d7a1ea2715823fc0b0e060d5d70d3452336ebd3cec732502c4751bc853acbeec

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
07/11/2023, 03:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.6d13441dbcc0eb39c8579143bf1b23e0.exe
Size

168KB
MD5

6d13441dbcc0eb39c8579143bf1b23e0
SHA1

e33af0fa2a43383e80ef9f273456ed6877263151
SHA256

d7a1ea2715823fc0b0e060d5d70d3452336ebd3cec732502c4751bc853acbeec
SHA512

7c8f6d262506d44b3f5d292db116a8ad84f9745092a1a35e47c0a84487f0e8ecfbab4961ff5bb180227e2dd458bbfe1d4b5dddec29efac423c28db84d541ddf3
SSDEEP

3072:4XTTASJKf2n5AxE2NpxOa2XdU2QF4s5XgIDFyHb8kHofL/09rG:4vASJKenie2xT2NU2OTFQb8Fb0I

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Run\IntelPowerAgent4 = "rundll32.exe shell32.dll, ShellExec_RunDLL C:\\PROGRA~3\\4820jb46.exe"	svchost.exe

Checks for any installed AV software in registry 1 TTPs 3 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Avira	svchost.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\AVAST Software\Avast	svchost.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Eset\Nod	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2944 set thread context of 3020	2944	NEAS.6d13441dbcc0eb39c8579143bf1b23e0.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 3020	2944	NEAS.6d13441dbcc0eb39c8579143bf1b23e0.exe	28
PID 2944 wrote to memory of 3020	2944	NEAS.6d13441dbcc0eb39c8579143bf1b23e0.exe	28
PID 2944 wrote to memory of 3020	2944	NEAS.6d13441dbcc0eb39c8579143bf1b23e0.exe	28
PID 2944 wrote to memory of 3020	2944	NEAS.6d13441dbcc0eb39c8579143bf1b23e0.exe	28
PID 2944 wrote to memory of 3020	2944	NEAS.6d13441dbcc0eb39c8579143bf1b23e0.exe	28
PID 2944 wrote to memory of 3020	2944	NEAS.6d13441dbcc0eb39c8579143bf1b23e0.exe	28
PID 2944 wrote to memory of 3020	2944	NEAS.6d13441dbcc0eb39c8579143bf1b23e0.exe	28
PID 2944 wrote to memory of 3020	2944	NEAS.6d13441dbcc0eb39c8579143bf1b23e0.exe	28
PID 2944 wrote to memory of 3020	2944	NEAS.6d13441dbcc0eb39c8579143bf1b23e0.exe	28
PID 2944 wrote to memory of 3020	2944	NEAS.6d13441dbcc0eb39c8579143bf1b23e0.exe	28
PID 2944 wrote to memory of 3020	2944	NEAS.6d13441dbcc0eb39c8579143bf1b23e0.exe	28
PID 2944 wrote to memory of 3020	2944	NEAS.6d13441dbcc0eb39c8579143bf1b23e0.exe	28
PID 2944 wrote to memory of 2728	2944	NEAS.6d13441dbcc0eb39c8579143bf1b23e0.exe	29
PID 2944 wrote to memory of 2728	2944	NEAS.6d13441dbcc0eb39c8579143bf1b23e0.exe	29
PID 2944 wrote to memory of 2728	2944	NEAS.6d13441dbcc0eb39c8579143bf1b23e0.exe	29
PID 2944 wrote to memory of 2728	2944	NEAS.6d13441dbcc0eb39c8579143bf1b23e0.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.6d13441dbcc0eb39c8579143bf1b23e0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.6d13441dbcc0eb39c8579143bf1b23e0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\SysWOW64\svchost.exe
  C:\ProgramData\4820jb46.exe
  2⤵
  - Adds Run key to start application
  - Checks for any installed AV software in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:3020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\ProgramData\gsmC2A8.tmp.bat" "C:\Users\Admin\AppData\Local\Temp\NEAS.6d13441dbcc0eb39c8579143bf1b23e0.exe""
  2⤵
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\gsmC2A8.tmp.bat

Filesize
37B

MD5
61672ea3e7b43c4b02af6e1a227f0ef4

SHA1
e3e6c5e5c88a304514d16129f70593e86be5e060

SHA256
b5c6003ec6090b508bcfd2bfaa422fc41895ad6f17318f559e1a8cf7b7eba656

SHA512
296561ab5a38a6f90f226a090410a8a0700e577d6c7b0acb77fddbc21f0db3e1a34179dbbcf20e26e74087f22ed02116add098f45a249b0529ebad60bd0c4666

Download Submit
C:\ProgramData\gsmC2A8.tmp.bat

Filesize
37B

MD5
61672ea3e7b43c4b02af6e1a227f0ef4

SHA1
e3e6c5e5c88a304514d16129f70593e86be5e060

SHA256
b5c6003ec6090b508bcfd2bfaa422fc41895ad6f17318f559e1a8cf7b7eba656

SHA512
296561ab5a38a6f90f226a090410a8a0700e577d6c7b0acb77fddbc21f0db3e1a34179dbbcf20e26e74087f22ed02116add098f45a249b0529ebad60bd0c4666

Download Submit
memory/3020-310-0x00000000006B0000-0x00000000007B0000-memory.dmp

Filesize
1024KB

Download
memory/3020-4-0x0000000000220000-0x0000000000296000-memory.dmp

Filesize
472KB

Download
memory/3020-5-0x0000000000220000-0x0000000000296000-memory.dmp

Filesize
472KB

Download
memory/3020-6-0x0000000000220000-0x0000000000296000-memory.dmp

Filesize
472KB

Download
memory/3020-7-0x0000000000220000-0x0000000000296000-memory.dmp

Filesize
472KB

Download
memory/3020-8-0x0000000000220000-0x0000000000296000-memory.dmp

Filesize
472KB

Download
memory/3020-9-0x0000000000220000-0x0000000000296000-memory.dmp

Filesize
472KB

Download
memory/3020-10-0x0000000000220000-0x0000000000296000-memory.dmp

Filesize
472KB

Download
memory/3020-3-0x0000000000220000-0x0000000000296000-memory.dmp

Filesize
472KB

Download
memory/3020-2-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/3020-302-0x0000000000220000-0x0000000000296000-memory.dmp

Filesize
472KB

Download
memory/3020-305-0x00000000006B0000-0x00000000007B0000-memory.dmp

Filesize
1024KB

Download
memory/3020-307-0x00000000006B0000-0x00000000007B0000-memory.dmp

Filesize
1024KB

Download
memory/3020-304-0x0000000000220000-0x0000000000296000-memory.dmp

Filesize
472KB

Download
memory/3020-303-0x00000000006B0000-0x00000000007B0000-memory.dmp

Filesize
1024KB

Download
memory/3020-309-0x00000000006B0000-0x00000000007B0000-memory.dmp

Filesize
1024KB

Download
memory/3020-311-0x00000000006B0000-0x00000000007B0000-memory.dmp

Filesize
1024KB

Download
memory/3020-1-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/3020-326-0x00000000006B0000-0x00000000007B0000-memory.dmp

Filesize
1024KB

Download
memory/3020-313-0x00000000006B0000-0x00000000007B0000-memory.dmp

Filesize
1024KB

Download
memory/3020-314-0x0000000000220000-0x0000000000296000-memory.dmp

Filesize
472KB

Download
memory/3020-315-0x0000000000220000-0x0000000000296000-memory.dmp

Filesize
472KB

Download
memory/3020-316-0x0000000000220000-0x0000000000296000-memory.dmp

Filesize
472KB

Download
memory/3020-318-0x00000000006B0000-0x00000000007B0000-memory.dmp

Filesize
1024KB

Download
memory/3020-319-0x0000000000220000-0x0000000000296000-memory.dmp

Filesize
472KB

Download
memory/3020-321-0x00000000000A0000-0x00000000000B0000-memory.dmp

Filesize
64KB

Download
memory/3020-322-0x0000000000220000-0x0000000000296000-memory.dmp

Filesize
472KB

Download
memory/3020-323-0x0000000000220000-0x0000000000296000-memory.dmp

Filesize
472KB

Download
memory/3020-312-0x00000000006B0000-0x00000000007B0000-memory.dmp

Filesize
1024KB

Download
memory/3020-327-0x0000000000220000-0x0000000000296000-memory.dmp

Filesize
472KB

Download
memory/3020-333-0x00000000006B0000-0x00000000007B0000-memory.dmp

Filesize
1024KB

Download
memory/3020-334-0x00000000006B0000-0x00000000007B0000-memory.dmp

Filesize
1024KB

Download
memory/3020-335-0x00000000006B0000-0x00000000007B0000-memory.dmp

Filesize
1024KB

Download
memory/3020-336-0x00000000006B0000-0x00000000007B0000-memory.dmp

Filesize
1024KB

Download
memory/3020-337-0x00000000006B0000-0x00000000007B0000-memory.dmp

Filesize
1024KB

Download
memory/3020-338-0x00000000006B0000-0x00000000007B0000-memory.dmp

Filesize
1024KB

Download