bd8b68cf3e9b3f566c95eac0c5ae4b4efc8bfb79b942b34f2c68686ed00c78fa

General

Target

NEAS.e73b6a0568fff1d4e8de5f3576625400.exe
Size

1.1MB
MD5

e73b6a0568fff1d4e8de5f3576625400
SHA1

a9586e549f8bdb10c1eabb14b43293cd17de124f
SHA256

bd8b68cf3e9b3f566c95eac0c5ae4b4efc8bfb79b942b34f2c68686ed00c78fa
SHA512

0e3627df2889108ed7a04e77a903cc77a0109e06048c751438d9d53c322a6c2fd5897c2d7b45428240afa8f3ad746021db6ac253bfe2814b69634afa37996206
SSDEEP

24576:phJ6nTOYK2Ze0p4Ek4niOkl/A04szE87JKTvmr:p2nTOYK+eW4SkZP4sz9Mbk

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1888	MSWDM.EXE
4540	MSWDM.EXE
440	NEAS.E73B6A0568FFF1D4E8DE5F3576625400.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	NEAS.e73b6a0568fff1d4e8de5f3576625400.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	NEAS.e73b6a0568fff1d4e8de5f3576625400.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	NEAS.e73b6a0568fff1d4e8de5f3576625400.exe
File opened for modification	C:\Windows\devECE0.tmp	NEAS.e73b6a0568fff1d4e8de5f3576625400.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4540	MSWDM.EXE
4540	MSWDM.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	440	NEAS.E73B6A0568FFF1D4E8DE5F3576625400.EXE
Token: 35	440	NEAS.E73B6A0568FFF1D4E8DE5F3576625400.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 1888	4060	NEAS.e73b6a0568fff1d4e8de5f3576625400.exe	89
PID 4060 wrote to memory of 1888	4060	NEAS.e73b6a0568fff1d4e8de5f3576625400.exe	89
PID 4060 wrote to memory of 1888	4060	NEAS.e73b6a0568fff1d4e8de5f3576625400.exe	89
PID 4060 wrote to memory of 4540	4060	NEAS.e73b6a0568fff1d4e8de5f3576625400.exe	90
PID 4060 wrote to memory of 4540	4060	NEAS.e73b6a0568fff1d4e8de5f3576625400.exe	90
PID 4060 wrote to memory of 4540	4060	NEAS.e73b6a0568fff1d4e8de5f3576625400.exe	90
PID 4540 wrote to memory of 440	4540	MSWDM.EXE	92
PID 4540 wrote to memory of 440	4540	MSWDM.EXE	92

C:\Users\Admin\AppData\Local\Temp\NEAS.e73b6a0568fff1d4e8de5f3576625400.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.e73b6a0568fff1d4e8de5f3576625400.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4060
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1888
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\devECE0.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.e73b6a0568fff1d4e8de5f3576625400.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4540
- - C:\Users\Admin\AppData\Local\Temp\NEAS.E73B6A0568FFF1D4E8DE5F3576625400.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.e73b6a0568fff1d4e8de5f3576625400.exe

Filesize
847KB

MD5
c8f40f25f783a52262bdaedeb5555427

SHA1
e45e198607c8d7398745baa71780e3e7a2f6deca

SHA256
e81b44ee7381ae3b630488b6fb7e3d9ffbdd9ac3032181d4ccaaff3409b57316

SHA512
f5944743f54028eb1dd0f2d68468726b177d33185324da0da96cdd20768bab4ca2e507ae9157b2733fd6240c920b7e15a5f5b9f284ee09d0fd385fc895b97191

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
256KB

MD5
8a1198209520897514a2d82a912a66d2

SHA1
5dda8ec47f948814d808cd71e89ebe65940a1ff7

SHA256
5ce9e416f5b7811b9e91ec2de680aad0c38aa4a080999853b096b06d409887f0

SHA512
9a6e4e3729f77bcdcc1ace7fa154490717473fb05899e13b1f920ee438dc1c1812eae6fdec8b97da7807e9d626014ad0481d9cf0d4f5a06e327b4b75534f7e00

Download Submit
C:\Windows\MSWDM.EXE

Filesize
256KB

MD5
8a1198209520897514a2d82a912a66d2

SHA1
5dda8ec47f948814d808cd71e89ebe65940a1ff7

SHA256
5ce9e416f5b7811b9e91ec2de680aad0c38aa4a080999853b096b06d409887f0

SHA512
9a6e4e3729f77bcdcc1ace7fa154490717473fb05899e13b1f920ee438dc1c1812eae6fdec8b97da7807e9d626014ad0481d9cf0d4f5a06e327b4b75534f7e00

Download Submit
C:\Windows\MSWDM.EXE

Filesize
256KB

MD5
8a1198209520897514a2d82a912a66d2

SHA1
5dda8ec47f948814d808cd71e89ebe65940a1ff7

SHA256
5ce9e416f5b7811b9e91ec2de680aad0c38aa4a080999853b096b06d409887f0

SHA512
9a6e4e3729f77bcdcc1ace7fa154490717473fb05899e13b1f920ee438dc1c1812eae6fdec8b97da7807e9d626014ad0481d9cf0d4f5a06e327b4b75534f7e00

Download Submit
C:\Windows\devECE0.tmp

Filesize
847KB

MD5
c8f40f25f783a52262bdaedeb5555427

SHA1
e45e198607c8d7398745baa71780e3e7a2f6deca

SHA256
e81b44ee7381ae3b630488b6fb7e3d9ffbdd9ac3032181d4ccaaff3409b57316

SHA512
f5944743f54028eb1dd0f2d68468726b177d33185324da0da96cdd20768bab4ca2e507ae9157b2733fd6240c920b7e15a5f5b9f284ee09d0fd385fc895b97191

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads