98ac27468af8ff0aa870322c5e597d289cbf19e77a17654e7f2e33507c68d314

Analysis

max time kernel
146s
max time network
155s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
07/11/2023, 19:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.f41612bde57866ad2df3741db9b1ed80.exe
Size

126KB
MD5

f41612bde57866ad2df3741db9b1ed80
SHA1

3a22dec5443c4ef4e8d68adbc11713821ed57422
SHA256

98ac27468af8ff0aa870322c5e597d289cbf19e77a17654e7f2e33507c68d314
SHA512

de8f90fca76b35fd3f54ba17f395493d6144491b30eba287a279d4aa733f6bbb10e85291d248c350af6f43ffbe05761f028b911e7bc7f39b9e9ce962adbb4feb
SSDEEP

3072:5COqnKQybPLlGRqXcryRwAF0r+A/nZZaEDgF:5s5ybPL6mcrymK0SEZZXgF

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
2664	pwhehon.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\pwhehon.exe	NEAS.f41612bde57866ad2df3741db9b1ed80.exe
File created	C:\PROGRA~3\Mozilla\mudzpnf.dll	pwhehon.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 2664	2796	taskeng.exe	28
PID 2796 wrote to memory of 2664	2796	taskeng.exe	28
PID 2796 wrote to memory of 2664	2796	taskeng.exe	28
PID 2796 wrote to memory of 2664	2796	taskeng.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.f41612bde57866ad2df3741db9b1ed80.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.f41612bde57866ad2df3741db9b1ed80.exe"
1⤵
- Drops file in Program Files directory
PID:2652

C:\Windows\system32\taskeng.exe
taskeng.exe {D8764335-CC12-4DC8-865B-8F604419C157} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2796
- C:\PROGRA~3\Mozilla\pwhehon.exe
  C:\PROGRA~3\Mozilla\pwhehon.exe -arzwbsb
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\pwhehon.exe

Filesize
126KB

MD5
7a5a6c2de06d7eba56beee02d37f259f

SHA1
d7e9f30307cdb1c1a6ebd927c04953e75b23c216

SHA256
4ccf982c049290936a3e2b6fc550083ed6071cfb6145fd402279898141d54b22

SHA512
6822ae3cf68c776a07685f91d5c6b5f7f3b814b52d8778b3f42d571c2987622286fad6095975ed5f001873f1db6fbaff7c175e3a9115c5f227da31a3462ca864

Download Submit
C:\PROGRA~3\Mozilla\pwhehon.exe

Filesize
126KB

MD5
7a5a6c2de06d7eba56beee02d37f259f

SHA1
d7e9f30307cdb1c1a6ebd927c04953e75b23c216

SHA256
4ccf982c049290936a3e2b6fc550083ed6071cfb6145fd402279898141d54b22

SHA512
6822ae3cf68c776a07685f91d5c6b5f7f3b814b52d8778b3f42d571c2987622286fad6095975ed5f001873f1db6fbaff7c175e3a9115c5f227da31a3462ca864

Download Submit
memory/2652-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2652-1-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2652-2-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2652-3-0x0000000000540000-0x000000000059B000-memory.dmp

Filesize
364KB

Download
memory/2652-8-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2664-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2664-17-0x0000000000930000-0x000000000098B000-memory.dmp

Filesize
364KB

Download
memory/2664-23-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download