46066559e259609a51c63c54f19d60e8fb305c2996b71108e69fe1c206ec3764

Analysis

max time kernel
122s
max time network
136s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14/10/2023, 18:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.a35d5761d77cc24b4f6e63e718c8ac70.exe
Size

170KB
MD5

a35d5761d77cc24b4f6e63e718c8ac70
SHA1

7c039b3caa04739692979aefadfb32a617a79f1f
SHA256

46066559e259609a51c63c54f19d60e8fb305c2996b71108e69fe1c206ec3764
SHA512

5b073d4a2b7a00b52203790e141708b52857c86aaefa2921bc4dfd1e3dcd0275c34fe73a5e263d5e9e22984ee85c0f3cdf7fd2b022a82919ecf12373cd98ea40
SSDEEP

3072:Wbg/Zb5iCiXYteEp/tJzRgWf1hGLi0BCxAlJyRGQCfeypNfzSeKkCciI:vBdiDIFJ/zRr1gLi4BlJyJC2yp4e9iI

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
2720	jezwark.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\jezwark.exe	NEAS.a35d5761d77cc24b4f6e63e718c8ac70.exe
File created	C:\PROGRA~3\Mozilla\gicylsk.dll	jezwark.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 2720	2636	taskeng.exe	29
PID 2636 wrote to memory of 2720	2636	taskeng.exe	29
PID 2636 wrote to memory of 2720	2636	taskeng.exe	29
PID 2636 wrote to memory of 2720	2636	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.a35d5761d77cc24b4f6e63e718c8ac70.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.a35d5761d77cc24b4f6e63e718c8ac70.exe"
1⤵
- Drops file in Program Files directory
PID:2412

C:\Windows\system32\taskeng.exe
taskeng.exe {6DA279F2-2F19-4298-BC62-7E3EE5EA53F0} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2636
- C:\PROGRA~3\Mozilla\jezwark.exe
  C:\PROGRA~3\Mozilla\jezwark.exe -yvxgvyl
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\jezwark.exe

Filesize
170KB

MD5
926e717ddc895aea9a9a5b568d21e405

SHA1
5029f5f0d12056cb3a3084f3bd637d444a326dae

SHA256
bbc1a28c4d90ef1388159554119e5ce3d5f85bc621556bca615dfdc8aa4b25f7

SHA512
2ce2f3dda68957cfc5596280ece87dcd1f410375b676ecbe864b38259618657304a305b8b84f721b08d08bf52e47295abc71d3011fda80914cb0de730693599f

Download Submit
C:\PROGRA~3\Mozilla\jezwark.exe

Filesize
170KB

MD5
926e717ddc895aea9a9a5b568d21e405

SHA1
5029f5f0d12056cb3a3084f3bd637d444a326dae

SHA256
bbc1a28c4d90ef1388159554119e5ce3d5f85bc621556bca615dfdc8aa4b25f7

SHA512
2ce2f3dda68957cfc5596280ece87dcd1f410375b676ecbe864b38259618657304a305b8b84f721b08d08bf52e47295abc71d3011fda80914cb0de730693599f

Download Submit
memory/2412-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2412-1-0x0000000000260000-0x00000000002BB000-memory.dmp

Filesize
364KB

Download
memory/2412-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2720-10-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2720-11-0x0000000000220000-0x000000000027B000-memory.dmp

Filesize
364KB

Download
memory/2720-17-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download