3008ffee1c5a6be160b5cb3435b5619f82661f62c8d2917802b20e450af791f8

Analysis

max time kernel
119s
max time network
136s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
03/11/2023, 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.9ba6ee9339bf2fa46842d16aa4f32f40_JC.exe
Size

450KB
MD5

9ba6ee9339bf2fa46842d16aa4f32f40
SHA1

ca72126e209e0e94e4238de0ec00abdd412a2328
SHA256

3008ffee1c5a6be160b5cb3435b5619f82661f62c8d2917802b20e450af791f8
SHA512

d36a45066de313772bb65ff7df12d60e69591cd48e014c9fa51a47463b5005a962ad6ac8e987ef54f5fde7b5a30a41860f01c5011a4ce550f79da4d03599e0de
SSDEEP

12288:9YK7hIQ+gKrkorULq6lFfPnKX0zheI4h3Eyu8c2pfu3Eyu8c2pf:9QU+TI4SR8c4JR8c4

Score

1^/10

Malware Config

Signatures

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2620	ipconfig.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2704	dw20.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 2112	1464	NEAS.9ba6ee9339bf2fa46842d16aa4f32f40_JC.exe	28
PID 1464 wrote to memory of 2112	1464	NEAS.9ba6ee9339bf2fa46842d16aa4f32f40_JC.exe	28
PID 1464 wrote to memory of 2112	1464	NEAS.9ba6ee9339bf2fa46842d16aa4f32f40_JC.exe	28
PID 2112 wrote to memory of 2620	2112	cmd.exe	30
PID 2112 wrote to memory of 2620	2112	cmd.exe	30
PID 2112 wrote to memory of 2620	2112	cmd.exe	30
PID 1464 wrote to memory of 2704	1464	NEAS.9ba6ee9339bf2fa46842d16aa4f32f40_JC.exe	31
PID 1464 wrote to memory of 2704	1464	NEAS.9ba6ee9339bf2fa46842d16aa4f32f40_JC.exe	31
PID 1464 wrote to memory of 2704	1464	NEAS.9ba6ee9339bf2fa46842d16aa4f32f40_JC.exe	31

C:\Users\Admin\AppData\Local\Temp\NEAS.9ba6ee9339bf2fa46842d16aa4f32f40_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.9ba6ee9339bf2fa46842d16aa4f32f40_JC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Windows\system32\cmd.exe
  "cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\system32\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - Gathers network information
    PID:2620
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
  dw20.exe -x -s 1116
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1464-0-0x000007FEF6010000-0x000007FEF69AD000-memory.dmp

Filesize
9.6MB

Download
memory/1464-1-0x0000000000AB0000-0x0000000000B30000-memory.dmp

Filesize
512KB

Download
memory/1464-2-0x000007FEF6010000-0x000007FEF69AD000-memory.dmp

Filesize
9.6MB

Download
memory/1464-3-0x0000000000AB0000-0x0000000000B30000-memory.dmp

Filesize
512KB

Download
memory/1464-4-0x0000000000AB0000-0x0000000000B30000-memory.dmp

Filesize
512KB

Download
memory/1464-8-0x000007FEF6010000-0x000007FEF69AD000-memory.dmp

Filesize
9.6MB

Download
memory/1464-9-0x0000000000AB0000-0x0000000000B30000-memory.dmp

Filesize
512KB

Download
memory/2704-7-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/2704-10-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download