63f02523abaa19b64ca313c5844995d5c0c7cb477fe8f49415ee98a8b6a793fc

Analysis

max time kernel
26s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
02/11/2023, 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.1804487f82bdd0e7c063e4013260b730.exe
Size

1.7MB
MD5

1804487f82bdd0e7c063e4013260b730
SHA1

86e845f1039d6cbd7c9f21803a275ca0c8433166
SHA256

63f02523abaa19b64ca313c5844995d5c0c7cb477fe8f49415ee98a8b6a793fc
SHA512

02e3777483a9aeb3424248b5a962a676ea2dc3b5a59731e0d0fad27a99c073f6f1c8541b1c30dd072c350eb4ad0c1c19479d6d3c7ce2f67c3e886e1c89624c50
SSDEEP

24576:M51xbcS9in6bxcqbF8fYTOYKbDurSUQN7kBG+JqJS+WOZseId9x0FOXr2rlnM:MtbcS4neHbyfYTOYKPu/gEjiEO5ItDz

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
8	MSWDM.EXE
3188	MSWDM.EXE
4504	NEAS.1804487F82BDD0E7C063E4013260B730.EXE
1536	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	NEAS.1804487f82bdd0e7c063e4013260b730.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	NEAS.1804487f82bdd0e7c063e4013260b730.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\devD8BC.tmp	NEAS.1804487f82bdd0e7c063e4013260b730.exe
File opened for modification	C:\Windows\devD8BC.tmp	MSWDM.EXE
File created	C:\WINDOWS\MSWDM.EXE	NEAS.1804487f82bdd0e7c063e4013260b730.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3188	MSWDM.EXE
3188	MSWDM.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 8	2080	NEAS.1804487f82bdd0e7c063e4013260b730.exe	84
PID 2080 wrote to memory of 8	2080	NEAS.1804487f82bdd0e7c063e4013260b730.exe	84
PID 2080 wrote to memory of 8	2080	NEAS.1804487f82bdd0e7c063e4013260b730.exe	84
PID 2080 wrote to memory of 3188	2080	NEAS.1804487f82bdd0e7c063e4013260b730.exe	85
PID 2080 wrote to memory of 3188	2080	NEAS.1804487f82bdd0e7c063e4013260b730.exe	85
PID 2080 wrote to memory of 3188	2080	NEAS.1804487f82bdd0e7c063e4013260b730.exe	85
PID 3188 wrote to memory of 4504	3188	MSWDM.EXE	86
PID 3188 wrote to memory of 4504	3188	MSWDM.EXE	86
PID 3188 wrote to memory of 4504	3188	MSWDM.EXE	86
PID 3188 wrote to memory of 1536	3188	MSWDM.EXE	88
PID 3188 wrote to memory of 1536	3188	MSWDM.EXE	88
PID 3188 wrote to memory of 1536	3188	MSWDM.EXE	88

C:\Users\Admin\AppData\Local\Temp\NEAS.1804487f82bdd0e7c063e4013260b730.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.1804487f82bdd0e7c063e4013260b730.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2080
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:8
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\devD8BC.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.1804487f82bdd0e7c063e4013260b730.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3188
- - C:\Users\Admin\AppData\Local\Temp\NEAS.1804487F82BDD0E7C063E4013260B730.EXE
    3⤵
    - Executes dropped EXE
    PID:4504
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\devD8BC.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.1804487F82BDD0E7C063E4013260B730.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.1804487F82BDD0E7C063E4013260B730.EXE

Filesize
1.7MB

MD5
547bb71b3894abf493cb65bd34c997d5

SHA1
5c7115f9290eb067e790a276429e8dbee5b13508

SHA256
0030783f86c794c192ac7e4c13636d6e0d3e18450963682ea73f37e7d0889488

SHA512
b9b3bca59ab3359918c3cba460fe2a306bd3193a303a6d0a70a99eee65c54821a4f1a15930aeeb230ba46d1d36f3c7d28c6ce4afb6435768882a01f89f8333d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.1804487F82BDD0E7C063E4013260B730.EXE

Filesize
1.7MB

MD5
547bb71b3894abf493cb65bd34c997d5

SHA1
5c7115f9290eb067e790a276429e8dbee5b13508

SHA256
0030783f86c794c192ac7e4c13636d6e0d3e18450963682ea73f37e7d0889488

SHA512
b9b3bca59ab3359918c3cba460fe2a306bd3193a303a6d0a70a99eee65c54821a4f1a15930aeeb230ba46d1d36f3c7d28c6ce4afb6435768882a01f89f8333d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.1804487f82bdd0e7c063e4013260b730.exe

Filesize
34KB

MD5
f521965bf3c3f38dc3df43f0df339e95

SHA1
5ab377d59cb07f5d21fbe20418a4e0c9991ed570

SHA256
893c8af4fb2456a681b4c8106735323073cbcc7494353a8f0d4b087a4469d2f0

SHA512
c02c0593bc17c163a64d179877a47ed7896b1df719caa957c4586d00a42ce3cfbe46355a21a855290e5b5eb0b8566a70a9a35edf7e7ae6deec77f56501cdbdc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.1804487f82bdd0e7c063e4013260b730.exe

Filesize
1.7MB

MD5
547bb71b3894abf493cb65bd34c997d5

SHA1
5c7115f9290eb067e790a276429e8dbee5b13508

SHA256
0030783f86c794c192ac7e4c13636d6e0d3e18450963682ea73f37e7d0889488

SHA512
b9b3bca59ab3359918c3cba460fe2a306bd3193a303a6d0a70a99eee65c54821a4f1a15930aeeb230ba46d1d36f3c7d28c6ce4afb6435768882a01f89f8333d3

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
1.6MB

MD5
7c43a5e859201698d2d4edfb455e9759

SHA1
d68520b0d263638913d06d07569bca8224aba407

SHA256
f9a74c45c24f6f4a117a0ccfb16f8a4e35fa2511b05d0d643b66897e8402d845

SHA512
833a299e67dc22a757af67a857939d5554b581514d26af3f14c8e8b2a773dbba7ce6b8df81c7a743886d122a45dc7d5b416c6a2108fde45523273721cc3bba3f

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
7c43a5e859201698d2d4edfb455e9759

SHA1
d68520b0d263638913d06d07569bca8224aba407

SHA256
f9a74c45c24f6f4a117a0ccfb16f8a4e35fa2511b05d0d643b66897e8402d845

SHA512
833a299e67dc22a757af67a857939d5554b581514d26af3f14c8e8b2a773dbba7ce6b8df81c7a743886d122a45dc7d5b416c6a2108fde45523273721cc3bba3f

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
7c43a5e859201698d2d4edfb455e9759

SHA1
d68520b0d263638913d06d07569bca8224aba407

SHA256
f9a74c45c24f6f4a117a0ccfb16f8a4e35fa2511b05d0d643b66897e8402d845

SHA512
833a299e67dc22a757af67a857939d5554b581514d26af3f14c8e8b2a773dbba7ce6b8df81c7a743886d122a45dc7d5b416c6a2108fde45523273721cc3bba3f

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
7c43a5e859201698d2d4edfb455e9759

SHA1
d68520b0d263638913d06d07569bca8224aba407

SHA256
f9a74c45c24f6f4a117a0ccfb16f8a4e35fa2511b05d0d643b66897e8402d845

SHA512
833a299e67dc22a757af67a857939d5554b581514d26af3f14c8e8b2a773dbba7ce6b8df81c7a743886d122a45dc7d5b416c6a2108fde45523273721cc3bba3f

Download Submit
C:\Windows\devD8BC.tmp

Filesize
34KB

MD5
f521965bf3c3f38dc3df43f0df339e95

SHA1
5ab377d59cb07f5d21fbe20418a4e0c9991ed570

SHA256
893c8af4fb2456a681b4c8106735323073cbcc7494353a8f0d4b087a4469d2f0

SHA512
c02c0593bc17c163a64d179877a47ed7896b1df719caa957c4586d00a42ce3cfbe46355a21a855290e5b5eb0b8566a70a9a35edf7e7ae6deec77f56501cdbdc2

Download Submit
memory/8-7-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/8-22-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1536-19-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2080-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2080-9-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3188-10-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3188-21-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download