Analysis

  • max time kernel
    21s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/11/2023, 02:40

General

  • Target

    NEAS.01b5ab450bde6d113d2396f089efe170.exe

  • Size

    708KB

  • MD5

    01b5ab450bde6d113d2396f089efe170

  • SHA1

    d09c5e02107873446e6c77bd3eb168794a1a8cf2

  • SHA256

    7cf15cb30faa87f5ca12ceca72c3634db0d0095422d1ddbffc0804a5d059af71

  • SHA512

    01d84cc377b720e074c929a3e4f25cad97fd856ff709812d6d91047558e258812f29bb6602f11453b4c2bbd00b24edb34ebeb31a6af55cae559a1e62e6d97bc6

  • SSDEEP

    12288:phJ6nTOYREHEpQQJvKPSwvY1fHTHy90w6O:phJ6nTOYKHEpQQJvKPzvYZHTHy7b

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in Windows directory 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.01b5ab450bde6d113d2396f089efe170.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.01b5ab450bde6d113d2396f089efe170.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:5084
    • C:\WINDOWS\MSWDM.EXE
      "C:\WINDOWS\MSWDM.EXE"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      PID:5004
    • C:\WINDOWS\MSWDM.EXE
      -r!C:\Windows\dev77EF.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.01b5ab450bde6d113d2396f089efe170.exe! !
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1920
      • C:\Users\Admin\AppData\Local\Temp\NEAS.01B5AB450BDE6D113D2396F089EFE170.EXE
        3⤵
        • Executes dropped EXE
        PID:1440
      • C:\WINDOWS\MSWDM.EXE
        -e!C:\Windows\dev77EF.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.01B5AB450BDE6D113D2396F089EFE170.EXE!
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2688

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\NEAS.01B5AB450BDE6D113D2396F089EFE170.EXE

    Filesize

    708KB

    MD5

    7d1c1815ca3d1b5df29d0b693d2aac54

    SHA1

    67ea45e52c110de6725ab1ca9147a01ceee7806c

    SHA256

    e2dfbdd474e654675a55ac8f9ed1ef4134ecb7c22c04e8559a0fe02e79d3ac49

    SHA512

    ae545f77a9b4980b2695e1e18d62a8f7260ce4291d228dbfcc0fb2ba12e77760be5908d8641cdce0aa5421fab583197828b850a7931deede6fb26d81d214c040

  • C:\Users\Admin\AppData\Local\Temp\NEAS.01b5ab450bde6d113d2396f089efe170.exe

    Filesize

    452KB

    MD5

    95b8a4245a6cd37d36e56fae5a23e2b1

    SHA1

    139e0223e64a2d4f7ae94e347c657bdb86dfd5ff

    SHA256

    e69c4abcc4d2f130e66560fc27829b4fe62a2b1f66933790a3060bd7f4fcd878

    SHA512

    9114af555b9d97c87834982c80d9a4a7cc97b8678ed55d96a1a02999b551e9e018d376b404d0925bbb87dcd2aa8e0fa8bf7745f60096a7df01cd918002fb0bf1

  • C:\Users\Admin\AppData\Local\Temp\NEAS.01b5ab450bde6d113d2396f089efe170.exe

    Filesize

    708KB

    MD5

    7d1c1815ca3d1b5df29d0b693d2aac54

    SHA1

    67ea45e52c110de6725ab1ca9147a01ceee7806c

    SHA256

    e2dfbdd474e654675a55ac8f9ed1ef4134ecb7c22c04e8559a0fe02e79d3ac49

    SHA512

    ae545f77a9b4980b2695e1e18d62a8f7260ce4291d228dbfcc0fb2ba12e77760be5908d8641cdce0aa5421fab583197828b850a7931deede6fb26d81d214c040

  • C:\WINDOWS\MSWDM.EXE

    Filesize

    256KB

    MD5

    8a1198209520897514a2d82a912a66d2

    SHA1

    5dda8ec47f948814d808cd71e89ebe65940a1ff7

    SHA256

    5ce9e416f5b7811b9e91ec2de680aad0c38aa4a080999853b096b06d409887f0

    SHA512

    9a6e4e3729f77bcdcc1ace7fa154490717473fb05899e13b1f920ee438dc1c1812eae6fdec8b97da7807e9d626014ad0481d9cf0d4f5a06e327b4b75534f7e00

  • C:\Windows\MSWDM.EXE

    Filesize

    256KB

    MD5

    8a1198209520897514a2d82a912a66d2

    SHA1

    5dda8ec47f948814d808cd71e89ebe65940a1ff7

    SHA256

    5ce9e416f5b7811b9e91ec2de680aad0c38aa4a080999853b096b06d409887f0

    SHA512

    9a6e4e3729f77bcdcc1ace7fa154490717473fb05899e13b1f920ee438dc1c1812eae6fdec8b97da7807e9d626014ad0481d9cf0d4f5a06e327b4b75534f7e00

  • C:\Windows\dev77EF.tmp

    Filesize

    452KB

    MD5

    95b8a4245a6cd37d36e56fae5a23e2b1

    SHA1

    139e0223e64a2d4f7ae94e347c657bdb86dfd5ff

    SHA256

    e69c4abcc4d2f130e66560fc27829b4fe62a2b1f66933790a3060bd7f4fcd878

    SHA512

    9114af555b9d97c87834982c80d9a4a7cc97b8678ed55d96a1a02999b551e9e018d376b404d0925bbb87dcd2aa8e0fa8bf7745f60096a7df01cd918002fb0bf1