0a16d4233ef1fa49445afb01291a6db783d868acfea44db0bbf12c95cdf59d22

Analysis

max time kernel
26s
max time network
140s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
16/10/2023, 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.588591a0cddf8ec45ea62186b4919160.exe
Size

1.6MB
MD5

588591a0cddf8ec45ea62186b4919160
SHA1

eb435b75fd0d741ef0823400c352b686ec1ca3ca
SHA256

0a16d4233ef1fa49445afb01291a6db783d868acfea44db0bbf12c95cdf59d22
SHA512

7f632aba85b59970976daf3fab72c783a75a43e0b0ec3d4dd5aeb24b1ae02d96b3c7421cb711dc2382dbcf5fb5856cc1c1e3063ad3517a6471b90fe4dd28aa8f
SSDEEP

24576:M51x7cS9in6bxcqbF8fYTOYKbDurSUQN7kBG+JqJS+WOZseId9x0FOXr2rle:Mt7cS4neHbyfYTOYKPu/gEjiEO5ItDt

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1288	MSWDM.EXE
2248	MSWDM.EXE
2572	NEAS.588591A0CDDF8EC45EA62186B4919160.EXE
2672	MSWDM.EXE

Loads dropped DLL 2 IoCs

pid	Process
2248	MSWDM.EXE
2248	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	NEAS.588591a0cddf8ec45ea62186b4919160.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	NEAS.588591a0cddf8ec45ea62186b4919160.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	NEAS.588591a0cddf8ec45ea62186b4919160.exe
File opened for modification	C:\Windows\devEE84.tmp	NEAS.588591a0cddf8ec45ea62186b4919160.exe
File opened for modification	C:\Windows\devEE84.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2248	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 1288	2428	NEAS.588591a0cddf8ec45ea62186b4919160.exe	30
PID 2428 wrote to memory of 1288	2428	NEAS.588591a0cddf8ec45ea62186b4919160.exe	30
PID 2428 wrote to memory of 1288	2428	NEAS.588591a0cddf8ec45ea62186b4919160.exe	30
PID 2428 wrote to memory of 1288	2428	NEAS.588591a0cddf8ec45ea62186b4919160.exe	30
PID 2428 wrote to memory of 2248	2428	NEAS.588591a0cddf8ec45ea62186b4919160.exe	31
PID 2428 wrote to memory of 2248	2428	NEAS.588591a0cddf8ec45ea62186b4919160.exe	31
PID 2428 wrote to memory of 2248	2428	NEAS.588591a0cddf8ec45ea62186b4919160.exe	31
PID 2428 wrote to memory of 2248	2428	NEAS.588591a0cddf8ec45ea62186b4919160.exe	31
PID 2248 wrote to memory of 2572	2248	MSWDM.EXE	32
PID 2248 wrote to memory of 2572	2248	MSWDM.EXE	32
PID 2248 wrote to memory of 2572	2248	MSWDM.EXE	32
PID 2248 wrote to memory of 2572	2248	MSWDM.EXE	32
PID 2248 wrote to memory of 2672	2248	MSWDM.EXE	33
PID 2248 wrote to memory of 2672	2248	MSWDM.EXE	33
PID 2248 wrote to memory of 2672	2248	MSWDM.EXE	33
PID 2248 wrote to memory of 2672	2248	MSWDM.EXE	33

C:\Users\Admin\AppData\Local\Temp\NEAS.588591a0cddf8ec45ea62186b4919160.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.588591a0cddf8ec45ea62186b4919160.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2428
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1288
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\devEE84.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.588591a0cddf8ec45ea62186b4919160.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Users\Admin\AppData\Local\Temp\NEAS.588591A0CDDF8EC45EA62186B4919160.EXE
    3⤵
    - Executes dropped EXE
    PID:2572
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\devEE84.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.588591A0CDDF8EC45EA62186B4919160.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.588591A0CDDF8EC45EA62186B4919160.EXE

Filesize
1.6MB

MD5
46b16fea3a1154d8ba2734c04378a6ce

SHA1
1d9978602d11d626b1104ad7485563a096f52117

SHA256
8d454c4d276b127bba850998c7e8ed2c7ef34cff664eaa5993bcde802e48ce86

SHA512
8bb6660982ade9a7bd557a417e34d46b3db833f2d537a9d98be4beadb259ea18c484771ab4a8f20eea0f5eabf752c697b3518f7f1b9bc34971e8caf55bc4d9e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.588591A0CDDF8EC45EA62186B4919160.EXE

Filesize
1.6MB

MD5
46b16fea3a1154d8ba2734c04378a6ce

SHA1
1d9978602d11d626b1104ad7485563a096f52117

SHA256
8d454c4d276b127bba850998c7e8ed2c7ef34cff664eaa5993bcde802e48ce86

SHA512
8bb6660982ade9a7bd557a417e34d46b3db833f2d537a9d98be4beadb259ea18c484771ab4a8f20eea0f5eabf752c697b3518f7f1b9bc34971e8caf55bc4d9e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.588591a0cddf8ec45ea62186b4919160.exe

Filesize
25KB

MD5
3cc29072905c7387f04b6fe38d4f2d04

SHA1
32e0a2396e281cb7f8a160bcb60b1f19816bab6e

SHA256
94339cb67e79233ac81e31953270d3219beeaf5f9b71e775a46ab68c5a3dc218

SHA512
a67b27d89b72a16efad2cd615d60c0d49fc3c34c20a9817af73651fe7a48e2c4125034d3bc4a42fd9d1fb65ca8fac5d1974a1a4e8afe73a9823f6a6f285179ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.588591a0cddf8ec45ea62186b4919160.exe

Filesize
25KB

MD5
3cc29072905c7387f04b6fe38d4f2d04

SHA1
32e0a2396e281cb7f8a160bcb60b1f19816bab6e

SHA256
94339cb67e79233ac81e31953270d3219beeaf5f9b71e775a46ab68c5a3dc218

SHA512
a67b27d89b72a16efad2cd615d60c0d49fc3c34c20a9817af73651fe7a48e2c4125034d3bc4a42fd9d1fb65ca8fac5d1974a1a4e8afe73a9823f6a6f285179ed

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
1.6MB

MD5
859e3613f84d7fb1938d0385ea593f90

SHA1
0dce6abe18e7fad189d1c8643ce4e68f3e3a791d

SHA256
cf647f5991edb508710ca30a22f68057c0ee676e78a4c110a3a1c7e9746e6b89

SHA512
0a0e38f0ae0f02ca33ccac5617d1b0ec594b6fad9f0284d5d51add4d7ce28d83ea7a61805ad318a7561397a9ccdaa697b60f6c98ef4ca23dd4731d6fb7ae1adb

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
859e3613f84d7fb1938d0385ea593f90

SHA1
0dce6abe18e7fad189d1c8643ce4e68f3e3a791d

SHA256
cf647f5991edb508710ca30a22f68057c0ee676e78a4c110a3a1c7e9746e6b89

SHA512
0a0e38f0ae0f02ca33ccac5617d1b0ec594b6fad9f0284d5d51add4d7ce28d83ea7a61805ad318a7561397a9ccdaa697b60f6c98ef4ca23dd4731d6fb7ae1adb

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
859e3613f84d7fb1938d0385ea593f90

SHA1
0dce6abe18e7fad189d1c8643ce4e68f3e3a791d

SHA256
cf647f5991edb508710ca30a22f68057c0ee676e78a4c110a3a1c7e9746e6b89

SHA512
0a0e38f0ae0f02ca33ccac5617d1b0ec594b6fad9f0284d5d51add4d7ce28d83ea7a61805ad318a7561397a9ccdaa697b60f6c98ef4ca23dd4731d6fb7ae1adb

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
859e3613f84d7fb1938d0385ea593f90

SHA1
0dce6abe18e7fad189d1c8643ce4e68f3e3a791d

SHA256
cf647f5991edb508710ca30a22f68057c0ee676e78a4c110a3a1c7e9746e6b89

SHA512
0a0e38f0ae0f02ca33ccac5617d1b0ec594b6fad9f0284d5d51add4d7ce28d83ea7a61805ad318a7561397a9ccdaa697b60f6c98ef4ca23dd4731d6fb7ae1adb

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
859e3613f84d7fb1938d0385ea593f90

SHA1
0dce6abe18e7fad189d1c8643ce4e68f3e3a791d

SHA256
cf647f5991edb508710ca30a22f68057c0ee676e78a4c110a3a1c7e9746e6b89

SHA512
0a0e38f0ae0f02ca33ccac5617d1b0ec594b6fad9f0284d5d51add4d7ce28d83ea7a61805ad318a7561397a9ccdaa697b60f6c98ef4ca23dd4731d6fb7ae1adb

Download Submit
C:\Windows\devEE84.tmp

Filesize
25KB

MD5
3cc29072905c7387f04b6fe38d4f2d04

SHA1
32e0a2396e281cb7f8a160bcb60b1f19816bab6e

SHA256
94339cb67e79233ac81e31953270d3219beeaf5f9b71e775a46ab68c5a3dc218

SHA512
a67b27d89b72a16efad2cd615d60c0d49fc3c34c20a9817af73651fe7a48e2c4125034d3bc4a42fd9d1fb65ca8fac5d1974a1a4e8afe73a9823f6a6f285179ed

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.588591a0cddf8ec45ea62186b4919160.exe

Filesize
25KB

MD5
3cc29072905c7387f04b6fe38d4f2d04

SHA1
32e0a2396e281cb7f8a160bcb60b1f19816bab6e

SHA256
94339cb67e79233ac81e31953270d3219beeaf5f9b71e775a46ab68c5a3dc218

SHA512
a67b27d89b72a16efad2cd615d60c0d49fc3c34c20a9817af73651fe7a48e2c4125034d3bc4a42fd9d1fb65ca8fac5d1974a1a4e8afe73a9823f6a6f285179ed

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.588591a0cddf8ec45ea62186b4919160.exe

Filesize
25KB

MD5
3cc29072905c7387f04b6fe38d4f2d04

SHA1
32e0a2396e281cb7f8a160bcb60b1f19816bab6e

SHA256
94339cb67e79233ac81e31953270d3219beeaf5f9b71e775a46ab68c5a3dc218

SHA512
a67b27d89b72a16efad2cd615d60c0d49fc3c34c20a9817af73651fe7a48e2c4125034d3bc4a42fd9d1fb65ca8fac5d1974a1a4e8afe73a9823f6a6f285179ed

Download Submit
memory/1288-34-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2248-17-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2248-33-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2428-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2428-13-0x00000000001B0000-0x00000000001C4000-memory.dmp

Filesize
80KB

Download
memory/2428-11-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2428-35-0x00000000001B0000-0x00000000001C4000-memory.dmp

Filesize
80KB

Download
memory/2572-26-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2672-31-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download