08a577f2736fab5156d8c01dcdaa1d2d664edb1c9d3f50f8f203cb1b85560dd5

Analysis

max time kernel
121s
max time network
127s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
03/11/2023, 08:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.338ea3abcd760c605a5755d49322cad0.exe
Size

134KB
MD5

338ea3abcd760c605a5755d49322cad0
SHA1

20ebf31d149f5ef4700687baf42d619cc5b5fae1
SHA256

08a577f2736fab5156d8c01dcdaa1d2d664edb1c9d3f50f8f203cb1b85560dd5
SHA512

c2e7291c2e386758bf69ae670fd1d415e6e165f029adb6bb56ff906ae67a06e18a545f6bd0ef662582e1a2bdb0278a444661a83cc672937222ed422bd1b1318f
SSDEEP

3072:jcjzzvzm/Z7Uy1tVkBiyyUzGBk9VeFS43tqPJpPso:Ua/ZT/UKBk749Cv

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
2664	kymnayk.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\kymnayk.exe	NEAS.338ea3abcd760c605a5755d49322cad0.exe
File created	C:\PROGRA~3\Mozilla\iuxrktg.dll	kymnayk.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 2664	2152	taskeng.exe	29
PID 2152 wrote to memory of 2664	2152	taskeng.exe	29
PID 2152 wrote to memory of 2664	2152	taskeng.exe	29
PID 2152 wrote to memory of 2664	2152	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.338ea3abcd760c605a5755d49322cad0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.338ea3abcd760c605a5755d49322cad0.exe"
1⤵
- Drops file in Program Files directory
PID:3004

C:\Windows\system32\taskeng.exe
taskeng.exe {35224B2B-E9BA-4FDC-8827-20155BDA2805} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2152
- C:\PROGRA~3\Mozilla\kymnayk.exe
  C:\PROGRA~3\Mozilla\kymnayk.exe -dtmxjcd
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\kymnayk.exe

Filesize
134KB

MD5
15b0b4a78000b637442b0ed254ddbc58

SHA1
2981ba6c5a47ba515ae1533d361cc214f046848f

SHA256
1ae42000b79ee8203d759a7739ca9028e8053fc880d7365b3f5dcd836ded36c5

SHA512
f6dc8a429c695b0c4e84225464d33abe20ff099e019a9e3fd963433366786d786faf819cc5e1db5256e179a145b24a75e00b07dbcd9d1c00b28d0f9826921493

Download Submit
C:\PROGRA~3\Mozilla\kymnayk.exe

Filesize
134KB

MD5
15b0b4a78000b637442b0ed254ddbc58

SHA1
2981ba6c5a47ba515ae1533d361cc214f046848f

SHA256
1ae42000b79ee8203d759a7739ca9028e8053fc880d7365b3f5dcd836ded36c5

SHA512
f6dc8a429c695b0c4e84225464d33abe20ff099e019a9e3fd963433366786d786faf819cc5e1db5256e179a145b24a75e00b07dbcd9d1c00b28d0f9826921493

Download Submit
memory/2664-10-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2664-16-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3004-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3004-1-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3004-3-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3004-2-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/3004-7-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download