b09633f6e63b2135aa363390018284dfa2efb50475e3bdcbe4c0cc834894ed2c

General

Target

NEAS.93d0169c877e83f546cffe39f72c36e0.exe
Size

1.2MB
MD5

93d0169c877e83f546cffe39f72c36e0
SHA1

541b9c7b8b9a76dd2a72ffaed32b71c9acd31e54
SHA256

b09633f6e63b2135aa363390018284dfa2efb50475e3bdcbe4c0cc834894ed2c
SHA512

8c9e7d0e3e8252bf763d805f123da9991095c6e7a63a7a9e91718eb513fb9f754ef35af8616067b60ba1fe01f7a85c72499c4334244519e8f9a4e34eed4dd9f2
SSDEEP

24576:M51xVcS9in6bxcqbF8fYTOYKbDurSUQNh:MtVcS4neHbyfYTOYKPu/A

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1900	MSWDM.EXE
2628	MSWDM.EXE
1540	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	NEAS.93d0169c877e83f546cffe39f72c36e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	NEAS.93d0169c877e83f546cffe39f72c36e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\dev9878.tmp	MSWDM.EXE
File created	C:\WINDOWS\MSWDM.EXE	NEAS.93d0169c877e83f546cffe39f72c36e0.exe
File opened for modification	C:\Windows\dev9878.tmp	NEAS.93d0169c877e83f546cffe39f72c36e0.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2628	MSWDM.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 1900	2668	NEAS.93d0169c877e83f546cffe39f72c36e0.exe	28
PID 2668 wrote to memory of 1900	2668	NEAS.93d0169c877e83f546cffe39f72c36e0.exe	28
PID 2668 wrote to memory of 1900	2668	NEAS.93d0169c877e83f546cffe39f72c36e0.exe	28
PID 2668 wrote to memory of 1900	2668	NEAS.93d0169c877e83f546cffe39f72c36e0.exe	28
PID 2668 wrote to memory of 2628	2668	NEAS.93d0169c877e83f546cffe39f72c36e0.exe	29
PID 2668 wrote to memory of 2628	2668	NEAS.93d0169c877e83f546cffe39f72c36e0.exe	29
PID 2668 wrote to memory of 2628	2668	NEAS.93d0169c877e83f546cffe39f72c36e0.exe	29
PID 2668 wrote to memory of 2628	2668	NEAS.93d0169c877e83f546cffe39f72c36e0.exe	29
PID 2628 wrote to memory of 1540	2628	MSWDM.EXE	30
PID 2628 wrote to memory of 1540	2628	MSWDM.EXE	30
PID 2628 wrote to memory of 1540	2628	MSWDM.EXE	30
PID 2628 wrote to memory of 1540	2628	MSWDM.EXE	30

C:\Users\Admin\AppData\Local\Temp\NEAS.93d0169c877e83f546cffe39f72c36e0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.93d0169c877e83f546cffe39f72c36e0.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2668
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1900
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev9878.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.93d0169c877e83f546cffe39f72c36e0.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev9878.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.93D0169C877E83F546CFFE39F72C36E0.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.93D0169C877E83F546CFFE39F72C36E0.EXE

Filesize
1.2MB

MD5
47c32ae59e3669fc5338c625ce6e9d4f

SHA1
eaca0f14ea10526bcec8286f51eb13459297cb98

SHA256
c3d1d9a75bd41c082bbb3e070bbfe02801aa1974230eb16857e288fe1963681a

SHA512
45cc81ca388db0f80da73215eef3711d1095837eec6dc0ef3efc115cb170b171bca2b1c38751f3c71d7a7e6c96e478bed7e23f97e573f4ba86869b518cbf4e7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.93D0169C877E83F546CFFE39F72C36E0.EXE

Filesize
1.2MB

MD5
47c32ae59e3669fc5338c625ce6e9d4f

SHA1
eaca0f14ea10526bcec8286f51eb13459297cb98

SHA256
c3d1d9a75bd41c082bbb3e070bbfe02801aa1974230eb16857e288fe1963681a

SHA512
45cc81ca388db0f80da73215eef3711d1095837eec6dc0ef3efc115cb170b171bca2b1c38751f3c71d7a7e6c96e478bed7e23f97e573f4ba86869b518cbf4e7e

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
1.2MB

MD5
c746d1dcd448faee36b083b8c00e6fa7

SHA1
62ae1b659f285b43ba1121ce8032c5a51073b12c

SHA256
8f4025b57ebeca9b974ec03f1a7f43fe06421f8aaac8f64cdd7b9c24c98a2813

SHA512
184fd6856c2db71f3c62c07af2fc140b9d9d94306f48505d471a46ccab8bd0a0c90da420c8d3b1139de4adc80c92bb684cdd555cecd779be78c04d952dd7d7a7

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.2MB

MD5
c746d1dcd448faee36b083b8c00e6fa7

SHA1
62ae1b659f285b43ba1121ce8032c5a51073b12c

SHA256
8f4025b57ebeca9b974ec03f1a7f43fe06421f8aaac8f64cdd7b9c24c98a2813

SHA512
184fd6856c2db71f3c62c07af2fc140b9d9d94306f48505d471a46ccab8bd0a0c90da420c8d3b1139de4adc80c92bb684cdd555cecd779be78c04d952dd7d7a7

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.2MB

MD5
c746d1dcd448faee36b083b8c00e6fa7

SHA1
62ae1b659f285b43ba1121ce8032c5a51073b12c

SHA256
8f4025b57ebeca9b974ec03f1a7f43fe06421f8aaac8f64cdd7b9c24c98a2813

SHA512
184fd6856c2db71f3c62c07af2fc140b9d9d94306f48505d471a46ccab8bd0a0c90da420c8d3b1139de4adc80c92bb684cdd555cecd779be78c04d952dd7d7a7

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.2MB

MD5
c746d1dcd448faee36b083b8c00e6fa7

SHA1
62ae1b659f285b43ba1121ce8032c5a51073b12c

SHA256
8f4025b57ebeca9b974ec03f1a7f43fe06421f8aaac8f64cdd7b9c24c98a2813

SHA512
184fd6856c2db71f3c62c07af2fc140b9d9d94306f48505d471a46ccab8bd0a0c90da420c8d3b1139de4adc80c92bb684cdd555cecd779be78c04d952dd7d7a7

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.2MB

MD5
c746d1dcd448faee36b083b8c00e6fa7

SHA1
62ae1b659f285b43ba1121ce8032c5a51073b12c

SHA256
8f4025b57ebeca9b974ec03f1a7f43fe06421f8aaac8f64cdd7b9c24c98a2813

SHA512
184fd6856c2db71f3c62c07af2fc140b9d9d94306f48505d471a46ccab8bd0a0c90da420c8d3b1139de4adc80c92bb684cdd555cecd779be78c04d952dd7d7a7

Download Submit
C:\Windows\dev9878.tmp

Filesize
162B

MD5
380bbf4d7bdac05d2248b49c4188cd92

SHA1
ae83ef83ebe684eab30ab3ca431e4f84994fd60f

SHA256
b97278e320af9d3d990703fd1af322e7c4b568a92f6a736149c1648b2f07a7c2

SHA512
06fe7a78b558b7581b52f8d65a6a8a62338a429e550c91ad4ba5cc3f445da83ee86b99e5c7dfbd9bbfcc12895215d2a329756dc6b24ef8313f70658abc08db15

Download Submit
memory/1540-24-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1540-26-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1900-12-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1900-29-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2628-23-0x00000000003C0000-0x00000000003D4000-memory.dmp

Filesize
80KB

Download
memory/2628-17-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2628-28-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2668-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2668-13-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads