84654738800ebd8330086988d333480ec6109952c9e371d6ce8b3a22d7ade716

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
02/11/2023, 03:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.d89c449f637f57789814a9eea6a7b240_JC.exe
Size

127KB
MD5

d89c449f637f57789814a9eea6a7b240
SHA1

7a76c4ac315b33c459bb6f5b48d7631b126ec5ea
SHA256

84654738800ebd8330086988d333480ec6109952c9e371d6ce8b3a22d7ade716
SHA512

8fc74f7e68346677a045a2ab1c59af0b58d03a3c17ccdc4c9db37b74bd73c3fadef64d646be41ff043db06a18676e6e7c73ec46b25977b65ee091f43aba17b36
SSDEEP

3072:bl9X4ATRtqdEY82XLT79O6W/0aC0VrETTrDFzH38dkjJI:x9ZtqqY82X3RObR4frxzsdkjJI

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
2772	dhuqaed.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\dhuqaed.exe	NEAS.d89c449f637f57789814a9eea6a7b240_JC.exe
File created	C:\PROGRA~3\Mozilla\fjgblbm.dll	dhuqaed.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 2772	1340	taskeng.exe	29
PID 1340 wrote to memory of 2772	1340	taskeng.exe	29
PID 1340 wrote to memory of 2772	1340	taskeng.exe	29
PID 1340 wrote to memory of 2772	1340	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.d89c449f637f57789814a9eea6a7b240_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.d89c449f637f57789814a9eea6a7b240_JC.exe"
1⤵
- Drops file in Program Files directory
PID:1196

C:\Windows\system32\taskeng.exe
taskeng.exe {4BCDBCC0-112D-4330-B16F-EAE6B95704FF} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1340
- C:\PROGRA~3\Mozilla\dhuqaed.exe
  C:\PROGRA~3\Mozilla\dhuqaed.exe -vpwggce
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\dhuqaed.exe

Filesize
127KB

MD5
1b5288759977e3d52bb6cc850d33b66c

SHA1
b69567d958bb695cdd819b3c385c777ce187178a

SHA256
9888fcdd21ab42ec67cb4045a705a59e1f3f4e6c26183de2ff756a422590b987

SHA512
c210e24fcd5d8123de2b16b1c14675acfa01edd4df55ed979cc21c7c3a58a34a99fac2ae91097d4c1030360e5795e2f205f80e9bb77b4f774f746bb4ed545a57

Download Submit
C:\PROGRA~3\Mozilla\dhuqaed.exe

Filesize
127KB

MD5
1b5288759977e3d52bb6cc850d33b66c

SHA1
b69567d958bb695cdd819b3c385c777ce187178a

SHA256
9888fcdd21ab42ec67cb4045a705a59e1f3f4e6c26183de2ff756a422590b987

SHA512
c210e24fcd5d8123de2b16b1c14675acfa01edd4df55ed979cc21c7c3a58a34a99fac2ae91097d4c1030360e5795e2f205f80e9bb77b4f774f746bb4ed545a57

Download Submit
memory/1196-0-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1196-1-0x0000000000200000-0x000000000025B000-memory.dmp

Filesize
364KB

Download
memory/1196-7-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2772-10-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2772-11-0x0000000000430000-0x000000000048B000-memory.dmp

Filesize
364KB

Download