aac7ce1e93f343ade213fed9c6ac0da077f9d8895a07a3d3e74e3976436d333d

Analysis

max time kernel
15s
max time network
122s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
05-11-2023 07:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.a6b877e55405b6e06fd6fc177d3a9c80.exe
Size

2.4MB
MD5

a6b877e55405b6e06fd6fc177d3a9c80
SHA1

43cb8be01ad3d9955d9c55821016964fc3d0ae95
SHA256

aac7ce1e93f343ade213fed9c6ac0da077f9d8895a07a3d3e74e3976436d333d
SHA512

f8d1c065d64e74f64c0fb7ba5159d5eb81359369470c211399cd68acdf8d51aa2ff8e738a4cca93b951cb3b62c415e12aa122a9aefefe5e8174c38609b8dacf2
SSDEEP

49152:MttcS4neHbyfYTOYKPu/gEjiEO5ItDEm9wq:MtWS4neHvZjiEO5IhE7q

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2460	MSWDM.EXE
1828	MSWDM.EXE
2824	NEAS.A6B877E55405B6E06FD6FC177D3A9C80.EXE
2760	MSWDM.EXE

Loads dropped DLL 1 IoCs

pid	Process
1828	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	NEAS.a6b877e55405b6e06fd6fc177d3a9c80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	NEAS.a6b877e55405b6e06fd6fc177d3a9c80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	NEAS.a6b877e55405b6e06fd6fc177d3a9c80.exe
File opened for modification	C:\Windows\dev477C.tmp	NEAS.a6b877e55405b6e06fd6fc177d3a9c80.exe
File opened for modification	C:\Windows\dev477C.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1828	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2460	2272	NEAS.a6b877e55405b6e06fd6fc177d3a9c80.exe	28
PID 2272 wrote to memory of 2460	2272	NEAS.a6b877e55405b6e06fd6fc177d3a9c80.exe	28
PID 2272 wrote to memory of 2460	2272	NEAS.a6b877e55405b6e06fd6fc177d3a9c80.exe	28
PID 2272 wrote to memory of 2460	2272	NEAS.a6b877e55405b6e06fd6fc177d3a9c80.exe	28
PID 2272 wrote to memory of 1828	2272	NEAS.a6b877e55405b6e06fd6fc177d3a9c80.exe	29
PID 2272 wrote to memory of 1828	2272	NEAS.a6b877e55405b6e06fd6fc177d3a9c80.exe	29
PID 2272 wrote to memory of 1828	2272	NEAS.a6b877e55405b6e06fd6fc177d3a9c80.exe	29
PID 2272 wrote to memory of 1828	2272	NEAS.a6b877e55405b6e06fd6fc177d3a9c80.exe	29
PID 1828 wrote to memory of 2824	1828	MSWDM.EXE	30
PID 1828 wrote to memory of 2824	1828	MSWDM.EXE	30
PID 1828 wrote to memory of 2824	1828	MSWDM.EXE	30
PID 1828 wrote to memory of 2824	1828	MSWDM.EXE	30
PID 1828 wrote to memory of 2760	1828	MSWDM.EXE	32
PID 1828 wrote to memory of 2760	1828	MSWDM.EXE	32
PID 1828 wrote to memory of 2760	1828	MSWDM.EXE	32
PID 1828 wrote to memory of 2760	1828	MSWDM.EXE	32

C:\Users\Admin\AppData\Local\Temp\NEAS.a6b877e55405b6e06fd6fc177d3a9c80.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.a6b877e55405b6e06fd6fc177d3a9c80.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2272
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2460
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev477C.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.a6b877e55405b6e06fd6fc177d3a9c80.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Users\Admin\AppData\Local\Temp\NEAS.A6B877E55405B6E06FD6FC177D3A9C80.EXE
    3⤵
    - Executes dropped EXE
    PID:2824
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev477C.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.A6B877E55405B6E06FD6FC177D3A9C80.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.A6B877E55405B6E06FD6FC177D3A9C80.EXE

Filesize
2.4MB

MD5
9cc9dcddcd37eb1f7050ff0d1b18b8b4

SHA1
8a580de6f97582933a7427a25eb455e23094f5fb

SHA256
c0df81eec3b3f19a027f5c9e1820450aac442d3b4c08665c0c3070236fdab10f

SHA512
ddc172a7c529a0c4f4c6d068f4a5b54f79ff46180092126a9f9c335e2c080bea72c563eea5bcf775f9f928284ee919741ff2e99452478d36466187d4cecd48c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.A6B877E55405B6E06FD6FC177D3A9C80.EXE

Filesize
2.4MB

MD5
9cc9dcddcd37eb1f7050ff0d1b18b8b4

SHA1
8a580de6f97582933a7427a25eb455e23094f5fb

SHA256
c0df81eec3b3f19a027f5c9e1820450aac442d3b4c08665c0c3070236fdab10f

SHA512
ddc172a7c529a0c4f4c6d068f4a5b54f79ff46180092126a9f9c335e2c080bea72c563eea5bcf775f9f928284ee919741ff2e99452478d36466187d4cecd48c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.a6b877e55405b6e06fd6fc177d3a9c80.exe

Filesize
831KB

MD5
a1ac20a3ee76bed62a327706beea2f70

SHA1
188e1bcf4f27271eaefb1a8683c1cd6e4e700970

SHA256
4f218719f01dc26bd82372cb9cde5c0bd3faa0276e26e78b2d792cd1ef2ce6b3

SHA512
9bf8afd610257ba00d7a3303456ff8a30a979b8bbc23467d1c1d8d58a462b3da52ca4bfd0227b78df701b3c8c8f33c1eac3fac4ddf3ae1e09281ba19774fbc6d

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
1.6MB

MD5
e8d2f472272621a1a9b48352ca6a6576

SHA1
f3184bc8c6d6354d02e566ed762c8faa38c10a3d

SHA256
cb8c6aba01393dd2b03e303e7dbaa2a3d2d6eb7b71e50c59a5162af8d60a825e

SHA512
da09fbcd23d619008a79c43a6946f0b284ac9a854d00aeba94b12212716f616a60cc46fa26152f8d33d2f8c169eb24053c1fb21e43d416345268dc318d9564df

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
e8d2f472272621a1a9b48352ca6a6576

SHA1
f3184bc8c6d6354d02e566ed762c8faa38c10a3d

SHA256
cb8c6aba01393dd2b03e303e7dbaa2a3d2d6eb7b71e50c59a5162af8d60a825e

SHA512
da09fbcd23d619008a79c43a6946f0b284ac9a854d00aeba94b12212716f616a60cc46fa26152f8d33d2f8c169eb24053c1fb21e43d416345268dc318d9564df

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
e8d2f472272621a1a9b48352ca6a6576

SHA1
f3184bc8c6d6354d02e566ed762c8faa38c10a3d

SHA256
cb8c6aba01393dd2b03e303e7dbaa2a3d2d6eb7b71e50c59a5162af8d60a825e

SHA512
da09fbcd23d619008a79c43a6946f0b284ac9a854d00aeba94b12212716f616a60cc46fa26152f8d33d2f8c169eb24053c1fb21e43d416345268dc318d9564df

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
e8d2f472272621a1a9b48352ca6a6576

SHA1
f3184bc8c6d6354d02e566ed762c8faa38c10a3d

SHA256
cb8c6aba01393dd2b03e303e7dbaa2a3d2d6eb7b71e50c59a5162af8d60a825e

SHA512
da09fbcd23d619008a79c43a6946f0b284ac9a854d00aeba94b12212716f616a60cc46fa26152f8d33d2f8c169eb24053c1fb21e43d416345268dc318d9564df

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
e8d2f472272621a1a9b48352ca6a6576

SHA1
f3184bc8c6d6354d02e566ed762c8faa38c10a3d

SHA256
cb8c6aba01393dd2b03e303e7dbaa2a3d2d6eb7b71e50c59a5162af8d60a825e

SHA512
da09fbcd23d619008a79c43a6946f0b284ac9a854d00aeba94b12212716f616a60cc46fa26152f8d33d2f8c169eb24053c1fb21e43d416345268dc318d9564df

Download Submit
C:\Windows\dev477C.tmp

Filesize
831KB

MD5
a1ac20a3ee76bed62a327706beea2f70

SHA1
188e1bcf4f27271eaefb1a8683c1cd6e4e700970

SHA256
4f218719f01dc26bd82372cb9cde5c0bd3faa0276e26e78b2d792cd1ef2ce6b3

SHA512
9bf8afd610257ba00d7a3303456ff8a30a979b8bbc23467d1c1d8d58a462b3da52ca4bfd0227b78df701b3c8c8f33c1eac3fac4ddf3ae1e09281ba19774fbc6d

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.a6b877e55405b6e06fd6fc177d3a9c80.exe

Filesize
831KB

MD5
a1ac20a3ee76bed62a327706beea2f70

SHA1
188e1bcf4f27271eaefb1a8683c1cd6e4e700970

SHA256
4f218719f01dc26bd82372cb9cde5c0bd3faa0276e26e78b2d792cd1ef2ce6b3

SHA512
9bf8afd610257ba00d7a3303456ff8a30a979b8bbc23467d1c1d8d58a462b3da52ca4bfd0227b78df701b3c8c8f33c1eac3fac4ddf3ae1e09281ba19774fbc6d

Download Submit
memory/1828-32-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1828-23-0x00000000020E0000-0x0000000002200000-memory.dmp

Filesize
1.1MB

Download
memory/2272-6-0x00000000002A0000-0x00000000002B4000-memory.dmp

Filesize
80KB

Download
memory/2272-12-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2272-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2460-15-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2460-33-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2760-30-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2824-25-0x0000000000A10000-0x0000000000B30000-memory.dmp

Filesize
1.1MB

Download
memory/2824-24-0x0000000000A10000-0x0000000000B30000-memory.dmp

Filesize
1.1MB

Download