aac7ce1e93f343ade213fed9c6ac0da077f9d8895a07a3d3e74e3976436d333d

Analysis

max time kernel
31s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
05/11/2023, 07:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.a6b877e55405b6e06fd6fc177d3a9c80.exe
Size

2.4MB
MD5

a6b877e55405b6e06fd6fc177d3a9c80
SHA1

43cb8be01ad3d9955d9c55821016964fc3d0ae95
SHA256

aac7ce1e93f343ade213fed9c6ac0da077f9d8895a07a3d3e74e3976436d333d
SHA512

f8d1c065d64e74f64c0fb7ba5159d5eb81359369470c211399cd68acdf8d51aa2ff8e738a4cca93b951cb3b62c415e12aa122a9aefefe5e8174c38609b8dacf2
SSDEEP

49152:MttcS4neHbyfYTOYKPu/gEjiEO5ItDEm9wq:MtWS4neHvZjiEO5IhE7q

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1104	MSWDM.EXE
3296	MSWDM.EXE
3820	NEAS.A6B877E55405B6E06FD6FC177D3A9C80.EXE
4012	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	NEAS.a6b877e55405b6e06fd6fc177d3a9c80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	NEAS.a6b877e55405b6e06fd6fc177d3a9c80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\dev781E.tmp	MSWDM.EXE
File created	C:\WINDOWS\MSWDM.EXE	NEAS.a6b877e55405b6e06fd6fc177d3a9c80.exe
File opened for modification	C:\Windows\dev781E.tmp	NEAS.a6b877e55405b6e06fd6fc177d3a9c80.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3296	MSWDM.EXE
3296	MSWDM.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 1104	1580	NEAS.a6b877e55405b6e06fd6fc177d3a9c80.exe	86
PID 1580 wrote to memory of 1104	1580	NEAS.a6b877e55405b6e06fd6fc177d3a9c80.exe	86
PID 1580 wrote to memory of 1104	1580	NEAS.a6b877e55405b6e06fd6fc177d3a9c80.exe	86
PID 1580 wrote to memory of 3296	1580	NEAS.a6b877e55405b6e06fd6fc177d3a9c80.exe	87
PID 1580 wrote to memory of 3296	1580	NEAS.a6b877e55405b6e06fd6fc177d3a9c80.exe	87
PID 1580 wrote to memory of 3296	1580	NEAS.a6b877e55405b6e06fd6fc177d3a9c80.exe	87
PID 3296 wrote to memory of 3820	3296	MSWDM.EXE	88
PID 3296 wrote to memory of 3820	3296	MSWDM.EXE	88
PID 3296 wrote to memory of 3820	3296	MSWDM.EXE	88
PID 3296 wrote to memory of 4012	3296	MSWDM.EXE	90
PID 3296 wrote to memory of 4012	3296	MSWDM.EXE	90
PID 3296 wrote to memory of 4012	3296	MSWDM.EXE	90

C:\Users\Admin\AppData\Local\Temp\NEAS.a6b877e55405b6e06fd6fc177d3a9c80.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.a6b877e55405b6e06fd6fc177d3a9c80.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1580
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1104
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev781E.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.a6b877e55405b6e06fd6fc177d3a9c80.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3296
- - C:\Users\Admin\AppData\Local\Temp\NEAS.A6B877E55405B6E06FD6FC177D3A9C80.EXE
    3⤵
    - Executes dropped EXE
    PID:3820
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev781E.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.A6B877E55405B6E06FD6FC177D3A9C80.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:4012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.A6B877E55405B6E06FD6FC177D3A9C80.EXE

Filesize
2.4MB

MD5
b80738fa83f2e75506d9ac99128b9d98

SHA1
91606ab8442475550b58203b5c06f1067721b0f9

SHA256
c459f92de87671bff67fdc34a96174c32470eafba003627b2bb7ad56f37f1d1b

SHA512
a38d424dfcc28e16c2d3cb3f24736fefbb228f77dd91bf2a666cd9e1093948005c9347933c89d42a028f7d7742c513111bab008d454a540b4fd29d8f0370b747

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.A6B877E55405B6E06FD6FC177D3A9C80.EXE

Filesize
2.4MB

MD5
b80738fa83f2e75506d9ac99128b9d98

SHA1
91606ab8442475550b58203b5c06f1067721b0f9

SHA256
c459f92de87671bff67fdc34a96174c32470eafba003627b2bb7ad56f37f1d1b

SHA512
a38d424dfcc28e16c2d3cb3f24736fefbb228f77dd91bf2a666cd9e1093948005c9347933c89d42a028f7d7742c513111bab008d454a540b4fd29d8f0370b747

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.a6b877e55405b6e06fd6fc177d3a9c80.exe

Filesize
2.4MB

MD5
15d78328a3cc37ffa733260577933654

SHA1
76c3925db42044773b2e130b5717536f5b0d87e7

SHA256
8a4e042d295392675eef97ed7c9fd67f67673703adff6d4eca819761d6b24cfb

SHA512
2a25517da49e4e6f6f3dd494f417bb76c0654e7169d6b26c4002c8ceba09f253b14af6b4a00876fb5363cfce0d2206f2c679b965466d0470a47f13278c7fc2a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.a6b877e55405b6e06fd6fc177d3a9c80.exe

Filesize
2.4MB

MD5
b80738fa83f2e75506d9ac99128b9d98

SHA1
91606ab8442475550b58203b5c06f1067721b0f9

SHA256
c459f92de87671bff67fdc34a96174c32470eafba003627b2bb7ad56f37f1d1b

SHA512
a38d424dfcc28e16c2d3cb3f24736fefbb228f77dd91bf2a666cd9e1093948005c9347933c89d42a028f7d7742c513111bab008d454a540b4fd29d8f0370b747

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
1.6MB

MD5
e8d2f472272621a1a9b48352ca6a6576

SHA1
f3184bc8c6d6354d02e566ed762c8faa38c10a3d

SHA256
cb8c6aba01393dd2b03e303e7dbaa2a3d2d6eb7b71e50c59a5162af8d60a825e

SHA512
da09fbcd23d619008a79c43a6946f0b284ac9a854d00aeba94b12212716f616a60cc46fa26152f8d33d2f8c169eb24053c1fb21e43d416345268dc318d9564df

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
e8d2f472272621a1a9b48352ca6a6576

SHA1
f3184bc8c6d6354d02e566ed762c8faa38c10a3d

SHA256
cb8c6aba01393dd2b03e303e7dbaa2a3d2d6eb7b71e50c59a5162af8d60a825e

SHA512
da09fbcd23d619008a79c43a6946f0b284ac9a854d00aeba94b12212716f616a60cc46fa26152f8d33d2f8c169eb24053c1fb21e43d416345268dc318d9564df

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
e8d2f472272621a1a9b48352ca6a6576

SHA1
f3184bc8c6d6354d02e566ed762c8faa38c10a3d

SHA256
cb8c6aba01393dd2b03e303e7dbaa2a3d2d6eb7b71e50c59a5162af8d60a825e

SHA512
da09fbcd23d619008a79c43a6946f0b284ac9a854d00aeba94b12212716f616a60cc46fa26152f8d33d2f8c169eb24053c1fb21e43d416345268dc318d9564df

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
e8d2f472272621a1a9b48352ca6a6576

SHA1
f3184bc8c6d6354d02e566ed762c8faa38c10a3d

SHA256
cb8c6aba01393dd2b03e303e7dbaa2a3d2d6eb7b71e50c59a5162af8d60a825e

SHA512
da09fbcd23d619008a79c43a6946f0b284ac9a854d00aeba94b12212716f616a60cc46fa26152f8d33d2f8c169eb24053c1fb21e43d416345268dc318d9564df

Download Submit
C:\Windows\dev781E.tmp

Filesize
831KB

MD5
a1ac20a3ee76bed62a327706beea2f70

SHA1
188e1bcf4f27271eaefb1a8683c1cd6e4e700970

SHA256
4f218719f01dc26bd82372cb9cde5c0bd3faa0276e26e78b2d792cd1ef2ce6b3

SHA512
9bf8afd610257ba00d7a3303456ff8a30a979b8bbc23467d1c1d8d58a462b3da52ca4bfd0227b78df701b3c8c8f33c1eac3fac4ddf3ae1e09281ba19774fbc6d

Download Submit
memory/1104-8-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1104-25-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1580-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1580-6-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3296-11-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3296-24-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3820-15-0x0000000000D20000-0x0000000000E40000-memory.dmp

Filesize
1.1MB

Download
memory/3820-16-0x0000000000D20000-0x0000000000E40000-memory.dmp

Filesize
1.1MB

Download
memory/4012-22-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4012-20-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download