2929709e1e45f6d8659d606a1e50474e313c87b16da9d1f12431cea87a982f65

Analysis

max time kernel
120s
max time network
132s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13/10/2023, 20:27

Target

NEAS.6f097e939a486c0cc65dcd6362dddc20.exe
Size

123KB
MD5

6f097e939a486c0cc65dcd6362dddc20
SHA1

a96987b95882cb5045b4830c6406685443e2b51e
SHA256

2929709e1e45f6d8659d606a1e50474e313c87b16da9d1f12431cea87a982f65
SHA512

5c3613367b25e34565808ba8c364f77cd9047b765e9a91e58f736277487bb518d30358033dc3c87b3b692f1a2c2b28348b57da7e2c20840c84bd10bbf33fbb1a
SSDEEP

1536:6k3c2rlUV0ysgkkkkDkkkF0GNQaWXzd0Ifz60ppdQQ4oIOQw:UcgkkkkDkkkF0Geas9dmLc

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 3040	2560	NEAS.6f097e939a486c0cc65dcd6362dddc20.exe	28
PID 2560 wrote to memory of 3040	2560	NEAS.6f097e939a486c0cc65dcd6362dddc20.exe	28
PID 2560 wrote to memory of 3040	2560	NEAS.6f097e939a486c0cc65dcd6362dddc20.exe	28
PID 2560 wrote to memory of 3040	2560	NEAS.6f097e939a486c0cc65dcd6362dddc20.exe	28
PID 3040 wrote to memory of 2352	3040	control.exe	29
PID 3040 wrote to memory of 2352	3040	control.exe	29
PID 3040 wrote to memory of 2352	3040	control.exe	29
PID 3040 wrote to memory of 2352	3040	control.exe	29
PID 3040 wrote to memory of 2352	3040	control.exe	29
PID 3040 wrote to memory of 2352	3040	control.exe	29
PID 3040 wrote to memory of 2352	3040	control.exe	29
PID 2352 wrote to memory of 2708	2352	rundll32.exe	30
PID 2352 wrote to memory of 2708	2352	rundll32.exe	30
PID 2352 wrote to memory of 2708	2352	rundll32.exe	30
PID 2352 wrote to memory of 2708	2352	rundll32.exe	30

C:\Users\Admin\AppData\Local\Temp\NEAS.6f097e939a486c0cc65dcd6362dddc20.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.6f097e939a486c0cc65dcd6362dddc20.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Windows\System32\sysdm.cpl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\System32\sysdm.cpl",
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\Windows\SysWOW64\SystemPropertiesComputerName.exe
      "C:\Windows\System32\SystemPropertiesComputerName.exe"
      4⤵
      PID:2708

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/2560-0-0x00000000013E0000-0x0000000001406000-memory.dmp

Filesize
152KB

Download
memory/2560-1-0x00000000744A0000-0x0000000074B8E000-memory.dmp

Filesize
6.9MB

Download
memory/2560-2-0x0000000004DB0000-0x0000000004DF0000-memory.dmp

Filesize
256KB

Download
memory/2560-3-0x0000000004DB0000-0x0000000004DF0000-memory.dmp

Filesize
256KB

Download
memory/2560-4-0x00000000744A0000-0x0000000074B8E000-memory.dmp

Filesize
6.9MB

Download
memory/2560-5-0x0000000004DB0000-0x0000000004DF0000-memory.dmp

Filesize
256KB

Download
memory/2560-6-0x00000000744A0000-0x0000000074B8E000-memory.dmp

Filesize
6.9MB

Download