5fea23e919d3ffa1fe5ca1ef80165f4d00e97e315098c8601f0b0ab8786bb327

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
03/11/2023, 15:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.08d6a612caf1d5fb25258af7c6857fb0.exe
Size

241KB
MD5

08d6a612caf1d5fb25258af7c6857fb0
SHA1

e9153f122e7d708d2513c1d8a6f0e4ee972e09f3
SHA256

5fea23e919d3ffa1fe5ca1ef80165f4d00e97e315098c8601f0b0ab8786bb327
SHA512

bf3b91eaca64871be8de66a1f8a7944d486112868e72235e265e6b4d98b8a41b48bec7c90a8c6b64c611cd58046da83c2288be9b171eae51357b0dffff8e4608
SSDEEP

3072:oNzztfivMVMYuFkV3qBnFqOLp4mvy2ACh3+j5z8UcTr/C:oVz8YurEmvy2AChozwPC

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1876	winword.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ieuu = "\"C:\\Users\\Admin\\AppData\\Roaming\\ICROSO~1\\winword.exe\" -vt yazb"	winword.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\ICROSO~1\winword.exe:bla	NEAS.08d6a612caf1d5fb25258af7c6857fb0.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4640 wrote to memory of 1876	4640	NEAS.08d6a612caf1d5fb25258af7c6857fb0.exe	84
PID 4640 wrote to memory of 1876	4640	NEAS.08d6a612caf1d5fb25258af7c6857fb0.exe	84
PID 4640 wrote to memory of 1876	4640	NEAS.08d6a612caf1d5fb25258af7c6857fb0.exe	84

C:\Users\Admin\AppData\Local\Temp\NEAS.08d6a612caf1d5fb25258af7c6857fb0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.08d6a612caf1d5fb25258af7c6857fb0.exe"
1⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:4640
- C:\Users\Admin\AppData\Roaming\ICROSO~1\winword.exe
  C:\Users\Admin\AppData\Roaming\ICROSO~1\winword.exe --ru -vt yazb
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ICROSO~1\winword.exe

Filesize
241KB

MD5
48e6383a33e2d57abc7191db048094d8

SHA1
86cf29ef6cb50c64ce8a3f499da1558cd5f4ed9f

SHA256
91192cb6708da1b4029c6baa8fe966f649439d0f8ea12ef5c22d9e036e1d07a9

SHA512
c734f61d09846dcfa57413d6ad37437b65f40f5f32d585a39ba482bf04208afa445e7b7748a8f4e5462887422b65e1d37ff42819ce6538cdbadfd6cb23a938d5

Download Submit
C:\Users\Admin\AppData\Roaming\Мicrosoft\winword.exe

Filesize
241KB

MD5
48e6383a33e2d57abc7191db048094d8

SHA1
86cf29ef6cb50c64ce8a3f499da1558cd5f4ed9f

SHA256
91192cb6708da1b4029c6baa8fe966f649439d0f8ea12ef5c22d9e036e1d07a9

SHA512
c734f61d09846dcfa57413d6ad37437b65f40f5f32d585a39ba482bf04208afa445e7b7748a8f4e5462887422b65e1d37ff42819ce6538cdbadfd6cb23a938d5

Download Submit
memory/4640-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads