de3205cabfa42025139f9808240faa0456f306e2abc952d42ed32d9c3e0ee9e1

Analysis

max time kernel
117s
max time network
124s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
02/11/2023, 16:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.26399a2e1a3b2f254107fb813ec157c0.exe
Size

143KB
MD5

26399a2e1a3b2f254107fb813ec157c0
SHA1

2dd417352f54ee9afff8b82ce974d9d55193c574
SHA256

de3205cabfa42025139f9808240faa0456f306e2abc952d42ed32d9c3e0ee9e1
SHA512

b2044daec843a4806361496db92f57e993d48e3b248250b1e242207054465aeb3e1d1b4192ff49c7bb52dbdd01ea2837ac6264a9d87b24c9dc78b22946ad8f39
SSDEEP

3072:UijxHNG5Kl6b8et/e3l3Z8YxITyHJx3yC:RjxoxdkZ8YhHJMC

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
2764	wwljcul.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\wwljcul.exe	NEAS.26399a2e1a3b2f254107fb813ec157c0.exe
File created	C:\PROGRA~3\Mozilla\sdwojsn.dll	wwljcul.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2764	2692	taskeng.exe	31
PID 2692 wrote to memory of 2764	2692	taskeng.exe	31
PID 2692 wrote to memory of 2764	2692	taskeng.exe	31
PID 2692 wrote to memory of 2764	2692	taskeng.exe	31

C:\Users\Admin\AppData\Local\Temp\NEAS.26399a2e1a3b2f254107fb813ec157c0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.26399a2e1a3b2f254107fb813ec157c0.exe"
1⤵
- Drops file in Program Files directory
PID:1280

C:\Windows\system32\taskeng.exe
taskeng.exe {72CB3D98-6F5B-4853-8A68-99BDE3C57A65} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2692
- C:\PROGRA~3\Mozilla\wwljcul.exe
  C:\PROGRA~3\Mozilla\wwljcul.exe -anxczaj
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\wwljcul.exe

Filesize
143KB

MD5
4ea6ababd1c697f186f4d42c29199b0f

SHA1
04bdcacc48858ed5ce844dd7f966cdaa07a23e96

SHA256
120ba2df886dc788a51276ec829c3f57ee03eec1af527b85428e5fc313f75811

SHA512
b202d320a0a13a86f97c50b352f028b1c45528ae4048eedb71748f53de725310cc9224e38f31d40b082e8655dfcbb3f3d8c82a98873ac2daa531b1813d98fd90

Download Submit
C:\PROGRA~3\Mozilla\wwljcul.exe

Filesize
143KB

MD5
4ea6ababd1c697f186f4d42c29199b0f

SHA1
04bdcacc48858ed5ce844dd7f966cdaa07a23e96

SHA256
120ba2df886dc788a51276ec829c3f57ee03eec1af527b85428e5fc313f75811

SHA512
b202d320a0a13a86f97c50b352f028b1c45528ae4048eedb71748f53de725310cc9224e38f31d40b082e8655dfcbb3f3d8c82a98873ac2daa531b1813d98fd90

Download Submit
memory/1280-0-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1280-1-0x0000000000220000-0x000000000027B000-memory.dmp

Filesize
364KB

Download
memory/1280-7-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2764-15-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2764-16-0x00000000002B0000-0x000000000030B000-memory.dmp

Filesize
364KB

Download
memory/2764-22-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download