fb97ce44cea92bdd8c61da3d357399143205f8ef64197bc0d3d9f316366e9dbe

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
15/11/2023, 06:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.bdf0cfc7be3ee8deb029202ee225cec0.exe
Size

159KB
MD5

bdf0cfc7be3ee8deb029202ee225cec0
SHA1

d8ef3c4d68b38a9736ff8ac6ccdfbeb5674b7937
SHA256

fb97ce44cea92bdd8c61da3d357399143205f8ef64197bc0d3d9f316366e9dbe
SHA512

dcea6af5fad83eee9cebec0eb3464092c09dd9cb196c94eb4509de9cc6e038474e45ffd49a83ac6244ae1140dbdfbf04dddddc87f8a47e6e0020ba76daf0a20c
SSDEEP

3072:Qr6wY2Igs7T2G7Sj8GomX5VltS2gS1l8BhhGxbek1hAnwbGEUPIWmHbNh4qeAy:QraM8GomJVl82gglkGxb1taPIrHJh4qe

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
2776	dhuqaed.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\dhuqaed.exe	NEAS.bdf0cfc7be3ee8deb029202ee225cec0.exe
File created	C:\PROGRA~3\Mozilla\fjgblbm.dll	dhuqaed.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2776	2264	taskeng.exe	29
PID 2264 wrote to memory of 2776	2264	taskeng.exe	29
PID 2264 wrote to memory of 2776	2264	taskeng.exe	29
PID 2264 wrote to memory of 2776	2264	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.bdf0cfc7be3ee8deb029202ee225cec0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.bdf0cfc7be3ee8deb029202ee225cec0.exe"
1⤵
- Drops file in Program Files directory
PID:1716

C:\Windows\system32\taskeng.exe
taskeng.exe {DC0733A2-87D8-431F-8958-655F7B00B5C9} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2264
- C:\PROGRA~3\Mozilla\dhuqaed.exe
  C:\PROGRA~3\Mozilla\dhuqaed.exe -vpwggce
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\dhuqaed.exe

Filesize
159KB

MD5
79b307ff98db31f205eda9d973ca8af6

SHA1
207933f706faa27ffa8b7ee23673e3300f97eecf

SHA256
4091b6c766e642e1c0684e76b5e1178c95c17e5443629b5bd0778c5fdf69fcbf

SHA512
25c063254d4fb70cf78c516ba0ec3dc8d4ddf134c16b7b2d6793f74de39c75121d7efeaa6671e3eb0386701cf31be4cb3c68d6dd275890bf3ef859166d2cb958

Download Submit
C:\PROGRA~3\Mozilla\dhuqaed.exe

Filesize
159KB

MD5
79b307ff98db31f205eda9d973ca8af6

SHA1
207933f706faa27ffa8b7ee23673e3300f97eecf

SHA256
4091b6c766e642e1c0684e76b5e1178c95c17e5443629b5bd0778c5fdf69fcbf

SHA512
25c063254d4fb70cf78c516ba0ec3dc8d4ddf134c16b7b2d6793f74de39c75121d7efeaa6671e3eb0386701cf31be4cb3c68d6dd275890bf3ef859166d2cb958

Download Submit
memory/1716-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1716-1-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1716-2-0x00000000003A0000-0x00000000003FB000-memory.dmp

Filesize
364KB

Download
memory/1716-8-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2776-12-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2776-13-0x0000000000220000-0x000000000027B000-memory.dmp

Filesize
364KB

Download
memory/2776-19-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download