63f02523abaa19b64ca313c5844995d5c0c7cb477fe8f49415ee98a8b6a793fc

Analysis

max time kernel
32s
max time network
125s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
02/11/2023, 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.1804487f82bdd0e7c063e4013260b730.exe
Size

1.7MB
MD5

1804487f82bdd0e7c063e4013260b730
SHA1

86e845f1039d6cbd7c9f21803a275ca0c8433166
SHA256

63f02523abaa19b64ca313c5844995d5c0c7cb477fe8f49415ee98a8b6a793fc
SHA512

02e3777483a9aeb3424248b5a962a676ea2dc3b5a59731e0d0fad27a99c073f6f1c8541b1c30dd072c350eb4ad0c1c19479d6d3c7ce2f67c3e886e1c89624c50
SSDEEP

24576:M51xbcS9in6bxcqbF8fYTOYKbDurSUQN7kBG+JqJS+WOZseId9x0FOXr2rlnM:MtbcS4neHbyfYTOYKPu/gEjiEO5ItDz

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2420	MSWDM.EXE
2764	MSWDM.EXE
2732	NEAS.1804487F82BDD0E7C063E4013260B730.EXE
2748	MSWDM.EXE

Loads dropped DLL 2 IoCs

pid	Process
2420	MSWDM.EXE
2420	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	NEAS.1804487f82bdd0e7c063e4013260b730.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	NEAS.1804487f82bdd0e7c063e4013260b730.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	NEAS.1804487f82bdd0e7c063e4013260b730.exe
File opened for modification	C:\Windows\dev8E0D.tmp	NEAS.1804487f82bdd0e7c063e4013260b730.exe
File opened for modification	C:\Windows\dev8E0D.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2420	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2764	2528	NEAS.1804487f82bdd0e7c063e4013260b730.exe	28
PID 2528 wrote to memory of 2764	2528	NEAS.1804487f82bdd0e7c063e4013260b730.exe	28
PID 2528 wrote to memory of 2764	2528	NEAS.1804487f82bdd0e7c063e4013260b730.exe	28
PID 2528 wrote to memory of 2764	2528	NEAS.1804487f82bdd0e7c063e4013260b730.exe	28
PID 2528 wrote to memory of 2420	2528	NEAS.1804487f82bdd0e7c063e4013260b730.exe	31
PID 2528 wrote to memory of 2420	2528	NEAS.1804487f82bdd0e7c063e4013260b730.exe	31
PID 2528 wrote to memory of 2420	2528	NEAS.1804487f82bdd0e7c063e4013260b730.exe	31
PID 2528 wrote to memory of 2420	2528	NEAS.1804487f82bdd0e7c063e4013260b730.exe	31
PID 2420 wrote to memory of 2732	2420	MSWDM.EXE	29
PID 2420 wrote to memory of 2732	2420	MSWDM.EXE	29
PID 2420 wrote to memory of 2732	2420	MSWDM.EXE	29
PID 2420 wrote to memory of 2732	2420	MSWDM.EXE	29
PID 2420 wrote to memory of 2748	2420	MSWDM.EXE	32
PID 2420 wrote to memory of 2748	2420	MSWDM.EXE	32
PID 2420 wrote to memory of 2748	2420	MSWDM.EXE	32
PID 2420 wrote to memory of 2748	2420	MSWDM.EXE	32

C:\Users\Admin\AppData\Local\Temp\NEAS.1804487f82bdd0e7c063e4013260b730.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.1804487f82bdd0e7c063e4013260b730.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2528
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2764
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev8E0D.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.1804487f82bdd0e7c063e4013260b730.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev8E0D.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.1804487F82BDD0E7C063E4013260B730.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2748

C:\Users\Admin\AppData\Local\Temp\NEAS.1804487F82BDD0E7C063E4013260B730.EXE
1⤵
- Executes dropped EXE
PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.1804487F82BDD0E7C063E4013260B730.EXE

Filesize
1.7MB

MD5
95387527d2e3e0b0d919d54d6ebb11d2

SHA1
bf783d116893aab24f66c0211c5267e5047fd4a0

SHA256
936e4791b161d02001edbaf1416aea19080d6c6183311e013b768d1713f3eceb

SHA512
0de39b7452a7bb52922a2beadefceed151c1527b5ce1a1b8660a64653403e82ab54a0ca6a686e0dc35baeeb7ffca00bfb32d1d0f38bb2048f7af03e54a76b7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.1804487F82BDD0E7C063E4013260B730.EXE

Filesize
1.7MB

MD5
95387527d2e3e0b0d919d54d6ebb11d2

SHA1
bf783d116893aab24f66c0211c5267e5047fd4a0

SHA256
936e4791b161d02001edbaf1416aea19080d6c6183311e013b768d1713f3eceb

SHA512
0de39b7452a7bb52922a2beadefceed151c1527b5ce1a1b8660a64653403e82ab54a0ca6a686e0dc35baeeb7ffca00bfb32d1d0f38bb2048f7af03e54a76b7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.1804487f82bdd0e7c063e4013260b730.exe

Filesize
34KB

MD5
f521965bf3c3f38dc3df43f0df339e95

SHA1
5ab377d59cb07f5d21fbe20418a4e0c9991ed570

SHA256
893c8af4fb2456a681b4c8106735323073cbcc7494353a8f0d4b087a4469d2f0

SHA512
c02c0593bc17c163a64d179877a47ed7896b1df719caa957c4586d00a42ce3cfbe46355a21a855290e5b5eb0b8566a70a9a35edf7e7ae6deec77f56501cdbdc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.1804487f82bdd0e7c063e4013260b730.exe

Filesize
34KB

MD5
f521965bf3c3f38dc3df43f0df339e95

SHA1
5ab377d59cb07f5d21fbe20418a4e0c9991ed570

SHA256
893c8af4fb2456a681b4c8106735323073cbcc7494353a8f0d4b087a4469d2f0

SHA512
c02c0593bc17c163a64d179877a47ed7896b1df719caa957c4586d00a42ce3cfbe46355a21a855290e5b5eb0b8566a70a9a35edf7e7ae6deec77f56501cdbdc2

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
1.6MB

MD5
7c43a5e859201698d2d4edfb455e9759

SHA1
d68520b0d263638913d06d07569bca8224aba407

SHA256
f9a74c45c24f6f4a117a0ccfb16f8a4e35fa2511b05d0d643b66897e8402d845

SHA512
833a299e67dc22a757af67a857939d5554b581514d26af3f14c8e8b2a773dbba7ce6b8df81c7a743886d122a45dc7d5b416c6a2108fde45523273721cc3bba3f

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
7c43a5e859201698d2d4edfb455e9759

SHA1
d68520b0d263638913d06d07569bca8224aba407

SHA256
f9a74c45c24f6f4a117a0ccfb16f8a4e35fa2511b05d0d643b66897e8402d845

SHA512
833a299e67dc22a757af67a857939d5554b581514d26af3f14c8e8b2a773dbba7ce6b8df81c7a743886d122a45dc7d5b416c6a2108fde45523273721cc3bba3f

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
7c43a5e859201698d2d4edfb455e9759

SHA1
d68520b0d263638913d06d07569bca8224aba407

SHA256
f9a74c45c24f6f4a117a0ccfb16f8a4e35fa2511b05d0d643b66897e8402d845

SHA512
833a299e67dc22a757af67a857939d5554b581514d26af3f14c8e8b2a773dbba7ce6b8df81c7a743886d122a45dc7d5b416c6a2108fde45523273721cc3bba3f

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
7c43a5e859201698d2d4edfb455e9759

SHA1
d68520b0d263638913d06d07569bca8224aba407

SHA256
f9a74c45c24f6f4a117a0ccfb16f8a4e35fa2511b05d0d643b66897e8402d845

SHA512
833a299e67dc22a757af67a857939d5554b581514d26af3f14c8e8b2a773dbba7ce6b8df81c7a743886d122a45dc7d5b416c6a2108fde45523273721cc3bba3f

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
7c43a5e859201698d2d4edfb455e9759

SHA1
d68520b0d263638913d06d07569bca8224aba407

SHA256
f9a74c45c24f6f4a117a0ccfb16f8a4e35fa2511b05d0d643b66897e8402d845

SHA512
833a299e67dc22a757af67a857939d5554b581514d26af3f14c8e8b2a773dbba7ce6b8df81c7a743886d122a45dc7d5b416c6a2108fde45523273721cc3bba3f

Download Submit
C:\Windows\dev8E0D.tmp

Filesize
34KB

MD5
f521965bf3c3f38dc3df43f0df339e95

SHA1
5ab377d59cb07f5d21fbe20418a4e0c9991ed570

SHA256
893c8af4fb2456a681b4c8106735323073cbcc7494353a8f0d4b087a4469d2f0

SHA512
c02c0593bc17c163a64d179877a47ed7896b1df719caa957c4586d00a42ce3cfbe46355a21a855290e5b5eb0b8566a70a9a35edf7e7ae6deec77f56501cdbdc2

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.1804487f82bdd0e7c063e4013260b730.exe

Filesize
34KB

MD5
f521965bf3c3f38dc3df43f0df339e95

SHA1
5ab377d59cb07f5d21fbe20418a4e0c9991ed570

SHA256
893c8af4fb2456a681b4c8106735323073cbcc7494353a8f0d4b087a4469d2f0

SHA512
c02c0593bc17c163a64d179877a47ed7896b1df719caa957c4586d00a42ce3cfbe46355a21a855290e5b5eb0b8566a70a9a35edf7e7ae6deec77f56501cdbdc2

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.1804487f82bdd0e7c063e4013260b730.exe

Filesize
34KB

MD5
f521965bf3c3f38dc3df43f0df339e95

SHA1
5ab377d59cb07f5d21fbe20418a4e0c9991ed570

SHA256
893c8af4fb2456a681b4c8106735323073cbcc7494353a8f0d4b087a4469d2f0

SHA512
c02c0593bc17c163a64d179877a47ed7896b1df719caa957c4586d00a42ce3cfbe46355a21a855290e5b5eb0b8566a70a9a35edf7e7ae6deec77f56501cdbdc2

Download Submit
memory/2420-19-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2420-33-0x00000000002F0000-0x0000000000304000-memory.dmp

Filesize
80KB

Download
memory/2420-35-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2528-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2528-12-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2528-17-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download
memory/2528-3-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download
memory/2528-36-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download
memory/2748-32-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2764-18-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2764-37-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download