Analysis

max time kernel:   14s
max time network:  124s
platform:          windows7_x64
resource:          win7-20231020-en
resource tags:     arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted:         03/11/2023, 17:56
Static task
  static1

Behavioral task
  behavioral1
  Sample:   NEAS.d9ea6182e384edab592f8da1b4e74829_JC.exe
  Resource: win7-20231020-en

Behavioral task
  behavioral2
  Sample:   NEAS.d9ea6182e384edab592f8da1b4e74829_JC.exe
  Resource: win10v2004-20231023-en

(The signatures, process tree and PIDs below are from behavioral1, the windows7_x64 run named in the Analysis header.)
General

Target:  NEAS.d9ea6182e384edab592f8da1b4e74829_JC.exe
Size:    1.8MB
MD5:     d9ea6182e384edab592f8da1b4e74829
SHA1:    ae55575de1569ee31ec2ae83dbed7b2b94e2fe40
SHA256:  ed7e89f522631e964cae6c525bad9fc727c6db993cddbbbd2b3ee7d0d40bf3a2
SHA512:  3ddc6606261dbe587b9e9b9d90a012c6fe43790fcaced8ce48efde3708b01c7e249a7ad680daee9da7cb4149f9716c0133e7e840490f627bdb9f92c49ab029ea
SSDEEP:  49152:MtBcS4neHbyfYTOYKPu/gEjiEO5ItDF4P:MtaS4neHvZjiEO5IhY

(The submitted file name embeds the sample's MD5.)
Malware Config

Signatures
Executes dropped EXE (4 IoCs)

  PID   Process
  3024  MSWDM.EXE
  2464  MSWDM.EXE
  2828  NEAS.D9EA6182E384EDAB592F8DA1B4E74829_JC.EXE
  2124  MSWDM.EXE

Note that the sample's own path (PID 2828, upper-cased) is counted as a dropped EXE: the file at that path was rewritten during the run before MSWDM.EXE re-executed it.
Loads dropped DLL (1 IoC)

  PID   Process
  2464  MSWDM.EXE
Adds Run key to start application (2 TTPs, 4 IoCs)

  Description      IoC                                                                                        Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"          NEAS.d9ea6182e384edab592f8da1b4e74829_JC.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"  NEAS.d9ea6182e384edab592f8da1b4e74829_JC.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"          MSWDM.EXE
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"  MSWDM.EXE

Three points worth noting for hunting:
  - The key lands under Wow6432Node because a 32-bit process (see the arch:x86 tag) wrote to HKLM\SOFTWARE on 64-bit Windows and the registry redirector moved it; on a 32-bit host the same write appears directly under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  - The value data is the bare name "MSWDM.EXE" with no directory, so the autostart is resolved through the normal executable search path; it works only because the payload was dropped into C:\WINDOWS. Legitimate installers almost always write a full path, which makes bare-name Run values a cheap generic heuristic.
  - RunServices is a Windows 9x/ME-era key that NT-based Windows (including the Windows 7 and Windows 10 images used here) does not process, so the second entry is inert on this platform and points to old code being reused. Both the sample and the dropped copy write the keys, so the persistence is re-asserted on every execution.
Drops file in Windows directory (3 IoCs)

  Description                   IoC                        Process
  File opened for modification  C:\Windows\dev5DE8.tmp     MSWDM.EXE
  File created                  C:\WINDOWS\MSWDM.EXE       NEAS.d9ea6182e384edab592f8da1b4e74829_JC.exe
  File opened for modification  C:\Windows\dev5DE8.tmp     NEAS.d9ea6182e384edab592f8da1b4e74829_JC.exe

The name dev5DE8.tmp has the shape GetTempFileName produces (up to three prefix characters, a hex counter, ".tmp"), so the four hex digits should be expected to differ from run to run; hunt on the "dev" prefix in C:\Windows plus the MSWDM.EXE drop rather than on the literal file name. Writing to C:\Windows requires an elevated process, consistent with the sandbox running the sample as Admin.
Suspicious behavior: EnumeratesProcesses (1 IoC)

  PID   Process
  2464  MSWDM.EXE
Suspicious use of WriteProcessMemory (16 IoCs)

Each of the four parent/child pairs is recorded four times in the raw report; procid_target is the report's internal process reference, not the target PID.

  Source PID  Source process                                 Target PID  procid_target  Occurrences
  2020        NEAS.d9ea6182e384edab592f8da1b4e74829_JC.exe  3024        28             4
  2020        NEAS.d9ea6182e384edab592f8da1b4e74829_JC.exe  2464        31             4
  2464        MSWDM.EXE                                      2828        29             4
  2464        MSWDM.EXE                                      2124        30             4

These writes coincide with child-process creation (the sample creates 3024 and 2464; 2464 creates 2828 and 2124), which is how this sandbox commonly surfaces CreateProcess, so on their own they do not establish code injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.d9ea6182e384edab592f8da1b4e74829_JC.exe  (PID 2020)
  command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.d9ea6182e384edab592f8da1b4e74829_JC.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\WINDOWS\MSWDM.EXE  (PID 3024)
  |     command line: "C:\WINDOWS\MSWDM.EXE"
  |     - Executes dropped EXE
  |     - Adds Run key to start application
  |
  +-- C:\WINDOWS\MSWDM.EXE  (PID 2464)
        command line: -r!C:\Windows\dev5DE8.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.d9ea6182e384edab592f8da1b4e74829_JC.exe! !
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        |
        +-- C:\Users\Admin\AppData\Local\Temp\NEAS.D9EA6182E384EDAB592F8DA1B4E74829_JC.EXE  (PID 2828)
              - Executes dropped EXE

C:\WINDOWS\MSWDM.EXE  (PID 2124)
  command line: -e!C:\Windows\dev5DE8.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.D9EA6182E384EDAB592F8DA1B4E74829_JC.EXE!
  - Executes dropped EXE
  - Drops file in Windows directory

The report renders PID 2124 at the top level, but the WriteProcessMemory entries (2464 -> 2124) show it was started by PID 2464. The dropped copy is launched three ways: once with no arguments (3024), once with "-r!<tmp>!<original>! !" (2464) and once with "-e!<tmp>!<original>!" (2124). The argument grammar uses "!" as the delimiter, with the paths passed in full (no quoting), and the original sample path is handed over in upper case and then re-executed as PID 2828. Taken together with the "File opened for modification" entries on dev5DE8.tmp, this is consistent with the payload staging a copy of the original file through the temp file and rewriting the file at the original path before running it; the report itself does not state what the -r and -e modes do.
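The process tree and the Run-key writes above give three hunt-worthy traits: MSWDM.EXE executing directly from the Windows directory, the "-r!<tmp>!<target>!" / "-e!<tmp>!<target>!" argument grammar, and a bare file name written to an autorun key. The script below is an added example (not part of the sandbox report, and not a vendor detection rule) that applies those three checks to constructed, Sysmon-style records shaped after Event ID 1 (process create) and Event ID 13 (registry value set). The dict field names are an assumption modelled on Sysmon's fields, the two benign records are made up to show non-matches, and only the PIDs, paths, command lines and registry values are taken from the report.

```python
"""Hunt logic for the MSWDM.EXE dropper traits in the report above.

Added example, not report or vendor code. Events are CONSTRUCTED dicts shaped
after Sysmon Event ID 1 (process create) and 13 (registry value set); the field
names are an assumption, not a real log export.
"""
import re
from dataclasses import dataclass

# Autorun keys in both the report's native form (\REGISTRY\MACHINE\...) and
# Sysmon's HKLM\... form; Wow6432Node covers a 32-bit writer on 64-bit Windows.
AUTORUN_KEY_RE = re.compile(
    r"\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce|RunServices)\\",
    re.IGNORECASE,
)
# The payload runs from a fixed name directly under the Windows directory.
MSWDM_IMAGE_RE = re.compile(r"^[a-z]:\\windows\\mswdm\.exe$", re.IGNORECASE)
# '-r!<tmp>!<target>!' / '-e!<tmp>!<target>!' grammar. Paths run up to the next
# '!' instead of being split on spaces, so "C:\Program Files\..." targets work.
# The dev####.tmp name is deliberately not matched: its hex suffix varies per run.
BANG_ARGS_RE = re.compile(
    r"(?:^|\s)-(?P<mode>[re])!(?P<tmp>[^!]+)!(?P<target>[^!]+)!", re.IGNORECASE
)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def parse_mswdm_args(cmdline: str):
    """Return {'mode', 'tmp', 'target'} for the bang-delimited form, else None."""
    m = BANG_ARGS_RE.search(cmdline)
    if not m:
        return None
    return {"mode": m["mode"].lower(), "tmp": m["tmp"], "target": m["target"]}


def hunt(events):
    """Apply the three checks to a list of event dicts; return Findings in order."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1:
            if MSWDM_IMAGE_RE.match(ev["Image"]):
                findings.append(Finding("mswdm_image_in_windows_dir", ev["ProcessId"], ev["Image"]))
            parsed = parse_mswdm_args(ev["CommandLine"])
            if parsed:
                findings.append(Finding("mswdm_bang_delimited_args", ev["ProcessId"],
                                        f"mode={parsed['mode']} tmp={parsed['tmp']} target={parsed['target']}"))
        elif ev["EventID"] == 13:
            m = AUTORUN_KEY_RE.search(ev["TargetObject"])
            # Heuristic: a bare file name in an autorun value is resolved via the
            # executable search path; legitimate installers write full paths.
            if m and "\\" not in ev["Details"]:
                rule = ("autorun_legacy_runservices_key" if m[1].lower() == "runservices"
                        else "autorun_bare_value")
                findings.append(Finding(rule, ev["ProcessId"], f"{ev['TargetObject']} = {ev['Details']}"))
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\NEAS.d9ea6182e384edab592f8da1b4e74829_JC.exe"
SAMPLE_UC = r"C:\Users\Admin\AppData\Local\Temp\NEAS.D9EA6182E384EDAB592F8DA1B4E74829_JC.EXE"
RUN = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM"
RUNSVC = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM"

SAMPLE_EVENTS = [  # constructed from the report's process tree and registry writes
    {"EventID": 1, "ProcessId": 2020, "Image": SAMPLE, "CommandLine": f'"{SAMPLE}"'},
    {"EventID": 13, "ProcessId": 2020, "TargetObject": RUN, "Details": "MSWDM.EXE"},
    {"EventID": 13, "ProcessId": 2020, "TargetObject": RUNSVC, "Details": "MSWDM.EXE"},
    {"EventID": 1, "ProcessId": 3024, "Image": r"C:\WINDOWS\MSWDM.EXE", "CommandLine": r'"C:\WINDOWS\MSWDM.EXE"'},
    {"EventID": 13, "ProcessId": 3024, "TargetObject": RUN, "Details": "MSWDM.EXE"},
    {"EventID": 13, "ProcessId": 3024, "TargetObject": RUNSVC, "Details": "MSWDM.EXE"},
    {"EventID": 1, "ProcessId": 2464, "Image": r"C:\WINDOWS\MSWDM.EXE",
     "CommandLine": r"-r!C:\Windows\dev5DE8.tmp!" + SAMPLE + "! !"},
    {"EventID": 1, "ProcessId": 2124, "Image": r"C:\WINDOWS\MSWDM.EXE",
     "CommandLine": r"-e!C:\Windows\dev5DE8.tmp!" + SAMPLE_UC + "!"},
    # made-up benign activity: a '!' inside a document path, and a full-path Run value
    {"EventID": 1, "ProcessId": 4100, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'notepad.exe "C:\Users\Admin\Documents\todo!today.txt"'},
    {"EventID": 13, "ProcessId": 4200,
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Program Files\Example\updater.exe /silent"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.rule:32} pid={f.pid:<5} {f.detail}")
```

Run as-is it reports nine findings across PIDs 2020, 3024, 2464 and 2124 and nothing for the two benign records. The argument check is the most specific of the three and survives the temp-file name changing; the bare-name autorun check is generic and will fire on other droppers, so treat it as a lead rather than a verdict.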
Network

MITRE ATT&CK Enterprise v15

The Run-key writes above correspond to T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder); the report lists no further technique mappings.
Downloads

The report lists three distinct dropped files (the 1.8MB entry twice, the 141KB entry three times and the 1.6MB entry five times); duplicates are collapsed here. It does not map these hashes to the file paths above, and none of them matches the submitted sample's hashes, so the 1.8MB file is a different file of the same size.

Filesize: 1.8MB  (listed 2 times)
  MD5:     8388e1134cf3479217e3b61258ba1fb9
  SHA1:    39e4353b63d0d7aa15d2e7814f26e51685188a20
  SHA256:  fca56da67b0d869c9dfcd11749e84ac536aae30063130e472d44b5935d774ad2
  SHA512:  7ff33bef839da3294fd0badf98f47f1a7340819ad8aeaa0532a707d77d74f6736cd8f6d819a1d6ae1335f20baf3ab346d0479b1036a9dee89ca7a2e15a977c8a

Filesize: 141KB  (listed 3 times)
  MD5:     5a432a042dae460abe7199b758e8606c
  SHA1:    821b965267ee15c6c59178777ae7a8dcfc80f4ba
  SHA256:  6e5d1f477d290905be27cebf9572bac6b05ffef2fad901d3c8e11f665f8b9a71
  SHA512:  72823cc212c585a8080122c416e66fe28cb5a1787ae384d52b2068aec4a16944ed10731c622c1db0d8035aee7b5706bc7d2a4e6295a6ce3e50eb4895cc968c75

Filesize: 1.6MB  (listed 5 times)
  MD5:     ea6e5561df9426c79ba0debded2866b6
  SHA1:    7965c4bf645798fa5aa5a41199f8f9681925fa29
  SHA256:  071b0053a9795a632c406ce47a6312586bc5de08c9430efc08d21d1f62d743ef
  SHA512:  593a3664ddc245bf3d4d9e7aabd367da804003d462b69d8ddfef4a53968ed0b1efd08d5fbfe6ababe6236e565025fb89df9dc03651158888edfc3950978e31eb