0c351f38a364a6e5c3bfd1579de668d585c668f463440c6db076e0faa4697303

Analysis

max time kernel
120s
max time network
128s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13/10/2023, 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.68f360ba7d874645c414e37282b2efe0.exe
Size

208KB
MD5

68f360ba7d874645c414e37282b2efe0
SHA1

8c0ba1fb2cbb3dc7265ba29b9f3d10e5b154631a
SHA256

0c351f38a364a6e5c3bfd1579de668d585c668f463440c6db076e0faa4697303
SHA512

01a964287731b7601f028c87c03ea67ded3cecc24173f896ffb03eeca4a57bd85ac8b94d04a079a9f764df73ca42067ffbcfcd41b22cd4a27a5cdff3807a4139
SSDEEP

3072:8Q8zG+zq+7PYYj/N7Ts50IllG2TF1kA7aGHv94NLthEjQT6j:8Q8zGv+b7TSpd1QEj1

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3056	AXN.exe
2752	AVEA.exe
2556	GSWNH.exe
1392	CDREFSX.exe

Loads dropped DLL 6 IoCs

pid	Process
2892	cmd.exe
2892	cmd.exe
2524	cmd.exe
2524	cmd.exe
2152	cmd.exe
2152	cmd.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\windows\SysWOW64\GSWNH.exe	AVEA.exe
File created	C:\windows\SysWOW64\GSWNH.exe.bat	AVEA.exe
File created	C:\windows\SysWOW64\AVEA.exe	AXN.exe
File opened for modification	C:\windows\SysWOW64\AVEA.exe	AXN.exe
File created	C:\windows\SysWOW64\AVEA.exe.bat	AXN.exe
File created	C:\windows\SysWOW64\GSWNH.exe	AVEA.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\windows\system\CDREFSX.exe	GSWNH.exe
File created	C:\windows\system\CDREFSX.exe.bat	GSWNH.exe
File created	C:\windows\AXN.exe	NEAS.68f360ba7d874645c414e37282b2efe0.exe
File opened for modification	C:\windows\AXN.exe	NEAS.68f360ba7d874645c414e37282b2efe0.exe
File created	C:\windows\AXN.exe.bat	NEAS.68f360ba7d874645c414e37282b2efe0.exe
File created	C:\windows\system\CDREFSX.exe	GSWNH.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2208	NEAS.68f360ba7d874645c414e37282b2efe0.exe
3056	AXN.exe
2752	AVEA.exe
2556	GSWNH.exe
1392	CDREFSX.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2208	NEAS.68f360ba7d874645c414e37282b2efe0.exe
2208	NEAS.68f360ba7d874645c414e37282b2efe0.exe
3056	AXN.exe
3056	AXN.exe
2752	AVEA.exe
2752	AVEA.exe
2556	GSWNH.exe
2556	GSWNH.exe
1392	CDREFSX.exe
1392	CDREFSX.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2376	2208	NEAS.68f360ba7d874645c414e37282b2efe0.exe	28
PID 2208 wrote to memory of 2376	2208	NEAS.68f360ba7d874645c414e37282b2efe0.exe	28
PID 2208 wrote to memory of 2376	2208	NEAS.68f360ba7d874645c414e37282b2efe0.exe	28
PID 2208 wrote to memory of 2376	2208	NEAS.68f360ba7d874645c414e37282b2efe0.exe	28
PID 2376 wrote to memory of 3056	2376	cmd.exe	30
PID 2376 wrote to memory of 3056	2376	cmd.exe	30
PID 2376 wrote to memory of 3056	2376	cmd.exe	30
PID 2376 wrote to memory of 3056	2376	cmd.exe	30
PID 3056 wrote to memory of 2892	3056	AXN.exe	31
PID 3056 wrote to memory of 2892	3056	AXN.exe	31
PID 3056 wrote to memory of 2892	3056	AXN.exe	31
PID 3056 wrote to memory of 2892	3056	AXN.exe	31
PID 2892 wrote to memory of 2752	2892	cmd.exe	33
PID 2892 wrote to memory of 2752	2892	cmd.exe	33
PID 2892 wrote to memory of 2752	2892	cmd.exe	33
PID 2892 wrote to memory of 2752	2892	cmd.exe	33
PID 2752 wrote to memory of 2524	2752	AVEA.exe	34
PID 2752 wrote to memory of 2524	2752	AVEA.exe	34
PID 2752 wrote to memory of 2524	2752	AVEA.exe	34
PID 2752 wrote to memory of 2524	2752	AVEA.exe	34
PID 2524 wrote to memory of 2556	2524	cmd.exe	36
PID 2524 wrote to memory of 2556	2524	cmd.exe	36
PID 2524 wrote to memory of 2556	2524	cmd.exe	36
PID 2524 wrote to memory of 2556	2524	cmd.exe	36
PID 2556 wrote to memory of 2152	2556	GSWNH.exe	37
PID 2556 wrote to memory of 2152	2556	GSWNH.exe	37
PID 2556 wrote to memory of 2152	2556	GSWNH.exe	37
PID 2556 wrote to memory of 2152	2556	GSWNH.exe	37
PID 2152 wrote to memory of 1392	2152	cmd.exe	39
PID 2152 wrote to memory of 1392	2152	cmd.exe	39
PID 2152 wrote to memory of 1392	2152	cmd.exe	39
PID 2152 wrote to memory of 1392	2152	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\NEAS.68f360ba7d874645c414e37282b2efe0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.68f360ba7d874645c414e37282b2efe0.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\AXN.exe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\windows\AXN.exe
    C:\windows\AXN.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\windows\system32\AVEA.exe.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2892
    - - C:\windows\SysWOW64\AVEA.exe
        
        C:\windows\system32\AVEA.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2752
      - C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system32\GSWNH.exe.bat" "
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\windows\SysWOW64\GSWNH.exe
        
        C:\windows\system32\GSWNH.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system\CDREFSX.exe.bat" "
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\windows\system\CDREFSX.exe
        
        C:\windows\system\CDREFSX.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\AXN.exe

Filesize
208KB

MD5
c35f678fb51c13b32e9ff36036e3b463

SHA1
8eedb8e006160ec8d28c6b114289e4e7e558c4a2

SHA256
addc1c7951bacfe50c748a854028905a43be4ea915da993864c507adb05bdcc8

SHA512
cf2dda16ba81a02234146b3c1215ca4c1170801240a27a8e81c8b9597814222b96c568ef1ab9e0e95dd5b10604d3cf07403cd5789dac49c3f0a6b10bdb2e8dfa

Download Submit
C:\Windows\AXN.exe.bat

Filesize
52B

MD5
8dad40ff4c82eb7b1c0039ee4f3bad0f

SHA1
784e45f93395cafce03f4273a8a9f56c4db3b480

SHA256
0cf437c2910de6561bac59dcd9a5f27be60a7902f4d6407f74e07e8ef461e738

SHA512
f221a6fe93f3ad8e6e8c12822107acda10e047a85c9e3463cb6274c8d7fa4a3422df6d3a7031d4f2535d86113a5462eb5191f599ab44686d5e159f64e531cc89

Download Submit
C:\Windows\SysWOW64\AVEA.exe

Filesize
208KB

MD5
5b151583f8f0fbb98fafb1565a69967e

SHA1
7f9e22eb1c0943a1bce1d8285ed4e6c5b4226c0b

SHA256
fe5674f7d12b1acb9d5f2811c5c036a960a7cd62a326b4cdb09c8aa3e0ae2f6c

SHA512
1e197292f2684cf4d7d75758add1619329398d6132fbab570edfe7ebf28615b7ce55d7025665f5096e81b7babe68a8915e40fe69db913adc748e73ca6d062935

Download Submit
C:\Windows\SysWOW64\AVEA.exe

Filesize
208KB

MD5
b4270baf875ec7544b827dad0ed1061f

SHA1
a026b46cc12d947b90961886d2fbd1a4f421560b

SHA256
d33ac4b3e9a68c184e20b49cee41ad25949b0dfc68eb2a88d535ff1a6142ba07

SHA512
f31b683c946c891d789c2cd643e41b15b8362c7e78ed01f63cf1609242b9f061aff5aff539bcdd5891a41ce2b7a930cad3e9e4b5c4856a681e73107241aa1bb9

Download Submit
C:\Windows\SysWOW64\AVEA.exe.bat

Filesize
72B

MD5
a6a0a3662e2eb1e3d7e0602e3ad70ea2

SHA1
91da3e44382075e381a958e2deaecbcf6d0cc440

SHA256
61401e795e47ee8ca96ab48609d84452acee0be4e85e498b23766d58a044e90c

SHA512
980f8f4a4d81338e2bdf3265c7e08c0a69eb342c6b9e39c579ffe08d171f864e45ebdf0846814b1ee848b7b76f52aa5bda9f0de53b44410dc72059752e4003f6

Download Submit
C:\Windows\SysWOW64\GSWNH.exe

Filesize
208KB

MD5
bc014cb0ed46f5a5703ff3fd939a7e74

SHA1
c2c4c24d2864d4655c7625362c5c61e26308b8ae

SHA256
975e48f294ff62bbecbddc5bbe97fb59b0b1700c116aa4e51b037bce7f4a4d4c

SHA512
79784e1e3c1144c978decbe9ae88c294cca906026f3330d0833d42f4c35f38c5eb37bef9734d9df8ab5c270dcc61286d330db31f5a4cf2675209d52e6e273944

Download Submit
C:\Windows\SysWOW64\GSWNH.exe.bat

Filesize
74B

MD5
1a9ca0f3f7e23c5813b3047e4c0955ba

SHA1
d495ff07bb4e2fa1a21f110d59898ac2b8d0c2c7

SHA256
45bee30ab2bf4606650b6d32985e023d513119bf300a9c423194c82009482c1c

SHA512
52ce805ad7bc6ed0311b1869ab5b3743f3046e8d4f776da63ea64cd855de60539b67346f948fd9232f059497caef56838ff1a01e4d9bc6816784d9f67017d467

Download Submit
C:\Windows\system\CDREFSX.exe

Filesize
208KB

MD5
c7ce422da1b3885060558bd7e1f678a2

SHA1
ce3d37204c91a03e36389b0af78c6e4bc45694cf

SHA256
43b8a844a90fcad06256a0d39188b826a28a9a8e33925381571f1a52fa99aed9

SHA512
c94f4624bb3a9915656c03b6977bc9849c9388f699f6642dd505d9568b687fe7b180d6c23a759354af196da49e0c7771b5634bb26549a581785be1e6b55c9fba

Download Submit
C:\Windows\system\CDREFSX.exe.bat

Filesize
74B

MD5
dcd7c7297aa22bc21a9e9a48061d810b

SHA1
c5c6ab8bfc82e6d79dcab2fdc2399add88d8eac1

SHA256
4d2aa48c7b8efbd6e0ec0b68ff9eaf9e5b89bd414b3c19d8ed99536dac6d8e14

SHA512
81fed2fb4e115832fb93da88383434b1d09e1cd25f83b56445817629932a4e8ceea9da23fe9d38fc189772058741e3b4fadba0d2751665f5608d9148d36b308c

Download Submit
C:\windows\AXN.exe

Filesize
208KB

MD5
c35f678fb51c13b32e9ff36036e3b463

SHA1
8eedb8e006160ec8d28c6b114289e4e7e558c4a2

SHA256
addc1c7951bacfe50c748a854028905a43be4ea915da993864c507adb05bdcc8

SHA512
cf2dda16ba81a02234146b3c1215ca4c1170801240a27a8e81c8b9597814222b96c568ef1ab9e0e95dd5b10604d3cf07403cd5789dac49c3f0a6b10bdb2e8dfa

Download Submit
C:\windows\AXN.exe.bat

Filesize
52B

MD5
8dad40ff4c82eb7b1c0039ee4f3bad0f

SHA1
784e45f93395cafce03f4273a8a9f56c4db3b480

SHA256
0cf437c2910de6561bac59dcd9a5f27be60a7902f4d6407f74e07e8ef461e738

SHA512
f221a6fe93f3ad8e6e8c12822107acda10e047a85c9e3463cb6274c8d7fa4a3422df6d3a7031d4f2535d86113a5462eb5191f599ab44686d5e159f64e531cc89

Download Submit
C:\windows\SysWOW64\AVEA.exe

Filesize
208KB

MD5
b4270baf875ec7544b827dad0ed1061f

SHA1
a026b46cc12d947b90961886d2fbd1a4f421560b

SHA256
d33ac4b3e9a68c184e20b49cee41ad25949b0dfc68eb2a88d535ff1a6142ba07

SHA512
f31b683c946c891d789c2cd643e41b15b8362c7e78ed01f63cf1609242b9f061aff5aff539bcdd5891a41ce2b7a930cad3e9e4b5c4856a681e73107241aa1bb9

Download Submit
C:\windows\SysWOW64\AVEA.exe.bat

Filesize
72B

MD5
a6a0a3662e2eb1e3d7e0602e3ad70ea2

SHA1
91da3e44382075e381a958e2deaecbcf6d0cc440

SHA256
61401e795e47ee8ca96ab48609d84452acee0be4e85e498b23766d58a044e90c

SHA512
980f8f4a4d81338e2bdf3265c7e08c0a69eb342c6b9e39c579ffe08d171f864e45ebdf0846814b1ee848b7b76f52aa5bda9f0de53b44410dc72059752e4003f6

Download Submit
C:\windows\SysWOW64\GSWNH.exe

Filesize
208KB

MD5
bc014cb0ed46f5a5703ff3fd939a7e74

SHA1
c2c4c24d2864d4655c7625362c5c61e26308b8ae

SHA256
975e48f294ff62bbecbddc5bbe97fb59b0b1700c116aa4e51b037bce7f4a4d4c

SHA512
79784e1e3c1144c978decbe9ae88c294cca906026f3330d0833d42f4c35f38c5eb37bef9734d9df8ab5c270dcc61286d330db31f5a4cf2675209d52e6e273944

Download Submit
C:\windows\SysWOW64\GSWNH.exe.bat

Filesize
74B

MD5
1a9ca0f3f7e23c5813b3047e4c0955ba

SHA1
d495ff07bb4e2fa1a21f110d59898ac2b8d0c2c7

SHA256
45bee30ab2bf4606650b6d32985e023d513119bf300a9c423194c82009482c1c

SHA512
52ce805ad7bc6ed0311b1869ab5b3743f3046e8d4f776da63ea64cd855de60539b67346f948fd9232f059497caef56838ff1a01e4d9bc6816784d9f67017d467

Download Submit
C:\windows\system\CDREFSX.exe

Filesize
208KB

MD5
c7ce422da1b3885060558bd7e1f678a2

SHA1
ce3d37204c91a03e36389b0af78c6e4bc45694cf

SHA256
43b8a844a90fcad06256a0d39188b826a28a9a8e33925381571f1a52fa99aed9

SHA512
c94f4624bb3a9915656c03b6977bc9849c9388f699f6642dd505d9568b687fe7b180d6c23a759354af196da49e0c7771b5634bb26549a581785be1e6b55c9fba

Download Submit
C:\windows\system\CDREFSX.exe.bat

Filesize
74B

MD5
dcd7c7297aa22bc21a9e9a48061d810b

SHA1
c5c6ab8bfc82e6d79dcab2fdc2399add88d8eac1

SHA256
4d2aa48c7b8efbd6e0ec0b68ff9eaf9e5b89bd414b3c19d8ed99536dac6d8e14

SHA512
81fed2fb4e115832fb93da88383434b1d09e1cd25f83b56445817629932a4e8ceea9da23fe9d38fc189772058741e3b4fadba0d2751665f5608d9148d36b308c

Download Submit
\Windows\SysWOW64\AVEA.exe

Filesize
208KB

MD5
b4270baf875ec7544b827dad0ed1061f

SHA1
a026b46cc12d947b90961886d2fbd1a4f421560b

SHA256
d33ac4b3e9a68c184e20b49cee41ad25949b0dfc68eb2a88d535ff1a6142ba07

SHA512
f31b683c946c891d789c2cd643e41b15b8362c7e78ed01f63cf1609242b9f061aff5aff539bcdd5891a41ce2b7a930cad3e9e4b5c4856a681e73107241aa1bb9

Download Submit
\Windows\SysWOW64\AVEA.exe

Filesize
208KB

MD5
b4270baf875ec7544b827dad0ed1061f

SHA1
a026b46cc12d947b90961886d2fbd1a4f421560b

SHA256
d33ac4b3e9a68c184e20b49cee41ad25949b0dfc68eb2a88d535ff1a6142ba07

SHA512
f31b683c946c891d789c2cd643e41b15b8362c7e78ed01f63cf1609242b9f061aff5aff539bcdd5891a41ce2b7a930cad3e9e4b5c4856a681e73107241aa1bb9

Download Submit
\Windows\SysWOW64\GSWNH.exe

Filesize
208KB

MD5
bc014cb0ed46f5a5703ff3fd939a7e74

SHA1
c2c4c24d2864d4655c7625362c5c61e26308b8ae

SHA256
975e48f294ff62bbecbddc5bbe97fb59b0b1700c116aa4e51b037bce7f4a4d4c

SHA512
79784e1e3c1144c978decbe9ae88c294cca906026f3330d0833d42f4c35f38c5eb37bef9734d9df8ab5c270dcc61286d330db31f5a4cf2675209d52e6e273944

Download Submit
\Windows\SysWOW64\GSWNH.exe

Filesize
208KB

MD5
bc014cb0ed46f5a5703ff3fd939a7e74

SHA1
c2c4c24d2864d4655c7625362c5c61e26308b8ae

SHA256
975e48f294ff62bbecbddc5bbe97fb59b0b1700c116aa4e51b037bce7f4a4d4c

SHA512
79784e1e3c1144c978decbe9ae88c294cca906026f3330d0833d42f4c35f38c5eb37bef9734d9df8ab5c270dcc61286d330db31f5a4cf2675209d52e6e273944

Download Submit
\Windows\system\CDREFSX.exe

Filesize
208KB

MD5
c7ce422da1b3885060558bd7e1f678a2

SHA1
ce3d37204c91a03e36389b0af78c6e4bc45694cf

SHA256
43b8a844a90fcad06256a0d39188b826a28a9a8e33925381571f1a52fa99aed9

SHA512
c94f4624bb3a9915656c03b6977bc9849c9388f699f6642dd505d9568b687fe7b180d6c23a759354af196da49e0c7771b5634bb26549a581785be1e6b55c9fba

Download Submit
\Windows\system\CDREFSX.exe

Filesize
208KB

MD5
c7ce422da1b3885060558bd7e1f678a2

SHA1
ce3d37204c91a03e36389b0af78c6e4bc45694cf

SHA256
43b8a844a90fcad06256a0d39188b826a28a9a8e33925381571f1a52fa99aed9

SHA512
c94f4624bb3a9915656c03b6977bc9849c9388f699f6642dd505d9568b687fe7b180d6c23a759354af196da49e0c7771b5634bb26549a581785be1e6b55c9fba

Download Submit
memory/1392-75-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1392-74-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2152-73-0x0000000000150000-0x0000000000188000-memory.dmp

Filesize
224KB

Download
memory/2208-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2208-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2376-15-0x0000000000130000-0x0000000000168000-memory.dmp

Filesize
224KB

Download
memory/2376-76-0x0000000000130000-0x0000000000168000-memory.dmp

Filesize
224KB

Download
memory/2524-53-0x0000000000170000-0x00000000001A8000-memory.dmp

Filesize
224KB

Download
memory/2524-77-0x0000000000170000-0x00000000001A8000-memory.dmp

Filesize
224KB

Download
memory/2556-67-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2556-55-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2752-36-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2752-48-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2892-33-0x00000000001F0000-0x0000000000228000-memory.dmp

Filesize
224KB

Download
memory/3056-17-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3056-29-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download