d9dc996506d136d5f4d6fb4d31cfdceb00c126630a6f98af92785b1fae3a4d64

Analysis

max time kernel
148s
max time network
152s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
07/11/2023, 16:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.bdcfb446f7aba2144d2172cf22815750.exe
Size

151KB
MD5

bdcfb446f7aba2144d2172cf22815750
SHA1

9116781ddff8bbd8dc97945371850999147884ec
SHA256

d9dc996506d136d5f4d6fb4d31cfdceb00c126630a6f98af92785b1fae3a4d64
SHA512

46faa3d9cd84b52ad235bb7a37390dd7b77514bd0026e4f378fa7c35b14b01b8974b670b6867679d99e638765e709d6eaf15fc513b5b6e1a7a751fe8fadc9480
SSDEEP

3072:oQzrhhx9yuk/4CrNuXsNTTBm5D5LMXqNv:o6fPyH7Nu8BT4lMXqB

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
2608	pwhehon.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\pwhehon.exe	NEAS.bdcfb446f7aba2144d2172cf22815750.exe
File created	C:\PROGRA~3\Mozilla\mudzpnf.dll	pwhehon.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2608	2060	taskeng.exe	30
PID 2060 wrote to memory of 2608	2060	taskeng.exe	30
PID 2060 wrote to memory of 2608	2060	taskeng.exe	30
PID 2060 wrote to memory of 2608	2060	taskeng.exe	30

C:\Users\Admin\AppData\Local\Temp\NEAS.bdcfb446f7aba2144d2172cf22815750.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.bdcfb446f7aba2144d2172cf22815750.exe"
1⤵
- Drops file in Program Files directory
PID:2652

C:\Windows\system32\taskeng.exe
taskeng.exe {74744E66-AB3B-48B5-9A00-E32DE53ADF9C} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2060
- C:\PROGRA~3\Mozilla\pwhehon.exe
  C:\PROGRA~3\Mozilla\pwhehon.exe -arzwbsb
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\pwhehon.exe

Filesize
151KB

MD5
08f21a6f3c72d12b22db50e8c3147d22

SHA1
ef75bff04a658f984c431c368f2b34a914fdc153

SHA256
df203090d0a5eb795734bb6a8e27a2fbb2b046c2c7fb61661af486e483ef2022

SHA512
141525d9fc7525523671ae40980a1c070760934a4990cddef6b218a7cd1bab13fe3c3fbab8b68fa83ca714055d946b5dc6919fa31fc83a62472b4109e0bab241

Download Submit
C:\PROGRA~3\Mozilla\pwhehon.exe

Filesize
151KB

MD5
08f21a6f3c72d12b22db50e8c3147d22

SHA1
ef75bff04a658f984c431c368f2b34a914fdc153

SHA256
df203090d0a5eb795734bb6a8e27a2fbb2b046c2c7fb61661af486e483ef2022

SHA512
141525d9fc7525523671ae40980a1c070760934a4990cddef6b218a7cd1bab13fe3c3fbab8b68fa83ca714055d946b5dc6919fa31fc83a62472b4109e0bab241

Download Submit
memory/2608-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2608-11-0x0000000000230000-0x000000000028B000-memory.dmp

Filesize
364KB

Download
memory/2608-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2652-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2652-1-0x0000000000220000-0x000000000027B000-memory.dmp

Filesize
364KB

Download
memory/2652-7-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download