40351e2368dc01d2960dec65a84c20a69378f4ace22bafcfd7f087b577ad16eb

Analysis

max time kernel
20s
max time network
132s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14/10/2023, 18:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.7c3ac8738fec71b87715ff8c597e8d90.exe
Size

1.6MB
MD5

7c3ac8738fec71b87715ff8c597e8d90
SHA1

9964f8babf8a6d0adfa810b8b5989a893e416892
SHA256

40351e2368dc01d2960dec65a84c20a69378f4ace22bafcfd7f087b577ad16eb
SHA512

1ce81f2427c1fd1cf67d14ba1df0992a7d2c9574b99a90d963ec9254d95c1cb13eb1bac8c1302976bc4a60b28dbf440b3a3d7d9067119b4392a40179fc277d6f
SSDEEP

24576:M51xHcS9in6bxcqbF8fYTOYKbDurSUQN7kBG+JqJS+WOZseId9x0FOXr2rl1:MtHcS4neHbyfYTOYKPu/gEjiEO5ItD2

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2764	MSWDM.EXE
2424	MSWDM.EXE
2704	NEAS.7C3AC8738FEC71B87715FF8C597E8D90.EXE
2760	MSWDM.EXE

Loads dropped DLL 2 IoCs

pid	Process
2764	MSWDM.EXE
2764	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	NEAS.7c3ac8738fec71b87715ff8c597e8d90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	NEAS.7c3ac8738fec71b87715ff8c597e8d90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	NEAS.7c3ac8738fec71b87715ff8c597e8d90.exe
File opened for modification	C:\Windows\dev6893.tmp	NEAS.7c3ac8738fec71b87715ff8c597e8d90.exe
File opened for modification	C:\Windows\dev6893.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2764	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 2424	1492	NEAS.7c3ac8738fec71b87715ff8c597e8d90.exe	28
PID 1492 wrote to memory of 2424	1492	NEAS.7c3ac8738fec71b87715ff8c597e8d90.exe	28
PID 1492 wrote to memory of 2424	1492	NEAS.7c3ac8738fec71b87715ff8c597e8d90.exe	28
PID 1492 wrote to memory of 2424	1492	NEAS.7c3ac8738fec71b87715ff8c597e8d90.exe	28
PID 1492 wrote to memory of 2764	1492	NEAS.7c3ac8738fec71b87715ff8c597e8d90.exe	30
PID 1492 wrote to memory of 2764	1492	NEAS.7c3ac8738fec71b87715ff8c597e8d90.exe	30
PID 1492 wrote to memory of 2764	1492	NEAS.7c3ac8738fec71b87715ff8c597e8d90.exe	30
PID 1492 wrote to memory of 2764	1492	NEAS.7c3ac8738fec71b87715ff8c597e8d90.exe	30
PID 2764 wrote to memory of 2704	2764	MSWDM.EXE	29
PID 2764 wrote to memory of 2704	2764	MSWDM.EXE	29
PID 2764 wrote to memory of 2704	2764	MSWDM.EXE	29
PID 2764 wrote to memory of 2704	2764	MSWDM.EXE	29
PID 2764 wrote to memory of 2760	2764	MSWDM.EXE	31
PID 2764 wrote to memory of 2760	2764	MSWDM.EXE	31
PID 2764 wrote to memory of 2760	2764	MSWDM.EXE	31
PID 2764 wrote to memory of 2760	2764	MSWDM.EXE	31

C:\Users\Admin\AppData\Local\Temp\NEAS.7c3ac8738fec71b87715ff8c597e8d90.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.7c3ac8738fec71b87715ff8c597e8d90.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1492
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2424
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev6893.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.7c3ac8738fec71b87715ff8c597e8d90.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev6893.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.7C3AC8738FEC71B87715FF8C597E8D90.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2760

C:\Users\Admin\AppData\Local\Temp\NEAS.7C3AC8738FEC71B87715FF8C597E8D90.EXE
1⤵
- Executes dropped EXE
PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.7C3AC8738FEC71B87715FF8C597E8D90.EXE

Filesize
1.6MB

MD5
bae088e1c3ed091ecdf6e0fcc5f14670

SHA1
eb67f2c652a0e2cf9c51e641edc44ea806ce0d0a

SHA256
a103648febbe042ecc125acf33ca9c940153c1bd8d9c238c8663cad773b4a579

SHA512
308658038b95cb9d892fa9b61849520dffc9f8da1725b7a5db915fe33345fcd6c5b59cca718ee09abf048c82f3a16dba5b9ca8adf398ae003c39daeaff05b463

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.7C3AC8738FEC71B87715FF8C597E8D90.EXE

Filesize
1.6MB

MD5
bae088e1c3ed091ecdf6e0fcc5f14670

SHA1
eb67f2c652a0e2cf9c51e641edc44ea806ce0d0a

SHA256
a103648febbe042ecc125acf33ca9c940153c1bd8d9c238c8663cad773b4a579

SHA512
308658038b95cb9d892fa9b61849520dffc9f8da1725b7a5db915fe33345fcd6c5b59cca718ee09abf048c82f3a16dba5b9ca8adf398ae003c39daeaff05b463

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.7c3ac8738fec71b87715ff8c597e8d90.exe

Filesize
10KB

MD5
bf2411bc726873efb646f8b47f3e4efe

SHA1
225a0b4dc3a79bfaf8496a3185026b0a5340ea6b

SHA256
972596c1a4f038f409b095e012e7ce95a38b82c1081fca9b6a4aa06c11853dcd

SHA512
fe787b40ecba76ebf352175849ba152d76ac2d302120df6871764bf62130fce3ec8ead1d1a07b0a9735f0c1e3c7022bdbacba9f234f62c9fb1fd8a49e1ce34c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.7c3ac8738fec71b87715ff8c597e8d90.exe

Filesize
10KB

MD5
bf2411bc726873efb646f8b47f3e4efe

SHA1
225a0b4dc3a79bfaf8496a3185026b0a5340ea6b

SHA256
972596c1a4f038f409b095e012e7ce95a38b82c1081fca9b6a4aa06c11853dcd

SHA512
fe787b40ecba76ebf352175849ba152d76ac2d302120df6871764bf62130fce3ec8ead1d1a07b0a9735f0c1e3c7022bdbacba9f234f62c9fb1fd8a49e1ce34c2

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
1.6MB

MD5
d7299c6c8107832edf102949fc042e8d

SHA1
ddc957625b1098c085d90a76f5bcf9f45f71b887

SHA256
36d64a2b05cad6e33e989d2c21fc12449f50b3cfaa1cce4528994f3d71255c72

SHA512
9868f59992aaf5d99fc4ca7ff2af0285e70a1c85f4bf1c8b8c11d00f2dc23721fb7e82ace46ac4298fe0167150e142c5c02517935fe475aba24ebc8ca7ac55f9

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
d7299c6c8107832edf102949fc042e8d

SHA1
ddc957625b1098c085d90a76f5bcf9f45f71b887

SHA256
36d64a2b05cad6e33e989d2c21fc12449f50b3cfaa1cce4528994f3d71255c72

SHA512
9868f59992aaf5d99fc4ca7ff2af0285e70a1c85f4bf1c8b8c11d00f2dc23721fb7e82ace46ac4298fe0167150e142c5c02517935fe475aba24ebc8ca7ac55f9

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
d7299c6c8107832edf102949fc042e8d

SHA1
ddc957625b1098c085d90a76f5bcf9f45f71b887

SHA256
36d64a2b05cad6e33e989d2c21fc12449f50b3cfaa1cce4528994f3d71255c72

SHA512
9868f59992aaf5d99fc4ca7ff2af0285e70a1c85f4bf1c8b8c11d00f2dc23721fb7e82ace46ac4298fe0167150e142c5c02517935fe475aba24ebc8ca7ac55f9

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
d7299c6c8107832edf102949fc042e8d

SHA1
ddc957625b1098c085d90a76f5bcf9f45f71b887

SHA256
36d64a2b05cad6e33e989d2c21fc12449f50b3cfaa1cce4528994f3d71255c72

SHA512
9868f59992aaf5d99fc4ca7ff2af0285e70a1c85f4bf1c8b8c11d00f2dc23721fb7e82ace46ac4298fe0167150e142c5c02517935fe475aba24ebc8ca7ac55f9

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
d7299c6c8107832edf102949fc042e8d

SHA1
ddc957625b1098c085d90a76f5bcf9f45f71b887

SHA256
36d64a2b05cad6e33e989d2c21fc12449f50b3cfaa1cce4528994f3d71255c72

SHA512
9868f59992aaf5d99fc4ca7ff2af0285e70a1c85f4bf1c8b8c11d00f2dc23721fb7e82ace46ac4298fe0167150e142c5c02517935fe475aba24ebc8ca7ac55f9

Download Submit
C:\Windows\dev6893.tmp

Filesize
10KB

MD5
bf2411bc726873efb646f8b47f3e4efe

SHA1
225a0b4dc3a79bfaf8496a3185026b0a5340ea6b

SHA256
972596c1a4f038f409b095e012e7ce95a38b82c1081fca9b6a4aa06c11853dcd

SHA512
fe787b40ecba76ebf352175849ba152d76ac2d302120df6871764bf62130fce3ec8ead1d1a07b0a9735f0c1e3c7022bdbacba9f234f62c9fb1fd8a49e1ce34c2

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.7c3ac8738fec71b87715ff8c597e8d90.exe

Filesize
10KB

MD5
bf2411bc726873efb646f8b47f3e4efe

SHA1
225a0b4dc3a79bfaf8496a3185026b0a5340ea6b

SHA256
972596c1a4f038f409b095e012e7ce95a38b82c1081fca9b6a4aa06c11853dcd

SHA512
fe787b40ecba76ebf352175849ba152d76ac2d302120df6871764bf62130fce3ec8ead1d1a07b0a9735f0c1e3c7022bdbacba9f234f62c9fb1fd8a49e1ce34c2

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.7c3ac8738fec71b87715ff8c597e8d90.exe

Filesize
10KB

MD5
bf2411bc726873efb646f8b47f3e4efe

SHA1
225a0b4dc3a79bfaf8496a3185026b0a5340ea6b

SHA256
972596c1a4f038f409b095e012e7ce95a38b82c1081fca9b6a4aa06c11853dcd

SHA512
fe787b40ecba76ebf352175849ba152d76ac2d302120df6871764bf62130fce3ec8ead1d1a07b0a9735f0c1e3c7022bdbacba9f234f62c9fb1fd8a49e1ce34c2

Download Submit
memory/1492-11-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1492-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1492-38-0x00000000001B0000-0x00000000001C4000-memory.dmp

Filesize
80KB

Download
memory/1492-12-0x00000000001B0000-0x00000000001C4000-memory.dmp

Filesize
80KB

Download
memory/1492-17-0x00000000001B0000-0x00000000001C4000-memory.dmp

Filesize
80KB

Download
memory/2424-39-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2424-20-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2704-30-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2760-35-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2764-29-0x0000000000220000-0x0000000000225000-memory.dmp

Filesize
20KB

Download
memory/2764-37-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2764-28-0x0000000000220000-0x0000000000225000-memory.dmp

Filesize
20KB

Download
memory/2764-19-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download