eec8cae0b3bab92864fc513b45f991ab9720ce5d71aec9c70d5761c6fbfd8638

General

Target

NEAS.dc5679d0690879da7e134a2b96a3d2e0.exe
Size

1.7MB
MD5

dc5679d0690879da7e134a2b96a3d2e0
SHA1

2dda0d6115908df85eae0f8203ed390c62dfbcbe
SHA256

eec8cae0b3bab92864fc513b45f991ab9720ce5d71aec9c70d5761c6fbfd8638
SHA512

98f4933d1da0d795d9f1a74109aab008ed7df8ba71a4538cedf452a4d65743373d8f466e3b94f4594c361bccd1bcc9713963ed52df6ae3eb8383b0fb73c2e1a6
SSDEEP

24576:M51xYOcS9in6bxcqbF8fYTOYKbDurSUQN7kBG+JqJS+WOZseId9x0FOXr2rly8:MtYOcS4neHbyfYTOYKPu/gEjiEO5ItDe

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3440	MSWDM.EXE
4064	MSWDM.EXE
4060	NEAS.DC5679D0690879DA7E134A2B96A3D2E0.EXE
3068	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	NEAS.dc5679d0690879da7e134a2b96a3d2e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	NEAS.dc5679d0690879da7e134a2b96a3d2e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	NEAS.dc5679d0690879da7e134a2b96a3d2e0.exe
File opened for modification	C:\Windows\dev6FCC.tmp	NEAS.dc5679d0690879da7e134a2b96a3d2e0.exe
File opened for modification	C:\Windows\dev6FCC.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4064	MSWDM.EXE
4064	MSWDM.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 3440	2056	NEAS.dc5679d0690879da7e134a2b96a3d2e0.exe	90
PID 2056 wrote to memory of 3440	2056	NEAS.dc5679d0690879da7e134a2b96a3d2e0.exe	90
PID 2056 wrote to memory of 3440	2056	NEAS.dc5679d0690879da7e134a2b96a3d2e0.exe	90
PID 2056 wrote to memory of 4064	2056	NEAS.dc5679d0690879da7e134a2b96a3d2e0.exe	91
PID 2056 wrote to memory of 4064	2056	NEAS.dc5679d0690879da7e134a2b96a3d2e0.exe	91
PID 2056 wrote to memory of 4064	2056	NEAS.dc5679d0690879da7e134a2b96a3d2e0.exe	91
PID 4064 wrote to memory of 4060	4064	MSWDM.EXE	92
PID 4064 wrote to memory of 4060	4064	MSWDM.EXE	92
PID 4064 wrote to memory of 4060	4064	MSWDM.EXE	92
PID 4064 wrote to memory of 3068	4064	MSWDM.EXE	94
PID 4064 wrote to memory of 3068	4064	MSWDM.EXE	94
PID 4064 wrote to memory of 3068	4064	MSWDM.EXE	94

C:\Users\Admin\AppData\Local\Temp\NEAS.dc5679d0690879da7e134a2b96a3d2e0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.dc5679d0690879da7e134a2b96a3d2e0.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2056
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3440
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev6FCC.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.dc5679d0690879da7e134a2b96a3d2e0.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4064
- - C:\Users\Admin\AppData\Local\Temp\NEAS.DC5679D0690879DA7E134A2B96A3D2E0.EXE
    3⤵
    - Executes dropped EXE
    PID:4060
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev6FCC.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.DC5679D0690879DA7E134A2B96A3D2E0.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.DC5679D0690879DA7E134A2B96A3D2E0.EXE

Filesize
1.7MB

MD5
4acf7411d7a88b85c37e93c516d9d3b2

SHA1
b102bffa652374ee0b0335c7b81127005db2ad19

SHA256
f60184c3d59d74f81ff21626455dd74b287337c50ccbe854868973b6b940845f

SHA512
c3cbcce16197a4cc7ee92c72ae838a7646271f3c4a7273bb19969bd3ad464952e050c6a58acf714f6f419344ac8fa5fe3c4bae0cb8fa91d48af07136b664a2c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.DC5679D0690879DA7E134A2B96A3D2E0.EXE

Filesize
1.7MB

MD5
4acf7411d7a88b85c37e93c516d9d3b2

SHA1
b102bffa652374ee0b0335c7b81127005db2ad19

SHA256
f60184c3d59d74f81ff21626455dd74b287337c50ccbe854868973b6b940845f

SHA512
c3cbcce16197a4cc7ee92c72ae838a7646271f3c4a7273bb19969bd3ad464952e050c6a58acf714f6f419344ac8fa5fe3c4bae0cb8fa91d48af07136b664a2c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.dc5679d0690879da7e134a2b96a3d2e0.exe

Filesize
35KB

MD5
6a7c4dc0fe5a8a33154566b5071b47c4

SHA1
265a1bcc6b6a6be7a7ad35194fb4984d7bb7ef88

SHA256
152944690bb39772fc594430205be704f7068c7a4bbcbe58074ebceab9911cf4

SHA512
8340ed45634757d05c95031541e8f655aabc7c7f4eab2caaf623c8b34bd0b2b08bb2c30f5f34faaee176b18730607308d492b1be10e098837fb6a450f344cf3e

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
1.6MB

MD5
f9ed12858fd2b6abe080629b84d15a55

SHA1
d4479bd054238237663ea0183e6b51312f724268

SHA256
585d1d779c5b2ed597675e6a1a807762e7c6122ba001d732253df04162fe809e

SHA512
df440dbaf60f360fff2ea150f48f9f88d8f0c41ac9222b5f774c734410b6b31cf603096b341ea2ee85a552eb201a2982addd8979e2a59002918288d81da6c783

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
f9ed12858fd2b6abe080629b84d15a55

SHA1
d4479bd054238237663ea0183e6b51312f724268

SHA256
585d1d779c5b2ed597675e6a1a807762e7c6122ba001d732253df04162fe809e

SHA512
df440dbaf60f360fff2ea150f48f9f88d8f0c41ac9222b5f774c734410b6b31cf603096b341ea2ee85a552eb201a2982addd8979e2a59002918288d81da6c783

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
f9ed12858fd2b6abe080629b84d15a55

SHA1
d4479bd054238237663ea0183e6b51312f724268

SHA256
585d1d779c5b2ed597675e6a1a807762e7c6122ba001d732253df04162fe809e

SHA512
df440dbaf60f360fff2ea150f48f9f88d8f0c41ac9222b5f774c734410b6b31cf603096b341ea2ee85a552eb201a2982addd8979e2a59002918288d81da6c783

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
f9ed12858fd2b6abe080629b84d15a55

SHA1
d4479bd054238237663ea0183e6b51312f724268

SHA256
585d1d779c5b2ed597675e6a1a807762e7c6122ba001d732253df04162fe809e

SHA512
df440dbaf60f360fff2ea150f48f9f88d8f0c41ac9222b5f774c734410b6b31cf603096b341ea2ee85a552eb201a2982addd8979e2a59002918288d81da6c783

Download Submit
C:\Windows\dev6FCC.tmp

Filesize
35KB

MD5
6a7c4dc0fe5a8a33154566b5071b47c4

SHA1
265a1bcc6b6a6be7a7ad35194fb4984d7bb7ef88

SHA256
152944690bb39772fc594430205be704f7068c7a4bbcbe58074ebceab9911cf4

SHA512
8340ed45634757d05c95031541e8f655aabc7c7f4eab2caaf623c8b34bd0b2b08bb2c30f5f34faaee176b18730607308d492b1be10e098837fb6a450f344cf3e

Download Submit
memory/2056-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2056-8-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3068-17-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3440-20-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4064-7-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4064-19-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads