ccecfc3df788e7ec11383f6d3b83d4a9c42810a5aa297072ee5a5d59df952584

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
28-10-2023 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.e8d3de8668b772007863e0e1b5043f80.exe
Size

134KB
MD5

e8d3de8668b772007863e0e1b5043f80
SHA1

c719aaff6940be877a13335a7495e90df0b6dc0b
SHA256

ccecfc3df788e7ec11383f6d3b83d4a9c42810a5aa297072ee5a5d59df952584
SHA512

d511fce0c06ab4a8b2c08aedd70ecb2fd885562112e791b123a9b8eef9677ac4036ca77173441cc8cc7fdd6d917d5d8ffff3a5db420a9465542a004e64cb7a5c
SSDEEP

1536:NH5wZhGZmhunyQfnh7/NmuHSu6xx/4xBgnQT1dZXDo9dNc/ymiS0TX5D5qB0FMXE:pQsrhhx9yuk/47ZzomBm5D5LMXqNp

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
2368	suvkbwn.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\suvkbwn.exe	NEAS.e8d3de8668b772007863e0e1b5043f80.exe
File created	C:\PROGRA~3\Mozilla\wfwcssm.dll	suvkbwn.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2368	2700	taskeng.exe	29
PID 2700 wrote to memory of 2368	2700	taskeng.exe	29
PID 2700 wrote to memory of 2368	2700	taskeng.exe	29
PID 2700 wrote to memory of 2368	2700	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.e8d3de8668b772007863e0e1b5043f80.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.e8d3de8668b772007863e0e1b5043f80.exe"
1⤵
- Drops file in Program Files directory
PID:2840

C:\Windows\system32\taskeng.exe
taskeng.exe {F18791B3-71B6-4084-AA56-E1425E155AFC} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2700
- C:\PROGRA~3\Mozilla\suvkbwn.exe
  C:\PROGRA~3\Mozilla\suvkbwn.exe -tlhykym
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\suvkbwn.exe

Filesize
134KB

MD5
545e705af6a37cd2774ef353253b8783

SHA1
89f1b778f135e6182ad6cb40919adfa78f0e7db2

SHA256
a2dfbcc2df3dc65d5ec9001956cebecea8c414291b64dc058a8a20660c4dfa3d

SHA512
37b350c0e08c097fcdb61d21fc65ace23a092a314cb88203ea0f2b4e484e45a4b579e5518d27606946729204d6e35ad20ff8d1ade4e785544ee3a8943fe2ed8e

Download Submit
C:\PROGRA~3\Mozilla\suvkbwn.exe

Filesize
134KB

MD5
545e705af6a37cd2774ef353253b8783

SHA1
89f1b778f135e6182ad6cb40919adfa78f0e7db2

SHA256
a2dfbcc2df3dc65d5ec9001956cebecea8c414291b64dc058a8a20660c4dfa3d

SHA512
37b350c0e08c097fcdb61d21fc65ace23a092a314cb88203ea0f2b4e484e45a4b579e5518d27606946729204d6e35ad20ff8d1ade4e785544ee3a8943fe2ed8e

Download Submit
memory/2368-10-0x0000000000990000-0x00000000009EB000-memory.dmp

Filesize
364KB

Download
memory/2368-16-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2840-0-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2840-1-0x0000000001CB0000-0x0000000001D0B000-memory.dmp

Filesize
364KB

Download
memory/2840-7-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download