82e393bfaa4c

SHA256
600207248f79490d53696369d85b4000b4335921896c70d48ab902e81c14f7c4

SHA512
11cfd731eb36b8d60520970115b7ce3f7cb00edcd981822b6e7e43b73f0a3269136f4391b0d02db215e7677f33f20863919198c269d36a723f74049513fbd070

Download Submit
C:\Windows\AppPatch\svchost.exe

Filesize
208KB

MD5
af196d1259cbc59fdfdfa83a2931465d

SHA1
fb10b123687cb84801fa8ef808dd82e393bfaa4c

SHA256
600207248f79490d53696369d85b4000b4335921896c70d48ab902e81c14f7c4

SHA512
11cfd731eb36b8d60520970115b7ce3f7cb00edcd981822b6e7e43b73f0a3269136f4391b0d02db215e7677f33f20863919198c269d36a723f74049513fbd070

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
208KB

MD5
af196d1259cbc59fdfdfa83a2931465d

SHA1
fb10b123687cb84801fa8ef808dd82e393bfaa4c

SHA256
600207248f79490d53696369d85b4000b4335921896c70d48ab902e81c14f7c4

SHA512
11cfd731eb36b8d60520970115b7ce3f7cb00edcd981822b6e7e43b73f0a3269136f4391b0d02db215e7677f33f20863919198c269d36a723f74049513fbd070

Download Submit
\Windows\AppPatch\svchost.exe

Filesize
208KB

MD5
af196d1259cbc59fdfdfa83a2931465d

SHA1
fb10b123687cb84801fa8ef808dd82e393bfaa4c

SHA256
600207248f79490d53696369d85b4000b4335921896c70d48ab902e81c14f7c4

SHA512
11cfd731eb36b8d60520970115b7ce3f7cb00edcd981822b6e7e43b73f0a3269136f4391b0d02db215e7677f33f20863919198c269d36a723f74049513fbd070

Download Submit
\Windows\AppPatch\svchost.exe

Filesize
208KB

MD5
af196d1259cbc59fdfdfa83a2931465d

SHA1
fb10b123687cb84801fa8ef808dd82e393bfaa4c

SHA256
600207248f79490d53696369d85b4000b4335921896c70d48ab902e81c14f7c4

SHA512
11cfd731eb36b8d60520970115b7ce3f7cb00edcd981822b6e7e43b73f0a3269136f4391b0d02db215e7677f33f20863919198c269d36a723f74049513fbd070

Download Submit
memory/852-21-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/852-19-0x00000000002B0000-0x0000000000302000-memory.dmp

Filesize
328KB

Download
memory/852-2-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/852-1-0x00000000002B0000-0x0000000000302000-memory.dmp

Filesize
328KB

Download
memory/852-0-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2088-52-0x0000000002470000-0x0000000002527000-memory.dmp

Filesize
732KB

Download
memory/2088-60-0x0000000002470000-0x0000000002527000-memory.dmp

Filesize
732KB

Download
memory/2088-33-0x0000000000490000-0x000000000053A000-memory.dmp

Filesize
680KB

Download
memory/2088-34-0x0000000002470000-0x0000000002527000-memory.dmp

Filesize
732KB

Download
memory/2088-36-0x0000000002470000-0x0000000002527000-memory.dmp

Filesize
732KB

Download
memory/2088-38-0x0000000002470000-0x0000000002527000-memory.dmp

Filesize
732KB

Download
memory/2088-29-0x0000000000490000-0x000000000053A000-memory.dmp

Filesize
680KB

Download
memory/2088-40-0x0000000002470000-0x0000000002527000-memory.dmp

Filesize
732KB

Download
memory/2088-41-0x0000000002470000-0x0000000002527000-memory.dmp

Filesize
732KB

Download
memory/2088-42-0x0000000002470000-0x0000000002527000-memory.dmp

Filesize
732KB

Download
memory/2088-43-0x0000000002470000-0x0000000002527000-memory.dmp

Filesize
732KB

Download
memory/2088-44-0x0000000002470000-0x0000000002527000-memory.dmp

Filesize
732KB

Download
memory/2088-45-0x0000000002470000-0x0000000002527000-memory.dmp

Filesize
732KB

Download
memory/2088-46-0x0000000002470000-0x0000000002527000-memory.dmp

Filesize
732KB

Download
memory/2088-47-0x0000000002470000-0x0000000002527000-memory.dmp

Filesize
732KB

Download
memory/2088-48-0x0000000002470000-0x0000000002527000-memory.dmp

Filesize
732KB

Download
memory/2088-49-0x0000000002470000-0x0000000002527000-memory.dmp

Filesize
732KB

Download
memory/2088-50-0x0000000002470000-0x0000000002527000-memory.dmp

Filesize
732KB

Download
memory/2088-51-0x0000000002470000-0x0000000002527000-memory.dmp

Filesize
732KB

Download
memory/2088-27-0x0000000000490000-0x000000000053A000-memory.dmp

Filesize
680KB

Download
memory/2088-53-0x0000000002470000-0x0000000002527000-memory.dmp

Filesize
732KB

Download
memory/2088-54-0x0000000002470000-0x0000000002527000-memory.dmp

Filesize
732KB

Download
memory/2088-55-0x0000000002470000-0x0000000002527000-memory.dmp

Filesize
732KB

Download
memory/2088-56-0x0000000002470000-0x0000000002527000-memory.dmp

Filesize
732KB

Download
memory/2088-57-0x0000000002470000-0x0000000002527000-memory.dmp

Filesize
732KB

Download
memory/2088-58-0x0000000002470000-0x0000000002527000-memory.dmp

Filesize
732KB

Download
memory/2088-59-0x0000000002470000-0x0000000002527000-memory.dmp

Filesize
732KB

Download
memory/2088-31-0x0000000000490000-0x000000000053A000-memory.dmp

Filesize
680KB

Download
memory/2088-61-0x0000000002470000-0x0000000002527000-memory.dmp

Filesize
732KB

Download
memory/2088-62-0x0000000002470000-0x0000000002527000-memory.dmp

Filesize
732KB

Download
memory/2088-63-0x0000000002470000-0x0000000002527000-memory.dmp

Filesize
732KB

Download
memory/2088-64-0x0000000002470000-0x0000000002527000-memory.dmp

Filesize
732KB

Download
memory/2088-65-0x0000000002470000-0x0000000002527000-memory.dmp

Filesize
732KB

Download
memory/2088-66-0x0000000002470000-0x0000000002527000-memory.dmp

Filesize
732KB

Download
memory/2088-69-0x0000000002470000-0x0000000002527000-memory.dmp

Filesize
732KB

Download
memory/2088-71-0x0000000002470000-0x0000000002527000-memory.dmp

Filesize
732KB

Download
memory/2088-70-0x0000000002470000-0x0000000002527000-memory.dmp

Filesize
732KB

Download
memory/2088-74-0x0000000002470000-0x0000000002527000-memory.dmp

Filesize
732KB

Download
memory/2088-75-0x0000000002470000-0x0000000002527000-memory.dmp

Filesize
732KB

Download
memory/2088-76-0x0000000002470000-0x0000000002527000-memory.dmp

Filesize
732KB

Download
memory/2088-77-0x0000000002470000-0x0000000002527000-memory.dmp

Filesize
732KB

Download
memory/2088-78-0x0000000002470000-0x0000000002527000-memory.dmp

Filesize
732KB

Download
memory/2088-79-0x0000000002470000-0x0000000002527000-memory.dmp

Filesize
732KB

Download
memory/2088-80-0x0000000002470000-0x0000000002527000-memory.dmp

Filesize
732KB

Download
memory/2088-81-0x0000000002470000-0x0000000002527000-memory.dmp

Filesize
732KB

Download
memory/2088-82-0x0000000002470000-0x0000000002527000-memory.dmp

Filesize
732KB

Download
memory/2088-83-0x0000000002470000-0x0000000002527000-memory.dmp

Filesize
732KB

Download
memory/2088-84-0x0000000002470000-0x0000000002527000-memory.dmp

Filesize
732KB

Download
memory/2088-85-0x0000000002470000-0x0000000002527000-memory.dmp

Filesize
732KB

Download
memory/2088-25-0x0000000000490000-0x000000000053A000-memory.dmp

Filesize
680KB

Download
memory/2088-23-0x0000000000490000-0x000000000053A000-memory.dmp

Filesize
680KB

Download
memory/2088-22-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2088-20-0x0000000000230000-0x0000000000282000-memory.dmp

Filesize
328KB

Download
memory/2088-18-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2088-724-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2088-823-0x0000000002470000-0x0000000002527000-memory.dmp

Filesize
732KB

Download