b9a9b6f6cad2cc71eb18f7a4f6da3c9c30caf0833c8b376f1e93f0d9be2400ae

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2023 02:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.a1d1236f11c6a62c4faff280bc84ddd0_JC.exe
Size

178KB
MD5

a1d1236f11c6a62c4faff280bc84ddd0
SHA1

fc71a8327a91de579ae21ac6442fbb1c8caafbcb
SHA256

b9a9b6f6cad2cc71eb18f7a4f6da3c9c30caf0833c8b376f1e93f0d9be2400ae
SHA512

1687cc9c7aa24040ec71fa1f210e72a015f4c4c043abd1ac4a9e768e90f868a00fa017e813b8d23f80652fd09b2d5af10cf9eab42f221f1a4bd012cf83e1e3ea
SSDEEP

3072:M/047M+14BEHzWqgUfPNrXuSKp18z2Odknu+vmmWBuxBl11cRQycLRbpgjDD2UK:SwhBEHzWpUfPNr+DRD5fWBuxBl11tbpm

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1668	bitsmmc.exe
1548	Picknced.exe
2268	~8CFE.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\agenicli = "C:\\Users\\Admin\\AppData\\Roaming\\doskance\\bitsmmc.exe"	NEAS.a1d1236f11c6a62c4faff280bc84ddd0_JC.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Picknced.exe	NEAS.a1d1236f11c6a62c4faff280bc84ddd0_JC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1668	bitsmmc.exe
1668	bitsmmc.exe
3324	Explorer.EXE
3324	Explorer.EXE
1548	Picknced.exe
1548	Picknced.exe
3324	Explorer.EXE
3324	Explorer.EXE
1548	Picknced.exe
1548	Picknced.exe
3324	Explorer.EXE
1548	Picknced.exe
3324	Explorer.EXE
1548	Picknced.exe
3324	Explorer.EXE
1548	Picknced.exe
1548	Picknced.exe
3324	Explorer.EXE
3324	Explorer.EXE
1548	Picknced.exe
3324	Explorer.EXE
1548	Picknced.exe
3324	Explorer.EXE
1548	Picknced.exe
3324	Explorer.EXE
1548	Picknced.exe
3324	Explorer.EXE
1548	Picknced.exe
1548	Picknced.exe
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
1548	Picknced.exe
1548	Picknced.exe
1548	Picknced.exe
3324	Explorer.EXE
1548	Picknced.exe
3324	Explorer.EXE
3324	Explorer.EXE
1548	Picknced.exe
3324	Explorer.EXE
1548	Picknced.exe
3324	Explorer.EXE
1548	Picknced.exe
1548	Picknced.exe
3324	Explorer.EXE
3324	Explorer.EXE
1548	Picknced.exe
1548	Picknced.exe
3324	Explorer.EXE
3324	Explorer.EXE
3324	Explorer.EXE
1548	Picknced.exe
1548	Picknced.exe
3324	Explorer.EXE
1548	Picknced.exe
3324	Explorer.EXE
1548	Picknced.exe
3324	Explorer.EXE
1548	Picknced.exe
1548	Picknced.exe
3324	Explorer.EXE
3324	Explorer.EXE
1548	Picknced.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3324	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3324	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 1668	3016	NEAS.a1d1236f11c6a62c4faff280bc84ddd0_JC.exe	93
PID 3016 wrote to memory of 1668	3016	NEAS.a1d1236f11c6a62c4faff280bc84ddd0_JC.exe	93
PID 3016 wrote to memory of 1668	3016	NEAS.a1d1236f11c6a62c4faff280bc84ddd0_JC.exe	93
PID 1668 wrote to memory of 2268	1668	bitsmmc.exe	92
PID 1668 wrote to memory of 2268	1668	bitsmmc.exe	92
PID 2268 wrote to memory of 3324	2268	~8CFE.tmp	37
PID 3016 wrote to memory of 3416	3016	NEAS.a1d1236f11c6a62c4faff280bc84ddd0_JC.exe	96
PID 3016 wrote to memory of 3416	3016	NEAS.a1d1236f11c6a62c4faff280bc84ddd0_JC.exe	96
PID 3016 wrote to memory of 3416	3016	NEAS.a1d1236f11c6a62c4faff280bc84ddd0_JC.exe	96
PID 3416 wrote to memory of 2536	3416	cmd.exe	94
PID 3416 wrote to memory of 2536	3416	cmd.exe	94
PID 3416 wrote to memory of 2536	3416	cmd.exe	94

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2536	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
PID:3324
- C:\Users\Admin\AppData\Local\Temp\NEAS.a1d1236f11c6a62c4faff280bc84ddd0_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.a1d1236f11c6a62c4faff280bc84ddd0_JC.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Users\Admin\AppData\Roaming\doskance\bitsmmc.exe
    "C:\Users\Admin\AppData\Roaming\doskance\bitsmmc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1668
- - C:\Windows\SysWOW64\cmd.exe
    /C 240618812.cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3416

C:\Windows\SysWOW64\Picknced.exe
C:\Windows\SysWOW64\Picknced.exe -k
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1548

C:\Users\Admin\AppData\Local\Temp\~8CFE.tmp
"C:\Users\Admin\AppData\Local\Temp\~8CFE.tmp"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2268

C:\Windows\SysWOW64\attrib.exe
attrib -r -s -h "NEAS.a1d1236f11c6a62c4faff280bc84ddd0_JC.exe"
1⤵
- Views/modifies file attributes
PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240618812.cmd

Filesize
219B

MD5
5393cfaf369075d874b0c7ecaf6a2cc3

SHA1
9a12b6161035a83ccfa14c4dc46651fc2b55902b

SHA256
a6b3480070827f8fdf48e9113e0d5f86b9db1f5dc51bb17708fa0d7b50aa0807

SHA512
70191f54f2e03630d722a29a30630484755362b99efa813fec66b8313202167c53637f40823ff7d3e0f1fdda375357d33ebf3b707853c1591f47ac117f2bf300

Download Submit
C:\Users\Admin\AppData\Local\Temp\~8CFE.tmp

Filesize
6KB

MD5
5a7a16802deed257fb4683e20432d26a

SHA1
088b15b5bc8a1efbc5193faebc50c85ace29faf4

SHA256
a16bfca1da1bf3b6f5dc994e929aa2b97e8a5fa8de6aa9ffa10296d09567df26

SHA512
a525407f099500a1997986932821625aa927502777e61e51ad1b8fff6912f19d0c59995b388da0945268ed376f12bceade444489742250f12f48d30cbe019168

Download Submit
C:\Users\Admin\AppData\Local\Temp\~8CFE.tmp

Filesize
6KB

MD5
5a7a16802deed257fb4683e20432d26a

SHA1
088b15b5bc8a1efbc5193faebc50c85ace29faf4

SHA256
a16bfca1da1bf3b6f5dc994e929aa2b97e8a5fa8de6aa9ffa10296d09567df26

SHA512
a525407f099500a1997986932821625aa927502777e61e51ad1b8fff6912f19d0c59995b388da0945268ed376f12bceade444489742250f12f48d30cbe019168

Download Submit
C:\Users\Admin\AppData\Roaming\doskance\bitsmmc.exe

Filesize
178KB

MD5
ba0eebc80eba87e3c76b0daa0303b589

SHA1
b3ddbada3daadbf8cdca91598639e0093b03a67f

SHA256
7d8931881053cbf709c7716d235ae649fa9a3149e0beee4df1880b46e8bf6020

SHA512
8f832b021c3cabfcc623c046513abb34e5d4a2d58325278974c03879100b19c9954a420fa2ea3c59b24e6d1c39950a8812377f2b4d75fd6f9a641eb2a0bd9a3a

Download Submit
C:\Users\Admin\AppData\Roaming\doskance\bitsmmc.exe

Filesize
178KB

MD5
ba0eebc80eba87e3c76b0daa0303b589

SHA1
b3ddbada3daadbf8cdca91598639e0093b03a67f

SHA256
7d8931881053cbf709c7716d235ae649fa9a3149e0beee4df1880b46e8bf6020

SHA512
8f832b021c3cabfcc623c046513abb34e5d4a2d58325278974c03879100b19c9954a420fa2ea3c59b24e6d1c39950a8812377f2b4d75fd6f9a641eb2a0bd9a3a

Download Submit
C:\Windows\SysWOW64\Picknced.exe

Filesize
178KB

MD5
a1d1236f11c6a62c4faff280bc84ddd0

SHA1
fc71a8327a91de579ae21ac6442fbb1c8caafbcb

SHA256
b9a9b6f6cad2cc71eb18f7a4f6da3c9c30caf0833c8b376f1e93f0d9be2400ae

SHA512
1687cc9c7aa24040ec71fa1f210e72a015f4c4c043abd1ac4a9e768e90f868a00fa017e813b8d23f80652fd09b2d5af10cf9eab42f221f1a4bd012cf83e1e3ea

Download Submit
C:\Windows\SysWOW64\Picknced.exe

Filesize
178KB

MD5
a1d1236f11c6a62c4faff280bc84ddd0

SHA1
fc71a8327a91de579ae21ac6442fbb1c8caafbcb

SHA256
b9a9b6f6cad2cc71eb18f7a4f6da3c9c30caf0833c8b376f1e93f0d9be2400ae

SHA512
1687cc9c7aa24040ec71fa1f210e72a015f4c4c043abd1ac4a9e768e90f868a00fa017e813b8d23f80652fd09b2d5af10cf9eab42f221f1a4bd012cf83e1e3ea

Download Submit
memory/1548-20-0x0000000000E80000-0x0000000000EB1000-memory.dmp

Filesize
196KB

Download
memory/1548-24-0x0000000000C00000-0x0000000000C40000-memory.dmp

Filesize
256KB

Download
memory/1548-18-0x0000000000C00000-0x0000000000C40000-memory.dmp

Filesize
256KB

Download
memory/1548-17-0x0000000000C00000-0x0000000000C40000-memory.dmp

Filesize
256KB

Download
memory/1668-8-0x0000000000AA0000-0x0000000000AD1000-memory.dmp

Filesize
196KB

Download
memory/1668-11-0x0000000000900000-0x0000000000940000-memory.dmp

Filesize
256KB

Download
memory/3016-0-0x0000000000010000-0x0000000000041000-memory.dmp

Filesize
196KB

Download
memory/3016-21-0x0000000000010000-0x0000000000041000-memory.dmp

Filesize
196KB

Download
memory/3016-1-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/3324-19-0x0000000002A30000-0x0000000002A73000-memory.dmp

Filesize
268KB

Download
memory/3324-15-0x0000000002A30000-0x0000000002A73000-memory.dmp

Filesize
268KB

Download