bea894ae7b0479299cc913606246ae14cbcbd9e75369fc1b8eac2b8f1fd52459

Analysis

max time kernel
196s
max time network
150s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
01/11/2023, 14:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.e67998d904b8c8a907b1e3bfc6f252b0.exe
Size

484KB
MD5

e67998d904b8c8a907b1e3bfc6f252b0
SHA1

5a865a81df7219511c330bb4cf49e02a544f3e69
SHA256

bea894ae7b0479299cc913606246ae14cbcbd9e75369fc1b8eac2b8f1fd52459
SHA512

0efb942be80b7a783bc1db5c7acd59128e5dd9da258b613f099c3d6da90a07c708c3e141294efc459b5e9842f911e9fa9ee5ecef8e890e9dcf1cef08e222cb8a
SSDEEP

12288:Gclc87eqqV5e+wBV6O+UI7zcVjpFJp0IkVe09fhqYo:GcSqqHeVBxuzujXJlkVfYYo

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2716	disk_ssp.exe
2764	~77EE.tmp
3064	mshtcaui.exe

Loads dropped DLL 3 IoCs

pid	Process
2636	NEAS.e67998d904b8c8a907b1e3bfc6f252b0.exe
2636	NEAS.e67998d904b8c8a907b1e3bfc6f252b0.exe
2716	disk_ssp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Run\bthunify = "C:\\Users\\Admin\\AppData\\Roaming\\Dispkmgr\\disk_ssp.exe"	NEAS.e67998d904b8c8a907b1e3bfc6f252b0.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mshtcaui.exe	NEAS.e67998d904b8c8a907b1e3bfc6f252b0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2716	disk_ssp.exe
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1388	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2716	disk_ssp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 2716	2636	NEAS.e67998d904b8c8a907b1e3bfc6f252b0.exe	29
PID 2636 wrote to memory of 2716	2636	NEAS.e67998d904b8c8a907b1e3bfc6f252b0.exe	29
PID 2636 wrote to memory of 2716	2636	NEAS.e67998d904b8c8a907b1e3bfc6f252b0.exe	29
PID 2636 wrote to memory of 2716	2636	NEAS.e67998d904b8c8a907b1e3bfc6f252b0.exe	29
PID 2716 wrote to memory of 2764	2716	disk_ssp.exe	30
PID 2716 wrote to memory of 2764	2716	disk_ssp.exe	30
PID 2716 wrote to memory of 2764	2716	disk_ssp.exe	30
PID 2716 wrote to memory of 2764	2716	disk_ssp.exe	30
PID 2764 wrote to memory of 1388	2764	~77EE.tmp	12

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:1388
- C:\Users\Admin\AppData\Local\Temp\NEAS.e67998d904b8c8a907b1e3bfc6f252b0.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.e67998d904b8c8a907b1e3bfc6f252b0.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Users\Admin\AppData\Roaming\Dispkmgr\disk_ssp.exe
    "C:\Users\Admin\AppData\Roaming\Dispkmgr"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Users\Admin\AppData\Local\Temp\~77EE.tmp
      1388 496136 2716 1
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2764

C:\Windows\SysWOW64\mshtcaui.exe
C:\Windows\SysWOW64\mshtcaui.exe -s
1⤵
- Executes dropped EXE
PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~77EE.tmp

Filesize
8KB

MD5
86dc243576cf5c7445451af37631eea9

SHA1
99a81c47c4c02f32c0ab456bfa23c306c7a09bf9

SHA256
25d2a671e1b5b5b95697ac0234ce4d46e0d0894919521b54aabebd9daecf994a

SHA512
c7310524f9b65f811146c1eb6ae944966351ac88a95fbc1ac422d8810730e5e212a7e28090ad758ea23c96ba38073e7fcf42460575e7f09dbc759a45c5d5a4a4

Download Submit
C:\Users\Admin\AppData\Roaming\Dispkmgr\disk_ssp.exe

Filesize
484KB

MD5
032362afe67746de3335974c7224ca44

SHA1
c92cd50c5927bb9ad7b98f6762da93d78f8d118f

SHA256
be868ca272a52fd2483b732065b78d21e880e3dfdda49678cd7b2deb5e0a0ac2

SHA512
1b20b5c113caa174b4c2acfac5abe2132f41fb6365090248ac676eaa08f1255959fe4aaa966352c5dadc8bc8fb941a9ae87ef8e5340503a35bf06c77a5bdd3ab

Download Submit
C:\Users\Admin\AppData\Roaming\Dispkmgr\disk_ssp.exe

Filesize
484KB

MD5
032362afe67746de3335974c7224ca44

SHA1
c92cd50c5927bb9ad7b98f6762da93d78f8d118f

SHA256
be868ca272a52fd2483b732065b78d21e880e3dfdda49678cd7b2deb5e0a0ac2

SHA512
1b20b5c113caa174b4c2acfac5abe2132f41fb6365090248ac676eaa08f1255959fe4aaa966352c5dadc8bc8fb941a9ae87ef8e5340503a35bf06c77a5bdd3ab

Download Submit
C:\Users\Admin\AppData\Roaming\Dispkmgr\disk_ssp.exe

Filesize
484KB

MD5
032362afe67746de3335974c7224ca44

SHA1
c92cd50c5927bb9ad7b98f6762da93d78f8d118f

SHA256
be868ca272a52fd2483b732065b78d21e880e3dfdda49678cd7b2deb5e0a0ac2

SHA512
1b20b5c113caa174b4c2acfac5abe2132f41fb6365090248ac676eaa08f1255959fe4aaa966352c5dadc8bc8fb941a9ae87ef8e5340503a35bf06c77a5bdd3ab

Download Submit
C:\Windows\SysWOW64\mshtcaui.exe

Filesize
484KB

MD5
032362afe67746de3335974c7224ca44

SHA1
c92cd50c5927bb9ad7b98f6762da93d78f8d118f

SHA256
be868ca272a52fd2483b732065b78d21e880e3dfdda49678cd7b2deb5e0a0ac2

SHA512
1b20b5c113caa174b4c2acfac5abe2132f41fb6365090248ac676eaa08f1255959fe4aaa966352c5dadc8bc8fb941a9ae87ef8e5340503a35bf06c77a5bdd3ab

Download Submit
C:\Windows\SysWOW64\mshtcaui.exe

Filesize
484KB

MD5
032362afe67746de3335974c7224ca44

SHA1
c92cd50c5927bb9ad7b98f6762da93d78f8d118f

SHA256
be868ca272a52fd2483b732065b78d21e880e3dfdda49678cd7b2deb5e0a0ac2

SHA512
1b20b5c113caa174b4c2acfac5abe2132f41fb6365090248ac676eaa08f1255959fe4aaa966352c5dadc8bc8fb941a9ae87ef8e5340503a35bf06c77a5bdd3ab

Download Submit
\Users\Admin\AppData\Local\Temp\~77EE.tmp

Filesize
8KB

MD5
86dc243576cf5c7445451af37631eea9

SHA1
99a81c47c4c02f32c0ab456bfa23c306c7a09bf9

SHA256
25d2a671e1b5b5b95697ac0234ce4d46e0d0894919521b54aabebd9daecf994a

SHA512
c7310524f9b65f811146c1eb6ae944966351ac88a95fbc1ac422d8810730e5e212a7e28090ad758ea23c96ba38073e7fcf42460575e7f09dbc759a45c5d5a4a4

Download Submit
\Users\Admin\AppData\Roaming\Dispkmgr\disk_ssp.exe

Filesize
484KB

MD5
032362afe67746de3335974c7224ca44

SHA1
c92cd50c5927bb9ad7b98f6762da93d78f8d118f

SHA256
be868ca272a52fd2483b732065b78d21e880e3dfdda49678cd7b2deb5e0a0ac2

SHA512
1b20b5c113caa174b4c2acfac5abe2132f41fb6365090248ac676eaa08f1255959fe4aaa966352c5dadc8bc8fb941a9ae87ef8e5340503a35bf06c77a5bdd3ab

Download Submit
\Users\Admin\AppData\Roaming\Dispkmgr\disk_ssp.exe

Filesize
484KB

MD5
032362afe67746de3335974c7224ca44

SHA1
c92cd50c5927bb9ad7b98f6762da93d78f8d118f

SHA256
be868ca272a52fd2483b732065b78d21e880e3dfdda49678cd7b2deb5e0a0ac2

SHA512
1b20b5c113caa174b4c2acfac5abe2132f41fb6365090248ac676eaa08f1255959fe4aaa966352c5dadc8bc8fb941a9ae87ef8e5340503a35bf06c77a5bdd3ab

Download Submit
memory/1388-26-0x00000000039D0000-0x00000000039D6000-memory.dmp

Filesize
24KB

Download
memory/1388-28-0x00000000039E0000-0x00000000039ED000-memory.dmp

Filesize
52KB

Download
memory/1388-23-0x0000000003940000-0x00000000039C9000-memory.dmp

Filesize
548KB

Download
memory/1388-22-0x0000000003940000-0x00000000039C9000-memory.dmp

Filesize
548KB

Download
memory/1388-21-0x0000000003940000-0x00000000039C9000-memory.dmp

Filesize
548KB

Download
memory/2636-5-0x0000000008560000-0x00000000085E3000-memory.dmp

Filesize
524KB

Download
memory/2636-13-0x0000000008560000-0x00000000085E3000-memory.dmp

Filesize
524KB

Download
memory/2636-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2636-33-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2636-3-0x0000000000220000-0x00000000002A2000-memory.dmp

Filesize
520KB

Download
memory/2636-1-0x0000000000220000-0x00000000002A2000-memory.dmp

Filesize
520KB

Download
memory/2716-17-0x0000000000360000-0x0000000000365000-memory.dmp

Filesize
20KB

Download
memory/2716-16-0x00000000002A0000-0x0000000000322000-memory.dmp

Filesize
520KB

Download
memory/2716-30-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3064-37-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3064-36-0x0000000000220000-0x00000000002A2000-memory.dmp

Filesize
520KB

Download
memory/3064-38-0x0000000000220000-0x00000000002A2000-memory.dmp

Filesize
520KB

Download