e70085aa1f4d6f5b98412ee2a2b1e8505dce378b7704ab816fab4f26706f9e24

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
21-10-2023 21:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.6296452948590aebe62ddd22ee76ed60.exe
Size

93KB
MD5

6296452948590aebe62ddd22ee76ed60
SHA1

a3bed2ea0e2b78f21b3a3fc04ab853fd3146af80
SHA256

e70085aa1f4d6f5b98412ee2a2b1e8505dce378b7704ab816fab4f26706f9e24
SHA512

0d49a2fd28e1be0252af30b8bb165f91f76c8fa291aa86f498d6891b775a64d8295b84aab4c09373244a044518b3f45e0b90856fbefc2c3990a5eb9ae9366e69
SSDEEP

1536:PGYU/W2/HG6QMauSV3ixJHABLrmhH7i9CO+WHg7zRZICrWaGZh7O:PfU/WF6QMauSuiWNi9CO+WARJrWNZ8

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2668	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2264	wuauclt.exe

Loads dropped DLL 1 IoCs

pid	Process
2304	NEAS.6296452948590aebe62ddd22ee76ed60.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\wuauclt.exe\" /run"	NEAS.6296452948590aebe62ddd22ee76ed60.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2264	2304	NEAS.6296452948590aebe62ddd22ee76ed60.exe	28
PID 2304 wrote to memory of 2264	2304	NEAS.6296452948590aebe62ddd22ee76ed60.exe	28
PID 2304 wrote to memory of 2264	2304	NEAS.6296452948590aebe62ddd22ee76ed60.exe	28
PID 2304 wrote to memory of 2264	2304	NEAS.6296452948590aebe62ddd22ee76ed60.exe	28
PID 2304 wrote to memory of 2668	2304	NEAS.6296452948590aebe62ddd22ee76ed60.exe	29
PID 2304 wrote to memory of 2668	2304	NEAS.6296452948590aebe62ddd22ee76ed60.exe	29
PID 2304 wrote to memory of 2668	2304	NEAS.6296452948590aebe62ddd22ee76ed60.exe	29
PID 2304 wrote to memory of 2668	2304	NEAS.6296452948590aebe62ddd22ee76ed60.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.6296452948590aebe62ddd22ee76ed60.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.6296452948590aebe62ddd22ee76ed60.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2304
- C:\ProgramData\Update\wuauclt.exe
  "C:\ProgramData\Update\wuauclt.exe" /run
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\windows\SysWOW64\cmd.exe
  "C:\windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\NEAS.6296452948590aebe62ddd22ee76ed60.exe" >> NUL
  2⤵
  - Deletes itself
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Update\wuauclt.exe

Filesize
93KB

MD5
0b3050b3847cbacbda8de9b8dbc23259

SHA1
ae1a6c22cb5df92bbe52791e03a8111716067c97

SHA256
de9d897141eb8a279b0f3211b55bab0b38df345b2f340cc0600a33ca55b4fc56

SHA512
be823ed16965b84bdba6979ce70f4a88eddfcdf21218ceeaa198bc2c3dfebb711910c7baf5cf8547419313a0f12daf561ebc423ad97fe143a6c8c6a77b406e30

Download Submit
\ProgramData\Update\wuauclt.exe

Filesize
93KB

MD5
0b3050b3847cbacbda8de9b8dbc23259

SHA1
ae1a6c22cb5df92bbe52791e03a8111716067c97

SHA256
de9d897141eb8a279b0f3211b55bab0b38df345b2f340cc0600a33ca55b4fc56

SHA512
be823ed16965b84bdba6979ce70f4a88eddfcdf21218ceeaa198bc2c3dfebb711910c7baf5cf8547419313a0f12daf561ebc423ad97fe143a6c8c6a77b406e30

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads