110d794c8205c95f4a3fb0fb64616838ad53a7219bbb4c9864d5ae1938f63915

Analysis

max time kernel
23s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2023 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.bfd38b2c1bffe34910c48b660e8069e0_JC.exe
Size

2.4MB
MD5

bfd38b2c1bffe34910c48b660e8069e0
SHA1

1af3b20bfb36540bf523226a3c1f053ae509bd1c
SHA256

110d794c8205c95f4a3fb0fb64616838ad53a7219bbb4c9864d5ae1938f63915
SHA512

92f60e97fa553749995258fb89317c02e00a7fb40a5c643e30da8295e3c77c326e61a82e96f516aa329adbca5ed1d3438ceb2f98678b5ec3d8e49c1717d40319
SSDEEP

49152:MtKcS4neHbyfYTOYKPu/gEjiEO5ItDEm9wN:MtvS4neHvZjiEO5IhE7N

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3344	MSWDM.EXE
2316	MSWDM.EXE
2184	NEAS.BFD38B2C1BFFE34910C48B660E8069E0_JC.EXE
3820	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	NEAS.bfd38b2c1bffe34910c48b660e8069e0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	NEAS.bfd38b2c1bffe34910c48b660e8069e0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\dev857C.tmp	MSWDM.EXE
File created	C:\WINDOWS\MSWDM.EXE	NEAS.bfd38b2c1bffe34910c48b660e8069e0_JC.exe
File opened for modification	C:\Windows\dev857C.tmp	NEAS.bfd38b2c1bffe34910c48b660e8069e0_JC.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2316	MSWDM.EXE
2316	MSWDM.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3120 wrote to memory of 3344	3120	NEAS.bfd38b2c1bffe34910c48b660e8069e0_JC.exe	86
PID 3120 wrote to memory of 3344	3120	NEAS.bfd38b2c1bffe34910c48b660e8069e0_JC.exe	86
PID 3120 wrote to memory of 3344	3120	NEAS.bfd38b2c1bffe34910c48b660e8069e0_JC.exe	86
PID 3120 wrote to memory of 2316	3120	NEAS.bfd38b2c1bffe34910c48b660e8069e0_JC.exe	87
PID 3120 wrote to memory of 2316	3120	NEAS.bfd38b2c1bffe34910c48b660e8069e0_JC.exe	87
PID 3120 wrote to memory of 2316	3120	NEAS.bfd38b2c1bffe34910c48b660e8069e0_JC.exe	87
PID 2316 wrote to memory of 2184	2316	MSWDM.EXE	88
PID 2316 wrote to memory of 2184	2316	MSWDM.EXE	88
PID 2316 wrote to memory of 2184	2316	MSWDM.EXE	88
PID 2316 wrote to memory of 3820	2316	MSWDM.EXE	91
PID 2316 wrote to memory of 3820	2316	MSWDM.EXE	91
PID 2316 wrote to memory of 3820	2316	MSWDM.EXE	91

C:\Users\Admin\AppData\Local\Temp\NEAS.bfd38b2c1bffe34910c48b660e8069e0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.bfd38b2c1bffe34910c48b660e8069e0_JC.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3120
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3344
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev857C.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.bfd38b2c1bffe34910c48b660e8069e0_JC.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Users\Admin\AppData\Local\Temp\NEAS.BFD38B2C1BFFE34910C48B660E8069E0_JC.EXE
    3⤵
    - Executes dropped EXE
    PID:2184
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev857C.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.BFD38B2C1BFFE34910C48B660E8069E0_JC.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.BFD38B2C1BFFE34910C48B660E8069E0_JC.EXE

Filesize
2.4MB

MD5
c90aa251949127dc77da462a97ed96a6

SHA1
7eab573faa677009dd9b9a208994de690c2e99e9

SHA256
18fed01a207ca871fa5e6fe9faa2c5b3d40d55d97df4767f5c7262d61bc44574

SHA512
db62129fe530fc303f99576f3479066d5457813c69d02a71990ab6ba73c29c96da4325f1e762328add1e2f89aa7678b00305fa5c2110f367e44aba7691817712

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.BFD38B2C1BFFE34910C48B660E8069E0_JC.EXE

Filesize
2.4MB

MD5
c90aa251949127dc77da462a97ed96a6

SHA1
7eab573faa677009dd9b9a208994de690c2e99e9

SHA256
18fed01a207ca871fa5e6fe9faa2c5b3d40d55d97df4767f5c7262d61bc44574

SHA512
db62129fe530fc303f99576f3479066d5457813c69d02a71990ab6ba73c29c96da4325f1e762328add1e2f89aa7678b00305fa5c2110f367e44aba7691817712

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.bfd38b2c1bffe34910c48b660e8069e0_JC.exe

Filesize
831KB

MD5
a1ac20a3ee76bed62a327706beea2f70

SHA1
188e1bcf4f27271eaefb1a8683c1cd6e4e700970

SHA256
4f218719f01dc26bd82372cb9cde5c0bd3faa0276e26e78b2d792cd1ef2ce6b3

SHA512
9bf8afd610257ba00d7a3303456ff8a30a979b8bbc23467d1c1d8d58a462b3da52ca4bfd0227b78df701b3c8c8f33c1eac3fac4ddf3ae1e09281ba19774fbc6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.bfd38b2c1bffe34910c48b660e8069e0_JC.exe

Filesize
2.4MB

MD5
c90aa251949127dc77da462a97ed96a6

SHA1
7eab573faa677009dd9b9a208994de690c2e99e9

SHA256
18fed01a207ca871fa5e6fe9faa2c5b3d40d55d97df4767f5c7262d61bc44574

SHA512
db62129fe530fc303f99576f3479066d5457813c69d02a71990ab6ba73c29c96da4325f1e762328add1e2f89aa7678b00305fa5c2110f367e44aba7691817712

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
1.6MB

MD5
27e85f44a6f4d602aa24038fda61a66f

SHA1
f712dd5a8457c4d61e3f704419b01b5048671c34

SHA256
6b7a428e91131990690eaa7cf10182bbe60da4e24a946872167d6aadd905c574

SHA512
53e9d21a59fe38cb8ecdedf3e1fc065d99fd55003b1f4eeda789c871e16cda70fadd787418d93e5d8f66d4513dbb46f6635c566662a79e8b5767b81694001d9a

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
27e85f44a6f4d602aa24038fda61a66f

SHA1
f712dd5a8457c4d61e3f704419b01b5048671c34

SHA256
6b7a428e91131990690eaa7cf10182bbe60da4e24a946872167d6aadd905c574

SHA512
53e9d21a59fe38cb8ecdedf3e1fc065d99fd55003b1f4eeda789c871e16cda70fadd787418d93e5d8f66d4513dbb46f6635c566662a79e8b5767b81694001d9a

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
27e85f44a6f4d602aa24038fda61a66f

SHA1
f712dd5a8457c4d61e3f704419b01b5048671c34

SHA256
6b7a428e91131990690eaa7cf10182bbe60da4e24a946872167d6aadd905c574

SHA512
53e9d21a59fe38cb8ecdedf3e1fc065d99fd55003b1f4eeda789c871e16cda70fadd787418d93e5d8f66d4513dbb46f6635c566662a79e8b5767b81694001d9a

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
27e85f44a6f4d602aa24038fda61a66f

SHA1
f712dd5a8457c4d61e3f704419b01b5048671c34

SHA256
6b7a428e91131990690eaa7cf10182bbe60da4e24a946872167d6aadd905c574

SHA512
53e9d21a59fe38cb8ecdedf3e1fc065d99fd55003b1f4eeda789c871e16cda70fadd787418d93e5d8f66d4513dbb46f6635c566662a79e8b5767b81694001d9a

Download Submit
C:\Windows\dev857C.tmp

Filesize
831KB

MD5
a1ac20a3ee76bed62a327706beea2f70

SHA1
188e1bcf4f27271eaefb1a8683c1cd6e4e700970

SHA256
4f218719f01dc26bd82372cb9cde5c0bd3faa0276e26e78b2d792cd1ef2ce6b3

SHA512
9bf8afd610257ba00d7a3303456ff8a30a979b8bbc23467d1c1d8d58a462b3da52ca4bfd0227b78df701b3c8c8f33c1eac3fac4ddf3ae1e09281ba19774fbc6d

Download Submit
memory/2184-14-0x0000000000540000-0x0000000000660000-memory.dmp

Filesize
1.1MB

Download
memory/2184-15-0x0000000000540000-0x0000000000660000-memory.dmp

Filesize
1.1MB

Download
memory/2316-22-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2316-9-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3120-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3120-8-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3344-23-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3820-20-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download