622d4f77dd5748b8045737011fa954a05ce569a88abfac8d6d53e758d065c476

Analysis

max time kernel
48s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2023, 10:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.c44417ac058df8ea9076a1eba1e5fa00_JC.exe
Size

1.7MB
MD5

c44417ac058df8ea9076a1eba1e5fa00
SHA1

e106dde2ef0449d60c144c0e8d9e2c01578c5454
SHA256

622d4f77dd5748b8045737011fa954a05ce569a88abfac8d6d53e758d065c476
SHA512

c5354682ec89f523e8e80c675b23fa0c32e12ff2567d3f55bc39c101ff0fdf14743aa12537c2b0c9d64cd5e638ed81e2a939aa27125acd38e1b60a899b836ad1
SSDEEP

24576:phJ6nTOYKrGEWem1gXq5L9uSWidgpm6hbpOSRKQs:p2nTOYKrzXq5L9uiibpJKQs

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3628	MSWDM.EXE
3868	MSWDM.EXE
1820	NEAS.C44417AC058DF8EA9076A1EBA1E5FA00_JC.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	NEAS.c44417ac058df8ea9076a1eba1e5fa00_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	NEAS.c44417ac058df8ea9076a1eba1e5fa00_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	NEAS.c44417ac058df8ea9076a1eba1e5fa00_JC.exe
File opened for modification	C:\Windows\dev1D0.tmp	NEAS.c44417ac058df8ea9076a1eba1e5fa00_JC.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3868	MSWDM.EXE
3868	MSWDM.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 3628	2216	NEAS.c44417ac058df8ea9076a1eba1e5fa00_JC.exe	90
PID 2216 wrote to memory of 3628	2216	NEAS.c44417ac058df8ea9076a1eba1e5fa00_JC.exe	90
PID 2216 wrote to memory of 3628	2216	NEAS.c44417ac058df8ea9076a1eba1e5fa00_JC.exe	90
PID 2216 wrote to memory of 3868	2216	NEAS.c44417ac058df8ea9076a1eba1e5fa00_JC.exe	91
PID 2216 wrote to memory of 3868	2216	NEAS.c44417ac058df8ea9076a1eba1e5fa00_JC.exe	91
PID 2216 wrote to memory of 3868	2216	NEAS.c44417ac058df8ea9076a1eba1e5fa00_JC.exe	91
PID 3868 wrote to memory of 1820	3868	MSWDM.EXE	92
PID 3868 wrote to memory of 1820	3868	MSWDM.EXE	92
PID 3868 wrote to memory of 1820	3868	MSWDM.EXE	92

C:\Users\Admin\AppData\Local\Temp\NEAS.c44417ac058df8ea9076a1eba1e5fa00_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.c44417ac058df8ea9076a1eba1e5fa00_JC.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2216
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3628
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev1D0.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.c44417ac058df8ea9076a1eba1e5fa00_JC.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3868
- - C:\Users\Admin\AppData\Local\Temp\NEAS.C44417AC058DF8EA9076A1EBA1E5FA00_JC.EXE
    3⤵
    - Executes dropped EXE
    PID:1820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.c44417ac058df8ea9076a1eba1e5fa00_JC.exe

Filesize
1.5MB

MD5
0b9b2a847f2a57a401caf53e1c7cd540

SHA1
afb987847a95cf8e4d84e6752f03451eca5fe6c0

SHA256
18d0b07c1a53c8da669106ad1ddc69bfdc532d086f2677ee19256d38bfaf1169

SHA512
7bd06dd488cd9226679140eeaea3f8d4bb8f37a1fed241db820656c87d16baad1ef7a5ef4dbdf6954f90b57a0bc76f31ec7b21f24716b72f5736fc433eca74dc

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
256KB

MD5
8a1198209520897514a2d82a912a66d2

SHA1
5dda8ec47f948814d808cd71e89ebe65940a1ff7

SHA256
5ce9e416f5b7811b9e91ec2de680aad0c38aa4a080999853b096b06d409887f0

SHA512
9a6e4e3729f77bcdcc1ace7fa154490717473fb05899e13b1f920ee438dc1c1812eae6fdec8b97da7807e9d626014ad0481d9cf0d4f5a06e327b4b75534f7e00

Download Submit
C:\Windows\MSWDM.EXE

Filesize
256KB

MD5
8a1198209520897514a2d82a912a66d2

SHA1
5dda8ec47f948814d808cd71e89ebe65940a1ff7

SHA256
5ce9e416f5b7811b9e91ec2de680aad0c38aa4a080999853b096b06d409887f0

SHA512
9a6e4e3729f77bcdcc1ace7fa154490717473fb05899e13b1f920ee438dc1c1812eae6fdec8b97da7807e9d626014ad0481d9cf0d4f5a06e327b4b75534f7e00

Download Submit
C:\Windows\MSWDM.EXE

Filesize
256KB

MD5
8a1198209520897514a2d82a912a66d2

SHA1
5dda8ec47f948814d808cd71e89ebe65940a1ff7

SHA256
5ce9e416f5b7811b9e91ec2de680aad0c38aa4a080999853b096b06d409887f0

SHA512
9a6e4e3729f77bcdcc1ace7fa154490717473fb05899e13b1f920ee438dc1c1812eae6fdec8b97da7807e9d626014ad0481d9cf0d4f5a06e327b4b75534f7e00

Download Submit
C:\Windows\dev1D0.tmp

Filesize
1.5MB

MD5
0b9b2a847f2a57a401caf53e1c7cd540

SHA1
afb987847a95cf8e4d84e6752f03451eca5fe6c0

SHA256
18d0b07c1a53c8da669106ad1ddc69bfdc532d086f2677ee19256d38bfaf1169

SHA512
7bd06dd488cd9226679140eeaea3f8d4bb8f37a1fed241db820656c87d16baad1ef7a5ef4dbdf6954f90b57a0bc76f31ec7b21f24716b72f5736fc433eca74dc

Download Submit
memory/1820-10-0x0000000000B10000-0x0000000000D18000-memory.dmp

Filesize
2.0MB

Download
memory/1820-11-0x0000000000B10000-0x0000000000D18000-memory.dmp

Filesize
2.0MB

Download