d0ba571fc42c87c206065639df5bb45649537b62fe8f29ad3e5b58198f8ed1ec

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
16/11/2023, 21:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.1c93bb6897d28817e722056c4409ca80.exe
Size

225KB
MD5

1c93bb6897d28817e722056c4409ca80
SHA1

e43c5bbb8f7ee5abd514ce17d712d415bfd674b0
SHA256

d0ba571fc42c87c206065639df5bb45649537b62fe8f29ad3e5b58198f8ed1ec
SHA512

e063d4796f506d0763f1890178fe48f10538bbb55ae8fa6e9c36bc73a7b41eabc23e62c858bc5a9b6e52ba270136427585f776a250d3117e23bbd3010afeb0a9
SSDEEP

3072:vtbbbbFLcM92DCfh8fcAMzFzMJvb8RZabP4QEP7EPaERzcUf7lPasVOCvFmqcCzV:vom2efufqcdzfvV4PdAJk0d

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
2544	suvkbwn.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\suvkbwn.exe	NEAS.1c93bb6897d28817e722056c4409ca80.exe
File created	C:\PROGRA~3\Mozilla\wfwcssm.dll	suvkbwn.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2904	NEAS.1c93bb6897d28817e722056c4409ca80.exe
2544	suvkbwn.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 2544	2680	taskeng.exe	29
PID 2680 wrote to memory of 2544	2680	taskeng.exe	29
PID 2680 wrote to memory of 2544	2680	taskeng.exe	29
PID 2680 wrote to memory of 2544	2680	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.1c93bb6897d28817e722056c4409ca80.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.1c93bb6897d28817e722056c4409ca80.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:2904

C:\Windows\system32\taskeng.exe
taskeng.exe {DD64D4DC-2118-4C66-823E-E2E19D7EF5AB} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2680
- C:\PROGRA~3\Mozilla\suvkbwn.exe
  C:\PROGRA~3\Mozilla\suvkbwn.exe -tlhykym
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\suvkbwn.exe

Filesize
225KB

MD5
4a25aa3eff44923602dfdacc74eed8b2

SHA1
fe7f79f15b410b894a3eebf666b8ca37b89d1063

SHA256
b2887ccd5afc6c68147b2407d2145179cd5f8dcd1c32121795c5b82acbec6416

SHA512
3220bebd79730c4dd242d4a5d08825a8a004ae1bc99d85139f23ed9ce8fb2fba67b6d7332ad3544623249ad072184909c085f1392af87bc5b51b9677fedd4841

Download Submit
C:\PROGRA~3\Mozilla\suvkbwn.exe

Filesize
225KB

MD5
4a25aa3eff44923602dfdacc74eed8b2

SHA1
fe7f79f15b410b894a3eebf666b8ca37b89d1063

SHA256
b2887ccd5afc6c68147b2407d2145179cd5f8dcd1c32121795c5b82acbec6416

SHA512
3220bebd79730c4dd242d4a5d08825a8a004ae1bc99d85139f23ed9ce8fb2fba67b6d7332ad3544623249ad072184909c085f1392af87bc5b51b9677fedd4841

Download Submit
memory/2544-7-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2544-9-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2544-8-0x00000000008F0000-0x000000000094B000-memory.dmp

Filesize
364KB

Download
memory/2544-11-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2904-0-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2904-1-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2904-2-0x00000000002C0000-0x000000000031B000-memory.dmp

Filesize
364KB

Download
memory/2904-4-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download