e01e10fbaeb9451d5253f3e19dc88cde173ba24168de95ca37dfdbee9cbe1ef8

Analysis

max time kernel
25s
max time network
131s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
21/10/2023, 21:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.3f95bd12844ff57e289705b4aacb84a0.exe
Size

2.2MB
MD5

3f95bd12844ff57e289705b4aacb84a0
SHA1

aff1cdf5b60adaa9266a8d01aad255a2af75d533
SHA256

e01e10fbaeb9451d5253f3e19dc88cde173ba24168de95ca37dfdbee9cbe1ef8
SHA512

877af4372adefd5c21c20a6903549dad3bf6e4d85e3e7d735672b903c7fbe0b505e81739f3064c73502f99c423c24e297d1bd427c3b7abb6a525e25c77738eaf
SSDEEP

49152:MtEcS4neHbyfYTOYKPu/gEjiEO5ItDaWmbANr92TDoET9l:Mt1S4neHvZjiEO5Ih1mbANrkwW

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2072	MSWDM.EXE
864	MSWDM.EXE
2724	NEAS.3F95BD12844FF57E289705B4AACB84A0.EXE
2804	MSWDM.EXE

Loads dropped DLL 1 IoCs

pid	Process
864	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	NEAS.3f95bd12844ff57e289705b4aacb84a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	NEAS.3f95bd12844ff57e289705b4aacb84a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	NEAS.3f95bd12844ff57e289705b4aacb84a0.exe
File opened for modification	C:\Windows\dev8E99.tmp	NEAS.3f95bd12844ff57e289705b4aacb84a0.exe
File opened for modification	C:\Windows\dev8E99.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
864	MSWDM.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 2072	2788	NEAS.3f95bd12844ff57e289705b4aacb84a0.exe	28
PID 2788 wrote to memory of 2072	2788	NEAS.3f95bd12844ff57e289705b4aacb84a0.exe	28
PID 2788 wrote to memory of 2072	2788	NEAS.3f95bd12844ff57e289705b4aacb84a0.exe	28
PID 2788 wrote to memory of 2072	2788	NEAS.3f95bd12844ff57e289705b4aacb84a0.exe	28
PID 2788 wrote to memory of 864	2788	NEAS.3f95bd12844ff57e289705b4aacb84a0.exe	29
PID 2788 wrote to memory of 864	2788	NEAS.3f95bd12844ff57e289705b4aacb84a0.exe	29
PID 2788 wrote to memory of 864	2788	NEAS.3f95bd12844ff57e289705b4aacb84a0.exe	29
PID 2788 wrote to memory of 864	2788	NEAS.3f95bd12844ff57e289705b4aacb84a0.exe	29
PID 864 wrote to memory of 2724	864	MSWDM.EXE	30
PID 864 wrote to memory of 2724	864	MSWDM.EXE	30
PID 864 wrote to memory of 2724	864	MSWDM.EXE	30
PID 864 wrote to memory of 2724	864	MSWDM.EXE	30
PID 864 wrote to memory of 2724	864	MSWDM.EXE	30
PID 864 wrote to memory of 2724	864	MSWDM.EXE	30
PID 864 wrote to memory of 2724	864	MSWDM.EXE	30
PID 864 wrote to memory of 2804	864	MSWDM.EXE	31
PID 864 wrote to memory of 2804	864	MSWDM.EXE	31
PID 864 wrote to memory of 2804	864	MSWDM.EXE	31
PID 864 wrote to memory of 2804	864	MSWDM.EXE	31

C:\Users\Admin\AppData\Local\Temp\NEAS.3f95bd12844ff57e289705b4aacb84a0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.3f95bd12844ff57e289705b4aacb84a0.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2788
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2072
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev8E99.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.3f95bd12844ff57e289705b4aacb84a0.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:864
- - C:\Users\Admin\AppData\Local\Temp\NEAS.3F95BD12844FF57E289705B4AACB84A0.EXE
    3⤵
    - Executes dropped EXE
    PID:2724
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev8E99.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.3F95BD12844FF57E289705B4AACB84A0.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.3F95BD12844FF57E289705B4AACB84A0.EXE

Filesize
2.2MB

MD5
05edbdaa5af9d2f4e93d9949c4fff85a

SHA1
2bc8cbeb2ac9a5b598d3031103cbcfcba3291e7c

SHA256
12dc2ed4e9dba6a87b83a190ffae01e82157031d97ebec38422daf86c865ca14

SHA512
9600f51d91f94dbd224e727d8d400228ee8506df16b49212094528a36d6203bff7f356081dfbacafea076bd076702a70572f128fee0f2e9b2d7c76c33e9a07ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.3F95BD12844FF57E289705B4AACB84A0.EXE

Filesize
2.2MB

MD5
05edbdaa5af9d2f4e93d9949c4fff85a

SHA1
2bc8cbeb2ac9a5b598d3031103cbcfcba3291e7c

SHA256
12dc2ed4e9dba6a87b83a190ffae01e82157031d97ebec38422daf86c865ca14

SHA512
9600f51d91f94dbd224e727d8d400228ee8506df16b49212094528a36d6203bff7f356081dfbacafea076bd076702a70572f128fee0f2e9b2d7c76c33e9a07ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.3f95bd12844ff57e289705b4aacb84a0.exe

Filesize
549KB

MD5
520a6d1cbcc9cf642c625fe814c93c58

SHA1
fb517abb38e9ccc67de411d4f18a9446c11c0923

SHA256
08966ce743aa1cbed0874933e104ef7b913188ecd8f0c679f7d8378516c51da2

SHA512
b92a32b27d6e6187c30d8018d7e0a35bde98dc524eabcd7709420b499778159e2872db04a3f2dfacf016d0e6d97b8175920e83fa28804609786828e52f058ff0

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
1.6MB

MD5
fc6ac2fb7742cbea2400f7e240305d39

SHA1
6c91f130359e4d037fb2831e05c309cf8ca5768f

SHA256
d34c3be6e82f51dffece09b6ddca240915a2c1f6a5fcd8074191f8c63b9afb98

SHA512
46680d0004287beece99f2241fc691ebecd92558297b7a73815ffc216108b8faa5456bb6e45201f758e36a01d112a8dc90d42da7a0045e1c76039a3418f734d2

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
fc6ac2fb7742cbea2400f7e240305d39

SHA1
6c91f130359e4d037fb2831e05c309cf8ca5768f

SHA256
d34c3be6e82f51dffece09b6ddca240915a2c1f6a5fcd8074191f8c63b9afb98

SHA512
46680d0004287beece99f2241fc691ebecd92558297b7a73815ffc216108b8faa5456bb6e45201f758e36a01d112a8dc90d42da7a0045e1c76039a3418f734d2

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
fc6ac2fb7742cbea2400f7e240305d39

SHA1
6c91f130359e4d037fb2831e05c309cf8ca5768f

SHA256
d34c3be6e82f51dffece09b6ddca240915a2c1f6a5fcd8074191f8c63b9afb98

SHA512
46680d0004287beece99f2241fc691ebecd92558297b7a73815ffc216108b8faa5456bb6e45201f758e36a01d112a8dc90d42da7a0045e1c76039a3418f734d2

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
fc6ac2fb7742cbea2400f7e240305d39

SHA1
6c91f130359e4d037fb2831e05c309cf8ca5768f

SHA256
d34c3be6e82f51dffece09b6ddca240915a2c1f6a5fcd8074191f8c63b9afb98

SHA512
46680d0004287beece99f2241fc691ebecd92558297b7a73815ffc216108b8faa5456bb6e45201f758e36a01d112a8dc90d42da7a0045e1c76039a3418f734d2

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
fc6ac2fb7742cbea2400f7e240305d39

SHA1
6c91f130359e4d037fb2831e05c309cf8ca5768f

SHA256
d34c3be6e82f51dffece09b6ddca240915a2c1f6a5fcd8074191f8c63b9afb98

SHA512
46680d0004287beece99f2241fc691ebecd92558297b7a73815ffc216108b8faa5456bb6e45201f758e36a01d112a8dc90d42da7a0045e1c76039a3418f734d2

Download Submit
C:\Windows\dev8E99.tmp

Filesize
549KB

MD5
520a6d1cbcc9cf642c625fe814c93c58

SHA1
fb517abb38e9ccc67de411d4f18a9446c11c0923

SHA256
08966ce743aa1cbed0874933e104ef7b913188ecd8f0c679f7d8378516c51da2

SHA512
b92a32b27d6e6187c30d8018d7e0a35bde98dc524eabcd7709420b499778159e2872db04a3f2dfacf016d0e6d97b8175920e83fa28804609786828e52f058ff0

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.3f95bd12844ff57e289705b4aacb84a0.exe

Filesize
549KB

MD5
520a6d1cbcc9cf642c625fe814c93c58

SHA1
fb517abb38e9ccc67de411d4f18a9446c11c0923

SHA256
08966ce743aa1cbed0874933e104ef7b913188ecd8f0c679f7d8378516c51da2

SHA512
b92a32b27d6e6187c30d8018d7e0a35bde98dc524eabcd7709420b499778159e2872db04a3f2dfacf016d0e6d97b8175920e83fa28804609786828e52f058ff0

Download Submit
memory/864-16-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/864-30-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2072-17-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2072-31-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2788-6-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download
memory/2788-12-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2788-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2804-28-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download