0a16d4233ef1fa49445afb01291a6db783d868acfea44db0bbf12c95cdf59d22

General

Target

NEAS.588591a0cddf8ec45ea62186b4919160.exe
Size

1.6MB
MD5

588591a0cddf8ec45ea62186b4919160
SHA1

eb435b75fd0d741ef0823400c352b686ec1ca3ca
SHA256

0a16d4233ef1fa49445afb01291a6db783d868acfea44db0bbf12c95cdf59d22
SHA512

7f632aba85b59970976daf3fab72c783a75a43e0b0ec3d4dd5aeb24b1ae02d96b3c7421cb711dc2382dbcf5fb5856cc1c1e3063ad3517a6471b90fe4dd28aa8f
SSDEEP

24576:M51x7cS9in6bxcqbF8fYTOYKbDurSUQN7kBG+JqJS+WOZseId9x0FOXr2rle:Mt7cS4neHbyfYTOYKPu/gEjiEO5ItDt

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1448	MSWDM.EXE
2700	MSWDM.EXE
4976	NEAS.588591A0CDDF8EC45EA62186B4919160.EXE
3968	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	NEAS.588591a0cddf8ec45ea62186b4919160.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	NEAS.588591a0cddf8ec45ea62186b4919160.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	NEAS.588591a0cddf8ec45ea62186b4919160.exe
File opened for modification	C:\Windows\devBD83.tmp	NEAS.588591a0cddf8ec45ea62186b4919160.exe
File opened for modification	C:\Windows\devBD83.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2700	MSWDM.EXE
2700	MSWDM.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4124 wrote to memory of 1448	4124	NEAS.588591a0cddf8ec45ea62186b4919160.exe	82
PID 4124 wrote to memory of 1448	4124	NEAS.588591a0cddf8ec45ea62186b4919160.exe	82
PID 4124 wrote to memory of 1448	4124	NEAS.588591a0cddf8ec45ea62186b4919160.exe	82
PID 4124 wrote to memory of 2700	4124	NEAS.588591a0cddf8ec45ea62186b4919160.exe	83
PID 4124 wrote to memory of 2700	4124	NEAS.588591a0cddf8ec45ea62186b4919160.exe	83
PID 4124 wrote to memory of 2700	4124	NEAS.588591a0cddf8ec45ea62186b4919160.exe	83
PID 2700 wrote to memory of 4976	2700	MSWDM.EXE	84
PID 2700 wrote to memory of 4976	2700	MSWDM.EXE	84
PID 2700 wrote to memory of 4976	2700	MSWDM.EXE	84
PID 2700 wrote to memory of 3968	2700	MSWDM.EXE	85
PID 2700 wrote to memory of 3968	2700	MSWDM.EXE	85
PID 2700 wrote to memory of 3968	2700	MSWDM.EXE	85

C:\Users\Admin\AppData\Local\Temp\NEAS.588591a0cddf8ec45ea62186b4919160.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.588591a0cddf8ec45ea62186b4919160.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4124
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1448
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\devBD83.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.588591a0cddf8ec45ea62186b4919160.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Users\Admin\AppData\Local\Temp\NEAS.588591A0CDDF8EC45EA62186B4919160.EXE
    3⤵
    - Executes dropped EXE
    PID:4976
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\devBD83.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.588591A0CDDF8EC45EA62186B4919160.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.588591A0CDDF8EC45EA62186B4919160.EXE

Filesize
1.6MB

MD5
ca32fc9a565cf8164e731279147ae098

SHA1
0270195a5e9adba8465d97abe59fa8eb92f35bcf

SHA256
666f308a7a6790d651a3016415025743316a87732ff2375dfe595a4749050395

SHA512
b41c7271d7eb0318f15bd629b1cdfcab666f3fa6fc13dc2a3e131018d149add454b2a0935117bf2be0256cab2e9430c78835eba868ac36ba4fbb472d120f6b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.588591A0CDDF8EC45EA62186B4919160.EXE

Filesize
1.6MB

MD5
ca32fc9a565cf8164e731279147ae098

SHA1
0270195a5e9adba8465d97abe59fa8eb92f35bcf

SHA256
666f308a7a6790d651a3016415025743316a87732ff2375dfe595a4749050395

SHA512
b41c7271d7eb0318f15bd629b1cdfcab666f3fa6fc13dc2a3e131018d149add454b2a0935117bf2be0256cab2e9430c78835eba868ac36ba4fbb472d120f6b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.588591a0cddf8ec45ea62186b4919160.exe

Filesize
25KB

MD5
3cc29072905c7387f04b6fe38d4f2d04

SHA1
32e0a2396e281cb7f8a160bcb60b1f19816bab6e

SHA256
94339cb67e79233ac81e31953270d3219beeaf5f9b71e775a46ab68c5a3dc218

SHA512
a67b27d89b72a16efad2cd615d60c0d49fc3c34c20a9817af73651fe7a48e2c4125034d3bc4a42fd9d1fb65ca8fac5d1974a1a4e8afe73a9823f6a6f285179ed

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
1.6MB

MD5
859e3613f84d7fb1938d0385ea593f90

SHA1
0dce6abe18e7fad189d1c8643ce4e68f3e3a791d

SHA256
cf647f5991edb508710ca30a22f68057c0ee676e78a4c110a3a1c7e9746e6b89

SHA512
0a0e38f0ae0f02ca33ccac5617d1b0ec594b6fad9f0284d5d51add4d7ce28d83ea7a61805ad318a7561397a9ccdaa697b60f6c98ef4ca23dd4731d6fb7ae1adb

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
859e3613f84d7fb1938d0385ea593f90

SHA1
0dce6abe18e7fad189d1c8643ce4e68f3e3a791d

SHA256
cf647f5991edb508710ca30a22f68057c0ee676e78a4c110a3a1c7e9746e6b89

SHA512
0a0e38f0ae0f02ca33ccac5617d1b0ec594b6fad9f0284d5d51add4d7ce28d83ea7a61805ad318a7561397a9ccdaa697b60f6c98ef4ca23dd4731d6fb7ae1adb

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
859e3613f84d7fb1938d0385ea593f90

SHA1
0dce6abe18e7fad189d1c8643ce4e68f3e3a791d

SHA256
cf647f5991edb508710ca30a22f68057c0ee676e78a4c110a3a1c7e9746e6b89

SHA512
0a0e38f0ae0f02ca33ccac5617d1b0ec594b6fad9f0284d5d51add4d7ce28d83ea7a61805ad318a7561397a9ccdaa697b60f6c98ef4ca23dd4731d6fb7ae1adb

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
859e3613f84d7fb1938d0385ea593f90

SHA1
0dce6abe18e7fad189d1c8643ce4e68f3e3a791d

SHA256
cf647f5991edb508710ca30a22f68057c0ee676e78a4c110a3a1c7e9746e6b89

SHA512
0a0e38f0ae0f02ca33ccac5617d1b0ec594b6fad9f0284d5d51add4d7ce28d83ea7a61805ad318a7561397a9ccdaa697b60f6c98ef4ca23dd4731d6fb7ae1adb

Download Submit
C:\Windows\devBD83.tmp

Filesize
25KB

MD5
3cc29072905c7387f04b6fe38d4f2d04

SHA1
32e0a2396e281cb7f8a160bcb60b1f19816bab6e

SHA256
94339cb67e79233ac81e31953270d3219beeaf5f9b71e775a46ab68c5a3dc218

SHA512
a67b27d89b72a16efad2cd615d60c0d49fc3c34c20a9817af73651fe7a48e2c4125034d3bc4a42fd9d1fb65ca8fac5d1974a1a4e8afe73a9823f6a6f285179ed

Download Submit
memory/1448-20-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2700-19-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3968-17-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4124-7-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4124-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4976-12-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads