12084165efaaa4cc8adbe0a3df5d4507e2a867e5b0c6bab90235177cb8488e0b

Analysis

max time kernel
27s
max time network
138s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
12-11-2023 17:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.46f957ef951ea52097879150f4fa950b.exe
Size

1.4MB
MD5

46f957ef951ea52097879150f4fa950b
SHA1

c0e721bcbe08cdc897e42a1ba1616fa4cbe32599
SHA256

12084165efaaa4cc8adbe0a3df5d4507e2a867e5b0c6bab90235177cb8488e0b
SHA512

04050340b69bda82d5aff63a7e3866696577d86d82603443fe38ee521407b56d08b3f473df5a42e83ab77ad4479dcd2bba75682a640842a2dfc458ef671e5df1
SSDEEP

24576:M51xfWcS9in6bxcqbF8fYTOYKR5jcAkSYqyEt:MtfWcS4neHbyfYTOYK3pYqN

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1708	MSWDM.EXE
2088	MSWDM.EXE
2604	NEAS.46F957EF951EA52097879150F4FA950B.EXE
2728	MSWDM.EXE

Loads dropped DLL 2 IoCs

pid	Process
1708	MSWDM.EXE
2644	Process not Found

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	NEAS.46f957ef951ea52097879150f4fa950b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	NEAS.46f957ef951ea52097879150f4fa950b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	NEAS.46f957ef951ea52097879150f4fa950b.exe
File opened for modification	C:\Windows\devB1B3.tmp	NEAS.46f957ef951ea52097879150f4fa950b.exe
File opened for modification	C:\Windows\devB1B3.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1708	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 2088	2992	NEAS.46f957ef951ea52097879150f4fa950b.exe	27
PID 2992 wrote to memory of 2088	2992	NEAS.46f957ef951ea52097879150f4fa950b.exe	27
PID 2992 wrote to memory of 2088	2992	NEAS.46f957ef951ea52097879150f4fa950b.exe	27
PID 2992 wrote to memory of 2088	2992	NEAS.46f957ef951ea52097879150f4fa950b.exe	27
PID 2992 wrote to memory of 1708	2992	NEAS.46f957ef951ea52097879150f4fa950b.exe	28
PID 2992 wrote to memory of 1708	2992	NEAS.46f957ef951ea52097879150f4fa950b.exe	28
PID 2992 wrote to memory of 1708	2992	NEAS.46f957ef951ea52097879150f4fa950b.exe	28
PID 2992 wrote to memory of 1708	2992	NEAS.46f957ef951ea52097879150f4fa950b.exe	28
PID 1708 wrote to memory of 2604	1708	MSWDM.EXE	29
PID 1708 wrote to memory of 2604	1708	MSWDM.EXE	29
PID 1708 wrote to memory of 2604	1708	MSWDM.EXE	29
PID 1708 wrote to memory of 2604	1708	MSWDM.EXE	29
PID 1708 wrote to memory of 2728	1708	MSWDM.EXE	31
PID 1708 wrote to memory of 2728	1708	MSWDM.EXE	31
PID 1708 wrote to memory of 2728	1708	MSWDM.EXE	31
PID 1708 wrote to memory of 2728	1708	MSWDM.EXE	31

C:\Users\Admin\AppData\Local\Temp\NEAS.46f957ef951ea52097879150f4fa950b.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.46f957ef951ea52097879150f4fa950b.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2992
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2088
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\devB1B3.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.46f957ef951ea52097879150f4fa950b.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Users\Admin\AppData\Local\Temp\NEAS.46F957EF951EA52097879150F4FA950B.EXE
    3⤵
    - Executes dropped EXE
    PID:2604
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\devB1B3.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.46F957EF951EA52097879150F4FA950B.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.46F957EF951EA52097879150F4FA950B.EXE

Filesize
1.4MB

MD5
78c13c19aaeac745a42e9aaeaecff955

SHA1
d9192da662955461c31da202f1a3bd4a1e6d6876

SHA256
63d2db90e9d8cf9fef1203794371e4f8a56426c3b659a9a984c7f9d51af403ea

SHA512
90013de26aaa7af5a406e12d5617ac63ac28e6499a85dcabf28ec5f78d0b7e968680a92e38abb09853b4f3c27488456b5d655f79bbff6112d2fd03aa82a62a30

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.46F957EF951EA52097879150F4FA950B.EXE

Filesize
1.4MB

MD5
78c13c19aaeac745a42e9aaeaecff955

SHA1
d9192da662955461c31da202f1a3bd4a1e6d6876

SHA256
63d2db90e9d8cf9fef1203794371e4f8a56426c3b659a9a984c7f9d51af403ea

SHA512
90013de26aaa7af5a406e12d5617ac63ac28e6499a85dcabf28ec5f78d0b7e968680a92e38abb09853b4f3c27488456b5d655f79bbff6112d2fd03aa82a62a30

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.46f957ef951ea52097879150f4fa950b.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
960KB

MD5
116e84e7bc1fa0b81641be9ac5cbd0b0

SHA1
6b5eb4bbc1c663214f64b0fe0301d27173771016

SHA256
3138bc3c9e14f39c6580606236d9d4887a5d05f275e9792101d57398e429f698

SHA512
1a17bf5b4ac566c0c0918b3c3488084aca87091b4e9584428634133bfd73288d5d7d78de027ef774e3811130a013655df1411c43ce98d1dcea27be04b224e1b7

Download Submit
C:\Windows\MSWDM.EXE

Filesize
960KB

MD5
116e84e7bc1fa0b81641be9ac5cbd0b0

SHA1
6b5eb4bbc1c663214f64b0fe0301d27173771016

SHA256
3138bc3c9e14f39c6580606236d9d4887a5d05f275e9792101d57398e429f698

SHA512
1a17bf5b4ac566c0c0918b3c3488084aca87091b4e9584428634133bfd73288d5d7d78de027ef774e3811130a013655df1411c43ce98d1dcea27be04b224e1b7

Download Submit
C:\Windows\MSWDM.EXE

Filesize
960KB

MD5
116e84e7bc1fa0b81641be9ac5cbd0b0

SHA1
6b5eb4bbc1c663214f64b0fe0301d27173771016

SHA256
3138bc3c9e14f39c6580606236d9d4887a5d05f275e9792101d57398e429f698

SHA512
1a17bf5b4ac566c0c0918b3c3488084aca87091b4e9584428634133bfd73288d5d7d78de027ef774e3811130a013655df1411c43ce98d1dcea27be04b224e1b7

Download Submit
C:\Windows\MSWDM.EXE

Filesize
960KB

MD5
116e84e7bc1fa0b81641be9ac5cbd0b0

SHA1
6b5eb4bbc1c663214f64b0fe0301d27173771016

SHA256
3138bc3c9e14f39c6580606236d9d4887a5d05f275e9792101d57398e429f698

SHA512
1a17bf5b4ac566c0c0918b3c3488084aca87091b4e9584428634133bfd73288d5d7d78de027ef774e3811130a013655df1411c43ce98d1dcea27be04b224e1b7

Download Submit
C:\Windows\MSWDM.EXE

Filesize
960KB

MD5
116e84e7bc1fa0b81641be9ac5cbd0b0

SHA1
6b5eb4bbc1c663214f64b0fe0301d27173771016

SHA256
3138bc3c9e14f39c6580606236d9d4887a5d05f275e9792101d57398e429f698

SHA512
1a17bf5b4ac566c0c0918b3c3488084aca87091b4e9584428634133bfd73288d5d7d78de027ef774e3811130a013655df1411c43ce98d1dcea27be04b224e1b7

Download Submit
C:\Windows\devB1B3.tmp

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.46f957ef951ea52097879150f4fa950b.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.46f957ef951ea52097879150f4fa950b.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
memory/1708-16-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1708-30-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2088-17-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2728-28-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2992-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2992-11-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2992-12-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download