b771f04baa0225541d0e377d07843b6cee0fbd67ba0917b5db424afeed4f901a

Analysis

max time kernel
203s
max time network
139s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
05-11-2023 07:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.1a177e44ce0af6e9a0de20d7e8b854b0.exe
Size

171KB
MD5

1a177e44ce0af6e9a0de20d7e8b854b0
SHA1

e5dbcb6bc0c5c0bd4eaabc5c4e47743d8b015343
SHA256

b771f04baa0225541d0e377d07843b6cee0fbd67ba0917b5db424afeed4f901a
SHA512

dedb45de432a31178ad4098fcef00b81b13fedbeee4321cfae45c8da27e84051f48121b1b7bcc4419a7a6f051ec84598bf4b52137ac3e000aaf140694380d065
SSDEEP

3072:S2qTc8JsfA/rpTeieAp0jVMz52M7I2yOUXjbF3dz8mrvX54IE:SvTc8J0WpTedSz5dc2yOUTxFnrvX54/

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2740	pwhehon.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\pwhehon.exe	NEAS.1a177e44ce0af6e9a0de20d7e8b854b0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2740	pwhehon.exe
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1376	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2740	pwhehon.exe
Token: SeDebugPrivilege	1376	Explorer.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2820	NEAS.1a177e44ce0af6e9a0de20d7e8b854b0.exe
2740	pwhehon.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 2740	2760	taskeng.exe	30
PID 2760 wrote to memory of 2740	2760	taskeng.exe	30
PID 2760 wrote to memory of 2740	2760	taskeng.exe	30
PID 2760 wrote to memory of 2740	2760	taskeng.exe	30
PID 2740 wrote to memory of 1376	2740	pwhehon.exe	16

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1376
- C:\Users\Admin\AppData\Local\Temp\NEAS.1a177e44ce0af6e9a0de20d7e8b854b0.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.1a177e44ce0af6e9a0de20d7e8b854b0.exe"
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID:2820

C:\Windows\system32\taskeng.exe
taskeng.exe {FBF9E662-F7D1-4564-91AB-542A266E6708} S-1-5-21-3425689832-2386927309-2650718742-1000:AWDHTXES\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2760
- C:\PROGRA~3\Mozilla\pwhehon.exe
  C:\PROGRA~3\Mozilla\pwhehon.exe -arzwbsb
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2740

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\pwhehon.exe

Filesize
171KB

MD5
b56acd96fcf955573169c4e6283f3bf1

SHA1
938f2fd5b97512329b0f7e49501c8c3c096991aa

SHA256
89d14246ea11029d556104173431d95a626e20c5fb25685aa33d109070fbd59e

SHA512
086bb26cbdaebe449ff4446b70c49edf615182708495282d523751a7db1507b9abcf17ed40912586c5bed6f4038ce73afcfbd78683707dd3fc0c38b201024b69

Download Submit
C:\PROGRA~3\Mozilla\pwhehon.exe

Filesize
171KB

MD5
b56acd96fcf955573169c4e6283f3bf1

SHA1
938f2fd5b97512329b0f7e49501c8c3c096991aa

SHA256
89d14246ea11029d556104173431d95a626e20c5fb25685aa33d109070fbd59e

SHA512
086bb26cbdaebe449ff4446b70c49edf615182708495282d523751a7db1507b9abcf17ed40912586c5bed6f4038ce73afcfbd78683707dd3fc0c38b201024b69

Download Submit
memory/1376-10-0x0000000002610000-0x000000000262C000-memory.dmp

Filesize
112KB

Download
memory/1376-12-0x0000000002610000-0x000000000262C000-memory.dmp

Filesize
112KB

Download
memory/2740-9-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2740-8-0x0000000001C70000-0x0000000001CCF000-memory.dmp

Filesize
380KB

Download
memory/2740-14-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2740-15-0x0000000001C70000-0x0000000001CCF000-memory.dmp

Filesize
380KB

Download
memory/2820-4-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2820-5-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2820-3-0x0000000000460000-0x00000000004BF000-memory.dmp

Filesize
380KB

Download
memory/2820-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2820-0-0x0000000000460000-0x00000000004BF000-memory.dmp

Filesize
380KB

Download