7b3e4ea690a06c18ed515cf1468f889fd291bec0f432eedb7e69c3389e0e5e6c

Analysis

max time kernel
152s
max time network
137s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
12/11/2023, 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.800a98e2232330956c4ad0492cfdc89a.exe
Size

464KB
MD5

800a98e2232330956c4ad0492cfdc89a
SHA1

7b9dd1c8695cf2be2f5e06d63e4c2f2d54f54478
SHA256

7b3e4ea690a06c18ed515cf1468f889fd291bec0f432eedb7e69c3389e0e5e6c
SHA512

fe5a46da4ee10232ecbeb76af6d5afa3189ad65071017acbb9d3e9b2b815a67442c1550fc79ecedc88e68ab355b682474afca77eff4d582f099649711d62a57f
SSDEEP

12288:pOlc87eqqV5e+wBV6O+A8o9pPyU9805ID2/vCf:pOSqqHeVBx19pVphSf

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1728	fltMutil.exe
2780	~AA72.tmp
2768	mcbueown.exe

Loads dropped DLL 3 IoCs

pid	Process
1736	NEAS.800a98e2232330956c4ad0492cfdc89a.exe
1736	NEAS.800a98e2232330956c4ad0492cfdc89a.exe
1728	fltMutil.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Run\mcbueown = "C:\\Users\\Admin\\AppData\\Roaming\\Searcont\\fltMutil.exe"	NEAS.800a98e2232330956c4ad0492cfdc89a.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mcbueown.exe	NEAS.800a98e2232330956c4ad0492cfdc89a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1728	fltMutil.exe
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE
1240	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1240	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1728	fltMutil.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 1728	1736	NEAS.800a98e2232330956c4ad0492cfdc89a.exe	30
PID 1736 wrote to memory of 1728	1736	NEAS.800a98e2232330956c4ad0492cfdc89a.exe	30
PID 1736 wrote to memory of 1728	1736	NEAS.800a98e2232330956c4ad0492cfdc89a.exe	30
PID 1736 wrote to memory of 1728	1736	NEAS.800a98e2232330956c4ad0492cfdc89a.exe	30
PID 1728 wrote to memory of 2780	1728	fltMutil.exe	28
PID 1728 wrote to memory of 2780	1728	fltMutil.exe	28
PID 1728 wrote to memory of 2780	1728	fltMutil.exe	28
PID 1728 wrote to memory of 2780	1728	fltMutil.exe	28
PID 2780 wrote to memory of 1240	2780	~AA72.tmp	10

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:1240
- C:\Users\Admin\AppData\Local\Temp\NEAS.800a98e2232330956c4ad0492cfdc89a.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.800a98e2232330956c4ad0492cfdc89a.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Users\Admin\AppData\Roaming\Searcont\fltMutil.exe
    "C:\Users\Admin\AppData\Roaming\Searcont"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1728

C:\Users\Admin\AppData\Local\Temp\~AA72.tmp
1240 475144 1728 1
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\SysWOW64\mcbueown.exe
C:\Windows\SysWOW64\mcbueown.exe -s
1⤵
- Executes dropped EXE
PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~AA72.tmp

Filesize
8KB

MD5
86dc243576cf5c7445451af37631eea9

SHA1
99a81c47c4c02f32c0ab456bfa23c306c7a09bf9

SHA256
25d2a671e1b5b5b95697ac0234ce4d46e0d0894919521b54aabebd9daecf994a

SHA512
c7310524f9b65f811146c1eb6ae944966351ac88a95fbc1ac422d8810730e5e212a7e28090ad758ea23c96ba38073e7fcf42460575e7f09dbc759a45c5d5a4a4

Download Submit
C:\Users\Admin\AppData\Roaming\Searcont\fltMutil.exe

Filesize
464KB

MD5
a60bf891044715883031120ea83df6f4

SHA1
ac142ac03eb89b4bbee9613ebc1bc6cc983397bc

SHA256
0499328cd527172bab854f13f6b31811b02e0944e9485c9d576a90518915aa41

SHA512
2d4c175851344adcbb16db92c3d2af29483003bc51db55338cbdd8e6ff181b4c8aa2ced63b233120d2675477877f7fdc9b63a50b473357efff34eeb126112743

Download Submit
C:\Users\Admin\AppData\Roaming\Searcont\fltMutil.exe

Filesize
464KB

MD5
a60bf891044715883031120ea83df6f4

SHA1
ac142ac03eb89b4bbee9613ebc1bc6cc983397bc

SHA256
0499328cd527172bab854f13f6b31811b02e0944e9485c9d576a90518915aa41

SHA512
2d4c175851344adcbb16db92c3d2af29483003bc51db55338cbdd8e6ff181b4c8aa2ced63b233120d2675477877f7fdc9b63a50b473357efff34eeb126112743

Download Submit
C:\Users\Admin\AppData\Roaming\Searcont\fltMutil.exe

Filesize
464KB

MD5
a60bf891044715883031120ea83df6f4

SHA1
ac142ac03eb89b4bbee9613ebc1bc6cc983397bc

SHA256
0499328cd527172bab854f13f6b31811b02e0944e9485c9d576a90518915aa41

SHA512
2d4c175851344adcbb16db92c3d2af29483003bc51db55338cbdd8e6ff181b4c8aa2ced63b233120d2675477877f7fdc9b63a50b473357efff34eeb126112743

Download Submit
C:\Windows\SysWOW64\mcbueown.exe

Filesize
464KB

MD5
a60bf891044715883031120ea83df6f4

SHA1
ac142ac03eb89b4bbee9613ebc1bc6cc983397bc

SHA256
0499328cd527172bab854f13f6b31811b02e0944e9485c9d576a90518915aa41

SHA512
2d4c175851344adcbb16db92c3d2af29483003bc51db55338cbdd8e6ff181b4c8aa2ced63b233120d2675477877f7fdc9b63a50b473357efff34eeb126112743

Download Submit
C:\Windows\SysWOW64\mcbueown.exe

Filesize
464KB

MD5
a60bf891044715883031120ea83df6f4

SHA1
ac142ac03eb89b4bbee9613ebc1bc6cc983397bc

SHA256
0499328cd527172bab854f13f6b31811b02e0944e9485c9d576a90518915aa41

SHA512
2d4c175851344adcbb16db92c3d2af29483003bc51db55338cbdd8e6ff181b4c8aa2ced63b233120d2675477877f7fdc9b63a50b473357efff34eeb126112743

Download Submit
\Users\Admin\AppData\Local\Temp\~AA72.tmp

Filesize
8KB

MD5
86dc243576cf5c7445451af37631eea9

SHA1
99a81c47c4c02f32c0ab456bfa23c306c7a09bf9

SHA256
25d2a671e1b5b5b95697ac0234ce4d46e0d0894919521b54aabebd9daecf994a

SHA512
c7310524f9b65f811146c1eb6ae944966351ac88a95fbc1ac422d8810730e5e212a7e28090ad758ea23c96ba38073e7fcf42460575e7f09dbc759a45c5d5a4a4

Download Submit
\Users\Admin\AppData\Roaming\Searcont\fltMutil.exe

Filesize
464KB

MD5
a60bf891044715883031120ea83df6f4

SHA1
ac142ac03eb89b4bbee9613ebc1bc6cc983397bc

SHA256
0499328cd527172bab854f13f6b31811b02e0944e9485c9d576a90518915aa41

SHA512
2d4c175851344adcbb16db92c3d2af29483003bc51db55338cbdd8e6ff181b4c8aa2ced63b233120d2675477877f7fdc9b63a50b473357efff34eeb126112743

Download Submit
\Users\Admin\AppData\Roaming\Searcont\fltMutil.exe

Filesize
464KB

MD5
a60bf891044715883031120ea83df6f4

SHA1
ac142ac03eb89b4bbee9613ebc1bc6cc983397bc

SHA256
0499328cd527172bab854f13f6b31811b02e0944e9485c9d576a90518915aa41

SHA512
2d4c175851344adcbb16db92c3d2af29483003bc51db55338cbdd8e6ff181b4c8aa2ced63b233120d2675477877f7fdc9b63a50b473357efff34eeb126112743

Download Submit
memory/1240-27-0x0000000002A00000-0x0000000002A06000-memory.dmp

Filesize
24KB

Download
memory/1240-22-0x0000000004460000-0x00000000044E4000-memory.dmp

Filesize
528KB

Download
memory/1240-28-0x0000000002A10000-0x0000000002A1D000-memory.dmp

Filesize
52KB

Download
memory/1240-23-0x0000000004460000-0x00000000044E4000-memory.dmp

Filesize
528KB

Download
memory/1240-21-0x0000000004460000-0x00000000044E4000-memory.dmp

Filesize
528KB

Download
memory/1728-16-0x00000000001D0000-0x00000000001D5000-memory.dmp

Filesize
20KB

Download
memory/1728-15-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1728-17-0x00000000004F0000-0x000000000056D000-memory.dmp

Filesize
500KB

Download
memory/1736-0-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1736-11-0x0000000000480000-0x00000000004FA000-memory.dmp

Filesize
488KB

Download
memory/1736-34-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1736-14-0x0000000000480000-0x00000000004FA000-memory.dmp

Filesize
488KB

Download
memory/1736-1-0x00000000002C0000-0x000000000033D000-memory.dmp

Filesize
500KB

Download
memory/2768-33-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download