ed7e89f522631e964cae6c525bad9fc727c6db993cddbbbd2b3ee7d0d40bf3a2

Analysis

max time kernel
31s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
03/11/2023, 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.d9ea6182e384edab592f8da1b4e74829_JC.exe
Size

1.8MB
MD5

d9ea6182e384edab592f8da1b4e74829
SHA1

ae55575de1569ee31ec2ae83dbed7b2b94e2fe40
SHA256

ed7e89f522631e964cae6c525bad9fc727c6db993cddbbbd2b3ee7d0d40bf3a2
SHA512

3ddc6606261dbe587b9e9b9d90a012c6fe43790fcaced8ce48efde3708b01c7e249a7ad680daee9da7cb4149f9716c0133e7e840490f627bdb9f92c49ab029ea
SSDEEP

49152:MtBcS4neHbyfYTOYKPu/gEjiEO5ItDF4P:MtaS4neHvZjiEO5IhY

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
860	MSWDM.EXE
1496	MSWDM.EXE
5000	NEAS.D9EA6182E384EDAB592F8DA1B4E74829_JC.EXE
388	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	NEAS.d9ea6182e384edab592f8da1b4e74829_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	NEAS.d9ea6182e384edab592f8da1b4e74829_JC.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	NEAS.d9ea6182e384edab592f8da1b4e74829_JC.exe
File opened for modification	C:\Windows\devE436.tmp	NEAS.d9ea6182e384edab592f8da1b4e74829_JC.exe
File opened for modification	C:\Windows\devE436.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1496	MSWDM.EXE
1496	MSWDM.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3324 wrote to memory of 860	3324	NEAS.d9ea6182e384edab592f8da1b4e74829_JC.exe	84
PID 3324 wrote to memory of 860	3324	NEAS.d9ea6182e384edab592f8da1b4e74829_JC.exe	84
PID 3324 wrote to memory of 860	3324	NEAS.d9ea6182e384edab592f8da1b4e74829_JC.exe	84
PID 3324 wrote to memory of 1496	3324	NEAS.d9ea6182e384edab592f8da1b4e74829_JC.exe	85
PID 3324 wrote to memory of 1496	3324	NEAS.d9ea6182e384edab592f8da1b4e74829_JC.exe	85
PID 3324 wrote to memory of 1496	3324	NEAS.d9ea6182e384edab592f8da1b4e74829_JC.exe	85
PID 1496 wrote to memory of 5000	1496	MSWDM.EXE	86
PID 1496 wrote to memory of 5000	1496	MSWDM.EXE	86
PID 1496 wrote to memory of 5000	1496	MSWDM.EXE	86
PID 1496 wrote to memory of 388	1496	MSWDM.EXE	87
PID 1496 wrote to memory of 388	1496	MSWDM.EXE	87
PID 1496 wrote to memory of 388	1496	MSWDM.EXE	87

C:\Users\Admin\AppData\Local\Temp\NEAS.d9ea6182e384edab592f8da1b4e74829_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.d9ea6182e384edab592f8da1b4e74829_JC.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3324
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:860
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\devE436.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.d9ea6182e384edab592f8da1b4e74829_JC.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Users\Admin\AppData\Local\Temp\NEAS.D9EA6182E384EDAB592F8DA1B4E74829_JC.EXE
    3⤵
    - Executes dropped EXE
    PID:5000
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\devE436.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.D9EA6182E384EDAB592F8DA1B4E74829_JC.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.D9EA6182E384EDAB592F8DA1B4E74829_JC.EXE

Filesize
1.8MB

MD5
2378d31a0ebfea9fee612bd05de6d90d

SHA1
73eb04e6efe9c01a948068bc54b5f8dd8d091b9a

SHA256
7eaea02498724c4e6a5a8d51fc437849276efdc04fd823e024d64b9eb5bddd88

SHA512
03f6c2f49288ab1d82c90af370c1480c461dab46877479cdd9f2c0615ba20549fdceaf636bc46dedf1fa09c4d3ff436007821ff74861b10451df8c8a8e56200e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.D9EA6182E384EDAB592F8DA1B4E74829_JC.EXE

Filesize
1.8MB

MD5
2378d31a0ebfea9fee612bd05de6d90d

SHA1
73eb04e6efe9c01a948068bc54b5f8dd8d091b9a

SHA256
7eaea02498724c4e6a5a8d51fc437849276efdc04fd823e024d64b9eb5bddd88

SHA512
03f6c2f49288ab1d82c90af370c1480c461dab46877479cdd9f2c0615ba20549fdceaf636bc46dedf1fa09c4d3ff436007821ff74861b10451df8c8a8e56200e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.d9ea6182e384edab592f8da1b4e74829_JC.exe

Filesize
141KB

MD5
5a432a042dae460abe7199b758e8606c

SHA1
821b965267ee15c6c59178777ae7a8dcfc80f4ba

SHA256
6e5d1f477d290905be27cebf9572bac6b05ffef2fad901d3c8e11f665f8b9a71

SHA512
72823cc212c585a8080122c416e66fe28cb5a1787ae384d52b2068aec4a16944ed10731c622c1db0d8035aee7b5706bc7d2a4e6295a6ce3e50eb4895cc968c75

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.d9ea6182e384edab592f8da1b4e74829_JC.exe

Filesize
1.8MB

MD5
2378d31a0ebfea9fee612bd05de6d90d

SHA1
73eb04e6efe9c01a948068bc54b5f8dd8d091b9a

SHA256
7eaea02498724c4e6a5a8d51fc437849276efdc04fd823e024d64b9eb5bddd88

SHA512
03f6c2f49288ab1d82c90af370c1480c461dab46877479cdd9f2c0615ba20549fdceaf636bc46dedf1fa09c4d3ff436007821ff74861b10451df8c8a8e56200e

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
1.6MB

MD5
ea6e5561df9426c79ba0debded2866b6

SHA1
7965c4bf645798fa5aa5a41199f8f9681925fa29

SHA256
071b0053a9795a632c406ce47a6312586bc5de08c9430efc08d21d1f62d743ef

SHA512
593a3664ddc245bf3d4d9e7aabd367da804003d462b69d8ddfef4a53968ed0b1efd08d5fbfe6ababe6236e565025fb89df9dc03651158888edfc3950978e31eb

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
ea6e5561df9426c79ba0debded2866b6

SHA1
7965c4bf645798fa5aa5a41199f8f9681925fa29

SHA256
071b0053a9795a632c406ce47a6312586bc5de08c9430efc08d21d1f62d743ef

SHA512
593a3664ddc245bf3d4d9e7aabd367da804003d462b69d8ddfef4a53968ed0b1efd08d5fbfe6ababe6236e565025fb89df9dc03651158888edfc3950978e31eb

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
ea6e5561df9426c79ba0debded2866b6

SHA1
7965c4bf645798fa5aa5a41199f8f9681925fa29

SHA256
071b0053a9795a632c406ce47a6312586bc5de08c9430efc08d21d1f62d743ef

SHA512
593a3664ddc245bf3d4d9e7aabd367da804003d462b69d8ddfef4a53968ed0b1efd08d5fbfe6ababe6236e565025fb89df9dc03651158888edfc3950978e31eb

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
ea6e5561df9426c79ba0debded2866b6

SHA1
7965c4bf645798fa5aa5a41199f8f9681925fa29

SHA256
071b0053a9795a632c406ce47a6312586bc5de08c9430efc08d21d1f62d743ef

SHA512
593a3664ddc245bf3d4d9e7aabd367da804003d462b69d8ddfef4a53968ed0b1efd08d5fbfe6ababe6236e565025fb89df9dc03651158888edfc3950978e31eb

Download Submit
C:\Windows\devE436.tmp

Filesize
141KB

MD5
5a432a042dae460abe7199b758e8606c

SHA1
821b965267ee15c6c59178777ae7a8dcfc80f4ba

SHA256
6e5d1f477d290905be27cebf9572bac6b05ffef2fad901d3c8e11f665f8b9a71

SHA512
72823cc212c585a8080122c416e66fe28cb5a1787ae384d52b2068aec4a16944ed10731c622c1db0d8035aee7b5706bc7d2a4e6295a6ce3e50eb4895cc968c75

Download Submit
memory/388-15-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/388-18-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/860-21-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1496-20-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3324-8-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3324-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download