f53472ea5557b1637115776b6c983e644e66e44fd167f7867d445c2c7e91b661

General

Target

0d56f20004edb0edad4ed9a6e73af750_NEAS.exe
Size

83KB
MD5

0d56f20004edb0edad4ed9a6e73af750
SHA1

81a43daa86c93c56e285d6b80123ccbdd0c18338
SHA256

f53472ea5557b1637115776b6c983e644e66e44fd167f7867d445c2c7e91b661
SHA512

4dbbf4c92c9a27908cf6bb2e54043bb89da38895852716afb2137ba2291a4bfdcd5cb1a2299384c04b31256eba6704eab9e5b3b5c6db1cbeea4382a33aaee0d9
SSDEEP

1536:Hlqls0GgUyj5JxdA4Oj3W2Fsdq4FMG+sO5G0Aox9cJNWIfoEg:HQC/yj5JO3MnMG+V5Lxxu6Ifod

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1352	MSWDM.EXE
2112	MSWDM.EXE
116	0D56F20004EDB0EDAD4ED9A6E73AF750_NEAS.EXE
4464	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	0d56f20004edb0edad4ed9a6e73af750_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	0d56f20004edb0edad4ed9a6e73af750_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	0d56f20004edb0edad4ed9a6e73af750_NEAS.exe
File opened for modification	C:\Windows\dev3AF6.tmp	0d56f20004edb0edad4ed9a6e73af750_NEAS.exe
File opened for modification	C:\Windows\dev3AF6.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2112	MSWDM.EXE
2112	MSWDM.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3576 wrote to memory of 1352	3576	0d56f20004edb0edad4ed9a6e73af750_NEAS.exe	85
PID 3576 wrote to memory of 1352	3576	0d56f20004edb0edad4ed9a6e73af750_NEAS.exe	85
PID 3576 wrote to memory of 1352	3576	0d56f20004edb0edad4ed9a6e73af750_NEAS.exe	85
PID 3576 wrote to memory of 2112	3576	0d56f20004edb0edad4ed9a6e73af750_NEAS.exe	86
PID 3576 wrote to memory of 2112	3576	0d56f20004edb0edad4ed9a6e73af750_NEAS.exe	86
PID 3576 wrote to memory of 2112	3576	0d56f20004edb0edad4ed9a6e73af750_NEAS.exe	86
PID 2112 wrote to memory of 116	2112	MSWDM.EXE	87
PID 2112 wrote to memory of 116	2112	MSWDM.EXE	87
PID 2112 wrote to memory of 4464	2112	MSWDM.EXE	89
PID 2112 wrote to memory of 4464	2112	MSWDM.EXE	89
PID 2112 wrote to memory of 4464	2112	MSWDM.EXE	89

C:\Users\Admin\AppData\Local\Temp\0d56f20004edb0edad4ed9a6e73af750_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\0d56f20004edb0edad4ed9a6e73af750_NEAS.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3576
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1352
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev3AF6.tmp!C:\Users\Admin\AppData\Local\Temp\0d56f20004edb0edad4ed9a6e73af750_NEAS.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Users\Admin\AppData\Local\Temp\0D56F20004EDB0EDAD4ED9A6E73AF750_NEAS.EXE
    3⤵
    - Executes dropped EXE
    PID:116
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev3AF6.tmp!C:\Users\Admin\AppData\Local\Temp\0D56F20004EDB0EDAD4ED9A6E73AF750_NEAS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:4464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0D56F20004EDB0EDAD4ED9A6E73AF750_NEAS.EXE

Filesize
83KB

MD5
6d250eb72656635d644146d56abac05b

SHA1
332b49cb51de8ba6622d5c693976faba7401eeb6

SHA256
18c58a898b7ad8e09598cdf588c51baa49035c1c076e8dc21fa2ec613d1cccf8

SHA512
a774e53fa31555260ae6a2e1fd3986f150fafcb203601f34754d295ee087e289e92d473fb7bd6566719071988af9f6724c5419d9d1f2bf03bf46d3aeb93735fc

Download Submit
C:\Windows\MSWDM.EXE

Filesize
48KB

MD5
0f106d5cf3967749fc5a962f6a06df3b

SHA1
253cc6f78acf1d0f3f5cbaf11b67e19f24c55a38

SHA256
c98502529c1b26ee95ba931e121cc28bd47b0c564a9937f754147cc1e5be9595

SHA512
4d4a35119bf16fb0ff7c6c9d52e9c41b7445bebe05fab045520792b61c75063b6ef08419556885206e15237d2c39318a77978f6a36bbdd1cc125f4033539d517

Download Submit
C:\Windows\dev3AF6.tmp

Filesize
35KB

MD5
ea3b798870a5c6e159bb05f432b0438a

SHA1
17cdd851ea58dd00296bd44c031484ef05342ee0

SHA256
3e7a5f7a2c4d88b30de76681d2759119aaf479f5787b6466dc175a852e50a1c7

SHA512
fc3f5089d2a57e38d285e5a90f2be63431d40c2c443dec41b783aaf5c1a6f4ab9b6904cd5fece18d6dc15664f00d7d5d0ba27d226f7623fe02c2f76f57a17524

Download Submit
memory/1352-11-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1352-26-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2112-12-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2112-25-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3576-2-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3576-10-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4464-17-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4464-22-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads