9fe0a993037dbb7c29e2b3c3244fe303e9f72cb7588641d239fcc5af712580c4

Analysis

max time kernel
152s
max time network
142s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 16:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.073fab4b680398e2ac4f8931f076b440_JC.exe
Size

415KB
MD5

073fab4b680398e2ac4f8931f076b440
SHA1

5b9c3dc1ad790755d16859eab025fb30aa6470ef
SHA256

9fe0a993037dbb7c29e2b3c3244fe303e9f72cb7588641d239fcc5af712580c4
SHA512

6d2a094732f9211cd923f846d6e14785aee388e4794960b59315c22ea31c7d3c13a1a74cab5e2163d8c0f4b486f67dc63fd07487f2087b0bd2900407f19bf354
SSDEEP

12288:srdH8/giNOvQtqOLsicFTINftCHBqRI12:2SIxywicmJtCHF

Score

8^/10

evasion persistence

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Executes dropped EXE 2 IoCs

pid	Process
2352	wmsdk64_32.exe
2660	wscsvc32.exe

Loads dropped DLL 5 IoCs

pid	Process
1708	NEAS.073fab4b680398e2ac4f8931f076b440_JC.exe
1708	NEAS.073fab4b680398e2ac4f8931f076b440_JC.exe
2352	wmsdk64_32.exe
2352	wmsdk64_32.exe
2352	wmsdk64_32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmsdk64_32.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmsdk64_32.exe"	NEAS.073fab4b680398e2ac4f8931f076b440_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main	wscsvc32.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1708	NEAS.073fab4b680398e2ac4f8931f076b440_JC.exe
1708	NEAS.073fab4b680398e2ac4f8931f076b440_JC.exe
1708	NEAS.073fab4b680398e2ac4f8931f076b440_JC.exe
1708	NEAS.073fab4b680398e2ac4f8931f076b440_JC.exe
2352	wmsdk64_32.exe
2352	wmsdk64_32.exe
2352	wmsdk64_32.exe
2352	wmsdk64_32.exe
2352	wmsdk64_32.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1708	NEAS.073fab4b680398e2ac4f8931f076b440_JC.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2352	wmsdk64_32.exe
2352	wmsdk64_32.exe
2352	wmsdk64_32.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2352	wmsdk64_32.exe
2352	wmsdk64_32.exe
2352	wmsdk64_32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2660	wscsvc32.exe
2660	wscsvc32.exe
2660	wscsvc32.exe
2660	wscsvc32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 2352	1708	NEAS.073fab4b680398e2ac4f8931f076b440_JC.exe	27
PID 1708 wrote to memory of 2352	1708	NEAS.073fab4b680398e2ac4f8931f076b440_JC.exe	27
PID 1708 wrote to memory of 2352	1708	NEAS.073fab4b680398e2ac4f8931f076b440_JC.exe	27
PID 1708 wrote to memory of 2352	1708	NEAS.073fab4b680398e2ac4f8931f076b440_JC.exe	27
PID 2352 wrote to memory of 2660	2352	wmsdk64_32.exe	29
PID 2352 wrote to memory of 2660	2352	wmsdk64_32.exe	29
PID 2352 wrote to memory of 2660	2352	wmsdk64_32.exe	29
PID 2352 wrote to memory of 2660	2352	wmsdk64_32.exe	29

System policy modification 1 TTPs 5 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wmsdk64_32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	wmsdk64_32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	wscsvc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	NEAS.073fab4b680398e2ac4f8931f076b440_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	NEAS.073fab4b680398e2ac4f8931f076b440_JC.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.073fab4b680398e2ac4f8931f076b440_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.073fab4b680398e2ac4f8931f076b440_JC.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1708
- C:\Users\Admin\AppData\Local\Temp\wmsdk64_32.exe
  "C:\Users\Admin\AppData\Local\Temp\wmsdk64_32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2352
- - C:\Users\Admin\AppData\Local\Temp\wscsvc32.exe
    C:\Users\Admin\AppData\Local\Temp\wscsvc32.exe
    3⤵
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wmsdk64_32.exe

Filesize
415KB

MD5
073fab4b680398e2ac4f8931f076b440

SHA1
5b9c3dc1ad790755d16859eab025fb30aa6470ef

SHA256
9fe0a993037dbb7c29e2b3c3244fe303e9f72cb7588641d239fcc5af712580c4

SHA512
6d2a094732f9211cd923f846d6e14785aee388e4794960b59315c22ea31c7d3c13a1a74cab5e2163d8c0f4b486f67dc63fd07487f2087b0bd2900407f19bf354

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsdk64_32.exe

Filesize
415KB

MD5
073fab4b680398e2ac4f8931f076b440

SHA1
5b9c3dc1ad790755d16859eab025fb30aa6470ef

SHA256
9fe0a993037dbb7c29e2b3c3244fe303e9f72cb7588641d239fcc5af712580c4

SHA512
6d2a094732f9211cd923f846d6e14785aee388e4794960b59315c22ea31c7d3c13a1a74cab5e2163d8c0f4b486f67dc63fd07487f2087b0bd2900407f19bf354

Download Submit
C:\Users\Admin\AppData\Local\Temp\wscsvc32.exe

Filesize
263KB

MD5
17e3c0a62571b2a7e5e02593a0cde85e

SHA1
9828576946beef89818e874f493a65fe0b743665

SHA256
8c1e3d299669fa5e17e8d189e2273e66d4ab7a16c3b3a37d0ceb7780dfde07a0

SHA512
9a8810e47e575d29c3d2f0bf139db7f3b62fbdf6e634a0fb1627a656832b75a8ad8fd31ef188c7d7db846484a9438700044fc1644ed3dfae71421ca3736a2135

Download Submit
C:\Users\Admin\AppData\Local\Temp\wscsvc32.exe

Filesize
263KB

MD5
17e3c0a62571b2a7e5e02593a0cde85e

SHA1
9828576946beef89818e874f493a65fe0b743665

SHA256
8c1e3d299669fa5e17e8d189e2273e66d4ab7a16c3b3a37d0ceb7780dfde07a0

SHA512
9a8810e47e575d29c3d2f0bf139db7f3b62fbdf6e634a0fb1627a656832b75a8ad8fd31ef188c7d7db846484a9438700044fc1644ed3dfae71421ca3736a2135

Download Submit
C:\Users\Admin\AppData\Local\Temp\wscsvc32.exe

Filesize
263KB

MD5
17e3c0a62571b2a7e5e02593a0cde85e

SHA1
9828576946beef89818e874f493a65fe0b743665

SHA256
8c1e3d299669fa5e17e8d189e2273e66d4ab7a16c3b3a37d0ceb7780dfde07a0

SHA512
9a8810e47e575d29c3d2f0bf139db7f3b62fbdf6e634a0fb1627a656832b75a8ad8fd31ef188c7d7db846484a9438700044fc1644ed3dfae71421ca3736a2135

Download Submit
\Users\Admin\AppData\Local\Temp\expand32xp.dll

Filesize
316KB

MD5
1d5d41ea1d08227a6bed3235f1662621

SHA1
7a8b3a2d2bcc85492f25a582a519d960dee43782

SHA256
7c2a6540eed79b42281047bdb987f19afb259633143c30be274f44443085e84c

SHA512
a08075b1aacf1ad73167e2d4e6bde8d5a771984eaa9f02fe121719d58ab07b26a902209d05288b298b76cc2db39ca510d37c3d0f53edcfbb664d100c30ed2da3

Download Submit
\Users\Admin\AppData\Local\Temp\wmsdk64_32.exe

Filesize
415KB

MD5
073fab4b680398e2ac4f8931f076b440

SHA1
5b9c3dc1ad790755d16859eab025fb30aa6470ef

SHA256
9fe0a993037dbb7c29e2b3c3244fe303e9f72cb7588641d239fcc5af712580c4

SHA512
6d2a094732f9211cd923f846d6e14785aee388e4794960b59315c22ea31c7d3c13a1a74cab5e2163d8c0f4b486f67dc63fd07487f2087b0bd2900407f19bf354

Download Submit
\Users\Admin\AppData\Local\Temp\wmsdk64_32.exe

Filesize
415KB

MD5
073fab4b680398e2ac4f8931f076b440

SHA1
5b9c3dc1ad790755d16859eab025fb30aa6470ef

SHA256
9fe0a993037dbb7c29e2b3c3244fe303e9f72cb7588641d239fcc5af712580c4

SHA512
6d2a094732f9211cd923f846d6e14785aee388e4794960b59315c22ea31c7d3c13a1a74cab5e2163d8c0f4b486f67dc63fd07487f2087b0bd2900407f19bf354

Download Submit
\Users\Admin\AppData\Local\Temp\wscsvc32.exe

Filesize
263KB

MD5
17e3c0a62571b2a7e5e02593a0cde85e

SHA1
9828576946beef89818e874f493a65fe0b743665

SHA256
8c1e3d299669fa5e17e8d189e2273e66d4ab7a16c3b3a37d0ceb7780dfde07a0

SHA512
9a8810e47e575d29c3d2f0bf139db7f3b62fbdf6e634a0fb1627a656832b75a8ad8fd31ef188c7d7db846484a9438700044fc1644ed3dfae71421ca3736a2135

Download Submit
\Users\Admin\AppData\Local\Temp\wscsvc32.exe

Filesize
263KB

MD5
17e3c0a62571b2a7e5e02593a0cde85e

SHA1
9828576946beef89818e874f493a65fe0b743665

SHA256
8c1e3d299669fa5e17e8d189e2273e66d4ab7a16c3b3a37d0ceb7780dfde07a0

SHA512
9a8810e47e575d29c3d2f0bf139db7f3b62fbdf6e634a0fb1627a656832b75a8ad8fd31ef188c7d7db846484a9438700044fc1644ed3dfae71421ca3736a2135

Download Submit
memory/1708-14-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1708-1-0x00000000002C0000-0x00000000002F5000-memory.dmp

Filesize
212KB

Download
memory/1708-12-0x00000000002C0000-0x00000000002F5000-memory.dmp

Filesize
212KB

Download
memory/1708-2-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1708-0-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2352-44-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/2352-18-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/2352-19-0x0000000010000000-0x0000000010053000-memory.dmp

Filesize
332KB

Download
memory/2352-84-0x0000000010000000-0x0000000010053000-memory.dmp

Filesize
332KB

Download
memory/2352-75-0x0000000010000000-0x0000000010053000-memory.dmp

Filesize
332KB

Download
memory/2352-66-0x0000000010000000-0x0000000010053000-memory.dmp

Filesize
332KB

Download
memory/2660-29-0x00000000002B0000-0x00000000002E5000-memory.dmp

Filesize
212KB

Download
memory/2660-47-0x00000000002B0000-0x00000000002E5000-memory.dmp

Filesize
212KB

Download
memory/2660-48-0x0000000000400000-0x0000000000443C00-memory.dmp

Filesize
271KB

Download
memory/2660-55-0x0000000000400000-0x0000000000443C00-memory.dmp

Filesize
271KB

Download
memory/2660-31-0x0000000000400000-0x0000000000443C00-memory.dmp

Filesize
271KB

Download
memory/2660-67-0x0000000000400000-0x0000000000443C00-memory.dmp

Filesize
271KB

Download
memory/2660-73-0x0000000000400000-0x0000000000443C00-memory.dmp

Filesize
271KB

Download
memory/2660-30-0x0000000000400000-0x0000000000443C00-memory.dmp

Filesize
271KB

Download
memory/2660-28-0x0000000000400000-0x0000000000443C00-memory.dmp

Filesize
271KB

Download
memory/2660-85-0x0000000000400000-0x0000000000443C00-memory.dmp

Filesize
271KB

Download