208a0ff37c42374c00a303505de4cf65492a6357890185a4153dc43134d0b745

Analysis

max time kernel
142s
max time network
38s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14-10-2023 17:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.6c3bd864d8ec2bb4e5b18310e84a9c70.exe
Size

6.5MB
MD5

6c3bd864d8ec2bb4e5b18310e84a9c70
SHA1

a6b75368cc6d650d361b2e223c29cdd04fe3c1e3
SHA256

208a0ff37c42374c00a303505de4cf65492a6357890185a4153dc43134d0b745
SHA512

fa237ef7e615670e627b5d8dd46a17c31b9867978533a9621348030c3f0523e73be2657e3bb1f66daba990ec36a601efcbba467c81b86202403d3ac3539060ed
SSDEEP

49152:D+NEfT0HSh8wTwzWn1lioYTDGAfp8a+nTdsb0N00VwmNG2TXEBGhTod6sTJN0QbO:nnpavoSIqjnTMfHSy

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2792	wmpscfgs.exe
2128	wmpscfgs.exe

Loads dropped DLL 8 IoCs

pid	Process
2344	NEAS.6c3bd864d8ec2bb4e5b18310e84a9c70.exe
2344	NEAS.6c3bd864d8ec2bb4e5b18310e84a9c70.exe
2344	NEAS.6c3bd864d8ec2bb4e5b18310e84a9c70.exe
2344	NEAS.6c3bd864d8ec2bb4e5b18310e84a9c70.exe
2620	WerFault.exe
2620	WerFault.exe
2620	WerFault.exe
2620	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe"	NEAS.6c3bd864d8ec2bb4e5b18310e84a9c70.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	\??\c:\program files (x86)\adobe\acrotray.exe	NEAS.6c3bd864d8ec2bb4e5b18310e84a9c70.exe
File created	\??\c:\program files (x86)\internet explorer\wmpscfgs.exe	NEAS.6c3bd864d8ec2bb4e5b18310e84a9c70.exe
File created	C:\Program Files (x86)\259578222.dat	wmpscfgs.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrotray .exe	wmpscfgs.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrotray.exe	wmpscfgs.exe
File created	\??\c:\program files (x86)\microsoft office\office14\bcssync.exe	NEAS.6c3bd864d8ec2bb4e5b18310e84a9c70.exe
File created	\??\c:\program files (x86)\adobe\acrotray .exe	NEAS.6c3bd864d8ec2bb4e5b18310e84a9c70.exe
File created	\??\c:\program files (x86)\microsoft office\office14\bcssync.exe	wmpscfgs.exe
File created	\??\c:\program files (x86)\internet explorer\wmpscfgs.exe	wmpscfgs.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2620	2128	WerFault.exe	31

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2344	NEAS.6c3bd864d8ec2bb4e5b18310e84a9c70.exe
2792	wmpscfgs.exe
2792	wmpscfgs.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2344	NEAS.6c3bd864d8ec2bb4e5b18310e84a9c70.exe
Token: SeDebugPrivilege	2792	wmpscfgs.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 2792	2344	NEAS.6c3bd864d8ec2bb4e5b18310e84a9c70.exe	30
PID 2344 wrote to memory of 2792	2344	NEAS.6c3bd864d8ec2bb4e5b18310e84a9c70.exe	30
PID 2344 wrote to memory of 2792	2344	NEAS.6c3bd864d8ec2bb4e5b18310e84a9c70.exe	30
PID 2344 wrote to memory of 2792	2344	NEAS.6c3bd864d8ec2bb4e5b18310e84a9c70.exe	30
PID 2344 wrote to memory of 2128	2344	NEAS.6c3bd864d8ec2bb4e5b18310e84a9c70.exe	31
PID 2344 wrote to memory of 2128	2344	NEAS.6c3bd864d8ec2bb4e5b18310e84a9c70.exe	31
PID 2344 wrote to memory of 2128	2344	NEAS.6c3bd864d8ec2bb4e5b18310e84a9c70.exe	31
PID 2344 wrote to memory of 2128	2344	NEAS.6c3bd864d8ec2bb4e5b18310e84a9c70.exe	31
PID 2128 wrote to memory of 2620	2128	wmpscfgs.exe	32
PID 2128 wrote to memory of 2620	2128	wmpscfgs.exe	32
PID 2128 wrote to memory of 2620	2128	wmpscfgs.exe	32
PID 2128 wrote to memory of 2620	2128	wmpscfgs.exe	32

C:\Users\Admin\AppData\Local\Temp\NEAS.6c3bd864d8ec2bb4e5b18310e84a9c70.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.6c3bd864d8ec2bb4e5b18310e84a9c70.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2344
- \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
  c:\users\admin\appdata\local\temp\\wmpscfgs.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2792
- C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
  C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 44
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe

Filesize
6.5MB

MD5
e57718a8a0fc9b339b20c95df739947e

SHA1
4313a2b351b62525975f75c48001fc47ee6b143e

SHA256
4a8863a3f63a82a5f1ee7e7201dd4a6a6883023e91c28b27edc88cff71767b29

SHA512
f9a9961cc8e7a9c502faceac91553cd5a2ff4e8acb43f1709247f5080fb8cf6603a1470adce07762df0fd228477d7d21c700b83764aa19788b841c4e03fb4de7

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmpscfgs.exe

Filesize
6.5MB

MD5
bbee493c6797caf34aaa6a7b165bd02d

SHA1
3aa0fa03edfc177db19751b82573f75df8d37f67

SHA256
6306c7a9e1c2f8b857cc22e77bf7201730cf7d09941c6f1f4ead91a914c982f1

SHA512
2974d59d19d4a338c65dbf1062c93ddf98c3329e23c342382a57c5ddfebfa9ac460ac7c34b6ff9470cf9fa19b9fee651a10fb6956f80441fb27245eb74053d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmpscfgs.exe

Filesize
6.5MB

MD5
bbee493c6797caf34aaa6a7b165bd02d

SHA1
3aa0fa03edfc177db19751b82573f75df8d37f67

SHA256
6306c7a9e1c2f8b857cc22e77bf7201730cf7d09941c6f1f4ead91a914c982f1

SHA512
2974d59d19d4a338c65dbf1062c93ddf98c3329e23c342382a57c5ddfebfa9ac460ac7c34b6ff9470cf9fa19b9fee651a10fb6956f80441fb27245eb74053d31

Download Submit
\??\c:\program files (x86)\microsoft office\office14\bcssync.exe

Filesize
6.5MB

MD5
6da31c0ecc93aa49d31071376bdfd52f

SHA1
224e5fc34c40bbaa7a4e9fdd4f20ea1d544c135c

SHA256
4ed262be6c58b880280b31abb31378e5139c30e4397f527a4dfb96530b927d1c

SHA512
8ee6febc12424854694568bb564d36048d643348e481d7ff5ea2cb04603411fda8157ef602858fe9e824ecb2279b6f4514584c0f9d2b3903ad2da719a2482533

Download Submit
\??\c:\users\admin\appdata\local\temp\wmpscfgs.exe

Filesize
6.5MB

MD5
bbee493c6797caf34aaa6a7b165bd02d

SHA1
3aa0fa03edfc177db19751b82573f75df8d37f67

SHA256
6306c7a9e1c2f8b857cc22e77bf7201730cf7d09941c6f1f4ead91a914c982f1

SHA512
2974d59d19d4a338c65dbf1062c93ddf98c3329e23c342382a57c5ddfebfa9ac460ac7c34b6ff9470cf9fa19b9fee651a10fb6956f80441fb27245eb74053d31

Download Submit
\Program Files (x86)\Internet Explorer\wmpscfgs.exe

Filesize
6.5MB

MD5
e57718a8a0fc9b339b20c95df739947e

SHA1
4313a2b351b62525975f75c48001fc47ee6b143e

SHA256
4a8863a3f63a82a5f1ee7e7201dd4a6a6883023e91c28b27edc88cff71767b29

SHA512
f9a9961cc8e7a9c502faceac91553cd5a2ff4e8acb43f1709247f5080fb8cf6603a1470adce07762df0fd228477d7d21c700b83764aa19788b841c4e03fb4de7

Download Submit
\Program Files (x86)\Internet Explorer\wmpscfgs.exe

Filesize
6.5MB

MD5
e57718a8a0fc9b339b20c95df739947e

SHA1
4313a2b351b62525975f75c48001fc47ee6b143e

SHA256
4a8863a3f63a82a5f1ee7e7201dd4a6a6883023e91c28b27edc88cff71767b29

SHA512
f9a9961cc8e7a9c502faceac91553cd5a2ff4e8acb43f1709247f5080fb8cf6603a1470adce07762df0fd228477d7d21c700b83764aa19788b841c4e03fb4de7

Download Submit
\Program Files (x86)\Internet Explorer\wmpscfgs.exe

Filesize
6.5MB

MD5
e57718a8a0fc9b339b20c95df739947e

SHA1
4313a2b351b62525975f75c48001fc47ee6b143e

SHA256
4a8863a3f63a82a5f1ee7e7201dd4a6a6883023e91c28b27edc88cff71767b29

SHA512
f9a9961cc8e7a9c502faceac91553cd5a2ff4e8acb43f1709247f5080fb8cf6603a1470adce07762df0fd228477d7d21c700b83764aa19788b841c4e03fb4de7

Download Submit
\Program Files (x86)\Internet Explorer\wmpscfgs.exe

Filesize
6.5MB

MD5
e57718a8a0fc9b339b20c95df739947e

SHA1
4313a2b351b62525975f75c48001fc47ee6b143e

SHA256
4a8863a3f63a82a5f1ee7e7201dd4a6a6883023e91c28b27edc88cff71767b29

SHA512
f9a9961cc8e7a9c502faceac91553cd5a2ff4e8acb43f1709247f5080fb8cf6603a1470adce07762df0fd228477d7d21c700b83764aa19788b841c4e03fb4de7

Download Submit
\Program Files (x86)\Internet Explorer\wmpscfgs.exe

Filesize
6.5MB

MD5
e57718a8a0fc9b339b20c95df739947e

SHA1
4313a2b351b62525975f75c48001fc47ee6b143e

SHA256
4a8863a3f63a82a5f1ee7e7201dd4a6a6883023e91c28b27edc88cff71767b29

SHA512
f9a9961cc8e7a9c502faceac91553cd5a2ff4e8acb43f1709247f5080fb8cf6603a1470adce07762df0fd228477d7d21c700b83764aa19788b841c4e03fb4de7

Download Submit
\Program Files (x86)\Internet Explorer\wmpscfgs.exe

Filesize
6.5MB

MD5
e57718a8a0fc9b339b20c95df739947e

SHA1
4313a2b351b62525975f75c48001fc47ee6b143e

SHA256
4a8863a3f63a82a5f1ee7e7201dd4a6a6883023e91c28b27edc88cff71767b29

SHA512
f9a9961cc8e7a9c502faceac91553cd5a2ff4e8acb43f1709247f5080fb8cf6603a1470adce07762df0fd228477d7d21c700b83764aa19788b841c4e03fb4de7

Download Submit
\Users\Admin\AppData\Local\Temp\wmpscfgs.exe

Filesize
6.5MB

MD5
bbee493c6797caf34aaa6a7b165bd02d

SHA1
3aa0fa03edfc177db19751b82573f75df8d37f67

SHA256
6306c7a9e1c2f8b857cc22e77bf7201730cf7d09941c6f1f4ead91a914c982f1

SHA512
2974d59d19d4a338c65dbf1062c93ddf98c3329e23c342382a57c5ddfebfa9ac460ac7c34b6ff9470cf9fa19b9fee651a10fb6956f80441fb27245eb74053d31

Download Submit
\Users\Admin\AppData\Local\Temp\wmpscfgs.exe

Filesize
6.5MB

MD5
bbee493c6797caf34aaa6a7b165bd02d

SHA1
3aa0fa03edfc177db19751b82573f75df8d37f67

SHA256
6306c7a9e1c2f8b857cc22e77bf7201730cf7d09941c6f1f4ead91a914c982f1

SHA512
2974d59d19d4a338c65dbf1062c93ddf98c3329e23c342382a57c5ddfebfa9ac460ac7c34b6ff9470cf9fa19b9fee651a10fb6956f80441fb27245eb74053d31

Download Submit
memory/2344-0-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download