7121d11bbd9ac90ef638a941723de2d6a595d04a5302e9712e862f57da042175

Analysis

max time kernel
13s
max time network
124s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
02/11/2023, 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.17c96bf77edad2d153a5e20bd1c37aa0_JC.exe
Size

1.8MB
MD5

17c96bf77edad2d153a5e20bd1c37aa0
SHA1

1254c082754cccff445be886021d5485c21d54b1
SHA256

7121d11bbd9ac90ef638a941723de2d6a595d04a5302e9712e862f57da042175
SHA512

df544d63e720d9d8caabb6b93ec690e4ddec8382bebb1d5757baab8c231f52715cd8e394777d3d02ed9e5b3c9c4b0df9314524ac5cd1b74c8361d011cf1549f7
SSDEEP

49152:MtwcS4neHbyfYTOYKPu/gEjiEO5ItDVrW:MtxS4neHvZjiEO5Ih4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2116	MSWDM.EXE
2520	MSWDM.EXE
3068	NEAS.17C96BF77EDAD2D153A5E20BD1C37AA0_JC.EXE
2700	MSWDM.EXE

Loads dropped DLL 1 IoCs

pid	Process
2520	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	NEAS.17c96bf77edad2d153a5e20bd1c37aa0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	NEAS.17c96bf77edad2d153a5e20bd1c37aa0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	NEAS.17c96bf77edad2d153a5e20bd1c37aa0_JC.exe
File opened for modification	C:\Windows\dev4E20.tmp	NEAS.17c96bf77edad2d153a5e20bd1c37aa0_JC.exe
File opened for modification	C:\Windows\dev4E20.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2520	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 2116	1680	NEAS.17c96bf77edad2d153a5e20bd1c37aa0_JC.exe	28
PID 1680 wrote to memory of 2116	1680	NEAS.17c96bf77edad2d153a5e20bd1c37aa0_JC.exe	28
PID 1680 wrote to memory of 2116	1680	NEAS.17c96bf77edad2d153a5e20bd1c37aa0_JC.exe	28
PID 1680 wrote to memory of 2116	1680	NEAS.17c96bf77edad2d153a5e20bd1c37aa0_JC.exe	28
PID 1680 wrote to memory of 2520	1680	NEAS.17c96bf77edad2d153a5e20bd1c37aa0_JC.exe	29
PID 1680 wrote to memory of 2520	1680	NEAS.17c96bf77edad2d153a5e20bd1c37aa0_JC.exe	29
PID 1680 wrote to memory of 2520	1680	NEAS.17c96bf77edad2d153a5e20bd1c37aa0_JC.exe	29
PID 1680 wrote to memory of 2520	1680	NEAS.17c96bf77edad2d153a5e20bd1c37aa0_JC.exe	29
PID 2520 wrote to memory of 3068	2520	MSWDM.EXE	30
PID 2520 wrote to memory of 3068	2520	MSWDM.EXE	30
PID 2520 wrote to memory of 3068	2520	MSWDM.EXE	30
PID 2520 wrote to memory of 3068	2520	MSWDM.EXE	30
PID 2520 wrote to memory of 2700	2520	MSWDM.EXE	32
PID 2520 wrote to memory of 2700	2520	MSWDM.EXE	32
PID 2520 wrote to memory of 2700	2520	MSWDM.EXE	32
PID 2520 wrote to memory of 2700	2520	MSWDM.EXE	32

C:\Users\Admin\AppData\Local\Temp\NEAS.17c96bf77edad2d153a5e20bd1c37aa0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.17c96bf77edad2d153a5e20bd1c37aa0_JC.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1680
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2116
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev4E20.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.17c96bf77edad2d153a5e20bd1c37aa0_JC.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Users\Admin\AppData\Local\Temp\NEAS.17C96BF77EDAD2D153A5E20BD1C37AA0_JC.EXE
    3⤵
    - Executes dropped EXE
    PID:3068
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev4E20.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.17C96BF77EDAD2D153A5E20BD1C37AA0_JC.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.17C96BF77EDAD2D153A5E20BD1C37AA0_JC.EXE

Filesize
1.8MB

MD5
f9e9c2853b95c73b28d71b0616764e13

SHA1
07a8b66b8bbcfdb41e0141902ec19f40f085d328

SHA256
0d8b04de211eb07569dba24d6ae1572ba7b1a7316b72a569581be45f335abdcb

SHA512
55451b4139e94634a697a57a395d3c060478206cffb6d6fef134bc1062ce75c3c0ded94bf20e5fe94766c0385ef1ab0b14964ac203434e5e88d565174d3adb04

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.17C96BF77EDAD2D153A5E20BD1C37AA0_JC.EXE

Filesize
1.8MB

MD5
f9e9c2853b95c73b28d71b0616764e13

SHA1
07a8b66b8bbcfdb41e0141902ec19f40f085d328

SHA256
0d8b04de211eb07569dba24d6ae1572ba7b1a7316b72a569581be45f335abdcb

SHA512
55451b4139e94634a697a57a395d3c060478206cffb6d6fef134bc1062ce75c3c0ded94bf20e5fe94766c0385ef1ab0b14964ac203434e5e88d565174d3adb04

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.17c96bf77edad2d153a5e20bd1c37aa0_JC.exe

Filesize
35KB

MD5
2c66df25d30b2ea67ab2fd18f3058fd8

SHA1
ae92d355903d25afb6113c3bae6a40305e5857f9

SHA256
4f7262d45f0b95840d41511d3658281080a3a66e2d59541b5e52acf887b9b6bb

SHA512
5275be29af642a6220fc9930c3daccb0e74c8989d4d2ac573fae8465d96e501532d19130786d673f75f171ab7a2b55984673d5ccba37972ff5c3c9e3dfadac79

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
1.8MB

MD5
00e943f43bce67e718dec53f7805d859

SHA1
4f82ecb16bf07297524a8f167729616d0899946e

SHA256
27e7d4acf299c760a7f1eb0a1d35f7c917c95412e49c8e949f9a15408ec2c4a8

SHA512
7384cbcabfd4e94ff47182625aa546e13fba961dd248f512e467bf88785199157fdc6e360a7f6b35d1cb9225f6d2adbab732bb31fa7ebff3c221a3692bf2cf2c

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.8MB

MD5
00e943f43bce67e718dec53f7805d859

SHA1
4f82ecb16bf07297524a8f167729616d0899946e

SHA256
27e7d4acf299c760a7f1eb0a1d35f7c917c95412e49c8e949f9a15408ec2c4a8

SHA512
7384cbcabfd4e94ff47182625aa546e13fba961dd248f512e467bf88785199157fdc6e360a7f6b35d1cb9225f6d2adbab732bb31fa7ebff3c221a3692bf2cf2c

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.8MB

MD5
00e943f43bce67e718dec53f7805d859

SHA1
4f82ecb16bf07297524a8f167729616d0899946e

SHA256
27e7d4acf299c760a7f1eb0a1d35f7c917c95412e49c8e949f9a15408ec2c4a8

SHA512
7384cbcabfd4e94ff47182625aa546e13fba961dd248f512e467bf88785199157fdc6e360a7f6b35d1cb9225f6d2adbab732bb31fa7ebff3c221a3692bf2cf2c

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.8MB

MD5
00e943f43bce67e718dec53f7805d859

SHA1
4f82ecb16bf07297524a8f167729616d0899946e

SHA256
27e7d4acf299c760a7f1eb0a1d35f7c917c95412e49c8e949f9a15408ec2c4a8

SHA512
7384cbcabfd4e94ff47182625aa546e13fba961dd248f512e467bf88785199157fdc6e360a7f6b35d1cb9225f6d2adbab732bb31fa7ebff3c221a3692bf2cf2c

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.8MB

MD5
00e943f43bce67e718dec53f7805d859

SHA1
4f82ecb16bf07297524a8f167729616d0899946e

SHA256
27e7d4acf299c760a7f1eb0a1d35f7c917c95412e49c8e949f9a15408ec2c4a8

SHA512
7384cbcabfd4e94ff47182625aa546e13fba961dd248f512e467bf88785199157fdc6e360a7f6b35d1cb9225f6d2adbab732bb31fa7ebff3c221a3692bf2cf2c

Download Submit
C:\Windows\dev4E20.tmp

Filesize
35KB

MD5
2c66df25d30b2ea67ab2fd18f3058fd8

SHA1
ae92d355903d25afb6113c3bae6a40305e5857f9

SHA256
4f7262d45f0b95840d41511d3658281080a3a66e2d59541b5e52acf887b9b6bb

SHA512
5275be29af642a6220fc9930c3daccb0e74c8989d4d2ac573fae8465d96e501532d19130786d673f75f171ab7a2b55984673d5ccba37972ff5c3c9e3dfadac79

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.17c96bf77edad2d153a5e20bd1c37aa0_JC.exe

Filesize
35KB

MD5
2c66df25d30b2ea67ab2fd18f3058fd8

SHA1
ae92d355903d25afb6113c3bae6a40305e5857f9

SHA256
4f7262d45f0b95840d41511d3658281080a3a66e2d59541b5e52acf887b9b6bb

SHA512
5275be29af642a6220fc9930c3daccb0e74c8989d4d2ac573fae8465d96e501532d19130786d673f75f171ab7a2b55984673d5ccba37972ff5c3c9e3dfadac79

Download Submit
memory/1680-12-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1680-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1680-32-0x0000000000300000-0x0000000000314000-memory.dmp

Filesize
80KB

Download
memory/2116-14-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2116-33-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2520-22-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2520-31-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2520-23-0x00000000003C0000-0x00000000003D4000-memory.dmp

Filesize
80KB

Download
memory/2700-29-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2700-25-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download