3e8079f63a1943a5414921db3576e315ca688f45f658ec78fb85ef226d68dd12

Analysis

max time kernel
161s
max time network
139s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
22/10/2023, 17:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2d56d2ff081e30abde775279949a5f30.exe
Size

484KB
MD5

2d56d2ff081e30abde775279949a5f30
SHA1

a7e9f8b535d5e658988e3b5a1ce201a1cdfe6324
SHA256

3e8079f63a1943a5414921db3576e315ca688f45f658ec78fb85ef226d68dd12
SHA512

7ef7261ebdce58debd81738d9f460d1d521aea80710048d6874a398112c4a6209ed314272fee20c5170c1eed02a460260a37391c8d4692f3cfdabcd639d5929b
SSDEEP

12288:fLPkCDt1EG2XVekhdeTXX3kF1CWwH8k1ZklkpoZ:fLPkQ1bqAk1CpckfklNZ

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2692	AtBrutil.exe
2816	~B165.tmp
2896	PINGings.exe

Loads dropped DLL 3 IoCs

pid	Process
1884	NEAS.2d56d2ff081e30abde775279949a5f30.exe
1884	NEAS.2d56d2ff081e30abde775279949a5f30.exe
2692	AtBrutil.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\dxdiexec = "C:\\Users\\Admin\\AppData\\Roaming\\MigAdt32\\AtBrutil.exe"	NEAS.2d56d2ff081e30abde775279949a5f30.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\PINGings.exe	NEAS.2d56d2ff081e30abde775279949a5f30.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2736	1884	WerFault.exe	17

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2692	AtBrutil.exe
1264	Explorer.EXE
2896	PINGings.exe
1264	Explorer.EXE
2896	PINGings.exe
1264	Explorer.EXE
2896	PINGings.exe
1264	Explorer.EXE
2896	PINGings.exe
1264	Explorer.EXE
2896	PINGings.exe
1264	Explorer.EXE
2896	PINGings.exe
1264	Explorer.EXE
2896	PINGings.exe
1264	Explorer.EXE
2896	PINGings.exe
1264	Explorer.EXE
2896	PINGings.exe
1264	Explorer.EXE
2896	PINGings.exe
1264	Explorer.EXE
2896	PINGings.exe
1264	Explorer.EXE
2896	PINGings.exe
1264	Explorer.EXE
2896	PINGings.exe
1264	Explorer.EXE
2896	PINGings.exe
1264	Explorer.EXE
2896	PINGings.exe
1264	Explorer.EXE
2896	PINGings.exe
1264	Explorer.EXE
2896	PINGings.exe
1264	Explorer.EXE
2896	PINGings.exe
1264	Explorer.EXE
2896	PINGings.exe
1264	Explorer.EXE
2896	PINGings.exe
1264	Explorer.EXE
2896	PINGings.exe
1264	Explorer.EXE
2896	PINGings.exe
1264	Explorer.EXE
2896	PINGings.exe
1264	Explorer.EXE
2896	PINGings.exe
1264	Explorer.EXE
2896	PINGings.exe
1264	Explorer.EXE
2896	PINGings.exe
1264	Explorer.EXE
2896	PINGings.exe
1264	Explorer.EXE
2896	PINGings.exe
1264	Explorer.EXE
2896	PINGings.exe
1264	Explorer.EXE
2896	PINGings.exe
1264	Explorer.EXE
2896	PINGings.exe
1264	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1264	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2692	AtBrutil.exe
Token: SeShutdownPrivilege	1264	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 2692	1884	NEAS.2d56d2ff081e30abde775279949a5f30.exe	28
PID 1884 wrote to memory of 2692	1884	NEAS.2d56d2ff081e30abde775279949a5f30.exe	28
PID 1884 wrote to memory of 2692	1884	NEAS.2d56d2ff081e30abde775279949a5f30.exe	28
PID 1884 wrote to memory of 2692	1884	NEAS.2d56d2ff081e30abde775279949a5f30.exe	28
PID 2692 wrote to memory of 2816	2692	AtBrutil.exe	29
PID 2692 wrote to memory of 2816	2692	AtBrutil.exe	29
PID 2692 wrote to memory of 2816	2692	AtBrutil.exe	29
PID 2692 wrote to memory of 2816	2692	AtBrutil.exe	29
PID 2816 wrote to memory of 1264	2816	~B165.tmp	11
PID 1884 wrote to memory of 2736	1884	NEAS.2d56d2ff081e30abde775279949a5f30.exe	31
PID 1884 wrote to memory of 2736	1884	NEAS.2d56d2ff081e30abde775279949a5f30.exe	31
PID 1884 wrote to memory of 2736	1884	NEAS.2d56d2ff081e30abde775279949a5f30.exe	31
PID 1884 wrote to memory of 2736	1884	NEAS.2d56d2ff081e30abde775279949a5f30.exe	31

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1264
- C:\Users\Admin\AppData\Local\Temp\NEAS.2d56d2ff081e30abde775279949a5f30.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.2d56d2ff081e30abde775279949a5f30.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Users\Admin\AppData\Roaming\MigAdt32\AtBrutil.exe
    "C:\Users\Admin\AppData\Roaming\MigAdt32"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Users\Admin\AppData\Local\Temp\~B165.tmp
      1264 496136 2692 1
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2816
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 252
    3⤵
    - Program crash
    PID:2736

C:\Windows\SysWOW64\PINGings.exe
C:\Windows\SysWOW64\PINGings.exe -s
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~B165.tmp

Filesize
8KB

MD5
aac3165ece2959f39ff98334618d10d9

SHA1
020a191bfdc70c1fbd3bf74cd7479258bd197f51

SHA256
96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974

SHA512
9eb876812a6a13dd4b090788c2b1d9e9a2e25370598ed5c040f82e6f378edc4b78d58bc8f60d5a559ea57b1edcf3a144bfe09454a9928997173db8279d5b40cf

Download Submit
C:\Users\Admin\AppData\Roaming\MigAdt32\AtBrutil.exe

Filesize
484KB

MD5
32c828999b641183a2cd28f3c420dd4f

SHA1
b0788a7db33c5c457a938cfbc476f6c988a86d0c

SHA256
de49c0e4a7c8aa2b44b6f71113cb55ce2f24eb5cf76eb721e491269179c9ee1a

SHA512
1872e8779390e36fa9202860dd728924c23614dba760842ceacc6f1ee05644eba81aba5ae1d6581290d4d3f7d0c431c576d9a68ca2a70f13d56baf5128d6e985

Download Submit
C:\Users\Admin\AppData\Roaming\MigAdt32\AtBrutil.exe

Filesize
484KB

MD5
32c828999b641183a2cd28f3c420dd4f

SHA1
b0788a7db33c5c457a938cfbc476f6c988a86d0c

SHA256
de49c0e4a7c8aa2b44b6f71113cb55ce2f24eb5cf76eb721e491269179c9ee1a

SHA512
1872e8779390e36fa9202860dd728924c23614dba760842ceacc6f1ee05644eba81aba5ae1d6581290d4d3f7d0c431c576d9a68ca2a70f13d56baf5128d6e985

Download Submit
C:\Users\Admin\AppData\Roaming\MigAdt32\AtBrutil.exe

Filesize
484KB

MD5
32c828999b641183a2cd28f3c420dd4f

SHA1
b0788a7db33c5c457a938cfbc476f6c988a86d0c

SHA256
de49c0e4a7c8aa2b44b6f71113cb55ce2f24eb5cf76eb721e491269179c9ee1a

SHA512
1872e8779390e36fa9202860dd728924c23614dba760842ceacc6f1ee05644eba81aba5ae1d6581290d4d3f7d0c431c576d9a68ca2a70f13d56baf5128d6e985

Download Submit
C:\Windows\SysWOW64\PINGings.exe

Filesize
484KB

MD5
32c828999b641183a2cd28f3c420dd4f

SHA1
b0788a7db33c5c457a938cfbc476f6c988a86d0c

SHA256
de49c0e4a7c8aa2b44b6f71113cb55ce2f24eb5cf76eb721e491269179c9ee1a

SHA512
1872e8779390e36fa9202860dd728924c23614dba760842ceacc6f1ee05644eba81aba5ae1d6581290d4d3f7d0c431c576d9a68ca2a70f13d56baf5128d6e985

Download Submit
C:\Windows\SysWOW64\PINGings.exe

Filesize
484KB

MD5
32c828999b641183a2cd28f3c420dd4f

SHA1
b0788a7db33c5c457a938cfbc476f6c988a86d0c

SHA256
de49c0e4a7c8aa2b44b6f71113cb55ce2f24eb5cf76eb721e491269179c9ee1a

SHA512
1872e8779390e36fa9202860dd728924c23614dba760842ceacc6f1ee05644eba81aba5ae1d6581290d4d3f7d0c431c576d9a68ca2a70f13d56baf5128d6e985

Download Submit
\Users\Admin\AppData\Local\Temp\~B165.tmp

Filesize
8KB

MD5
aac3165ece2959f39ff98334618d10d9

SHA1
020a191bfdc70c1fbd3bf74cd7479258bd197f51

SHA256
96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974

SHA512
9eb876812a6a13dd4b090788c2b1d9e9a2e25370598ed5c040f82e6f378edc4b78d58bc8f60d5a559ea57b1edcf3a144bfe09454a9928997173db8279d5b40cf

Download Submit
\Users\Admin\AppData\Roaming\MigAdt32\AtBrutil.exe

Filesize
484KB

MD5
32c828999b641183a2cd28f3c420dd4f

SHA1
b0788a7db33c5c457a938cfbc476f6c988a86d0c

SHA256
de49c0e4a7c8aa2b44b6f71113cb55ce2f24eb5cf76eb721e491269179c9ee1a

SHA512
1872e8779390e36fa9202860dd728924c23614dba760842ceacc6f1ee05644eba81aba5ae1d6581290d4d3f7d0c431c576d9a68ca2a70f13d56baf5128d6e985

Download Submit
\Users\Admin\AppData\Roaming\MigAdt32\AtBrutil.exe

Filesize
484KB

MD5
32c828999b641183a2cd28f3c420dd4f

SHA1
b0788a7db33c5c457a938cfbc476f6c988a86d0c

SHA256
de49c0e4a7c8aa2b44b6f71113cb55ce2f24eb5cf76eb721e491269179c9ee1a

SHA512
1872e8779390e36fa9202860dd728924c23614dba760842ceacc6f1ee05644eba81aba5ae1d6581290d4d3f7d0c431c576d9a68ca2a70f13d56baf5128d6e985

Download Submit
memory/1264-22-0x0000000002A80000-0x0000000002A8D000-memory.dmp

Filesize
52KB

Download
memory/1264-16-0x0000000003E00000-0x0000000003E89000-memory.dmp

Filesize
548KB

Download
memory/1264-18-0x0000000003E00000-0x0000000003E89000-memory.dmp

Filesize
548KB

Download
memory/1264-19-0x0000000003E00000-0x0000000003E89000-memory.dmp

Filesize
548KB

Download
memory/1264-21-0x0000000002A70000-0x0000000002A76000-memory.dmp

Filesize
24KB

Download
memory/1884-0-0x00000000000E0000-0x0000000000163000-memory.dmp

Filesize
524KB

Download
memory/1884-33-0x00000000000E0000-0x0000000000163000-memory.dmp

Filesize
524KB

Download
memory/2692-12-0x0000000000290000-0x0000000000313000-memory.dmp

Filesize
524KB

Download
memory/2692-17-0x0000000000090000-0x0000000000096000-memory.dmp

Filesize
24KB

Download
memory/2896-28-0x0000000000360000-0x00000000003E3000-memory.dmp

Filesize
524KB

Download
memory/2896-29-0x0000000000130000-0x0000000000136000-memory.dmp

Filesize
24KB

Download
memory/2896-31-0x0000000000140000-0x0000000000146000-memory.dmp

Filesize
24KB

Download
memory/2896-32-0x0000000000130000-0x0000000000136000-memory.dmp

Filesize
24KB

Download
memory/2896-34-0x0000000000360000-0x00000000003E3000-memory.dmp

Filesize
524KB

Download
memory/2896-35-0x0000000000130000-0x0000000000136000-memory.dmp

Filesize
24KB

Download