eec8cae0b3bab92864fc513b45f991ab9720ce5d71aec9c70d5761c6fbfd8638

Analysis

max time kernel
17s
max time network
124s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
03/11/2023, 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.dc5679d0690879da7e134a2b96a3d2e0.exe
Size

1.7MB
MD5

dc5679d0690879da7e134a2b96a3d2e0
SHA1

2dda0d6115908df85eae0f8203ed390c62dfbcbe
SHA256

eec8cae0b3bab92864fc513b45f991ab9720ce5d71aec9c70d5761c6fbfd8638
SHA512

98f4933d1da0d795d9f1a74109aab008ed7df8ba71a4538cedf452a4d65743373d8f466e3b94f4594c361bccd1bcc9713963ed52df6ae3eb8383b0fb73c2e1a6
SSDEEP

24576:M51xYOcS9in6bxcqbF8fYTOYKbDurSUQN7kBG+JqJS+WOZseId9x0FOXr2rly8:MtYOcS4neHbyfYTOYKPu/gEjiEO5ItDe

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1716	MSWDM.EXE
2580	MSWDM.EXE
2808	NEAS.DC5679D0690879DA7E134A2B96A3D2E0.EXE
368	MSWDM.EXE

Loads dropped DLL 1 IoCs

pid	Process
2580	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	NEAS.dc5679d0690879da7e134a2b96a3d2e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	NEAS.dc5679d0690879da7e134a2b96a3d2e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	NEAS.dc5679d0690879da7e134a2b96a3d2e0.exe
File opened for modification	C:\Windows\dev67E7.tmp	NEAS.dc5679d0690879da7e134a2b96a3d2e0.exe
File opened for modification	C:\Windows\dev67E7.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2580	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 1716	2568	NEAS.dc5679d0690879da7e134a2b96a3d2e0.exe	29
PID 2568 wrote to memory of 1716	2568	NEAS.dc5679d0690879da7e134a2b96a3d2e0.exe	29
PID 2568 wrote to memory of 1716	2568	NEAS.dc5679d0690879da7e134a2b96a3d2e0.exe	29
PID 2568 wrote to memory of 1716	2568	NEAS.dc5679d0690879da7e134a2b96a3d2e0.exe	29
PID 2568 wrote to memory of 2580	2568	NEAS.dc5679d0690879da7e134a2b96a3d2e0.exe	28
PID 2568 wrote to memory of 2580	2568	NEAS.dc5679d0690879da7e134a2b96a3d2e0.exe	28
PID 2568 wrote to memory of 2580	2568	NEAS.dc5679d0690879da7e134a2b96a3d2e0.exe	28
PID 2568 wrote to memory of 2580	2568	NEAS.dc5679d0690879da7e134a2b96a3d2e0.exe	28
PID 2580 wrote to memory of 2808	2580	MSWDM.EXE	31
PID 2580 wrote to memory of 2808	2580	MSWDM.EXE	31
PID 2580 wrote to memory of 2808	2580	MSWDM.EXE	31
PID 2580 wrote to memory of 2808	2580	MSWDM.EXE	31
PID 2580 wrote to memory of 368	2580	MSWDM.EXE	32
PID 2580 wrote to memory of 368	2580	MSWDM.EXE	32
PID 2580 wrote to memory of 368	2580	MSWDM.EXE	32
PID 2580 wrote to memory of 368	2580	MSWDM.EXE	32

C:\Users\Admin\AppData\Local\Temp\NEAS.dc5679d0690879da7e134a2b96a3d2e0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.dc5679d0690879da7e134a2b96a3d2e0.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2568
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev67E7.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.dc5679d0690879da7e134a2b96a3d2e0.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Users\Admin\AppData\Local\Temp\NEAS.DC5679D0690879DA7E134A2B96A3D2E0.EXE
    3⤵
    - Executes dropped EXE
    PID:2808
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev67E7.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.DC5679D0690879DA7E134A2B96A3D2E0.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:368
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.DC5679D0690879DA7E134A2B96A3D2E0.EXE

Filesize
1.7MB

MD5
b18297cdf2d6838e0d8bb89a39ff897e

SHA1
98dfd89b6e1b7f6a6822f01b804506a11814edc1

SHA256
4794234ff5370cecfaf779da311b8d2f1ab27466b9412b341704545b3ec64964

SHA512
55f732817f0bc777cbf2f2f7d006bb731318ed1307018ac4eae2725c34ad9aab2fdf34f4724c40be6e0e9cd3a3f3e43b9f0835d2b28a80111a4892989dafd60c

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.DC5679D0690879DA7E134A2B96A3D2E0.EXE

Filesize
1.7MB

MD5
b18297cdf2d6838e0d8bb89a39ff897e

SHA1
98dfd89b6e1b7f6a6822f01b804506a11814edc1

SHA256
4794234ff5370cecfaf779da311b8d2f1ab27466b9412b341704545b3ec64964

SHA512
55f732817f0bc777cbf2f2f7d006bb731318ed1307018ac4eae2725c34ad9aab2fdf34f4724c40be6e0e9cd3a3f3e43b9f0835d2b28a80111a4892989dafd60c

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.dc5679d0690879da7e134a2b96a3d2e0.exe

Filesize
35KB

MD5
6a7c4dc0fe5a8a33154566b5071b47c4

SHA1
265a1bcc6b6a6be7a7ad35194fb4984d7bb7ef88

SHA256
152944690bb39772fc594430205be704f7068c7a4bbcbe58074ebceab9911cf4

SHA512
8340ed45634757d05c95031541e8f655aabc7c7f4eab2caaf623c8b34bd0b2b08bb2c30f5f34faaee176b18730607308d492b1be10e098837fb6a450f344cf3e

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
1.6MB

MD5
f9ed12858fd2b6abe080629b84d15a55

SHA1
d4479bd054238237663ea0183e6b51312f724268

SHA256
585d1d779c5b2ed597675e6a1a807762e7c6122ba001d732253df04162fe809e

SHA512
df440dbaf60f360fff2ea150f48f9f88d8f0c41ac9222b5f774c734410b6b31cf603096b341ea2ee85a552eb201a2982addd8979e2a59002918288d81da6c783

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
f9ed12858fd2b6abe080629b84d15a55

SHA1
d4479bd054238237663ea0183e6b51312f724268

SHA256
585d1d779c5b2ed597675e6a1a807762e7c6122ba001d732253df04162fe809e

SHA512
df440dbaf60f360fff2ea150f48f9f88d8f0c41ac9222b5f774c734410b6b31cf603096b341ea2ee85a552eb201a2982addd8979e2a59002918288d81da6c783

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
f9ed12858fd2b6abe080629b84d15a55

SHA1
d4479bd054238237663ea0183e6b51312f724268

SHA256
585d1d779c5b2ed597675e6a1a807762e7c6122ba001d732253df04162fe809e

SHA512
df440dbaf60f360fff2ea150f48f9f88d8f0c41ac9222b5f774c734410b6b31cf603096b341ea2ee85a552eb201a2982addd8979e2a59002918288d81da6c783

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
f9ed12858fd2b6abe080629b84d15a55

SHA1
d4479bd054238237663ea0183e6b51312f724268

SHA256
585d1d779c5b2ed597675e6a1a807762e7c6122ba001d732253df04162fe809e

SHA512
df440dbaf60f360fff2ea150f48f9f88d8f0c41ac9222b5f774c734410b6b31cf603096b341ea2ee85a552eb201a2982addd8979e2a59002918288d81da6c783

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
f9ed12858fd2b6abe080629b84d15a55

SHA1
d4479bd054238237663ea0183e6b51312f724268

SHA256
585d1d779c5b2ed597675e6a1a807762e7c6122ba001d732253df04162fe809e

SHA512
df440dbaf60f360fff2ea150f48f9f88d8f0c41ac9222b5f774c734410b6b31cf603096b341ea2ee85a552eb201a2982addd8979e2a59002918288d81da6c783

Download Submit
C:\Windows\dev67E7.tmp

Filesize
35KB

MD5
6a7c4dc0fe5a8a33154566b5071b47c4

SHA1
265a1bcc6b6a6be7a7ad35194fb4984d7bb7ef88

SHA256
152944690bb39772fc594430205be704f7068c7a4bbcbe58074ebceab9911cf4

SHA512
8340ed45634757d05c95031541e8f655aabc7c7f4eab2caaf623c8b34bd0b2b08bb2c30f5f34faaee176b18730607308d492b1be10e098837fb6a450f344cf3e

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.dc5679d0690879da7e134a2b96a3d2e0.exe

Filesize
35KB

MD5
6a7c4dc0fe5a8a33154566b5071b47c4

SHA1
265a1bcc6b6a6be7a7ad35194fb4984d7bb7ef88

SHA256
152944690bb39772fc594430205be704f7068c7a4bbcbe58074ebceab9911cf4

SHA512
8340ed45634757d05c95031541e8f655aabc7c7f4eab2caaf623c8b34bd0b2b08bb2c30f5f34faaee176b18730607308d492b1be10e098837fb6a450f344cf3e

Download Submit
memory/368-28-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1716-13-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1716-31-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2568-12-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2568-17-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download
memory/2568-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2568-32-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download
memory/2580-19-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2580-30-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download