f3322bead069396c577a27fd93699d86a43ff76b42b2c77896afceb400b7abbd

General

Target

NEAS.650b9c6c7b55fdefe2315a74fb9a73a2_JC.exe
Size

1.7MB
MD5

650b9c6c7b55fdefe2315a74fb9a73a2
SHA1

f251b090ef7c7fda8b8bb09552f569faf6004a1b
SHA256

f3322bead069396c577a27fd93699d86a43ff76b42b2c77896afceb400b7abbd
SHA512

5d4d038f2a362b76b44aa19da81bacb5122d365f29ad5e994e0be33dd8b40cfebdee5541316a85f45bd53cac3c7f2c2c79035369978f8dc934e04da5e4dbd683
SSDEEP

24576:M51xWcS9in6bxcqbF8fYTOYKbDurSUQN7kBG+JqJS+WOZseId9x0FOXr2rl+NX:MtWcS4neHbyfYTOYKPu/gEjiEO5ItDdt

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
5000	MSWDM.EXE
2648	MSWDM.EXE
4940	NEAS.650B9C6C7B55FDEFE2315A74FB9A73A2_JC.EXE
3248	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	NEAS.650b9c6c7b55fdefe2315a74fb9a73a2_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	NEAS.650b9c6c7b55fdefe2315a74fb9a73a2_JC.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\devE57E.tmp	NEAS.650b9c6c7b55fdefe2315a74fb9a73a2_JC.exe
File opened for modification	C:\Windows\devE57E.tmp	MSWDM.EXE
File created	C:\WINDOWS\MSWDM.EXE	NEAS.650b9c6c7b55fdefe2315a74fb9a73a2_JC.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2648	MSWDM.EXE
2648	MSWDM.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 5000	2568	NEAS.650b9c6c7b55fdefe2315a74fb9a73a2_JC.exe	87
PID 2568 wrote to memory of 5000	2568	NEAS.650b9c6c7b55fdefe2315a74fb9a73a2_JC.exe	87
PID 2568 wrote to memory of 5000	2568	NEAS.650b9c6c7b55fdefe2315a74fb9a73a2_JC.exe	87
PID 2568 wrote to memory of 2648	2568	NEAS.650b9c6c7b55fdefe2315a74fb9a73a2_JC.exe	88
PID 2568 wrote to memory of 2648	2568	NEAS.650b9c6c7b55fdefe2315a74fb9a73a2_JC.exe	88
PID 2568 wrote to memory of 2648	2568	NEAS.650b9c6c7b55fdefe2315a74fb9a73a2_JC.exe	88
PID 2648 wrote to memory of 4940	2648	MSWDM.EXE	89
PID 2648 wrote to memory of 4940	2648	MSWDM.EXE	89
PID 2648 wrote to memory of 4940	2648	MSWDM.EXE	89
PID 2648 wrote to memory of 3248	2648	MSWDM.EXE	91
PID 2648 wrote to memory of 3248	2648	MSWDM.EXE	91
PID 2648 wrote to memory of 3248	2648	MSWDM.EXE	91

C:\Users\Admin\AppData\Local\Temp\NEAS.650b9c6c7b55fdefe2315a74fb9a73a2_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.650b9c6c7b55fdefe2315a74fb9a73a2_JC.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2568
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5000
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\devE57E.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.650b9c6c7b55fdefe2315a74fb9a73a2_JC.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Users\Admin\AppData\Local\Temp\NEAS.650B9C6C7B55FDEFE2315A74FB9A73A2_JC.EXE
    3⤵
    - Executes dropped EXE
    PID:4940
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\devE57E.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.650B9C6C7B55FDEFE2315A74FB9A73A2_JC.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.650B9C6C7B55FDEFE2315A74FB9A73A2_JC.EXE

Filesize
1.7MB

MD5
c6869ef7211d0efe6f02f498af5f3da3

SHA1
581820a9eba088c9a807db758cd448950eeb01ca

SHA256
ce685aa3bbf399c950533cf91fc2e24905f99f40b7a3b6656f30c3c55a43a349

SHA512
7aa076586148dcf3425da96d17cefed1417cdda1fd3514dd0496b6a792f7591e767762e6318826422754f9a221fc025ed22b281a9745abe1a6f8561987dd2ffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.650B9C6C7B55FDEFE2315A74FB9A73A2_JC.EXE

Filesize
1.7MB

MD5
c6869ef7211d0efe6f02f498af5f3da3

SHA1
581820a9eba088c9a807db758cd448950eeb01ca

SHA256
ce685aa3bbf399c950533cf91fc2e24905f99f40b7a3b6656f30c3c55a43a349

SHA512
7aa076586148dcf3425da96d17cefed1417cdda1fd3514dd0496b6a792f7591e767762e6318826422754f9a221fc025ed22b281a9745abe1a6f8561987dd2ffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.650b9c6c7b55fdefe2315a74fb9a73a2_JC.exe

Filesize
96KB

MD5
dcb9bf59a0e4a690c759b1755c66cbbd

SHA1
839e1b3e98a189c0cc0466e422ee638a187efc1d

SHA256
d932ad3629b134d2a88e929f1f17822bb54fa86a47df2e07db1b681e1500717a

SHA512
af1f9645dbfe8f2669f3df2f0dc2f4779c1cb8d763e6651eca08e627872040a1cf0baee6bc2aaa76eaa63f165c59689be8c47743229235fe66dd387b7a1a08e6

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
1.6MB

MD5
c4691f22a5a2277e39025c6b4ca5b73b

SHA1
9d02101d0732c456701a698ce6602595f526e751

SHA256
5d986d56f720e93a96321eda7aba0c7fcbaf2a5a767579d06f76532b50cb5586

SHA512
70b878ea99c426f48de0781fb76a55cd42d2e23afc1acc0dbee23842ffc54680de5d43a26f86bd1df724656dd205e58f485bb8c093a95f47a31265e929c2cd8f

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
c4691f22a5a2277e39025c6b4ca5b73b

SHA1
9d02101d0732c456701a698ce6602595f526e751

SHA256
5d986d56f720e93a96321eda7aba0c7fcbaf2a5a767579d06f76532b50cb5586

SHA512
70b878ea99c426f48de0781fb76a55cd42d2e23afc1acc0dbee23842ffc54680de5d43a26f86bd1df724656dd205e58f485bb8c093a95f47a31265e929c2cd8f

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
c4691f22a5a2277e39025c6b4ca5b73b

SHA1
9d02101d0732c456701a698ce6602595f526e751

SHA256
5d986d56f720e93a96321eda7aba0c7fcbaf2a5a767579d06f76532b50cb5586

SHA512
70b878ea99c426f48de0781fb76a55cd42d2e23afc1acc0dbee23842ffc54680de5d43a26f86bd1df724656dd205e58f485bb8c093a95f47a31265e929c2cd8f

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
c4691f22a5a2277e39025c6b4ca5b73b

SHA1
9d02101d0732c456701a698ce6602595f526e751

SHA256
5d986d56f720e93a96321eda7aba0c7fcbaf2a5a767579d06f76532b50cb5586

SHA512
70b878ea99c426f48de0781fb76a55cd42d2e23afc1acc0dbee23842ffc54680de5d43a26f86bd1df724656dd205e58f485bb8c093a95f47a31265e929c2cd8f

Download Submit
C:\Windows\devE57E.tmp

Filesize
96KB

MD5
dcb9bf59a0e4a690c759b1755c66cbbd

SHA1
839e1b3e98a189c0cc0466e422ee638a187efc1d

SHA256
d932ad3629b134d2a88e929f1f17822bb54fa86a47df2e07db1b681e1500717a

SHA512
af1f9645dbfe8f2669f3df2f0dc2f4779c1cb8d763e6651eca08e627872040a1cf0baee6bc2aaa76eaa63f165c59689be8c47743229235fe66dd387b7a1a08e6

Download Submit
memory/2568-7-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2568-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2648-19-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3248-14-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3248-17-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5000-20-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads