b9a9b6f6cad2cc71eb18f7a4f6da3c9c30caf0833c8b376f1e93f0d9be2400ae

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
05/11/2023, 02:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.a1d1236f11c6a62c4faff280bc84ddd0_JC.exe
Size

178KB
MD5

a1d1236f11c6a62c4faff280bc84ddd0
SHA1

fc71a8327a91de579ae21ac6442fbb1c8caafbcb
SHA256

b9a9b6f6cad2cc71eb18f7a4f6da3c9c30caf0833c8b376f1e93f0d9be2400ae
SHA512

1687cc9c7aa24040ec71fa1f210e72a015f4c4c043abd1ac4a9e768e90f868a00fa017e813b8d23f80652fd09b2d5af10cf9eab42f221f1a4bd012cf83e1e3ea
SSDEEP

3072:M/047M+14BEHzWqgUfPNrXuSKp18z2Odknu+vmmWBuxBl11cRQycLRbpgjDD2UK:SwhBEHzWpUfPNr+DRD5fWBuxBl11tbpm

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2960	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2848	forfskey.exe
2688	~4F77.tmp
2716	sdiadctr.exe

Loads dropped DLL 3 IoCs

pid	Process
2252	NEAS.a1d1236f11c6a62c4faff280bc84ddd0_JC.exe
2252	NEAS.a1d1236f11c6a62c4faff280bc84ddd0_JC.exe
2848	forfskey.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Run\dxdistsc = "C:\\Users\\Admin\\AppData\\Roaming\\cttufWrp\\forfskey.exe"	NEAS.a1d1236f11c6a62c4faff280bc84ddd0_JC.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sdiadctr.exe	NEAS.a1d1236f11c6a62c4faff280bc84ddd0_JC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2848	forfskey.exe
1248	Explorer.EXE
2716	sdiadctr.exe
1248	Explorer.EXE
2716	sdiadctr.exe
1248	Explorer.EXE
2716	sdiadctr.exe
1248	Explorer.EXE
2716	sdiadctr.exe
1248	Explorer.EXE
2716	sdiadctr.exe
1248	Explorer.EXE
2716	sdiadctr.exe
1248	Explorer.EXE
2716	sdiadctr.exe
1248	Explorer.EXE
2716	sdiadctr.exe
1248	Explorer.EXE
2716	sdiadctr.exe
1248	Explorer.EXE
2716	sdiadctr.exe
1248	Explorer.EXE
2716	sdiadctr.exe
1248	Explorer.EXE
2716	sdiadctr.exe
1248	Explorer.EXE
2716	sdiadctr.exe
1248	Explorer.EXE
2716	sdiadctr.exe
1248	Explorer.EXE
2716	sdiadctr.exe
1248	Explorer.EXE
2716	sdiadctr.exe
1248	Explorer.EXE
2716	sdiadctr.exe
1248	Explorer.EXE
2716	sdiadctr.exe
1248	Explorer.EXE
2716	sdiadctr.exe
1248	Explorer.EXE
2716	sdiadctr.exe
1248	Explorer.EXE
2716	sdiadctr.exe
1248	Explorer.EXE
2716	sdiadctr.exe
1248	Explorer.EXE
2716	sdiadctr.exe
1248	Explorer.EXE
2716	sdiadctr.exe
1248	Explorer.EXE
2716	sdiadctr.exe
1248	Explorer.EXE
2716	sdiadctr.exe
1248	Explorer.EXE
2716	sdiadctr.exe
1248	Explorer.EXE
2716	sdiadctr.exe
1248	Explorer.EXE
2716	sdiadctr.exe
1248	Explorer.EXE
2716	sdiadctr.exe
1248	Explorer.EXE
2716	sdiadctr.exe
1248	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1248	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2848	2252	NEAS.a1d1236f11c6a62c4faff280bc84ddd0_JC.exe	28
PID 2252 wrote to memory of 2848	2252	NEAS.a1d1236f11c6a62c4faff280bc84ddd0_JC.exe	28
PID 2252 wrote to memory of 2848	2252	NEAS.a1d1236f11c6a62c4faff280bc84ddd0_JC.exe	28
PID 2252 wrote to memory of 2848	2252	NEAS.a1d1236f11c6a62c4faff280bc84ddd0_JC.exe	28
PID 2848 wrote to memory of 2688	2848	forfskey.exe	29
PID 2848 wrote to memory of 2688	2848	forfskey.exe	29
PID 2848 wrote to memory of 2688	2848	forfskey.exe	29
PID 2848 wrote to memory of 2688	2848	forfskey.exe	29
PID 2688 wrote to memory of 1248	2688	~4F77.tmp	16
PID 2252 wrote to memory of 2960	2252	NEAS.a1d1236f11c6a62c4faff280bc84ddd0_JC.exe	31
PID 2252 wrote to memory of 2960	2252	NEAS.a1d1236f11c6a62c4faff280bc84ddd0_JC.exe	31
PID 2252 wrote to memory of 2960	2252	NEAS.a1d1236f11c6a62c4faff280bc84ddd0_JC.exe	31
PID 2252 wrote to memory of 2960	2252	NEAS.a1d1236f11c6a62c4faff280bc84ddd0_JC.exe	31
PID 2960 wrote to memory of 2732	2960	cmd.exe	33
PID 2960 wrote to memory of 2732	2960	cmd.exe	33
PID 2960 wrote to memory of 2732	2960	cmd.exe	33
PID 2960 wrote to memory of 2732	2960	cmd.exe	33

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2732	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:1248
- C:\Users\Admin\AppData\Local\Temp\NEAS.a1d1236f11c6a62c4faff280bc84ddd0_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.a1d1236f11c6a62c4faff280bc84ddd0_JC.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Users\Admin\AppData\Roaming\cttufWrp\forfskey.exe
    "C:\Users\Admin\AppData\Roaming\cttufWrp\forfskey.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Users\Admin\AppData\Local\Temp\~4F77.tmp
      "C:\Users\Admin\AppData\Local\Temp\~4F77.tmp"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2688
- - C:\Windows\SysWOW64\cmd.exe
    /C 259412299.cmd
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r -s -h "NEAS.a1d1236f11c6a62c4faff280bc84ddd0_JC.exe"
      4⤵
      Views/modifies file attributes
      PID:2732

C:\Windows\SysWOW64\sdiadctr.exe
C:\Windows\SysWOW64\sdiadctr.exe -k
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259412299.cmd

Filesize
219B

MD5
6847aa2fab4e4c10baf6cacbf6c86445

SHA1
b9fb7e2c21698efd8c9363af5b052196b13ad5aa

SHA256
699d25295aec01008b183b216f7d4353640b1b605a6b2f407fb98f17fd008a5c

SHA512
81a8336f9a78767a3899479ce1f49f8efb4c064a53eff283b685e1383cb43440bff94bd4fdcb87359c610004009b20cae2d75154768744cf0944f8ee1be3a464

Download Submit
C:\Users\Admin\AppData\Local\Temp\~4F77.tmp

Filesize
6KB

MD5
73274db14be8da5a43e41541352959fb

SHA1
3c3be1e96df95e269aeb89178815e6442ef631da

SHA256
d7718034a89128e44b6ba6e73e24a765560016982c10284b50b1f9aec51cbff4

SHA512
993cb99f95d18a6ca7d86e96b1844003484a2aff970e964cccefeb3f48fbe448875b83c4dc82a2e8db8621ab97dcf2b485c648304e194e82e8f622a1ede9bd78

Download Submit
C:\Users\Admin\AppData\Roaming\cttufWrp\forfskey.exe

Filesize
178KB

MD5
c60209ded555d9866bbd864af73574d1

SHA1
22e03f9b8f3091301266eaa4834c97479d3d67a7

SHA256
737f4def29045dde8b5087734b9f120fd56a83b03f832c95680aeefe3f69fb76

SHA512
be5b445cb55a950631eeeec74823ffbd2cb57080bae6f6893ee59d228be17c1d939b738adf257f9d6ec5548eb182d07369edf62c574edc24314dc00baa3a46db

Download Submit
C:\Users\Admin\AppData\Roaming\cttufWrp\forfskey.exe

Filesize
178KB

MD5
c60209ded555d9866bbd864af73574d1

SHA1
22e03f9b8f3091301266eaa4834c97479d3d67a7

SHA256
737f4def29045dde8b5087734b9f120fd56a83b03f832c95680aeefe3f69fb76

SHA512
be5b445cb55a950631eeeec74823ffbd2cb57080bae6f6893ee59d228be17c1d939b738adf257f9d6ec5548eb182d07369edf62c574edc24314dc00baa3a46db

Download Submit
C:\Users\Admin\AppData\Roaming\cttufWrp\forfskey.exe

Filesize
178KB

MD5
c60209ded555d9866bbd864af73574d1

SHA1
22e03f9b8f3091301266eaa4834c97479d3d67a7

SHA256
737f4def29045dde8b5087734b9f120fd56a83b03f832c95680aeefe3f69fb76

SHA512
be5b445cb55a950631eeeec74823ffbd2cb57080bae6f6893ee59d228be17c1d939b738adf257f9d6ec5548eb182d07369edf62c574edc24314dc00baa3a46db

Download Submit
C:\Windows\SysWOW64\sdiadctr.exe

Filesize
178KB

MD5
a1d1236f11c6a62c4faff280bc84ddd0

SHA1
fc71a8327a91de579ae21ac6442fbb1c8caafbcb

SHA256
b9a9b6f6cad2cc71eb18f7a4f6da3c9c30caf0833c8b376f1e93f0d9be2400ae

SHA512
1687cc9c7aa24040ec71fa1f210e72a015f4c4c043abd1ac4a9e768e90f868a00fa017e813b8d23f80652fd09b2d5af10cf9eab42f221f1a4bd012cf83e1e3ea

Download Submit
C:\Windows\SysWOW64\sdiadctr.exe

Filesize
178KB

MD5
a1d1236f11c6a62c4faff280bc84ddd0

SHA1
fc71a8327a91de579ae21ac6442fbb1c8caafbcb

SHA256
b9a9b6f6cad2cc71eb18f7a4f6da3c9c30caf0833c8b376f1e93f0d9be2400ae

SHA512
1687cc9c7aa24040ec71fa1f210e72a015f4c4c043abd1ac4a9e768e90f868a00fa017e813b8d23f80652fd09b2d5af10cf9eab42f221f1a4bd012cf83e1e3ea

Download Submit
\Users\Admin\AppData\Local\Temp\~4F77.tmp

Filesize
6KB

MD5
73274db14be8da5a43e41541352959fb

SHA1
3c3be1e96df95e269aeb89178815e6442ef631da

SHA256
d7718034a89128e44b6ba6e73e24a765560016982c10284b50b1f9aec51cbff4

SHA512
993cb99f95d18a6ca7d86e96b1844003484a2aff970e964cccefeb3f48fbe448875b83c4dc82a2e8db8621ab97dcf2b485c648304e194e82e8f622a1ede9bd78

Download Submit
\Users\Admin\AppData\Roaming\cttufWrp\forfskey.exe

Filesize
178KB

MD5
c60209ded555d9866bbd864af73574d1

SHA1
22e03f9b8f3091301266eaa4834c97479d3d67a7

SHA256
737f4def29045dde8b5087734b9f120fd56a83b03f832c95680aeefe3f69fb76

SHA512
be5b445cb55a950631eeeec74823ffbd2cb57080bae6f6893ee59d228be17c1d939b738adf257f9d6ec5548eb182d07369edf62c574edc24314dc00baa3a46db

Download Submit
\Users\Admin\AppData\Roaming\cttufWrp\forfskey.exe

Filesize
178KB

MD5
c60209ded555d9866bbd864af73574d1

SHA1
22e03f9b8f3091301266eaa4834c97479d3d67a7

SHA256
737f4def29045dde8b5087734b9f120fd56a83b03f832c95680aeefe3f69fb76

SHA512
be5b445cb55a950631eeeec74823ffbd2cb57080bae6f6893ee59d228be17c1d939b738adf257f9d6ec5548eb182d07369edf62c574edc24314dc00baa3a46db

Download Submit
memory/1248-20-0x0000000002A10000-0x0000000002A53000-memory.dmp

Filesize
268KB

Download
memory/1248-23-0x0000000002A10000-0x0000000002A53000-memory.dmp

Filesize
268KB

Download
memory/1248-19-0x0000000002A10000-0x0000000002A53000-memory.dmp

Filesize
268KB

Download
memory/2252-10-0x0000000000160000-0x0000000000191000-memory.dmp

Filesize
196KB

Download
memory/2252-0-0x0000000000AE0000-0x0000000000B11000-memory.dmp

Filesize
196KB

Download
memory/2252-1-0x0000000000070000-0x00000000000B0000-memory.dmp

Filesize
256KB

Download
memory/2716-28-0x00000000001F0000-0x0000000000221000-memory.dmp

Filesize
196KB

Download
memory/2716-30-0x00000000000E0000-0x0000000000120000-memory.dmp

Filesize
256KB

Download
memory/2716-34-0x00000000000E0000-0x0000000000120000-memory.dmp

Filesize
256KB

Download
memory/2716-33-0x00000000000E0000-0x0000000000120000-memory.dmp

Filesize
256KB

Download
memory/2848-14-0x0000000000070000-0x00000000000B0000-memory.dmp

Filesize
256KB

Download
memory/2848-17-0x0000000000300000-0x0000000000331000-memory.dmp

Filesize
196KB

Download