a4213dd229af9c5c4d24ac2a24a1360c1e4fc4ba0c453288fef7456d5fda67e7

General

Target

NEAS.7217171d6bcdb7b66ca8e9b011f1d2b0_JC.exe
Size

1.6MB
MD5

7217171d6bcdb7b66ca8e9b011f1d2b0
SHA1

ba47a783c82becd418cd95b6a2cf21efcd63472a
SHA256

a4213dd229af9c5c4d24ac2a24a1360c1e4fc4ba0c453288fef7456d5fda67e7
SHA512

31ca1607bf2146a3852c31fbe03094ffdef703e1cd8504e98434aae10acc705a257f70c077439f8611e8b19141a7baae1d5bbe5204846581bd5e13f5891254d3
SSDEEP

24576:M51xscS9in6bxcqbF8fYTOYKbDurSUQN7kBG+JqJS+WOZseId9x0FOXr2rlWQ:MtscS4neHbyfYTOYKPu/gEjiEO5ItDq

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
844	MSWDM.EXE
1924	MSWDM.EXE
2724	NEAS.7217171D6BCDB7B66CA8E9B011F1D2B0_JC.EXE

Loads dropped DLL 1 IoCs

pid	Process
1924	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	NEAS.7217171d6bcdb7b66ca8e9b011f1d2b0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	NEAS.7217171d6bcdb7b66ca8e9b011f1d2b0_JC.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	NEAS.7217171d6bcdb7b66ca8e9b011f1d2b0_JC.exe
File opened for modification	C:\Windows\dev3B3C.tmp	NEAS.7217171d6bcdb7b66ca8e9b011f1d2b0_JC.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1924	MSWDM.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 844	3012	NEAS.7217171d6bcdb7b66ca8e9b011f1d2b0_JC.exe	3
PID 3012 wrote to memory of 844	3012	NEAS.7217171d6bcdb7b66ca8e9b011f1d2b0_JC.exe	3
PID 3012 wrote to memory of 844	3012	NEAS.7217171d6bcdb7b66ca8e9b011f1d2b0_JC.exe	3
PID 3012 wrote to memory of 844	3012	NEAS.7217171d6bcdb7b66ca8e9b011f1d2b0_JC.exe	3
PID 3012 wrote to memory of 1924	3012	NEAS.7217171d6bcdb7b66ca8e9b011f1d2b0_JC.exe	2
PID 3012 wrote to memory of 1924	3012	NEAS.7217171d6bcdb7b66ca8e9b011f1d2b0_JC.exe	2
PID 3012 wrote to memory of 1924	3012	NEAS.7217171d6bcdb7b66ca8e9b011f1d2b0_JC.exe	2
PID 3012 wrote to memory of 1924	3012	NEAS.7217171d6bcdb7b66ca8e9b011f1d2b0_JC.exe	2
PID 1924 wrote to memory of 2724	1924	MSWDM.EXE	1
PID 1924 wrote to memory of 2724	1924	MSWDM.EXE	1
PID 1924 wrote to memory of 2724	1924	MSWDM.EXE	1
PID 1924 wrote to memory of 2724	1924	MSWDM.EXE	1
PID 1924 wrote to memory of 2724	1924	MSWDM.EXE	1
PID 1924 wrote to memory of 2724	1924	MSWDM.EXE	1
PID 1924 wrote to memory of 2724	1924	MSWDM.EXE	1

C:\Users\Admin\AppData\Local\Temp\NEAS.7217171D6BCDB7B66CA8E9B011F1D2B0_JC.EXE
1⤵
- Executes dropped EXE
PID:2724

C:\WINDOWS\MSWDM.EXE
-r!C:\Windows\dev3B3C.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.7217171d6bcdb7b66ca8e9b011f1d2b0_JC.exe! !
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1924

C:\WINDOWS\MSWDM.EXE
"C:\WINDOWS\MSWDM.EXE"
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:844

C:\Users\Admin\AppData\Local\Temp\NEAS.7217171d6bcdb7b66ca8e9b011f1d2b0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.7217171d6bcdb7b66ca8e9b011f1d2b0_JC.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.7217171d6bcdb7b66ca8e9b011f1d2b0_JC.exe

Filesize
15KB

MD5
b0cec9f342bf95700b602ee376446577

SHA1
b955b1b64280bb0ea873538029cf5ea44081501b

SHA256
24a2472e3bd5016cb22ce14cefee112d5bc18354bf099e8e66ad9846aea15088

SHA512
05ebecfc8d3e2e7885d3cacc65bfd97db710c2cbc0fb76b19b7d6cc82b327b25df953a20affc8d84002167dd8ac7710622279d3579c6605e742a98fe7095aa4e

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
1.6MB

MD5
a6d525906bdb2d9885426f32dceac582

SHA1
f6899ddcfe03813625d4dff2bcb4b072a3903286

SHA256
a40d1971c0916bbc7b7bf2359022d60bb45f61e5d78c305fc2910a07fd66d8d4

SHA512
3727cb264261817c2bc8735335b1254a14b8a97bb862822052d669966af3ca6a89d01a3c242682d2d19af314f24798f921070dacd3f9ec6cef0c6d817593d5a7

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
a6d525906bdb2d9885426f32dceac582

SHA1
f6899ddcfe03813625d4dff2bcb4b072a3903286

SHA256
a40d1971c0916bbc7b7bf2359022d60bb45f61e5d78c305fc2910a07fd66d8d4

SHA512
3727cb264261817c2bc8735335b1254a14b8a97bb862822052d669966af3ca6a89d01a3c242682d2d19af314f24798f921070dacd3f9ec6cef0c6d817593d5a7

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
a6d525906bdb2d9885426f32dceac582

SHA1
f6899ddcfe03813625d4dff2bcb4b072a3903286

SHA256
a40d1971c0916bbc7b7bf2359022d60bb45f61e5d78c305fc2910a07fd66d8d4

SHA512
3727cb264261817c2bc8735335b1254a14b8a97bb862822052d669966af3ca6a89d01a3c242682d2d19af314f24798f921070dacd3f9ec6cef0c6d817593d5a7

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
a6d525906bdb2d9885426f32dceac582

SHA1
f6899ddcfe03813625d4dff2bcb4b072a3903286

SHA256
a40d1971c0916bbc7b7bf2359022d60bb45f61e5d78c305fc2910a07fd66d8d4

SHA512
3727cb264261817c2bc8735335b1254a14b8a97bb862822052d669966af3ca6a89d01a3c242682d2d19af314f24798f921070dacd3f9ec6cef0c6d817593d5a7

Download Submit
C:\Windows\dev3B3C.tmp

Filesize
15KB

MD5
b0cec9f342bf95700b602ee376446577

SHA1
b955b1b64280bb0ea873538029cf5ea44081501b

SHA256
24a2472e3bd5016cb22ce14cefee112d5bc18354bf099e8e66ad9846aea15088

SHA512
05ebecfc8d3e2e7885d3cacc65bfd97db710c2cbc0fb76b19b7d6cc82b327b25df953a20affc8d84002167dd8ac7710622279d3579c6605e742a98fe7095aa4e

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.7217171d6bcdb7b66ca8e9b011f1d2b0_JC.exe

Filesize
15KB

MD5
b0cec9f342bf95700b602ee376446577

SHA1
b955b1b64280bb0ea873538029cf5ea44081501b

SHA256
24a2472e3bd5016cb22ce14cefee112d5bc18354bf099e8e66ad9846aea15088

SHA512
05ebecfc8d3e2e7885d3cacc65bfd97db710c2cbc0fb76b19b7d6cc82b327b25df953a20affc8d84002167dd8ac7710622279d3579c6605e742a98fe7095aa4e

Download Submit
memory/844-20-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/844-26-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1924-18-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3012-12-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3012-8-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download
memory/3012-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3012-25-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download
memory/3012-17-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads