110d794c8205c95f4a3fb0fb64616838ad53a7219bbb4c9864d5ae1938f63915

Analysis

max time kernel
30s
max time network
145s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
05-11-2023 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.bfd38b2c1bffe34910c48b660e8069e0_JC.exe
Size

2.4MB
MD5

bfd38b2c1bffe34910c48b660e8069e0
SHA1

1af3b20bfb36540bf523226a3c1f053ae509bd1c
SHA256

110d794c8205c95f4a3fb0fb64616838ad53a7219bbb4c9864d5ae1938f63915
SHA512

92f60e97fa553749995258fb89317c02e00a7fb40a5c643e30da8295e3c77c326e61a82e96f516aa329adbca5ed1d3438ceb2f98678b5ec3d8e49c1717d40319
SSDEEP

49152:MtKcS4neHbyfYTOYKPu/gEjiEO5ItDEm9wN:MtvS4neHvZjiEO5IhE7N

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2128	MSWDM.EXE
2044	MSWDM.EXE
2340	NEAS.BFD38B2C1BFFE34910C48B660E8069E0_JC.EXE
2688	MSWDM.EXE

Loads dropped DLL 1 IoCs

pid	Process
2044	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	NEAS.bfd38b2c1bffe34910c48b660e8069e0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	NEAS.bfd38b2c1bffe34910c48b660e8069e0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\devB606.tmp	NEAS.bfd38b2c1bffe34910c48b660e8069e0_JC.exe
File opened for modification	C:\Windows\devB606.tmp	MSWDM.EXE
File created	C:\WINDOWS\MSWDM.EXE	NEAS.bfd38b2c1bffe34910c48b660e8069e0_JC.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2044	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2128	2032	NEAS.bfd38b2c1bffe34910c48b660e8069e0_JC.exe	27
PID 2032 wrote to memory of 2128	2032	NEAS.bfd38b2c1bffe34910c48b660e8069e0_JC.exe	27
PID 2032 wrote to memory of 2128	2032	NEAS.bfd38b2c1bffe34910c48b660e8069e0_JC.exe	27
PID 2032 wrote to memory of 2128	2032	NEAS.bfd38b2c1bffe34910c48b660e8069e0_JC.exe	27
PID 2032 wrote to memory of 2044	2032	NEAS.bfd38b2c1bffe34910c48b660e8069e0_JC.exe	28
PID 2032 wrote to memory of 2044	2032	NEAS.bfd38b2c1bffe34910c48b660e8069e0_JC.exe	28
PID 2032 wrote to memory of 2044	2032	NEAS.bfd38b2c1bffe34910c48b660e8069e0_JC.exe	28
PID 2032 wrote to memory of 2044	2032	NEAS.bfd38b2c1bffe34910c48b660e8069e0_JC.exe	28
PID 2044 wrote to memory of 2340	2044	MSWDM.EXE	29
PID 2044 wrote to memory of 2340	2044	MSWDM.EXE	29
PID 2044 wrote to memory of 2340	2044	MSWDM.EXE	29
PID 2044 wrote to memory of 2340	2044	MSWDM.EXE	29
PID 2044 wrote to memory of 2688	2044	MSWDM.EXE	31
PID 2044 wrote to memory of 2688	2044	MSWDM.EXE	31
PID 2044 wrote to memory of 2688	2044	MSWDM.EXE	31
PID 2044 wrote to memory of 2688	2044	MSWDM.EXE	31

C:\Users\Admin\AppData\Local\Temp\NEAS.bfd38b2c1bffe34910c48b660e8069e0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.bfd38b2c1bffe34910c48b660e8069e0_JC.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2032
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2128
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\devB606.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.bfd38b2c1bffe34910c48b660e8069e0_JC.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Users\Admin\AppData\Local\Temp\NEAS.BFD38B2C1BFFE34910C48B660E8069E0_JC.EXE
    3⤵
    - Executes dropped EXE
    PID:2340
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\devB606.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.BFD38B2C1BFFE34910C48B660E8069E0_JC.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.BFD38B2C1BFFE34910C48B660E8069E0_JC.EXE

Filesize
2.4MB

MD5
7fa59e91bad62fbbe8d85492c9cfd6d3

SHA1
26f6d3e9c4324f2b7a3394de5658f42acbb64120

SHA256
a7d96f954836100d13abc07d6f67379b29972803f28104d428c44c569683d04e

SHA512
9dfe97d5f719aa60c78b6dbf30e95eef24f3094b4c1911d3dbc6109de229195e4bfa06e8b66439543aeb182bd1c0726785ebf9b018e3a080c1c7f6cf2841fa5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.BFD38B2C1BFFE34910C48B660E8069E0_JC.EXE

Filesize
2.4MB

MD5
7fa59e91bad62fbbe8d85492c9cfd6d3

SHA1
26f6d3e9c4324f2b7a3394de5658f42acbb64120

SHA256
a7d96f954836100d13abc07d6f67379b29972803f28104d428c44c569683d04e

SHA512
9dfe97d5f719aa60c78b6dbf30e95eef24f3094b4c1911d3dbc6109de229195e4bfa06e8b66439543aeb182bd1c0726785ebf9b018e3a080c1c7f6cf2841fa5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.bfd38b2c1bffe34910c48b660e8069e0_JC.exe

Filesize
831KB

MD5
a1ac20a3ee76bed62a327706beea2f70

SHA1
188e1bcf4f27271eaefb1a8683c1cd6e4e700970

SHA256
4f218719f01dc26bd82372cb9cde5c0bd3faa0276e26e78b2d792cd1ef2ce6b3

SHA512
9bf8afd610257ba00d7a3303456ff8a30a979b8bbc23467d1c1d8d58a462b3da52ca4bfd0227b78df701b3c8c8f33c1eac3fac4ddf3ae1e09281ba19774fbc6d

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
1.6MB

MD5
27e85f44a6f4d602aa24038fda61a66f

SHA1
f712dd5a8457c4d61e3f704419b01b5048671c34

SHA256
6b7a428e91131990690eaa7cf10182bbe60da4e24a946872167d6aadd905c574

SHA512
53e9d21a59fe38cb8ecdedf3e1fc065d99fd55003b1f4eeda789c871e16cda70fadd787418d93e5d8f66d4513dbb46f6635c566662a79e8b5767b81694001d9a

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
27e85f44a6f4d602aa24038fda61a66f

SHA1
f712dd5a8457c4d61e3f704419b01b5048671c34

SHA256
6b7a428e91131990690eaa7cf10182bbe60da4e24a946872167d6aadd905c574

SHA512
53e9d21a59fe38cb8ecdedf3e1fc065d99fd55003b1f4eeda789c871e16cda70fadd787418d93e5d8f66d4513dbb46f6635c566662a79e8b5767b81694001d9a

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
27e85f44a6f4d602aa24038fda61a66f

SHA1
f712dd5a8457c4d61e3f704419b01b5048671c34

SHA256
6b7a428e91131990690eaa7cf10182bbe60da4e24a946872167d6aadd905c574

SHA512
53e9d21a59fe38cb8ecdedf3e1fc065d99fd55003b1f4eeda789c871e16cda70fadd787418d93e5d8f66d4513dbb46f6635c566662a79e8b5767b81694001d9a

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
27e85f44a6f4d602aa24038fda61a66f

SHA1
f712dd5a8457c4d61e3f704419b01b5048671c34

SHA256
6b7a428e91131990690eaa7cf10182bbe60da4e24a946872167d6aadd905c574

SHA512
53e9d21a59fe38cb8ecdedf3e1fc065d99fd55003b1f4eeda789c871e16cda70fadd787418d93e5d8f66d4513dbb46f6635c566662a79e8b5767b81694001d9a

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
27e85f44a6f4d602aa24038fda61a66f

SHA1
f712dd5a8457c4d61e3f704419b01b5048671c34

SHA256
6b7a428e91131990690eaa7cf10182bbe60da4e24a946872167d6aadd905c574

SHA512
53e9d21a59fe38cb8ecdedf3e1fc065d99fd55003b1f4eeda789c871e16cda70fadd787418d93e5d8f66d4513dbb46f6635c566662a79e8b5767b81694001d9a

Download Submit
C:\Windows\devB606.tmp

Filesize
831KB

MD5
a1ac20a3ee76bed62a327706beea2f70

SHA1
188e1bcf4f27271eaefb1a8683c1cd6e4e700970

SHA256
4f218719f01dc26bd82372cb9cde5c0bd3faa0276e26e78b2d792cd1ef2ce6b3

SHA512
9bf8afd610257ba00d7a3303456ff8a30a979b8bbc23467d1c1d8d58a462b3da52ca4bfd0227b78df701b3c8c8f33c1eac3fac4ddf3ae1e09281ba19774fbc6d

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.bfd38b2c1bffe34910c48b660e8069e0_JC.exe

Filesize
831KB

MD5
a1ac20a3ee76bed62a327706beea2f70

SHA1
188e1bcf4f27271eaefb1a8683c1cd6e4e700970

SHA256
4f218719f01dc26bd82372cb9cde5c0bd3faa0276e26e78b2d792cd1ef2ce6b3

SHA512
9bf8afd610257ba00d7a3303456ff8a30a979b8bbc23467d1c1d8d58a462b3da52ca4bfd0227b78df701b3c8c8f33c1eac3fac4ddf3ae1e09281ba19774fbc6d

Download Submit
memory/2032-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2032-12-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2032-13-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download
memory/2044-24-0x00000000021B0000-0x00000000022D0000-memory.dmp

Filesize
1.1MB

Download
memory/2044-32-0x00000000001B0000-0x00000000001C4000-memory.dmp

Filesize
80KB

Download
memory/2044-18-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2044-34-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2128-17-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2128-35-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2340-26-0x0000000000EC0000-0x0000000000FE0000-memory.dmp

Filesize
1.1MB

Download
memory/2340-25-0x0000000000EC0000-0x0000000000FE0000-memory.dmp

Filesize
1.1MB

Download
memory/2688-31-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download