Analysis
- max time kernel: 58s
- max time network: 91s
- platform: windows7_x64
- resource: win7-20231023-en
- resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
- submitted: 01-11-2023 10:02
Static task: static1
Behavioral task: behavioral1
- Sample: NEAS.c44417ac058df8ea9076a1eba1e5fa00_JC.exe
- Resource: win7-20231023-en
Behavioral task: behavioral2
- Sample: NEAS.c44417ac058df8ea9076a1eba1e5fa00_JC.exe
- Resource: win10v2004-20231023-en
General
- Target: NEAS.c44417ac058df8ea9076a1eba1e5fa00_JC.exe
- Size: 1.7MB
- MD5: c44417ac058df8ea9076a1eba1e5fa00
- SHA1: e106dde2ef0449d60c144c0e8d9e2c01578c5454
- SHA256: 622d4f77dd5748b8045737011fa954a05ce569a88abfac8d6d53e758d065c476
- SHA512: c5354682ec89f523e8e80c675b23fa0c32e12ff2567d3f55bc39c101ff0fdf14743aa12537c2b0c9d64cd5e638ed81e2a939aa27125acd38e1b60a899b836ad1
- SSDEEP: 24576:phJ6nTOYKrGEWem1gXq5L9uSWidgpm6hbpOSRKQs:p2nTOYKrzXq5L9uiibpJKQs
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
- PID 2940: MSWDM.EXE
- PID 2520: MSWDM.EXE

Adds Run key to start application (2 TTPs, 4 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" (process: NEAS.c44417ac058df8ea9076a1eba1e5fa00_JC.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" (process: NEAS.c44417ac058df8ea9076a1eba1e5fa00_JC.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" (process: MSWDM.EXE)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" (process: MSWDM.EXE)

Drops file in Windows directory (2 IoCs)
- File opened for modification: C:\Windows\dev6D53.tmp (process: NEAS.c44417ac058df8ea9076a1eba1e5fa00_JC.exe)
- File created: C:\WINDOWS\MSWDM.EXE (process: NEAS.c44417ac058df8ea9076a1eba1e5fa00_JC.exe)

Suspicious behavior: EnumeratesProcesses (1 IoC)
- PID 2520: MSWDM.EXE

Suspicious use of WriteProcessMemory (8 IoCs)
- PID 2752 wrote to memory of 2940 (process: NEAS.c44417ac058df8ea9076a1eba1e5fa00_JC.exe, procid_target: 29)
- PID 2752 wrote to memory of 2940 (process: NEAS.c44417ac058df8ea9076a1eba1e5fa00_JC.exe, procid_target: 29)
- PID 2752 wrote to memory of 2940 (process: NEAS.c44417ac058df8ea9076a1eba1e5fa00_JC.exe, procid_target: 29)
- PID 2752 wrote to memory of 2940 (process: NEAS.c44417ac058df8ea9076a1eba1e5fa00_JC.exe, procid_target: 29)
- PID 2752 wrote to memory of 2520 (process: NEAS.c44417ac058df8ea9076a1eba1e5fa00_JC.exe, procid_target: 30)
- PID 2752 wrote to memory of 2520 (process: NEAS.c44417ac058df8ea9076a1eba1e5fa00_JC.exe, procid_target: 30)
- PID 2752 wrote to memory of 2520 (process: NEAS.c44417ac058df8ea9076a1eba1e5fa00_JC.exe, procid_target: 30)
- PID 2752 wrote to memory of 2520 (process: NEAS.c44417ac058df8ea9076a1eba1e5fa00_JC.exe, procid_target: 30)
Processes
- C:\Users\Admin\AppData\Local\Temp\NEAS.c44417ac058df8ea9076a1eba1e5fa00_JC.exe (PID: 2752)
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.c44417ac058df8ea9076a1eba1e5fa00_JC.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\WINDOWS\MSWDM.EXE (PID: 2940)
    Command line: "C:\WINDOWS\MSWDM.EXE"
    - Executes dropped EXE
    - Adds Run key to start application
  - C:\WINDOWS\MSWDM.EXE (PID: 2520)
    Command line: -r!C:\Windows\dev6D53.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.c44417ac058df8ea9076a1eba1e5fa00_JC.exe! !
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - C:\Users\Admin\AppData\Local\Temp\NEAS.C44417AC058DF8EA9076A1EBA1E5FA00_JC.EXE (PID: 2292)
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.5MB
  MD5: 0b9b2a847f2a57a401caf53e1c7cd540
  SHA1: afb987847a95cf8e4d84e6752f03451eca5fe6c0
  SHA256: 18d0b07c1a53c8da669106ad1ddc69bfdc532d086f2677ee19256d38bfaf1169
  SHA512: 7bd06dd488cd9226679140eeaea3f8d4bb8f37a1fed241db820656c87d16baad1ef7a5ef4dbdf6954f90b57a0bc76f31ec7b21f24716b72f5736fc433eca74dc
- Filesize: 256KB
  MD5: 8a1198209520897514a2d82a912a66d2
  SHA1: 5dda8ec47f948814d808cd71e89ebe65940a1ff7
  SHA256: 5ce9e416f5b7811b9e91ec2de680aad0c38aa4a080999853b096b06d409887f0
  SHA512: 9a6e4e3729f77bcdcc1ace7fa154490717473fb05899e13b1f920ee438dc1c1812eae6fdec8b97da7807e9d626014ad0481d9cf0d4f5a06e327b4b75534f7e00