7ebf85327a80cf103e255c1d807adee71ac97ec6f38d25ff6d3894ee1e45d5b8

Analysis

max time kernel
151s
max time network
125s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
05/11/2023, 07:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.922fe25b6ee750d2e100fc4151b45f00.exe
Size

55KB
MD5

922fe25b6ee750d2e100fc4151b45f00
SHA1

e6905dd37bb0860d17fde0f4fb99d148211ed802
SHA256

7ebf85327a80cf103e255c1d807adee71ac97ec6f38d25ff6d3894ee1e45d5b8
SHA512

4243ab98b0f73b2cad869755153a790017574b69d238b210b40a85c848556dc4b024a2e5a92ac8379387541b6ebd65376e88d9e911e6670b56b7ca56d96b4260
SSDEEP

768:Iv9ilrnywLsYg+0yq2vWdT9SOaNou0yWH7oXzO8ZGjSjAsOm7IfCus6YnFAi5y98:fjxsz40yvXHGjUAsOs/ukv

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2260	conwurm.exe

Loads dropped DLL 1 IoCs

pid	Process
884	NEAS.922fe25b6ee750d2e100fc4151b45f00.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/884-0-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/files/0x00070000000120ca-5.dat	upx
behavioral1/memory/884-9-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/2260-12-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/files/0x00070000000120ca-10.dat	upx
behavioral1/files/0x00070000000120ca-14.dat	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 884 wrote to memory of 2260	884	NEAS.922fe25b6ee750d2e100fc4151b45f00.exe	28
PID 884 wrote to memory of 2260	884	NEAS.922fe25b6ee750d2e100fc4151b45f00.exe	28
PID 884 wrote to memory of 2260	884	NEAS.922fe25b6ee750d2e100fc4151b45f00.exe	28
PID 884 wrote to memory of 2260	884	NEAS.922fe25b6ee750d2e100fc4151b45f00.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.922fe25b6ee750d2e100fc4151b45f00.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.922fe25b6ee750d2e100fc4151b45f00.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:884
- C:\Users\Admin\AppData\Local\Temp\conwurm.exe
  "C:\Users\Admin\AppData\Local\Temp\conwurm.exe"
  2⤵
  - Executes dropped EXE
  PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\conwurm.exe

Filesize
55KB

MD5
360e4e608ac00cdd7a602e34006b3070

SHA1
a6be22d2b077bb7c7b34fb3f96a9e564c93ba8f9

SHA256
2d33aa07306043413058999b0f6ff2f61f92ec2f457470f13a67498e30b9e768

SHA512
3ecdb2f5f84c97df077b93a4ad8af86224bff5f3851f1942761a96abe88e1bb5ce8fb72dc9305271e99ac5f4d4e2f5584ac399dc019cf1fda0240f73c3d71153

Download Submit
C:\Users\Admin\AppData\Local\Temp\conwurm.exe

Filesize
55KB

MD5
360e4e608ac00cdd7a602e34006b3070

SHA1
a6be22d2b077bb7c7b34fb3f96a9e564c93ba8f9

SHA256
2d33aa07306043413058999b0f6ff2f61f92ec2f457470f13a67498e30b9e768

SHA512
3ecdb2f5f84c97df077b93a4ad8af86224bff5f3851f1942761a96abe88e1bb5ce8fb72dc9305271e99ac5f4d4e2f5584ac399dc019cf1fda0240f73c3d71153

Download Submit
\Users\Admin\AppData\Local\Temp\conwurm.exe

Filesize
55KB

MD5
360e4e608ac00cdd7a602e34006b3070

SHA1
a6be22d2b077bb7c7b34fb3f96a9e564c93ba8f9

SHA256
2d33aa07306043413058999b0f6ff2f61f92ec2f457470f13a67498e30b9e768

SHA512
3ecdb2f5f84c97df077b93a4ad8af86224bff5f3851f1942761a96abe88e1bb5ce8fb72dc9305271e99ac5f4d4e2f5584ac399dc019cf1fda0240f73c3d71153

Download Submit
memory/884-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/884-1-0x0000000004000000-0x0000000004005000-memory.dmp

Filesize
20KB

Download
memory/884-2-0x0000000004000000-0x0000000004005000-memory.dmp

Filesize
20KB

Download
memory/884-9-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/884-7-0x0000000002C00000-0x0000000002C17000-memory.dmp

Filesize
92KB

Download
memory/2260-12-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2260-16-0x0000000004000000-0x0000000004005000-memory.dmp

Filesize
20KB

Download