ea9c24297b83213d80a2c3a6c4d5cab35855a0cd7e2f780e53fe7b5e9eb2b904

Analysis

max time kernel
117s
max time network
130s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
01/11/2023, 14:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.ed3b2b93edadb11fc424cff68586aed0.exe
Size

145KB
MD5

ed3b2b93edadb11fc424cff68586aed0
SHA1

1591de70c5e94750b76e7103f4c47accc03cf60a
SHA256

ea9c24297b83213d80a2c3a6c4d5cab35855a0cd7e2f780e53fe7b5e9eb2b904
SHA512

770681722c5cb989ca277be7c21439647b931abcefe73be4e849f9f922ecb0b0db68dc789d4ac7e2f736086a0b7da4b6d8b362777f4f4f9c524b330c828dc895
SSDEEP

3072:H0FcokNlIts/eEieyYr5czW2BmQ6GEq03Ivi8Lv:H05WJWE+hS2h0Ivi8Lv

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
2844	kymnayk.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\kymnayk.exe	NEAS.ed3b2b93edadb11fc424cff68586aed0.exe
File created	C:\PROGRA~3\Mozilla\iuxrktg.dll	kymnayk.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 2844	2540	taskeng.exe	31
PID 2540 wrote to memory of 2844	2540	taskeng.exe	31
PID 2540 wrote to memory of 2844	2540	taskeng.exe	31
PID 2540 wrote to memory of 2844	2540	taskeng.exe	31

C:\Users\Admin\AppData\Local\Temp\NEAS.ed3b2b93edadb11fc424cff68586aed0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.ed3b2b93edadb11fc424cff68586aed0.exe"
1⤵
- Drops file in Program Files directory
PID:2248

C:\Windows\system32\taskeng.exe
taskeng.exe {24E377C0-45A6-4AC1-B277-7E445A969272} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2540
- C:\PROGRA~3\Mozilla\kymnayk.exe
  C:\PROGRA~3\Mozilla\kymnayk.exe -dtmxjcd
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\kymnayk.exe

Filesize
145KB

MD5
8c996ec1a23b93c566ec07c8ca1d6f4c

SHA1
b43a2e18c99364c8c5e8cfd3d245bb501a062fc6

SHA256
c881348bc8daa4b1250a2cafbe0f4e2d47d7ee0b7045aff2b227878a8d8941ea

SHA512
9aec5093f2a9d1620499bb43047f260fb9285d52a5457b4d4f90a9fdc9a7681b22f6fd5a859a2f5bfac3d5d9d20de57765e6937b4fd1728c16a17bb9168f8752

Download Submit
C:\PROGRA~3\Mozilla\kymnayk.exe

Filesize
145KB

MD5
8c996ec1a23b93c566ec07c8ca1d6f4c

SHA1
b43a2e18c99364c8c5e8cfd3d245bb501a062fc6

SHA256
c881348bc8daa4b1250a2cafbe0f4e2d47d7ee0b7045aff2b227878a8d8941ea

SHA512
9aec5093f2a9d1620499bb43047f260fb9285d52a5457b4d4f90a9fdc9a7681b22f6fd5a859a2f5bfac3d5d9d20de57765e6937b4fd1728c16a17bb9168f8752

Download Submit
memory/2248-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2248-1-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2248-3-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2248-2-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2248-7-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2248-11-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2844-14-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2844-15-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2844-16-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2844-20-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download