10a736f6a2185269463df21e9d44bc41e63e29c68eba0f61ea9424fbe0ffa787

Analysis

max time kernel
19s
max time network
126s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
01/11/2023, 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.45107224d38a84b731bc4e54bc711fa0.exe
Size

2.0MB
MD5

45107224d38a84b731bc4e54bc711fa0
SHA1

1c86c0a389ea6f1094572a63e1df3200386d762e
SHA256

10a736f6a2185269463df21e9d44bc41e63e29c68eba0f61ea9424fbe0ffa787
SHA512

456a74cde6722b535e7ff1c53fe62eda944eec5cdb35fbf8d83fdc2b71f80190197fa1c830a2275921b46f1dc82b39e9587d40a9d892162787471da99167f5f0
SSDEEP

49152:MtUcS4neHbyfYTOYKPu/gEjiEO5ItWpYqM:MtlS4neHvZjiEO5Io67

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2872	MSWDM.EXE
2704	MSWDM.EXE
2572	NEAS.45107224D38A84B731BC4E54BC711FA0.EXE
2636	MSWDM.EXE

Loads dropped DLL 2 IoCs

pid	Process
2704	MSWDM.EXE
2424	Process not Found

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	NEAS.45107224d38a84b731bc4e54bc711fa0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	NEAS.45107224d38a84b731bc4e54bc711fa0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	NEAS.45107224d38a84b731bc4e54bc711fa0.exe
File opened for modification	C:\Windows\dev9981.tmp	NEAS.45107224d38a84b731bc4e54bc711fa0.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2704	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 2872	2744	NEAS.45107224d38a84b731bc4e54bc711fa0.exe	28
PID 2744 wrote to memory of 2872	2744	NEAS.45107224d38a84b731bc4e54bc711fa0.exe	28
PID 2744 wrote to memory of 2872	2744	NEAS.45107224d38a84b731bc4e54bc711fa0.exe	28
PID 2744 wrote to memory of 2872	2744	NEAS.45107224d38a84b731bc4e54bc711fa0.exe	28
PID 2744 wrote to memory of 2704	2744	NEAS.45107224d38a84b731bc4e54bc711fa0.exe	31
PID 2744 wrote to memory of 2704	2744	NEAS.45107224d38a84b731bc4e54bc711fa0.exe	31
PID 2744 wrote to memory of 2704	2744	NEAS.45107224d38a84b731bc4e54bc711fa0.exe	31
PID 2744 wrote to memory of 2704	2744	NEAS.45107224d38a84b731bc4e54bc711fa0.exe	31
PID 2704 wrote to memory of 2572	2704	MSWDM.EXE	29
PID 2704 wrote to memory of 2572	2704	MSWDM.EXE	29
PID 2704 wrote to memory of 2572	2704	MSWDM.EXE	29
PID 2704 wrote to memory of 2572	2704	MSWDM.EXE	29
PID 2704 wrote to memory of 2636	2704	MSWDM.EXE	32
PID 2704 wrote to memory of 2636	2704	MSWDM.EXE	32
PID 2704 wrote to memory of 2636	2704	MSWDM.EXE	32
PID 2704 wrote to memory of 2636	2704	MSWDM.EXE	32

C:\Users\Admin\AppData\Local\Temp\NEAS.45107224d38a84b731bc4e54bc711fa0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.45107224d38a84b731bc4e54bc711fa0.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2744
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2872
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev9981.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.45107224d38a84b731bc4e54bc711fa0.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev9981.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.45107224D38A84B731BC4E54BC711FA0.EXE!
    3⤵
    - Executes dropped EXE
    PID:2636

C:\Users\Admin\AppData\Local\Temp\NEAS.45107224D38A84B731BC4E54BC711FA0.EXE
1⤵
- Executes dropped EXE
PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.45107224d38a84b731bc4e54bc711fa0.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.45107224d38a84b731bc4e54bc711fa0.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
1.5MB

MD5
eea683ae287b3dd0fa21a540862d9ff3

SHA1
2be71348606b187600f5d22ddc139be5c7b8243a

SHA256
180bc972b62d2a3efa422623c86aca8d1804a086b606f060dc0d4b799b13a9fc

SHA512
6be156d2eebeb58b48d60438c5288078a4b3c581081ebd2198c5b03d80673d2c0ad7fa8901643be4e34553245bb8186644b2c5a8f8bd1088018641b1f4054efe

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.5MB

MD5
eea683ae287b3dd0fa21a540862d9ff3

SHA1
2be71348606b187600f5d22ddc139be5c7b8243a

SHA256
180bc972b62d2a3efa422623c86aca8d1804a086b606f060dc0d4b799b13a9fc

SHA512
6be156d2eebeb58b48d60438c5288078a4b3c581081ebd2198c5b03d80673d2c0ad7fa8901643be4e34553245bb8186644b2c5a8f8bd1088018641b1f4054efe

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.5MB

MD5
eea683ae287b3dd0fa21a540862d9ff3

SHA1
2be71348606b187600f5d22ddc139be5c7b8243a

SHA256
180bc972b62d2a3efa422623c86aca8d1804a086b606f060dc0d4b799b13a9fc

SHA512
6be156d2eebeb58b48d60438c5288078a4b3c581081ebd2198c5b03d80673d2c0ad7fa8901643be4e34553245bb8186644b2c5a8f8bd1088018641b1f4054efe

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.5MB

MD5
eea683ae287b3dd0fa21a540862d9ff3

SHA1
2be71348606b187600f5d22ddc139be5c7b8243a

SHA256
180bc972b62d2a3efa422623c86aca8d1804a086b606f060dc0d4b799b13a9fc

SHA512
6be156d2eebeb58b48d60438c5288078a4b3c581081ebd2198c5b03d80673d2c0ad7fa8901643be4e34553245bb8186644b2c5a8f8bd1088018641b1f4054efe

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.5MB

MD5
eea683ae287b3dd0fa21a540862d9ff3

SHA1
2be71348606b187600f5d22ddc139be5c7b8243a

SHA256
180bc972b62d2a3efa422623c86aca8d1804a086b606f060dc0d4b799b13a9fc

SHA512
6be156d2eebeb58b48d60438c5288078a4b3c581081ebd2198c5b03d80673d2c0ad7fa8901643be4e34553245bb8186644b2c5a8f8bd1088018641b1f4054efe

Download Submit
C:\Windows\dev9981.tmp

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.45107224d38a84b731bc4e54bc711fa0.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.45107224d38a84b731bc4e54bc711fa0.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
memory/2636-26-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2704-19-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2704-30-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2704-27-0x00000000002B0000-0x00000000002C4000-memory.dmp

Filesize
80KB

Download
memory/2744-4-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download
memory/2744-12-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2744-14-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download
memory/2744-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2744-31-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download
memory/2872-18-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2872-32-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download