c0c0ebc170331a5221d1cf99eb3445c90d99ca8ecd22bd95c183cef778cbb651

Analysis

max time kernel
21s
max time network
128s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
01/11/2023, 13:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2eb79bd64bf4719b2cb186a0706fd050.exe
Size

1.7MB
MD5

2eb79bd64bf4719b2cb186a0706fd050
SHA1

1f1a2bc6c1f75371667a81c127e88e0e0e463849
SHA256

c0c0ebc170331a5221d1cf99eb3445c90d99ca8ecd22bd95c183cef778cbb651
SHA512

be2e609cc1c8231bde03a3ee035df8bfd4db5a88ada77375fb1c631bb906783925c83f431c08732aa97ef0b7f3c840753f4640d0c6ea8b39e7d37b84321d7d23
SSDEEP

24576:M51xX8cS9in6bxcqbF8fYTOYKbDurSUQN7kBG+JqJS+WOZseId9x0FOXr2rlOp:MtX8cS4neHbyfYTOYKPu/gEjiEO5ItDn

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2944	MSWDM.EXE
2168	MSWDM.EXE
2772	NEAS.2EB79BD64BF4719B2CB186A0706FD050.EXE
2668	MSWDM.EXE

Loads dropped DLL 2 IoCs

pid	Process
2168	MSWDM.EXE
2692	Process not Found

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	NEAS.2eb79bd64bf4719b2cb186a0706fd050.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	NEAS.2eb79bd64bf4719b2cb186a0706fd050.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\dev4E4F.tmp	NEAS.2eb79bd64bf4719b2cb186a0706fd050.exe
File opened for modification	C:\Windows\dev4E4F.tmp	MSWDM.EXE
File created	C:\WINDOWS\MSWDM.EXE	NEAS.2eb79bd64bf4719b2cb186a0706fd050.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2168	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 2944	2444	NEAS.2eb79bd64bf4719b2cb186a0706fd050.exe	28
PID 2444 wrote to memory of 2944	2444	NEAS.2eb79bd64bf4719b2cb186a0706fd050.exe	28
PID 2444 wrote to memory of 2944	2444	NEAS.2eb79bd64bf4719b2cb186a0706fd050.exe	28
PID 2444 wrote to memory of 2944	2444	NEAS.2eb79bd64bf4719b2cb186a0706fd050.exe	28
PID 2444 wrote to memory of 2168	2444	NEAS.2eb79bd64bf4719b2cb186a0706fd050.exe	29
PID 2444 wrote to memory of 2168	2444	NEAS.2eb79bd64bf4719b2cb186a0706fd050.exe	29
PID 2444 wrote to memory of 2168	2444	NEAS.2eb79bd64bf4719b2cb186a0706fd050.exe	29
PID 2444 wrote to memory of 2168	2444	NEAS.2eb79bd64bf4719b2cb186a0706fd050.exe	29
PID 2168 wrote to memory of 2772	2168	MSWDM.EXE	30
PID 2168 wrote to memory of 2772	2168	MSWDM.EXE	30
PID 2168 wrote to memory of 2772	2168	MSWDM.EXE	30
PID 2168 wrote to memory of 2772	2168	MSWDM.EXE	30
PID 2168 wrote to memory of 2668	2168	MSWDM.EXE	32
PID 2168 wrote to memory of 2668	2168	MSWDM.EXE	32
PID 2168 wrote to memory of 2668	2168	MSWDM.EXE	32
PID 2168 wrote to memory of 2668	2168	MSWDM.EXE	32

C:\Users\Admin\AppData\Local\Temp\NEAS.2eb79bd64bf4719b2cb186a0706fd050.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2eb79bd64bf4719b2cb186a0706fd050.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2444
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2944
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev4E4F.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.2eb79bd64bf4719b2cb186a0706fd050.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Users\Admin\AppData\Local\Temp\NEAS.2EB79BD64BF4719B2CB186A0706FD050.EXE
    3⤵
    - Executes dropped EXE
    PID:2772
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev4E4F.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.2EB79BD64BF4719B2CB186A0706FD050.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.2EB79BD64BF4719B2CB186A0706FD050.EXE

Filesize
1.7MB

MD5
bcde14a1ee7b535268ee9984a272da78

SHA1
9e15a8ff85b3ccc5496c316d5a87b7e13bc156ef

SHA256
00fec7e3bf2c284b6cb7d10434d0e248a18e48a96d32d2d7a5082601ea0b80b4

SHA512
ee89548e7c56d6e013918a56228dc6b5ceacb994f81f75b9c20bcd63e94d3537b14026d21199c35944f69698c00bfa749e65487426779a34203c2093f9f2a874

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.2EB79BD64BF4719B2CB186A0706FD050.EXE

Filesize
1.7MB

MD5
bcde14a1ee7b535268ee9984a272da78

SHA1
9e15a8ff85b3ccc5496c316d5a87b7e13bc156ef

SHA256
00fec7e3bf2c284b6cb7d10434d0e248a18e48a96d32d2d7a5082601ea0b80b4

SHA512
ee89548e7c56d6e013918a56228dc6b5ceacb994f81f75b9c20bcd63e94d3537b14026d21199c35944f69698c00bfa749e65487426779a34203c2093f9f2a874

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.2eb79bd64bf4719b2cb186a0706fd050.exe

Filesize
35KB

MD5
ea3b798870a5c6e159bb05f432b0438a

SHA1
17cdd851ea58dd00296bd44c031484ef05342ee0

SHA256
3e7a5f7a2c4d88b30de76681d2759119aaf479f5787b6466dc175a852e50a1c7

SHA512
fc3f5089d2a57e38d285e5a90f2be63431d40c2c443dec41b783aaf5c1a6f4ab9b6904cd5fece18d6dc15664f00d7d5d0ba27d226f7623fe02c2f76f57a17524

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
1.7MB

MD5
ea6c40d7f22ccdcb302e4b27b69f4043

SHA1
f87aaf555ccf06419cdedb669dc895b8d579e2cc

SHA256
179617e6cf4dcb4ad6aba1355e9c3550418b63f94b51791e5b380865639e4b81

SHA512
8be548766fb8aa92ce6bbc249a6740f5033f2fe2b468b62e91d27c6e939de9022368bc451190a176425fdd6cea92cbfab2b6a6d40ff146cf8369cbd5ff0dc287

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.7MB

MD5
ea6c40d7f22ccdcb302e4b27b69f4043

SHA1
f87aaf555ccf06419cdedb669dc895b8d579e2cc

SHA256
179617e6cf4dcb4ad6aba1355e9c3550418b63f94b51791e5b380865639e4b81

SHA512
8be548766fb8aa92ce6bbc249a6740f5033f2fe2b468b62e91d27c6e939de9022368bc451190a176425fdd6cea92cbfab2b6a6d40ff146cf8369cbd5ff0dc287

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.7MB

MD5
ea6c40d7f22ccdcb302e4b27b69f4043

SHA1
f87aaf555ccf06419cdedb669dc895b8d579e2cc

SHA256
179617e6cf4dcb4ad6aba1355e9c3550418b63f94b51791e5b380865639e4b81

SHA512
8be548766fb8aa92ce6bbc249a6740f5033f2fe2b468b62e91d27c6e939de9022368bc451190a176425fdd6cea92cbfab2b6a6d40ff146cf8369cbd5ff0dc287

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.7MB

MD5
ea6c40d7f22ccdcb302e4b27b69f4043

SHA1
f87aaf555ccf06419cdedb669dc895b8d579e2cc

SHA256
179617e6cf4dcb4ad6aba1355e9c3550418b63f94b51791e5b380865639e4b81

SHA512
8be548766fb8aa92ce6bbc249a6740f5033f2fe2b468b62e91d27c6e939de9022368bc451190a176425fdd6cea92cbfab2b6a6d40ff146cf8369cbd5ff0dc287

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.7MB

MD5
ea6c40d7f22ccdcb302e4b27b69f4043

SHA1
f87aaf555ccf06419cdedb669dc895b8d579e2cc

SHA256
179617e6cf4dcb4ad6aba1355e9c3550418b63f94b51791e5b380865639e4b81

SHA512
8be548766fb8aa92ce6bbc249a6740f5033f2fe2b468b62e91d27c6e939de9022368bc451190a176425fdd6cea92cbfab2b6a6d40ff146cf8369cbd5ff0dc287

Download Submit
C:\Windows\dev4E4F.tmp

Filesize
35KB

MD5
ea3b798870a5c6e159bb05f432b0438a

SHA1
17cdd851ea58dd00296bd44c031484ef05342ee0

SHA256
3e7a5f7a2c4d88b30de76681d2759119aaf479f5787b6466dc175a852e50a1c7

SHA512
fc3f5089d2a57e38d285e5a90f2be63431d40c2c443dec41b783aaf5c1a6f4ab9b6904cd5fece18d6dc15664f00d7d5d0ba27d226f7623fe02c2f76f57a17524

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.2eb79bd64bf4719b2cb186a0706fd050.exe

Filesize
35KB

MD5
ea3b798870a5c6e159bb05f432b0438a

SHA1
17cdd851ea58dd00296bd44c031484ef05342ee0

SHA256
3e7a5f7a2c4d88b30de76681d2759119aaf479f5787b6466dc175a852e50a1c7

SHA512
fc3f5089d2a57e38d285e5a90f2be63431d40c2c443dec41b783aaf5c1a6f4ab9b6904cd5fece18d6dc15664f00d7d5d0ba27d226f7623fe02c2f76f57a17524

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.2eb79bd64bf4719b2cb186a0706fd050.exe

Filesize
35KB

MD5
ea3b798870a5c6e159bb05f432b0438a

SHA1
17cdd851ea58dd00296bd44c031484ef05342ee0

SHA256
3e7a5f7a2c4d88b30de76681d2759119aaf479f5787b6466dc175a852e50a1c7

SHA512
fc3f5089d2a57e38d285e5a90f2be63431d40c2c443dec41b783aaf5c1a6f4ab9b6904cd5fece18d6dc15664f00d7d5d0ba27d226f7623fe02c2f76f57a17524

Download Submit
memory/2168-15-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2168-29-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2444-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2444-12-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2668-27-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2944-20-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2944-30-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download