10a736f6a2185269463df21e9d44bc41e63e29c68eba0f61ea9424fbe0ffa787

Analysis

max time kernel
25s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2023, 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.45107224d38a84b731bc4e54bc711fa0.exe
Size

2.0MB
MD5

45107224d38a84b731bc4e54bc711fa0
SHA1

1c86c0a389ea6f1094572a63e1df3200386d762e
SHA256

10a736f6a2185269463df21e9d44bc41e63e29c68eba0f61ea9424fbe0ffa787
SHA512

456a74cde6722b535e7ff1c53fe62eda944eec5cdb35fbf8d83fdc2b71f80190197fa1c830a2275921b46f1dc82b39e9587d40a9d892162787471da99167f5f0
SSDEEP

49152:MtUcS4neHbyfYTOYKPu/gEjiEO5ItWpYqM:MtlS4neHvZjiEO5Io67

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
724	MSWDM.EXE
1136	MSWDM.EXE
1188	NEAS.45107224D38A84B731BC4E54BC711FA0.EXE
3972	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	NEAS.45107224d38a84b731bc4e54bc711fa0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	NEAS.45107224d38a84b731bc4e54bc711fa0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	NEAS.45107224d38a84b731bc4e54bc711fa0.exe
File opened for modification	C:\Windows\devE000.tmp	NEAS.45107224d38a84b731bc4e54bc711fa0.exe
File opened for modification	C:\Windows\devE000.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1136	MSWDM.EXE
1136	MSWDM.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4704 wrote to memory of 724	4704	NEAS.45107224d38a84b731bc4e54bc711fa0.exe	87
PID 4704 wrote to memory of 724	4704	NEAS.45107224d38a84b731bc4e54bc711fa0.exe	87
PID 4704 wrote to memory of 724	4704	NEAS.45107224d38a84b731bc4e54bc711fa0.exe	87
PID 4704 wrote to memory of 1136	4704	NEAS.45107224d38a84b731bc4e54bc711fa0.exe	88
PID 4704 wrote to memory of 1136	4704	NEAS.45107224d38a84b731bc4e54bc711fa0.exe	88
PID 4704 wrote to memory of 1136	4704	NEAS.45107224d38a84b731bc4e54bc711fa0.exe	88
PID 1136 wrote to memory of 1188	1136	MSWDM.EXE	89
PID 1136 wrote to memory of 1188	1136	MSWDM.EXE	89
PID 1136 wrote to memory of 3972	1136	MSWDM.EXE	91
PID 1136 wrote to memory of 3972	1136	MSWDM.EXE	91
PID 1136 wrote to memory of 3972	1136	MSWDM.EXE	91

C:\Users\Admin\AppData\Local\Temp\NEAS.45107224d38a84b731bc4e54bc711fa0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.45107224d38a84b731bc4e54bc711fa0.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4704
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:724
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\devE000.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.45107224d38a84b731bc4e54bc711fa0.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1136
- - C:\Users\Admin\AppData\Local\Temp\NEAS.45107224D38A84B731BC4E54BC711FA0.EXE
    3⤵
    - Executes dropped EXE
    PID:1188
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\devE000.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.45107224D38A84B731BC4E54BC711FA0.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.45107224D38A84B731BC4E54BC711FA0.EXE

Filesize
2.0MB

MD5
f01910a606a63f34430f5e42833a1d95

SHA1
7ced4143dce092a732a98f2fd856b6dd42ae25d3

SHA256
b8de735a8c936f07091d3fe6c8e6474c1c4594eb76968340c7918ca4533be1f1

SHA512
509d424895c990a219cd5813834d39b475ac49c5114160151cfc35207b453dc8723d2c253fbdd0d2520995b0fbbd678725b3d6643743844ca4cd9463d1e873a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.45107224D38A84B731BC4E54BC711FA0.EXE

Filesize
2.0MB

MD5
f01910a606a63f34430f5e42833a1d95

SHA1
7ced4143dce092a732a98f2fd856b6dd42ae25d3

SHA256
b8de735a8c936f07091d3fe6c8e6474c1c4594eb76968340c7918ca4533be1f1

SHA512
509d424895c990a219cd5813834d39b475ac49c5114160151cfc35207b453dc8723d2c253fbdd0d2520995b0fbbd678725b3d6643743844ca4cd9463d1e873a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.45107224d38a84b731bc4e54bc711fa0.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.45107224d38a84b731bc4e54bc711fa0.exe

Filesize
2.0MB

MD5
f01910a606a63f34430f5e42833a1d95

SHA1
7ced4143dce092a732a98f2fd856b6dd42ae25d3

SHA256
b8de735a8c936f07091d3fe6c8e6474c1c4594eb76968340c7918ca4533be1f1

SHA512
509d424895c990a219cd5813834d39b475ac49c5114160151cfc35207b453dc8723d2c253fbdd0d2520995b0fbbd678725b3d6643743844ca4cd9463d1e873a8

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
1.5MB

MD5
eea683ae287b3dd0fa21a540862d9ff3

SHA1
2be71348606b187600f5d22ddc139be5c7b8243a

SHA256
180bc972b62d2a3efa422623c86aca8d1804a086b606f060dc0d4b799b13a9fc

SHA512
6be156d2eebeb58b48d60438c5288078a4b3c581081ebd2198c5b03d80673d2c0ad7fa8901643be4e34553245bb8186644b2c5a8f8bd1088018641b1f4054efe

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.5MB

MD5
eea683ae287b3dd0fa21a540862d9ff3

SHA1
2be71348606b187600f5d22ddc139be5c7b8243a

SHA256
180bc972b62d2a3efa422623c86aca8d1804a086b606f060dc0d4b799b13a9fc

SHA512
6be156d2eebeb58b48d60438c5288078a4b3c581081ebd2198c5b03d80673d2c0ad7fa8901643be4e34553245bb8186644b2c5a8f8bd1088018641b1f4054efe

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.5MB

MD5
eea683ae287b3dd0fa21a540862d9ff3

SHA1
2be71348606b187600f5d22ddc139be5c7b8243a

SHA256
180bc972b62d2a3efa422623c86aca8d1804a086b606f060dc0d4b799b13a9fc

SHA512
6be156d2eebeb58b48d60438c5288078a4b3c581081ebd2198c5b03d80673d2c0ad7fa8901643be4e34553245bb8186644b2c5a8f8bd1088018641b1f4054efe

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.5MB

MD5
eea683ae287b3dd0fa21a540862d9ff3

SHA1
2be71348606b187600f5d22ddc139be5c7b8243a

SHA256
180bc972b62d2a3efa422623c86aca8d1804a086b606f060dc0d4b799b13a9fc

SHA512
6be156d2eebeb58b48d60438c5288078a4b3c581081ebd2198c5b03d80673d2c0ad7fa8901643be4e34553245bb8186644b2c5a8f8bd1088018641b1f4054efe

Download Submit
C:\Windows\devE000.tmp

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
memory/724-8-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/724-21-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1136-20-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3972-18-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4704-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4704-9-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download