5b96a419427d262c6975fa05a509afb3d6de97f6d4afe0d36a379c1585fe1c69

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
05-11-2023 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.5cf4dac4209192852f3926a8ff75b670_JC.exe
Size

195KB
MD5

5cf4dac4209192852f3926a8ff75b670
SHA1

d80565281a7afe8bc24a8aef60e66d9c9cff4a3d
SHA256

5b96a419427d262c6975fa05a509afb3d6de97f6d4afe0d36a379c1585fe1c69
SHA512

86d9f5476b179cbf9666ffefb859f71dfb2fe7f041d5cb9c4b58e63f711479d94ccee26d81beea63599ad3eef71c4f0ad161c9fd5934820f3d8ac40f4a697921
SSDEEP

3072:R2n7CoWd07esc3BUEgiahMdnZylqQFB07dnajNo4atrcvpoNpVC6BYz0:aCoWd0kSEgiiAZc1B07ZaJo6iNq6BYQ

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
3008	suvkbwn.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\suvkbwn.exe	NEAS.5cf4dac4209192852f3926a8ff75b670_JC.exe
File created	C:\PROGRA~3\Mozilla\wfwcssm.dll	suvkbwn.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 3008	2224	taskeng.exe	29
PID 2224 wrote to memory of 3008	2224	taskeng.exe	29
PID 2224 wrote to memory of 3008	2224	taskeng.exe	29
PID 2224 wrote to memory of 3008	2224	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.5cf4dac4209192852f3926a8ff75b670_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.5cf4dac4209192852f3926a8ff75b670_JC.exe"
1⤵
- Drops file in Program Files directory
PID:2964

C:\Windows\system32\taskeng.exe
taskeng.exe {F18B92B6-C6EB-44B9-88DE-4C99E147CF7F} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2224
- C:\PROGRA~3\Mozilla\suvkbwn.exe
  C:\PROGRA~3\Mozilla\suvkbwn.exe -tlhykym
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\suvkbwn.exe

Filesize
195KB

MD5
b250abb2f09faef340022a12a989b2be

SHA1
f5a0ad79b6c78d54b89f96451ffbd2aa83298a05

SHA256
62a4980978b4e9df33da409ecf6d14bfa1247f06a8aac34100fa157071285c9d

SHA512
0f94f3cfd7ed2ff53a44cce51fa27a39ce162f43df2ceeb24dfa2a80d3cd6f258758d987fc485d760bb35ea39ca72fd65c1916f197f7d2c1c3b3f216f152ac03

Download Submit
C:\PROGRA~3\Mozilla\suvkbwn.exe

Filesize
195KB

MD5
b250abb2f09faef340022a12a989b2be

SHA1
f5a0ad79b6c78d54b89f96451ffbd2aa83298a05

SHA256
62a4980978b4e9df33da409ecf6d14bfa1247f06a8aac34100fa157071285c9d

SHA512
0f94f3cfd7ed2ff53a44cce51fa27a39ce162f43df2ceeb24dfa2a80d3cd6f258758d987fc485d760bb35ea39ca72fd65c1916f197f7d2c1c3b3f216f152ac03

Download Submit
memory/2964-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2964-1-0x00000000002F0000-0x000000000034B000-memory.dmp

Filesize
364KB

Download
memory/2964-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3008-10-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3008-11-0x0000000000210000-0x000000000026B000-memory.dmp

Filesize
364KB

Download