15ae65aa18ce3eae724c85745de8975a15b86307b3d7d6effbc7ea8541c2e5e2

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
23/10/2023, 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.098fdb658f90a3bba3b3f0280c952580_JC.exe
Size

249KB
MD5

098fdb658f90a3bba3b3f0280c952580
SHA1

d25eba00706a642e2dd83514fe3303d2cb0749db
SHA256

15ae65aa18ce3eae724c85745de8975a15b86307b3d7d6effbc7ea8541c2e5e2
SHA512

c477a8cc27aca6da317c83864bab9aede8d3acd1a377ced7d172eaaa8e075a7685f8e94b1635aac386786b59e0cb887517f44b8d3d5a014ed4639b482aeb56fd
SSDEEP

6144:7sZJCstu4PJg5/Ly0d8YaDRVHTVtSbGqJP:Yy5zyNYaHHDSf

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
1796	dhuqaed.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\dhuqaed.exe	NEAS.098fdb658f90a3bba3b3f0280c952580_JC.exe
File created	C:\PROGRA~3\Mozilla\fjgblbm.dll	dhuqaed.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1716	NEAS.098fdb658f90a3bba3b3f0280c952580_JC.exe
1796	dhuqaed.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1012 wrote to memory of 1796	1012	taskeng.exe	29
PID 1012 wrote to memory of 1796	1012	taskeng.exe	29
PID 1012 wrote to memory of 1796	1012	taskeng.exe	29
PID 1012 wrote to memory of 1796	1012	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.098fdb658f90a3bba3b3f0280c952580_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.098fdb658f90a3bba3b3f0280c952580_JC.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:1716

C:\Windows\system32\taskeng.exe
taskeng.exe {327D8CA4-0839-41BF-AE87-F1B3440A5DB3} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1012
- C:\PROGRA~3\Mozilla\dhuqaed.exe
  C:\PROGRA~3\Mozilla\dhuqaed.exe -vpwggce
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\dhuqaed.exe

Filesize
249KB

MD5
d4b38409e7df093e6ce97c810505b99f

SHA1
75448539079929962cffa450150c23fb584c0a78

SHA256
4e0a407e3d24cb93ddabe26382a9360b4d017ccdbc6bcb0d1a90e9c57ecf466e

SHA512
b8a88a6ceec8aedd3cfa36191054bb528dfe6ec222fba85d629ac17be56c2e9a8cd1a308439b3a6b2c04ab3edd567a4d1f5b3672f2a6466b33e2067270fa6000

Download Submit
C:\PROGRA~3\Mozilla\dhuqaed.exe

Filesize
249KB

MD5
d4b38409e7df093e6ce97c810505b99f

SHA1
75448539079929962cffa450150c23fb584c0a78

SHA256
4e0a407e3d24cb93ddabe26382a9360b4d017ccdbc6bcb0d1a90e9c57ecf466e

SHA512
b8a88a6ceec8aedd3cfa36191054bb528dfe6ec222fba85d629ac17be56c2e9a8cd1a308439b3a6b2c04ab3edd567a4d1f5b3672f2a6466b33e2067270fa6000

Download Submit
memory/1716-0-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1716-1-0x0000000000460000-0x00000000004BC000-memory.dmp

Filesize
368KB

Download
memory/1716-2-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1716-5-0x0000000000460000-0x00000000004BC000-memory.dmp

Filesize
368KB

Download
memory/1716-4-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1796-8-0x0000000000460000-0x00000000004BC000-memory.dmp

Filesize
368KB

Download
memory/1796-9-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1796-11-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1796-12-0x0000000000460000-0x00000000004BC000-memory.dmp

Filesize
368KB

Download