73ae2de93514a15d4f902fdac740c8ea6f29acf7fb459dc7523d471e2ef0e7fa

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
11/11/2023, 04:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.cc4f5fd89260bebc79f7a3a47585d6d0.exe
Size

161KB
MD5

cc4f5fd89260bebc79f7a3a47585d6d0
SHA1

336289221e72c929af0428c1d956319c9ce025a5
SHA256

73ae2de93514a15d4f902fdac740c8ea6f29acf7fb459dc7523d471e2ef0e7fa
SHA512

f56524577d515b255da184f945cc1877a41b442d15a51dfca89ed9e30e98f813e774fb776118bb9cb54637c4e8743f34406c649d49da7ab50151c668843b7ff5
SSDEEP

3072:51oVtum4WHvjVGr8kgB9s8p+uRcKVHM0lma3UroAew5ak23n2MgN8Dljl:5mtmCjkU9Wu6uFYwsegak22TQlh

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
1900	suvkbwn.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\suvkbwn.exe	NEAS.cc4f5fd89260bebc79f7a3a47585d6d0.exe
File created	C:\PROGRA~3\Mozilla\wfwcssm.dll	suvkbwn.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2076	NEAS.cc4f5fd89260bebc79f7a3a47585d6d0.exe
1900	suvkbwn.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 1900	2332	taskeng.exe	29
PID 2332 wrote to memory of 1900	2332	taskeng.exe	29
PID 2332 wrote to memory of 1900	2332	taskeng.exe	29
PID 2332 wrote to memory of 1900	2332	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.cc4f5fd89260bebc79f7a3a47585d6d0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.cc4f5fd89260bebc79f7a3a47585d6d0.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:2076

C:\Windows\system32\taskeng.exe
taskeng.exe {1EAC746F-3A38-486E-BADF-E3E2919F3C80} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2332
- C:\PROGRA~3\Mozilla\suvkbwn.exe
  C:\PROGRA~3\Mozilla\suvkbwn.exe -tlhykym
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\suvkbwn.exe

Filesize
161KB

MD5
0b95cd066b38efe5d9f730bff2b0f161

SHA1
c32d48d0d0b69512284394f24eaf97551fd0e53b

SHA256
4a3ae085356a0703a525b055a693466ce38de11df397ebdfeb698885c1c4e066

SHA512
7003b695697a9943c0ecc9035ff54ea9ca6bda50f79fb08efe1e42e55a224c438244e133f4684531ae42c7b7f4ae567c5612d6b5fb1bb8c8d6c716c2f91f7b3f

Download Submit
C:\PROGRA~3\Mozilla\suvkbwn.exe

Filesize
161KB

MD5
0b95cd066b38efe5d9f730bff2b0f161

SHA1
c32d48d0d0b69512284394f24eaf97551fd0e53b

SHA256
4a3ae085356a0703a525b055a693466ce38de11df397ebdfeb698885c1c4e066

SHA512
7003b695697a9943c0ecc9035ff54ea9ca6bda50f79fb08efe1e42e55a224c438244e133f4684531ae42c7b7f4ae567c5612d6b5fb1bb8c8d6c716c2f91f7b3f

Download Submit
memory/1900-8-0x0000000000850000-0x0000000000871000-memory.dmp

Filesize
132KB

Download
memory/1900-10-0x0000000000880000-0x00000000008DB000-memory.dmp

Filesize
364KB

Download
memory/1900-11-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1900-13-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1900-14-0x0000000000850000-0x0000000000871000-memory.dmp

Filesize
132KB

Download
memory/2076-0-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2076-1-0x0000000000230000-0x0000000000252000-memory.dmp

Filesize
136KB

Download
memory/2076-2-0x00000000002A0000-0x00000000002FB000-memory.dmp

Filesize
364KB

Download
memory/2076-3-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2076-5-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download