4a40e3fc9e14ec1d3088b933bb7ac1df25200c0a8255710d20e2a9a397e0efca

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
02/11/2023, 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.21093638102b2bc9c56e6af2d530aba0_JC.exe
Size

98KB
MD5

21093638102b2bc9c56e6af2d530aba0
SHA1

43847a428bb91644194a13f35bae3ccf33822f1e
SHA256

4a40e3fc9e14ec1d3088b933bb7ac1df25200c0a8255710d20e2a9a397e0efca
SHA512

e9f3c1341f5bfa9047f3eb4ea18d337492f2a67afe1bc486413662b7fd5d87a1c3840524b8863db0194229e885d18e9b97dd39d26e5f8ed94ecf1c1f5ba5c139
SSDEEP

3072:u2bPVlKnQMeEP+8vIjBWpi4rELdC/T5bu:uiKLt+8viBWpTALcu

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3064	suvkbwn.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\suvkbwn.exe	NEAS.21093638102b2bc9c56e6af2d530aba0_JC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3064	suvkbwn.exe
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1188	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3064	suvkbwn.exe
Token: SeDebugPrivilege	1188	Explorer.EXE

Suspicious use of UnmapMainImage 3 IoCs

pid	Process
1500	NEAS.21093638102b2bc9c56e6af2d530aba0_JC.exe
3064	suvkbwn.exe
1188	Explorer.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 3064	2664	taskeng.exe	29
PID 2664 wrote to memory of 3064	2664	taskeng.exe	29
PID 2664 wrote to memory of 3064	2664	taskeng.exe	29
PID 2664 wrote to memory of 3064	2664	taskeng.exe	29
PID 3064 wrote to memory of 1188	3064	suvkbwn.exe	17

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:1188
- C:\Users\Admin\AppData\Local\Temp\NEAS.21093638102b2bc9c56e6af2d530aba0_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.21093638102b2bc9c56e6af2d530aba0_JC.exe"
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID:1500

C:\Windows\system32\taskeng.exe
taskeng.exe {53628919-7B0D-48A7-9E3B-B7E476244E9B} S-1-5-21-2085049433-1067986815-1244098655-1000:AHLBRYJO\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2664
- C:\PROGRA~3\Mozilla\suvkbwn.exe
  C:\PROGRA~3\Mozilla\suvkbwn.exe -tlhykym
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:3064

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\suvkbwn.exe

Filesize
98KB

MD5
dff46345d60003c1dede004384119571

SHA1
1b6dd25fd5d5984f9146ef56c3154427161124bf

SHA256
ae0de03f8b68417c1e431971d39745527803ef6e433dc613fa16fe16e096b1cb

SHA512
e03732ca3bb9a90bb528490ee6cfbe8579639f7725d60ac988d0be73c4bd4b295b7d18c7969c81f4c59617bbf22062297fe310d8d46651c2ef352c972f41627a

Download Submit
C:\PROGRA~3\Mozilla\suvkbwn.exe

Filesize
98KB

MD5
dff46345d60003c1dede004384119571

SHA1
1b6dd25fd5d5984f9146ef56c3154427161124bf

SHA256
ae0de03f8b68417c1e431971d39745527803ef6e433dc613fa16fe16e096b1cb

SHA512
e03732ca3bb9a90bb528490ee6cfbe8579639f7725d60ac988d0be73c4bd4b295b7d18c7969c81f4c59617bbf22062297fe310d8d46651c2ef352c972f41627a

Download Submit
memory/1188-10-0x00000000029A0000-0x00000000029BC000-memory.dmp

Filesize
112KB

Download
memory/1188-12-0x00000000029A0000-0x00000000029BC000-memory.dmp

Filesize
112KB

Download
memory/1500-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1500-0-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1500-2-0x0000000000240000-0x000000000029F000-memory.dmp

Filesize
380KB

Download
memory/1500-4-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3064-7-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/3064-9-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3064-8-0x0000000000240000-0x000000000029F000-memory.dmp

Filesize
380KB

Download
memory/3064-14-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download