e41418e122b5e4bd0b547c1f04f07505882344545b52019460ae307811ec03aa

Analysis

max time kernel
121s
max time network
127s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
01/11/2023, 14:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.d55b18c75ff974f35c80231c912fb030.exe
Size

149KB
MD5

d55b18c75ff974f35c80231c912fb030
SHA1

378c3b9257204ac343bf9848cc1fa16066dcf262
SHA256

e41418e122b5e4bd0b547c1f04f07505882344545b52019460ae307811ec03aa
SHA512

8dd879a38e93d6c0bf212a71be765c424697120cf98fbe9a2bdc17bbf8d9474339f1b267cc9b671217e16e4e1275cea76dac00f5b0b804da47c93d99b042ff9f
SSDEEP

3072:7jQTRuqkO3ONdZR4bVcyCq6F2N431v/MepeTP6NyGDtB8YPas2AB+sF:aRuqp+NdZR4sFMeG6MGDtV2YF

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
1260	suvkbwn.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\suvkbwn.exe	NEAS.d55b18c75ff974f35c80231c912fb030.exe
File created	C:\PROGRA~3\Mozilla\wfwcssm.dll	suvkbwn.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2252	NEAS.d55b18c75ff974f35c80231c912fb030.exe
1260	suvkbwn.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 1260	2236	taskeng.exe	29
PID 2236 wrote to memory of 1260	2236	taskeng.exe	29
PID 2236 wrote to memory of 1260	2236	taskeng.exe	29
PID 2236 wrote to memory of 1260	2236	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.d55b18c75ff974f35c80231c912fb030.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.d55b18c75ff974f35c80231c912fb030.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:2252

C:\Windows\system32\taskeng.exe
taskeng.exe {3F43E005-5C78-4B65-A132-5322506EB33D} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2236
- C:\PROGRA~3\Mozilla\suvkbwn.exe
  C:\PROGRA~3\Mozilla\suvkbwn.exe -tlhykym
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID:1260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\suvkbwn.exe

Filesize
149KB

MD5
aa82bdfeabb81e7cb52556da117599f3

SHA1
b41c7f77b313feee2f0b9d4f7b448b85a15ead61

SHA256
c60938db912e22e58b4d5765ac56638c114918d5207dcba8626f390bfa16f14d

SHA512
98f2b7e5aee72e3a3d5d3a74070d07f18b725932d8d10114927776c6628e131883af589239dd809e7f083109193510b9eecadc483174e8707b74b2101a6839ec

Download Submit
C:\PROGRA~3\Mozilla\suvkbwn.exe

Filesize
149KB

MD5
aa82bdfeabb81e7cb52556da117599f3

SHA1
b41c7f77b313feee2f0b9d4f7b448b85a15ead61

SHA256
c60938db912e22e58b4d5765ac56638c114918d5207dcba8626f390bfa16f14d

SHA512
98f2b7e5aee72e3a3d5d3a74070d07f18b725932d8d10114927776c6628e131883af589239dd809e7f083109193510b9eecadc483174e8707b74b2101a6839ec

Download Submit
memory/1260-8-0x0000000000490000-0x00000000004EB000-memory.dmp

Filesize
364KB

Download
memory/1260-9-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1260-12-0x0000000000490000-0x00000000004EB000-memory.dmp

Filesize
364KB

Download
memory/1260-11-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2252-0-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2252-2-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2252-1-0x00000000003A0000-0x00000000003FB000-memory.dmp

Filesize
364KB

Download
memory/2252-4-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2252-5-0x00000000003A0000-0x00000000003FB000-memory.dmp

Filesize
364KB

Download