5847e8b9aaa0a724dd1a1bc37efcb0eb2172c98bf193422a5dee9facf4f0de13

Analysis

max time kernel
276s
max time network
320s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
07/11/2023, 18:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.4827258c4c294249aa1805980ddf63a0.exe
Size

154KB
MD5

4827258c4c294249aa1805980ddf63a0
SHA1

f832263ad3b6f311a2d56f9afa9fcf7a0e868126
SHA256

5847e8b9aaa0a724dd1a1bc37efcb0eb2172c98bf193422a5dee9facf4f0de13
SHA512

8d6b7b83130caf64bf20ebc59543769936a2a07b8a4ed1ac5a2784569e79958e5590dbabd681c8f165c29d69a3d8fede94e1bedf42161161f5ba8646d50d4543
SSDEEP

3072:oDBH9p/3K+AEkzgXrGqJM4qd3bGjhkqsXb:29pTAEkz6rGq4Bbq2b

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
2536	pwhehon.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\pwhehon.exe	NEAS.4827258c4c294249aa1805980ddf63a0.exe
File created	C:\PROGRA~3\Mozilla\mudzpnf.dll	pwhehon.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 2536	2680	taskeng.exe	29
PID 2680 wrote to memory of 2536	2680	taskeng.exe	29
PID 2680 wrote to memory of 2536	2680	taskeng.exe	29
PID 2680 wrote to memory of 2536	2680	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.4827258c4c294249aa1805980ddf63a0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.4827258c4c294249aa1805980ddf63a0.exe"
1⤵
- Drops file in Program Files directory
PID:2528

C:\Windows\system32\taskeng.exe
taskeng.exe {66777AD2-ECAB-42D9-A75A-3372A57A3CB0} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2680
- C:\PROGRA~3\Mozilla\pwhehon.exe
  C:\PROGRA~3\Mozilla\pwhehon.exe -arzwbsb
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\pwhehon.exe

Filesize
154KB

MD5
19b66d84bee6e89d935cae0b3695632c

SHA1
198512fb9b834c78d04d0b4436d5f8c11458dc62

SHA256
fcb4c36b405c5451008fa6794cec1ff39f05de7864efa9bab9ac80b79ed2a97d

SHA512
001304ec37fcb73c65e4c3dd40837ebbf1d0ab19e70f33ed3c1d924f7bb2d9ef25bae8354624faed4f350553a367599e0de7fa748a84fe68b08fd50df3c240f4

Download Submit
C:\PROGRA~3\Mozilla\pwhehon.exe

Filesize
154KB

MD5
19b66d84bee6e89d935cae0b3695632c

SHA1
198512fb9b834c78d04d0b4436d5f8c11458dc62

SHA256
fcb4c36b405c5451008fa6794cec1ff39f05de7864efa9bab9ac80b79ed2a97d

SHA512
001304ec37fcb73c65e4c3dd40837ebbf1d0ab19e70f33ed3c1d924f7bb2d9ef25bae8354624faed4f350553a367599e0de7fa748a84fe68b08fd50df3c240f4

Download Submit
memory/2528-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2528-1-0x00000000004A0000-0x00000000004FB000-memory.dmp

Filesize
364KB

Download
memory/2528-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2536-10-0x0000000000360000-0x00000000003BB000-memory.dmp

Filesize
364KB

Download
memory/2536-16-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download