7072520926c9407cb7c15b774b2293e7bed8619760c929babdce900ad18ff87e

Analysis

max time kernel
118s
max time network
133s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
04/11/2023, 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.a9deabd117149645e2ba0d3e35550020_JC.exe
Size

157KB
MD5

a9deabd117149645e2ba0d3e35550020
SHA1

fea4a005e7032062090e109068ca4511fba97ec3
SHA256

7072520926c9407cb7c15b774b2293e7bed8619760c929babdce900ad18ff87e
SHA512

addd64a9dbea9cd71f12fe589909f26ebc9e8362cbad70fb496d5c63947af6c22c2600974cb9023f1cb94a7ded7ea8e2fded6144cc7a5370df7775fd51214846
SSDEEP

3072:qmZT2G7Sj8GomX5VltS2gS1l8BhhGxbek1hAnwbGEUPIWmHbc4qer:qmk8GomJVl82gglkGxb1taPIrHQ4qer

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
2776	kymnayk.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\iuxrktg.dll	kymnayk.exe
File created	C:\PROGRA~3\Mozilla\kymnayk.exe	NEAS.a9deabd117149645e2ba0d3e35550020_JC.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 2776	1448	taskeng.exe	29
PID 1448 wrote to memory of 2776	1448	taskeng.exe	29
PID 1448 wrote to memory of 2776	1448	taskeng.exe	29
PID 1448 wrote to memory of 2776	1448	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.a9deabd117149645e2ba0d3e35550020_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.a9deabd117149645e2ba0d3e35550020_JC.exe"
1⤵
- Drops file in Program Files directory
PID:2100

C:\Windows\system32\taskeng.exe
taskeng.exe {46EE27CD-FE11-471B-A835-07BE4B964BDB} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1448
- C:\PROGRA~3\Mozilla\kymnayk.exe
  C:\PROGRA~3\Mozilla\kymnayk.exe -dtmxjcd
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\kymnayk.exe

Filesize
157KB

MD5
52fe775fdefccfdcc6588124ef991d12

SHA1
fe31a7daa45e14740faf57fe6eaafe32a10a39b7

SHA256
01b478f31df1a008b99de4f8cd6866c2fd19913d8a70c2c1d85ce2f62d4c07a3

SHA512
ead9d76435288535ef642b6f6aaa626710b8b6c01d548c6c226eb846a4d5a3ee59657862d54720fecec7fc26f4516ba55cce7bf12fcc74b1d7d60756c70fa231

Download Submit
C:\PROGRA~3\Mozilla\kymnayk.exe

Filesize
157KB

MD5
52fe775fdefccfdcc6588124ef991d12

SHA1
fe31a7daa45e14740faf57fe6eaafe32a10a39b7

SHA256
01b478f31df1a008b99de4f8cd6866c2fd19913d8a70c2c1d85ce2f62d4c07a3

SHA512
ead9d76435288535ef642b6f6aaa626710b8b6c01d548c6c226eb846a4d5a3ee59657862d54720fecec7fc26f4516ba55cce7bf12fcc74b1d7d60756c70fa231

Download Submit
memory/2100-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2100-1-0x0000000000430000-0x000000000048B000-memory.dmp

Filesize
364KB

Download
memory/2100-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2776-10-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2776-11-0x0000000000370000-0x00000000003CB000-memory.dmp

Filesize
364KB

Download
memory/2776-17-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download