f75e0a4e2131bc44d59714e0c05e889543a5b323e8ad7d8557458f47d2cd1438

Analysis

max time kernel
17s
max time network
121s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
01/11/2023, 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.7c1af0f7ac00183f9075d4124e746b50.exe
Size

2.1MB
MD5

7c1af0f7ac00183f9075d4124e746b50
SHA1

864892eff1772c7a4191136c20a02e38ab8eea8e
SHA256

f75e0a4e2131bc44d59714e0c05e889543a5b323e8ad7d8557458f47d2cd1438
SHA512

2641247e875db75a1cba83e7f3344d347d8e144160ad058f4d26e8ce677b74825c141e6c17bb4ac7bbad9513769aa3eadb8ff35577a45a7709638d7530c8473e
SSDEEP

49152:MtGcS4neHbyfYTOYKPu/gEjiEO5ItD9pYqY:Mt7S4neHvZjiEO5Ih963

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1652	MSWDM.EXE
832	MSWDM.EXE
2164	NEAS.7C1AF0F7AC00183F9075D4124E746B50.EXE
2804	MSWDM.EXE

Loads dropped DLL 2 IoCs

pid	Process
832	MSWDM.EXE
2728	Process not Found

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	NEAS.7c1af0f7ac00183f9075d4124e746b50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	NEAS.7c1af0f7ac00183f9075d4124e746b50.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	NEAS.7c1af0f7ac00183f9075d4124e746b50.exe
File opened for modification	C:\Windows\dev47CA.tmp	NEAS.7c1af0f7ac00183f9075d4124e746b50.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
832	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 1652	2216	NEAS.7c1af0f7ac00183f9075d4124e746b50.exe	28
PID 2216 wrote to memory of 1652	2216	NEAS.7c1af0f7ac00183f9075d4124e746b50.exe	28
PID 2216 wrote to memory of 1652	2216	NEAS.7c1af0f7ac00183f9075d4124e746b50.exe	28
PID 2216 wrote to memory of 1652	2216	NEAS.7c1af0f7ac00183f9075d4124e746b50.exe	28
PID 2216 wrote to memory of 832	2216	NEAS.7c1af0f7ac00183f9075d4124e746b50.exe	29
PID 2216 wrote to memory of 832	2216	NEAS.7c1af0f7ac00183f9075d4124e746b50.exe	29
PID 2216 wrote to memory of 832	2216	NEAS.7c1af0f7ac00183f9075d4124e746b50.exe	29
PID 2216 wrote to memory of 832	2216	NEAS.7c1af0f7ac00183f9075d4124e746b50.exe	29
PID 832 wrote to memory of 2164	832	MSWDM.EXE	30
PID 832 wrote to memory of 2164	832	MSWDM.EXE	30
PID 832 wrote to memory of 2164	832	MSWDM.EXE	30
PID 832 wrote to memory of 2164	832	MSWDM.EXE	30
PID 832 wrote to memory of 2804	832	MSWDM.EXE	32
PID 832 wrote to memory of 2804	832	MSWDM.EXE	32
PID 832 wrote to memory of 2804	832	MSWDM.EXE	32
PID 832 wrote to memory of 2804	832	MSWDM.EXE	32

C:\Users\Admin\AppData\Local\Temp\NEAS.7c1af0f7ac00183f9075d4124e746b50.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.7c1af0f7ac00183f9075d4124e746b50.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2216
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1652
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev47CA.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.7c1af0f7ac00183f9075d4124e746b50.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:832
- - C:\Users\Admin\AppData\Local\Temp\NEAS.7C1AF0F7AC00183F9075D4124E746B50.EXE
    3⤵
    - Executes dropped EXE
    PID:2164
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev47CA.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.7C1AF0F7AC00183F9075D4124E746B50.EXE!
    3⤵
    - Executes dropped EXE
    PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.7c1af0f7ac00183f9075d4124e746b50.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
1.6MB

MD5
5be7a42cfd2599c461941adb6f6e3b5b

SHA1
d3b826aa9987ee5f9bfdef96d294c0b1c1df9efd

SHA256
48f0039fb4e8d71f9700b31f061038aab1e6f5fb591b908d82eeb97ff11b3414

SHA512
d923b1858303f410fa2bb904d4ffe87022776c84790b5247a40fa7a8f7aea391bf9ee8ce63f9100d226648956c2e54158008ced2b3c767512a5743927662a92c

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
5be7a42cfd2599c461941adb6f6e3b5b

SHA1
d3b826aa9987ee5f9bfdef96d294c0b1c1df9efd

SHA256
48f0039fb4e8d71f9700b31f061038aab1e6f5fb591b908d82eeb97ff11b3414

SHA512
d923b1858303f410fa2bb904d4ffe87022776c84790b5247a40fa7a8f7aea391bf9ee8ce63f9100d226648956c2e54158008ced2b3c767512a5743927662a92c

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
5be7a42cfd2599c461941adb6f6e3b5b

SHA1
d3b826aa9987ee5f9bfdef96d294c0b1c1df9efd

SHA256
48f0039fb4e8d71f9700b31f061038aab1e6f5fb591b908d82eeb97ff11b3414

SHA512
d923b1858303f410fa2bb904d4ffe87022776c84790b5247a40fa7a8f7aea391bf9ee8ce63f9100d226648956c2e54158008ced2b3c767512a5743927662a92c

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
5be7a42cfd2599c461941adb6f6e3b5b

SHA1
d3b826aa9987ee5f9bfdef96d294c0b1c1df9efd

SHA256
48f0039fb4e8d71f9700b31f061038aab1e6f5fb591b908d82eeb97ff11b3414

SHA512
d923b1858303f410fa2bb904d4ffe87022776c84790b5247a40fa7a8f7aea391bf9ee8ce63f9100d226648956c2e54158008ced2b3c767512a5743927662a92c

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
5be7a42cfd2599c461941adb6f6e3b5b

SHA1
d3b826aa9987ee5f9bfdef96d294c0b1c1df9efd

SHA256
48f0039fb4e8d71f9700b31f061038aab1e6f5fb591b908d82eeb97ff11b3414

SHA512
d923b1858303f410fa2bb904d4ffe87022776c84790b5247a40fa7a8f7aea391bf9ee8ce63f9100d226648956c2e54158008ced2b3c767512a5743927662a92c

Download Submit
C:\Windows\dev47CA.tmp

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.7c1af0f7ac00183f9075d4124e746b50.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.7c1af0f7ac00183f9075d4124e746b50.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
memory/832-18-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/832-29-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/832-27-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download
memory/1652-19-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1652-31-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2216-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2216-12-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2216-6-0x00000000003A0000-0x00000000003B4000-memory.dmp

Filesize
80KB

Download
memory/2216-16-0x00000000003A0000-0x00000000003B4000-memory.dmp

Filesize
80KB

Download
memory/2216-30-0x00000000003A0000-0x00000000003B4000-memory.dmp

Filesize
80KB

Download
memory/2804-26-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download