d3704e176ea8c6e8fbe65ad40da6504df7ead2a86b356ae56a5e7171e28dcb46

Analysis

max time kernel
122s
max time network
136s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13/10/2023, 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.a8183377f88070b5d7f06be1330eb010.exe
Size

182KB
MD5

a8183377f88070b5d7f06be1330eb010
SHA1

4ad686f062683f5eaea3cbb2c923efba3c8c3025
SHA256

d3704e176ea8c6e8fbe65ad40da6504df7ead2a86b356ae56a5e7171e28dcb46
SHA512

f1fae69830fc207ac88379a784bc8463c2388eb0104c778407acd756768f90e9735e6e4d7fb378a32ee19a5b19618999ee27959c5422293e848066dce100dc13
SSDEEP

3072:2e+N8sceIO+wq4YuThkFcex8kD4wuitYpI0dZef0+7:2eBe2wsuThkKe81ppIwZef0+7

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
2676	xvqykzi.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\xvqykzi.exe	NEAS.a8183377f88070b5d7f06be1330eb010.exe
File created	C:\PROGRA~3\Mozilla\zyfdqqb.dll	xvqykzi.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2676	2652	taskeng.exe	31
PID 2652 wrote to memory of 2676	2652	taskeng.exe	31
PID 2652 wrote to memory of 2676	2652	taskeng.exe	31
PID 2652 wrote to memory of 2676	2652	taskeng.exe	31

C:\Users\Admin\AppData\Local\Temp\NEAS.a8183377f88070b5d7f06be1330eb010.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.a8183377f88070b5d7f06be1330eb010.exe"
1⤵
- Drops file in Program Files directory
PID:2588

C:\Windows\system32\taskeng.exe
taskeng.exe {FFB4F4BE-C0CA-4B29-93E6-FAAC4A1F558A} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2652
- C:\PROGRA~3\Mozilla\xvqykzi.exe
  C:\PROGRA~3\Mozilla\xvqykzi.exe -tkarfve
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\xvqykzi.exe

Filesize
182KB

MD5
deaa9273943aff74a36f4752bd4d59c9

SHA1
1e23c80406f981f647b6553b6624039220f0c679

SHA256
556602738f89040348e10e0d73bdd9585a2874be4404a3f78b20b56f1127b000

SHA512
4fc360bdd7d24d2b067757bf4099ec6e598d0f210a629713423816ddf8b5efc2d4a5b79fd2c2b67c1930b8cbdacc3a9d7ed225f7207f7c76539e4d5b3e2804ac

Download Submit
C:\PROGRA~3\Mozilla\xvqykzi.exe

Filesize
182KB

MD5
deaa9273943aff74a36f4752bd4d59c9

SHA1
1e23c80406f981f647b6553b6624039220f0c679

SHA256
556602738f89040348e10e0d73bdd9585a2874be4404a3f78b20b56f1127b000

SHA512
4fc360bdd7d24d2b067757bf4099ec6e598d0f210a629713423816ddf8b5efc2d4a5b79fd2c2b67c1930b8cbdacc3a9d7ed225f7207f7c76539e4d5b3e2804ac

Download Submit
memory/2588-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2588-1-0x0000000000330000-0x000000000038B000-memory.dmp

Filesize
364KB

Download
memory/2588-7-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2676-11-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2676-12-0x0000000000260000-0x00000000002BB000-memory.dmp

Filesize
364KB

Download