ed7e89f522631e964cae6c525bad9fc727c6db993cddbbbd2b3ee7d0d40bf3a2

Analysis

max time kernel
14s
max time network
124s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
03/11/2023, 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.d9ea6182e384edab592f8da1b4e74829_JC.exe
Size

1.8MB
MD5

d9ea6182e384edab592f8da1b4e74829
SHA1

ae55575de1569ee31ec2ae83dbed7b2b94e2fe40
SHA256

ed7e89f522631e964cae6c525bad9fc727c6db993cddbbbd2b3ee7d0d40bf3a2
SHA512

3ddc6606261dbe587b9e9b9d90a012c6fe43790fcaced8ce48efde3708b01c7e249a7ad680daee9da7cb4149f9716c0133e7e840490f627bdb9f92c49ab029ea
SSDEEP

49152:MtBcS4neHbyfYTOYKPu/gEjiEO5ItDF4P:MtaS4neHvZjiEO5IhY

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3024	MSWDM.EXE
2464	MSWDM.EXE
2828	NEAS.D9EA6182E384EDAB592F8DA1B4E74829_JC.EXE
2124	MSWDM.EXE

Loads dropped DLL 1 IoCs

pid	Process
2464	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	NEAS.d9ea6182e384edab592f8da1b4e74829_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	NEAS.d9ea6182e384edab592f8da1b4e74829_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\dev5DE8.tmp	MSWDM.EXE
File created	C:\WINDOWS\MSWDM.EXE	NEAS.d9ea6182e384edab592f8da1b4e74829_JC.exe
File opened for modification	C:\Windows\dev5DE8.tmp	NEAS.d9ea6182e384edab592f8da1b4e74829_JC.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2464	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 3024	2020	NEAS.d9ea6182e384edab592f8da1b4e74829_JC.exe	28
PID 2020 wrote to memory of 3024	2020	NEAS.d9ea6182e384edab592f8da1b4e74829_JC.exe	28
PID 2020 wrote to memory of 3024	2020	NEAS.d9ea6182e384edab592f8da1b4e74829_JC.exe	28
PID 2020 wrote to memory of 3024	2020	NEAS.d9ea6182e384edab592f8da1b4e74829_JC.exe	28
PID 2020 wrote to memory of 2464	2020	NEAS.d9ea6182e384edab592f8da1b4e74829_JC.exe	31
PID 2020 wrote to memory of 2464	2020	NEAS.d9ea6182e384edab592f8da1b4e74829_JC.exe	31
PID 2020 wrote to memory of 2464	2020	NEAS.d9ea6182e384edab592f8da1b4e74829_JC.exe	31
PID 2020 wrote to memory of 2464	2020	NEAS.d9ea6182e384edab592f8da1b4e74829_JC.exe	31
PID 2464 wrote to memory of 2828	2464	MSWDM.EXE	29
PID 2464 wrote to memory of 2828	2464	MSWDM.EXE	29
PID 2464 wrote to memory of 2828	2464	MSWDM.EXE	29
PID 2464 wrote to memory of 2828	2464	MSWDM.EXE	29
PID 2464 wrote to memory of 2124	2464	MSWDM.EXE	30
PID 2464 wrote to memory of 2124	2464	MSWDM.EXE	30
PID 2464 wrote to memory of 2124	2464	MSWDM.EXE	30
PID 2464 wrote to memory of 2124	2464	MSWDM.EXE	30

C:\Users\Admin\AppData\Local\Temp\NEAS.d9ea6182e384edab592f8da1b4e74829_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.d9ea6182e384edab592f8da1b4e74829_JC.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2020
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3024
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev5DE8.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.d9ea6182e384edab592f8da1b4e74829_JC.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2464

C:\Users\Admin\AppData\Local\Temp\NEAS.D9EA6182E384EDAB592F8DA1B4E74829_JC.EXE
1⤵
- Executes dropped EXE
PID:2828

C:\WINDOWS\MSWDM.EXE
-e!C:\Windows\dev5DE8.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.D9EA6182E384EDAB592F8DA1B4E74829_JC.EXE!
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.D9EA6182E384EDAB592F8DA1B4E74829_JC.EXE

Filesize
1.8MB

MD5
8388e1134cf3479217e3b61258ba1fb9

SHA1
39e4353b63d0d7aa15d2e7814f26e51685188a20

SHA256
fca56da67b0d869c9dfcd11749e84ac536aae30063130e472d44b5935d774ad2

SHA512
7ff33bef839da3294fd0badf98f47f1a7340819ad8aeaa0532a707d77d74f6736cd8f6d819a1d6ae1335f20baf3ab346d0479b1036a9dee89ca7a2e15a977c8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.D9EA6182E384EDAB592F8DA1B4E74829_JC.EXE

Filesize
1.8MB

MD5
8388e1134cf3479217e3b61258ba1fb9

SHA1
39e4353b63d0d7aa15d2e7814f26e51685188a20

SHA256
fca56da67b0d869c9dfcd11749e84ac536aae30063130e472d44b5935d774ad2

SHA512
7ff33bef839da3294fd0badf98f47f1a7340819ad8aeaa0532a707d77d74f6736cd8f6d819a1d6ae1335f20baf3ab346d0479b1036a9dee89ca7a2e15a977c8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.d9ea6182e384edab592f8da1b4e74829_JC.exe

Filesize
141KB

MD5
5a432a042dae460abe7199b758e8606c

SHA1
821b965267ee15c6c59178777ae7a8dcfc80f4ba

SHA256
6e5d1f477d290905be27cebf9572bac6b05ffef2fad901d3c8e11f665f8b9a71

SHA512
72823cc212c585a8080122c416e66fe28cb5a1787ae384d52b2068aec4a16944ed10731c622c1db0d8035aee7b5706bc7d2a4e6295a6ce3e50eb4895cc968c75

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
1.6MB

MD5
ea6e5561df9426c79ba0debded2866b6

SHA1
7965c4bf645798fa5aa5a41199f8f9681925fa29

SHA256
071b0053a9795a632c406ce47a6312586bc5de08c9430efc08d21d1f62d743ef

SHA512
593a3664ddc245bf3d4d9e7aabd367da804003d462b69d8ddfef4a53968ed0b1efd08d5fbfe6ababe6236e565025fb89df9dc03651158888edfc3950978e31eb

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
ea6e5561df9426c79ba0debded2866b6

SHA1
7965c4bf645798fa5aa5a41199f8f9681925fa29

SHA256
071b0053a9795a632c406ce47a6312586bc5de08c9430efc08d21d1f62d743ef

SHA512
593a3664ddc245bf3d4d9e7aabd367da804003d462b69d8ddfef4a53968ed0b1efd08d5fbfe6ababe6236e565025fb89df9dc03651158888edfc3950978e31eb

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
ea6e5561df9426c79ba0debded2866b6

SHA1
7965c4bf645798fa5aa5a41199f8f9681925fa29

SHA256
071b0053a9795a632c406ce47a6312586bc5de08c9430efc08d21d1f62d743ef

SHA512
593a3664ddc245bf3d4d9e7aabd367da804003d462b69d8ddfef4a53968ed0b1efd08d5fbfe6ababe6236e565025fb89df9dc03651158888edfc3950978e31eb

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
ea6e5561df9426c79ba0debded2866b6

SHA1
7965c4bf645798fa5aa5a41199f8f9681925fa29

SHA256
071b0053a9795a632c406ce47a6312586bc5de08c9430efc08d21d1f62d743ef

SHA512
593a3664ddc245bf3d4d9e7aabd367da804003d462b69d8ddfef4a53968ed0b1efd08d5fbfe6ababe6236e565025fb89df9dc03651158888edfc3950978e31eb

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
ea6e5561df9426c79ba0debded2866b6

SHA1
7965c4bf645798fa5aa5a41199f8f9681925fa29

SHA256
071b0053a9795a632c406ce47a6312586bc5de08c9430efc08d21d1f62d743ef

SHA512
593a3664ddc245bf3d4d9e7aabd367da804003d462b69d8ddfef4a53968ed0b1efd08d5fbfe6ababe6236e565025fb89df9dc03651158888edfc3950978e31eb

Download Submit
C:\Windows\dev5DE8.tmp

Filesize
141KB

MD5
5a432a042dae460abe7199b758e8606c

SHA1
821b965267ee15c6c59178777ae7a8dcfc80f4ba

SHA256
6e5d1f477d290905be27cebf9572bac6b05ffef2fad901d3c8e11f665f8b9a71

SHA512
72823cc212c585a8080122c416e66fe28cb5a1787ae384d52b2068aec4a16944ed10731c622c1db0d8035aee7b5706bc7d2a4e6295a6ce3e50eb4895cc968c75

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.d9ea6182e384edab592f8da1b4e74829_JC.exe

Filesize
141KB

MD5
5a432a042dae460abe7199b758e8606c

SHA1
821b965267ee15c6c59178777ae7a8dcfc80f4ba

SHA256
6e5d1f477d290905be27cebf9572bac6b05ffef2fad901d3c8e11f665f8b9a71

SHA512
72823cc212c585a8080122c416e66fe28cb5a1787ae384d52b2068aec4a16944ed10731c622c1db0d8035aee7b5706bc7d2a4e6295a6ce3e50eb4895cc968c75

Download Submit
memory/2020-15-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download
memory/2020-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2020-32-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download
memory/2020-12-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2020-6-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download
memory/2124-29-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2464-31-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2464-18-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3024-23-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3024-33-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download