baeb1c1dd0c2ad00ce59764f78e9f34d5995a63dbfb6a58c97b500841607ff84

General

Target

5258942609db0285b209bd7433e251a0_NEAS.exe
Size

538KB
MD5

5258942609db0285b209bd7433e251a0
SHA1

3b61eca07be033684616a720d6ae4c286ba20746
SHA256

baeb1c1dd0c2ad00ce59764f78e9f34d5995a63dbfb6a58c97b500841607ff84
SHA512

b5d409a3141a0852f8d1e55ffa2d814dab310339a627ea7f2ddad16adfce60c569a22222610b03ac34f6af89aa189aa62e4cb40040a860fccbd8cf6cd76153de
SSDEEP

12288:wlbL+h1gL5pRTcAkS/3hzN8qE43fm78V4:WbL+w5jcAkSYqyE4

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2876	MSWDM.EXE
3408	MSWDM.EXE
1436	5258942609DB0285B209BD7433E251A0_NEAS.EXE
2228	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	5258942609db0285b209bd7433e251a0_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	5258942609db0285b209bd7433e251a0_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	5258942609db0285b209bd7433e251a0_NEAS.exe
File opened for modification	C:\Windows\dev1587.tmp	5258942609db0285b209bd7433e251a0_NEAS.exe
File opened for modification	C:\Windows\dev1587.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3408	MSWDM.EXE
3408	MSWDM.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 2876	5020	5258942609db0285b209bd7433e251a0_NEAS.exe	90
PID 5020 wrote to memory of 2876	5020	5258942609db0285b209bd7433e251a0_NEAS.exe	90
PID 5020 wrote to memory of 2876	5020	5258942609db0285b209bd7433e251a0_NEAS.exe	90
PID 5020 wrote to memory of 3408	5020	5258942609db0285b209bd7433e251a0_NEAS.exe	91
PID 5020 wrote to memory of 3408	5020	5258942609db0285b209bd7433e251a0_NEAS.exe	91
PID 5020 wrote to memory of 3408	5020	5258942609db0285b209bd7433e251a0_NEAS.exe	91
PID 3408 wrote to memory of 1436	3408	MSWDM.EXE	92
PID 3408 wrote to memory of 1436	3408	MSWDM.EXE	92
PID 3408 wrote to memory of 2228	3408	MSWDM.EXE	94
PID 3408 wrote to memory of 2228	3408	MSWDM.EXE	94
PID 3408 wrote to memory of 2228	3408	MSWDM.EXE	94

C:\Users\Admin\AppData\Local\Temp\5258942609db0285b209bd7433e251a0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\5258942609db0285b209bd7433e251a0_NEAS.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5020
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2876
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev1587.tmp!C:\Users\Admin\AppData\Local\Temp\5258942609db0285b209bd7433e251a0_NEAS.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3408
- - C:\Users\Admin\AppData\Local\Temp\5258942609DB0285B209BD7433E251A0_NEAS.EXE
    3⤵
    - Executes dropped EXE
    PID:1436
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev1587.tmp!C:\Users\Admin\AppData\Local\Temp\5258942609DB0285B209BD7433E251A0_NEAS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3768 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
1⤵
PID:1036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5258942609DB0285B209BD7433E251A0_NEAS.EXE

Filesize
538KB

MD5
fba975d849a1da2c85fa951270dacdee

SHA1
60068fb4a660d6f6788c548ed84b30e56e267e16

SHA256
5fe52ed6701014f8eaea8a440622d760df8f9feed9a007ab116bc3158d1dd87f

SHA512
baf6cd10d95362199054cda8dfa4965d06fcc7f3afe1b8819b2e488e25a8fdee047b94532d439e52ffe81a87d04dfeac56bae638f1853ecc97392451c8233f10

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
cbdca767c9edc21917e56ab846f609b3

SHA1
5de65ff67fe6cf19645e225a2a92c601f5f116d6

SHA256
6145afa2e6f036a3cd727dfcbf5afee3c785cce880e9e731a2e028d825ac12df

SHA512
dd32955a29f82fabed003ecb60d84f7fbe04a5064b76f9f0802aa1fcf0ba6f90572870ccdda515d9dac2c85baeb8f0874afe6ff3b0d77dc0b15282b911e5990b

Download Submit
C:\Windows\dev1587.tmp

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
memory/2228-17-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2228-19-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2876-23-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3408-9-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3408-22-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5020-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5020-8-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads