362c3f08658bbd5afb648d8e867d4696577ee9789e4c5d841a0a3df811227c24

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14/10/2023, 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.083681585ef25f0503e2d57838628c80_JC.exe
Size

315KB
MD5

083681585ef25f0503e2d57838628c80
SHA1

b6e3415682f83018d667f0760f8d7cbddd1a18a2
SHA256

362c3f08658bbd5afb648d8e867d4696577ee9789e4c5d841a0a3df811227c24
SHA512

f10ae5e681c796d60f1e21bb265bf5c9f73beb7c10b8a20e29f198776dac0259e343058b1660d352486fb938d916b5f022df35359fa33ad35adcfbcb53aaa29d
SSDEEP

6144:CDJVazMKV31FdaQvXluxqU+A/0y+nt75voqQEnHv0CxN8H9RJPz7Dha:CDJM/bXntAh+nhZoqQEHvVIzJPzk

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
2528	eskchkd.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\iaxspia.dll	eskchkd.exe
File created	C:\PROGRA~3\Mozilla\eskchkd.exe	NEAS.083681585ef25f0503e2d57838628c80_JC.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 2528	2796	taskeng.exe	31
PID 2796 wrote to memory of 2528	2796	taskeng.exe	31
PID 2796 wrote to memory of 2528	2796	taskeng.exe	31
PID 2796 wrote to memory of 2528	2796	taskeng.exe	31

C:\Users\Admin\AppData\Local\Temp\NEAS.083681585ef25f0503e2d57838628c80_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.083681585ef25f0503e2d57838628c80_JC.exe"
1⤵
- Drops file in Program Files directory
PID:2788

C:\Windows\system32\taskeng.exe
taskeng.exe {5115A03F-0314-4A16-9417-9519A5AAF31E} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2796
- C:\PROGRA~3\Mozilla\eskchkd.exe
  C:\PROGRA~3\Mozilla\eskchkd.exe -srskkzl
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\eskchkd.exe

Filesize
315KB

MD5
1200a064bdd78a739bdc66b12cc24bca

SHA1
09f4443c7828f5e854860fe4d6ac3a6bc30e6c7c

SHA256
d86b890094fa430c570ec0f17a1224f1d0b46022d2e7285e71d44e51b5c31c6e

SHA512
706718d87c3c00146c293c7c76690d174a58c3df38e659d06bcd9c739d02f48158efa92c58a4505c921799c12ec5ec9caaece20348b998bab8cdf74e12d90803

Download Submit
C:\PROGRA~3\Mozilla\eskchkd.exe

Filesize
315KB

MD5
1200a064bdd78a739bdc66b12cc24bca

SHA1
09f4443c7828f5e854860fe4d6ac3a6bc30e6c7c

SHA256
d86b890094fa430c570ec0f17a1224f1d0b46022d2e7285e71d44e51b5c31c6e

SHA512
706718d87c3c00146c293c7c76690d174a58c3df38e659d06bcd9c739d02f48158efa92c58a4505c921799c12ec5ec9caaece20348b998bab8cdf74e12d90803

Download Submit
memory/2528-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2528-14-0x0000000000260000-0x00000000002BB000-memory.dmp

Filesize
364KB

Download
memory/2528-20-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2788-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2788-1-0x00000000002F0000-0x000000000034B000-memory.dmp

Filesize
364KB

Download
memory/2788-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download