4d6e23223e3d95a28d8cf624450c0514b63d57fbf14b62a8bfbd08d81aa84f54

Analysis

max time kernel
18s
max time network
21s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
28/10/2023, 18:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2f8d2180bc8636101ca5754310731080.exe
Size

144KB
MD5

2f8d2180bc8636101ca5754310731080
SHA1

b93b1620febf631f9dd7f3dc113e7690e69d9feb
SHA256

4d6e23223e3d95a28d8cf624450c0514b63d57fbf14b62a8bfbd08d81aa84f54
SHA512

ff5e869bfca92424c0fd244d3488b5cd14dcce357e3ff2af2d6bb1242b48877b7e3979814424d154593de24c2c57a9f9dafa9ae9a10e983538d2efbe42bbb683
SSDEEP

3072:9QwtBcEiZztKydjXbyDwFQhoAawGvV2OtzaA+H1gUqNGEgUBG83HZ:9Qwt6EUzMo2po3wGvVevH1gjDgO

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
2632	wwljcul.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\wwljcul.exe	NEAS.2f8d2180bc8636101ca5754310731080.exe
File created	C:\PROGRA~3\Mozilla\sdwojsn.dll	wwljcul.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2632	2032	taskeng.exe	29
PID 2032 wrote to memory of 2632	2032	taskeng.exe	29
PID 2032 wrote to memory of 2632	2032	taskeng.exe	29
PID 2032 wrote to memory of 2632	2032	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.2f8d2180bc8636101ca5754310731080.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2f8d2180bc8636101ca5754310731080.exe"
1⤵
- Drops file in Program Files directory
PID:2948

C:\Windows\system32\taskeng.exe
taskeng.exe {639CE1BE-D626-4D0C-A8B3-EF5DD47102C1} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2032
- C:\PROGRA~3\Mozilla\wwljcul.exe
  C:\PROGRA~3\Mozilla\wwljcul.exe -anxczaj
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\wwljcul.exe

Filesize
144KB

MD5
a31a6052e111d79ed6aff3f989b55122

SHA1
0b0b8d719fb58cd0d47b7838a56377dc91f06ce3

SHA256
2a427bb47c4f2e6bf2b503c5cc80a49583bc990d076a57b05b742f6887eb034a

SHA512
a98f29f0ec9c40120e85a878bc6c89c996df37cb74b4e238b7e426218f76c10ef354fd7da6d9068b73618e4ee47f80ee0d3e056df0f343775576a7eadedeac48

Download Submit
C:\PROGRA~3\Mozilla\wwljcul.exe

Filesize
144KB

MD5
a31a6052e111d79ed6aff3f989b55122

SHA1
0b0b8d719fb58cd0d47b7838a56377dc91f06ce3

SHA256
2a427bb47c4f2e6bf2b503c5cc80a49583bc990d076a57b05b742f6887eb034a

SHA512
a98f29f0ec9c40120e85a878bc6c89c996df37cb74b4e238b7e426218f76c10ef354fd7da6d9068b73618e4ee47f80ee0d3e056df0f343775576a7eadedeac48

Download Submit
memory/2632-11-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2632-16-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2948-0-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2948-1-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2948-2-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2948-3-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2948-7-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download