e44dd47252086fa6bf3c9469c7e5dd7491511054f428d9e3eccadfef067ad335

General

Target

NEAS.616f36c63491a35fc4d8d942dafd80f3.exe
Size

2.1MB
MD5

616f36c63491a35fc4d8d942dafd80f3
SHA1

99297c54e5e32346da38f59375ae3ad9e636ec4c
SHA256

e44dd47252086fa6bf3c9469c7e5dd7491511054f428d9e3eccadfef067ad335
SHA512

9447a08281f4d50dde117aceef750b5f45e896beafc87a7dc04cacb95e9fb34f6c471c3e1f2cafb1c31e1a4391dd35c9af172764f0b9f2d3e13ef628541d6660
SSDEEP

49152:MtX8cS4neHbyfYTOYKPu/gEjiEO5ItDqLnHFLHkJEU:MttS4neHvZjiEO5IhCDQ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1196	MSWDM.EXE
2448	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	NEAS.616f36c63491a35fc4d8d942dafd80f3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	NEAS.616f36c63491a35fc4d8d942dafd80f3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	NEAS.616f36c63491a35fc4d8d942dafd80f3.exe
File opened for modification	C:\Windows\dev9F3D.tmp	NEAS.616f36c63491a35fc4d8d942dafd80f3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2448	MSWDM.EXE
2448	MSWDM.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3628 wrote to memory of 1196	3628	NEAS.616f36c63491a35fc4d8d942dafd80f3.exe	26
PID 3628 wrote to memory of 1196	3628	NEAS.616f36c63491a35fc4d8d942dafd80f3.exe	26
PID 3628 wrote to memory of 1196	3628	NEAS.616f36c63491a35fc4d8d942dafd80f3.exe	26
PID 3628 wrote to memory of 2448	3628	NEAS.616f36c63491a35fc4d8d942dafd80f3.exe	25
PID 3628 wrote to memory of 2448	3628	NEAS.616f36c63491a35fc4d8d942dafd80f3.exe	25
PID 3628 wrote to memory of 2448	3628	NEAS.616f36c63491a35fc4d8d942dafd80f3.exe	25

C:\Users\Admin\AppData\Local\Temp\NEAS.616f36c63491a35fc4d8d942dafd80f3.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.616f36c63491a35fc4d8d942dafd80f3.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3628
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev9F3D.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.616f36c63491a35fc4d8d942dafd80f3.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2448
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1196

C:\Users\Admin\AppData\Local\Temp\NEAS.616F36C63491A35FC4D8D942DAFD80F3.EXE
1⤵
PID:2624

C:\WINDOWS\MSWDM.EXE
-e!C:\Windows\dev9F3D.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.616F36C63491A35FC4D8D942DAFD80F3.EXE!
1⤵
PID:5008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.616F36C63491A35FC4D8D942DAFD80F3.EXE

Filesize
1.4MB

MD5
47cbf1643d43b66d1b66a4c133105a4b

SHA1
74165bbd9e58273ef28e281234ef236fc3ca78b0

SHA256
bc47895ab27acc5ea1a846dd49dda7977b27ba2bc15e096053767747a84519f2

SHA512
c574f4a186779278361cc81e1e6297091883015d80ce3971f927559b54d3c6a3e730490b11f42fed48882076709918ac2519464e22bc68cc41c09dbddec2d2b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.616F36C63491A35FC4D8D942DAFD80F3.EXE

Filesize
1.9MB

MD5
56da5ff6aad79ad416fc676a03290988

SHA1
bff67b21dde145bb5e63fd3a9184def2b434fccc

SHA256
ee7d89137e39c0448452062a94a59410ad66bf5725c4d4d86e94a189b17d081e

SHA512
191a7cc74877f2afd9010bfb1a6e0b286c15d5e3e4b56595ffe0231c4d6a9a1afea83dad2feceea91f1eaf0062ba043561228888f5097089c858e062a5a72c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.616f36c63491a35fc4d8d942dafd80f3.exe

Filesize
1.6MB

MD5
b60d891d830644dd6100aa7dd2cb8eed

SHA1
3e4eb04a003b120d3984198df31eef192458a1e6

SHA256
935889b1502b2f443749dac5ec882261f80875e235c1b4bb77bd6d920a99188f

SHA512
c2c176e3382e60c84c6f33c8d1e1ed75ba6aede48ca8c07e11f275aebb03c9619939e757a7c68d5cc93e70cd52d9c4efff4b14f42bdc176adf518793451c8205

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
1.4MB

MD5
47cbf1643d43b66d1b66a4c133105a4b

SHA1
74165bbd9e58273ef28e281234ef236fc3ca78b0

SHA256
bc47895ab27acc5ea1a846dd49dda7977b27ba2bc15e096053767747a84519f2

SHA512
c574f4a186779278361cc81e1e6297091883015d80ce3971f927559b54d3c6a3e730490b11f42fed48882076709918ac2519464e22bc68cc41c09dbddec2d2b7

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.4MB

MD5
47cbf1643d43b66d1b66a4c133105a4b

SHA1
74165bbd9e58273ef28e281234ef236fc3ca78b0

SHA256
bc47895ab27acc5ea1a846dd49dda7977b27ba2bc15e096053767747a84519f2

SHA512
c574f4a186779278361cc81e1e6297091883015d80ce3971f927559b54d3c6a3e730490b11f42fed48882076709918ac2519464e22bc68cc41c09dbddec2d2b7

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.4MB

MD5
47cbf1643d43b66d1b66a4c133105a4b

SHA1
74165bbd9e58273ef28e281234ef236fc3ca78b0

SHA256
bc47895ab27acc5ea1a846dd49dda7977b27ba2bc15e096053767747a84519f2

SHA512
c574f4a186779278361cc81e1e6297091883015d80ce3971f927559b54d3c6a3e730490b11f42fed48882076709918ac2519464e22bc68cc41c09dbddec2d2b7

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.4MB

MD5
47cbf1643d43b66d1b66a4c133105a4b

SHA1
74165bbd9e58273ef28e281234ef236fc3ca78b0

SHA256
bc47895ab27acc5ea1a846dd49dda7977b27ba2bc15e096053767747a84519f2

SHA512
c574f4a186779278361cc81e1e6297091883015d80ce3971f927559b54d3c6a3e730490b11f42fed48882076709918ac2519464e22bc68cc41c09dbddec2d2b7

Download Submit
C:\Windows\dev9F3D.tmp

Filesize
424KB

MD5
29e177c7bb7343f365f12ad9a8af4c48

SHA1
116569c0e97853f01a2bd1c2c8b5a9c0c8e1c6b3

SHA256
197fc8bbd50333cde901ca625937407b6c11a393d019dfe56fcee17719f1053c

SHA512
635777358e113ca2abcd2a301d50cb8dacfd48d1055dee6060fe2b38b3106e172ce828169385762936a23782ee6d5e6b10b607183576de4dbea1e3c20ec802f3

Download Submit
memory/2448-7-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2448-19-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3628-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3628-9-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5008-16-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads