d34b69d7094c286ef9f6e8d5179a9a13355c2072bc081bdd7bccf0a57d6eb949

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
04/11/2023, 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.f2c31c62bc7a72453e812e8124498500_JC.exe
Size

168KB
MD5

f2c31c62bc7a72453e812e8124498500
SHA1

2621944902604362686c8795c5d8ade7034038dc
SHA256

d34b69d7094c286ef9f6e8d5179a9a13355c2072bc081bdd7bccf0a57d6eb949
SHA512

4d6e6099cf96f0c0a1d9e4a78512dad127d5687f3afb36622786f2f0f9f95af7e486aaa5216f7480613e7269ee2fef6b267674cab5f1632f78f3730571227623
SSDEEP

3072:7W6h6Y6DxQKBL+UjcvS5is6vZX5Kv8S138WtA7Kzfk0saRQs:7W6h6NR+Uw80g9XA78fJsaRR

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
2640	suvkbwn.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\suvkbwn.exe	NEAS.f2c31c62bc7a72453e812e8124498500_JC.exe
File created	C:\PROGRA~3\Mozilla\wfwcssm.dll	suvkbwn.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2640	2720	taskeng.exe	29
PID 2720 wrote to memory of 2640	2720	taskeng.exe	29
PID 2720 wrote to memory of 2640	2720	taskeng.exe	29
PID 2720 wrote to memory of 2640	2720	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.f2c31c62bc7a72453e812e8124498500_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.f2c31c62bc7a72453e812e8124498500_JC.exe"
1⤵
- Drops file in Program Files directory
PID:2780

C:\Windows\system32\taskeng.exe
taskeng.exe {D328821D-ECB1-4693-829D-417C618E4DAC} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2720
- C:\PROGRA~3\Mozilla\suvkbwn.exe
  C:\PROGRA~3\Mozilla\suvkbwn.exe -tlhykym
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\suvkbwn.exe

Filesize
168KB

MD5
db28f12d62e74b5cc9569c4bc1b07a58

SHA1
a52e4da1304dfcc6779b022c5c214193bc798222

SHA256
34ce89cc8dd1fa68e1e94c58211816f8b9095e7d0e664d7ac2dbdd2b83825118

SHA512
cbb12ae535fcfd1aa325de79293e18fdcb618fd6192a6851e096fea356fb4369622e78ad61a3e3a20dfb9b3254417fe635f147f3fd019925fdb63f6a8a48c2de

Download Submit
C:\PROGRA~3\Mozilla\suvkbwn.exe

Filesize
168KB

MD5
db28f12d62e74b5cc9569c4bc1b07a58

SHA1
a52e4da1304dfcc6779b022c5c214193bc798222

SHA256
34ce89cc8dd1fa68e1e94c58211816f8b9095e7d0e664d7ac2dbdd2b83825118

SHA512
cbb12ae535fcfd1aa325de79293e18fdcb618fd6192a6851e096fea356fb4369622e78ad61a3e3a20dfb9b3254417fe635f147f3fd019925fdb63f6a8a48c2de

Download Submit
memory/2640-10-0x00000000002E0000-0x000000000033B000-memory.dmp

Filesize
364KB

Download
memory/2640-16-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2780-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2780-1-0x0000000000310000-0x000000000036B000-memory.dmp

Filesize
364KB

Download
memory/2780-7-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download