71c83bc08587be2dd2114027acb1f827da1440136411d02a51c34e601d610f61

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
03/11/2023, 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.d965b988b4d6ea6aa808dab36eb470d0.exe
Size

153KB
MD5

d965b988b4d6ea6aa808dab36eb470d0
SHA1

11b366e16c16c0005857a2404a7817574125cd5a
SHA256

71c83bc08587be2dd2114027acb1f827da1440136411d02a51c34e601d610f61
SHA512

fc1e5d6158fcffc91a823263b223b1d508556e2b192e7ad723d2b02553ba9f8991c77eee3ce95419d3b75bbddaf9bce48d4a77355c952ea521a2d2e987434e58
SSDEEP

3072:ZHrEI6rvvMV0nE17B+TnFnW5/bi13lNvuCLeEPbUXHrJ61e4:5wHMV0nE1l+LtuTS/aSUXLJC

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
2316	wwljcul.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\wwljcul.exe	NEAS.d965b988b4d6ea6aa808dab36eb470d0.exe
File created	C:\PROGRA~3\Mozilla\sdwojsn.dll	wwljcul.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 2316	2672	taskeng.exe	29
PID 2672 wrote to memory of 2316	2672	taskeng.exe	29
PID 2672 wrote to memory of 2316	2672	taskeng.exe	29
PID 2672 wrote to memory of 2316	2672	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.d965b988b4d6ea6aa808dab36eb470d0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.d965b988b4d6ea6aa808dab36eb470d0.exe"
1⤵
- Drops file in Program Files directory
PID:2124

C:\Windows\system32\taskeng.exe
taskeng.exe {A748F6D4-B881-49B3-B221-8505D436F671} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2672
- C:\PROGRA~3\Mozilla\wwljcul.exe
  C:\PROGRA~3\Mozilla\wwljcul.exe -anxczaj
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\wwljcul.exe

Filesize
153KB

MD5
dad852aa250b4fd27439df820076e709

SHA1
00266b3b467ebe6b9fe321017231e2c5fd935d9a

SHA256
99727b4b39e1d12d3cb9865ee83a89c889233b52a4efb567950aad6b515a2a4f

SHA512
8753331533e4fe805625672c53974d86a7abe80e235b2bad0e3a7b0dc78fbd9fd99603f10d248cee7de5430a8ad8e86b551b59e3ce1510f765b508557408098f

Download Submit
C:\PROGRA~3\Mozilla\wwljcul.exe

Filesize
153KB

MD5
dad852aa250b4fd27439df820076e709

SHA1
00266b3b467ebe6b9fe321017231e2c5fd935d9a

SHA256
99727b4b39e1d12d3cb9865ee83a89c889233b52a4efb567950aad6b515a2a4f

SHA512
8753331533e4fe805625672c53974d86a7abe80e235b2bad0e3a7b0dc78fbd9fd99603f10d248cee7de5430a8ad8e86b551b59e3ce1510f765b508557408098f

Download Submit
memory/2124-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2124-1-0x00000000002A0000-0x00000000002A2000-memory.dmp

Filesize
8KB

Download
memory/2124-2-0x00000000002B0000-0x000000000030B000-memory.dmp

Filesize
364KB

Download
memory/2124-8-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2316-11-0x00000000002F0000-0x000000000034B000-memory.dmp

Filesize
364KB

Download
memory/2316-17-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download