d446cb49bdba9f9b4b7aff9264fb5ecac5158de6c5d38c0de831e13df390e84a

Analysis

max time kernel
174s
max time network
129s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
16/10/2023, 18:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.b0517993ba73597e63779801bde29ce0.exe
Size

479KB
MD5

b0517993ba73597e63779801bde29ce0
SHA1

bcbda1e5934798fa059b022d7657f1c341e7101d
SHA256

d446cb49bdba9f9b4b7aff9264fb5ecac5158de6c5d38c0de831e13df390e84a
SHA512

3d5d3d3959d8c5ac3f62c4ffa0a8c2c0e1443bfcd6671e886971eafdaeaab897e7b329e4a97283d13f13d601e404a2ca7701341ecf678b5750cd2ab2bc3de798
SSDEEP

12288:5Glc87eqqV5e+wBV6O+VqI+CpYPHYp1WnOOQ+ZK:5GSqqHeVBxyfOApMO4ZK

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2816	ciphetup.exe
2832	~DB71.tmp
2536	clealing.exe

Loads dropped DLL 3 IoCs

pid	Process
2044	NEAS.b0517993ba73597e63779801bde29ce0.exe
2044	NEAS.b0517993ba73597e63779801bde29ce0.exe
2816	ciphetup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Run\DpiSnsvr = "C:\\Users\\Admin\\AppData\\Roaming\\fltMutil\\ciphetup.exe"	NEAS.b0517993ba73597e63779801bde29ce0.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\clealing.exe	NEAS.b0517993ba73597e63779801bde29ce0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2816	ciphetup.exe
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1264	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2816	ciphetup.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 2816	2044	NEAS.b0517993ba73597e63779801bde29ce0.exe	29
PID 2044 wrote to memory of 2816	2044	NEAS.b0517993ba73597e63779801bde29ce0.exe	29
PID 2044 wrote to memory of 2816	2044	NEAS.b0517993ba73597e63779801bde29ce0.exe	29
PID 2044 wrote to memory of 2816	2044	NEAS.b0517993ba73597e63779801bde29ce0.exe	29
PID 2816 wrote to memory of 2832	2816	ciphetup.exe	30
PID 2816 wrote to memory of 2832	2816	ciphetup.exe	30
PID 2816 wrote to memory of 2832	2816	ciphetup.exe	30
PID 2816 wrote to memory of 2832	2816	ciphetup.exe	30
PID 2832 wrote to memory of 1264	2832	~DB71.tmp	12

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:1264
- C:\Users\Admin\AppData\Local\Temp\NEAS.b0517993ba73597e63779801bde29ce0.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.b0517993ba73597e63779801bde29ce0.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Users\Admin\AppData\Roaming\fltMutil\ciphetup.exe
    "C:\Users\Admin\AppData\Roaming\fltMutil"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Users\Admin\AppData\Local\Temp\~DB71.tmp
      1264 490504 2816 1
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2832

C:\Windows\SysWOW64\clealing.exe
C:\Windows\SysWOW64\clealing.exe -s
1⤵
- Executes dropped EXE
PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~DB71.tmp

Filesize
8KB

MD5
86dc243576cf5c7445451af37631eea9

SHA1
99a81c47c4c02f32c0ab456bfa23c306c7a09bf9

SHA256
25d2a671e1b5b5b95697ac0234ce4d46e0d0894919521b54aabebd9daecf994a

SHA512
c7310524f9b65f811146c1eb6ae944966351ac88a95fbc1ac422d8810730e5e212a7e28090ad758ea23c96ba38073e7fcf42460575e7f09dbc759a45c5d5a4a4

Download Submit
C:\Users\Admin\AppData\Roaming\fltMutil\ciphetup.exe

Filesize
479KB

MD5
7d0d761f418ea1ab9b3d2904473279f6

SHA1
a98bd1a3e50e91bdf7dfe6a5b98e42feec3829c7

SHA256
a2093bde758cbe30d28d2cf7e1ecf27ddc5ebd47b6ab4b76359c16a0f32d8f89

SHA512
2f15abd8cc8ae9319bbc15a8f0a2532ceeba9c84dd1d6318053f6b27d93252be8512674d286dda4837173ac5120f949eb835b95d4194e9fe646c13b374b21218

Download Submit
C:\Users\Admin\AppData\Roaming\fltMutil\ciphetup.exe

Filesize
479KB

MD5
7d0d761f418ea1ab9b3d2904473279f6

SHA1
a98bd1a3e50e91bdf7dfe6a5b98e42feec3829c7

SHA256
a2093bde758cbe30d28d2cf7e1ecf27ddc5ebd47b6ab4b76359c16a0f32d8f89

SHA512
2f15abd8cc8ae9319bbc15a8f0a2532ceeba9c84dd1d6318053f6b27d93252be8512674d286dda4837173ac5120f949eb835b95d4194e9fe646c13b374b21218

Download Submit
C:\Users\Admin\AppData\Roaming\fltMutil\ciphetup.exe

Filesize
479KB

MD5
7d0d761f418ea1ab9b3d2904473279f6

SHA1
a98bd1a3e50e91bdf7dfe6a5b98e42feec3829c7

SHA256
a2093bde758cbe30d28d2cf7e1ecf27ddc5ebd47b6ab4b76359c16a0f32d8f89

SHA512
2f15abd8cc8ae9319bbc15a8f0a2532ceeba9c84dd1d6318053f6b27d93252be8512674d286dda4837173ac5120f949eb835b95d4194e9fe646c13b374b21218

Download Submit
C:\Windows\SysWOW64\clealing.exe

Filesize
479KB

MD5
7d0d761f418ea1ab9b3d2904473279f6

SHA1
a98bd1a3e50e91bdf7dfe6a5b98e42feec3829c7

SHA256
a2093bde758cbe30d28d2cf7e1ecf27ddc5ebd47b6ab4b76359c16a0f32d8f89

SHA512
2f15abd8cc8ae9319bbc15a8f0a2532ceeba9c84dd1d6318053f6b27d93252be8512674d286dda4837173ac5120f949eb835b95d4194e9fe646c13b374b21218

Download Submit
C:\Windows\SysWOW64\clealing.exe

Filesize
479KB

MD5
7d0d761f418ea1ab9b3d2904473279f6

SHA1
a98bd1a3e50e91bdf7dfe6a5b98e42feec3829c7

SHA256
a2093bde758cbe30d28d2cf7e1ecf27ddc5ebd47b6ab4b76359c16a0f32d8f89

SHA512
2f15abd8cc8ae9319bbc15a8f0a2532ceeba9c84dd1d6318053f6b27d93252be8512674d286dda4837173ac5120f949eb835b95d4194e9fe646c13b374b21218

Download Submit
\Users\Admin\AppData\Local\Temp\~DB71.tmp

Filesize
8KB

MD5
86dc243576cf5c7445451af37631eea9

SHA1
99a81c47c4c02f32c0ab456bfa23c306c7a09bf9

SHA256
25d2a671e1b5b5b95697ac0234ce4d46e0d0894919521b54aabebd9daecf994a

SHA512
c7310524f9b65f811146c1eb6ae944966351ac88a95fbc1ac422d8810730e5e212a7e28090ad758ea23c96ba38073e7fcf42460575e7f09dbc759a45c5d5a4a4

Download Submit
\Users\Admin\AppData\Roaming\fltMutil\ciphetup.exe

Filesize
479KB

MD5
7d0d761f418ea1ab9b3d2904473279f6

SHA1
a98bd1a3e50e91bdf7dfe6a5b98e42feec3829c7

SHA256
a2093bde758cbe30d28d2cf7e1ecf27ddc5ebd47b6ab4b76359c16a0f32d8f89

SHA512
2f15abd8cc8ae9319bbc15a8f0a2532ceeba9c84dd1d6318053f6b27d93252be8512674d286dda4837173ac5120f949eb835b95d4194e9fe646c13b374b21218

Download Submit
\Users\Admin\AppData\Roaming\fltMutil\ciphetup.exe

Filesize
479KB

MD5
7d0d761f418ea1ab9b3d2904473279f6

SHA1
a98bd1a3e50e91bdf7dfe6a5b98e42feec3829c7

SHA256
a2093bde758cbe30d28d2cf7e1ecf27ddc5ebd47b6ab4b76359c16a0f32d8f89

SHA512
2f15abd8cc8ae9319bbc15a8f0a2532ceeba9c84dd1d6318053f6b27d93252be8512674d286dda4837173ac5120f949eb835b95d4194e9fe646c13b374b21218

Download Submit
memory/1264-27-0x0000000002610000-0x0000000002616000-memory.dmp

Filesize
24KB

Download
memory/1264-29-0x0000000002CB0000-0x0000000002CBD000-memory.dmp

Filesize
52KB

Download
memory/1264-23-0x0000000002A90000-0x0000000002B17000-memory.dmp

Filesize
540KB

Download
memory/1264-24-0x0000000002A90000-0x0000000002B17000-memory.dmp

Filesize
540KB

Download
memory/1264-22-0x0000000002A90000-0x0000000002B17000-memory.dmp

Filesize
540KB

Download
memory/2044-14-0x0000000000220000-0x00000000002A0000-memory.dmp

Filesize
512KB

Download
memory/2044-0-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2044-11-0x0000000008570000-0x00000000085F2000-memory.dmp

Filesize
520KB

Download
memory/2044-33-0x0000000008570000-0x00000000085F2000-memory.dmp

Filesize
520KB

Download
memory/2044-5-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2044-1-0x0000000000220000-0x00000000002A0000-memory.dmp

Filesize
512KB

Download
memory/2536-36-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2816-17-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2816-18-0x0000000000220000-0x00000000002A0000-memory.dmp

Filesize
512KB

Download
memory/2816-16-0x00000000002C0000-0x00000000002C5000-memory.dmp

Filesize
20KB

Download