5fed03dbf899d0d28931fe3714e3c11e8776a7006478ceb4151d403a924078d8

Analysis

max time kernel
31s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 12:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8621cce2bd48a6b5056b9e2cbef7f0d0_NEAS.exe
Size

229KB
MD5

8621cce2bd48a6b5056b9e2cbef7f0d0
SHA1

d6cbfc6bf0a81c6951bb260e934a8a39185e6f3d
SHA256

5fed03dbf899d0d28931fe3714e3c11e8776a7006478ceb4151d403a924078d8
SHA512

c5652b574965de7e88610da74507d81703065a2e8bb7623b473f97f316003cc679eb21ac6322cab044721168064a71e4cdcad4a127521da8c9dcdf978af61d5b
SSDEEP

3072:uTCDYDg+vr87rnj3WCW2EW51HKKnLwMGmSzWFuHM:IooZIFH5nLwVW3

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
656	MSWDM.EXE
5096	MSWDM.EXE
2268	8621CCE2BD48A6B5056B9E2CBEF7F0D0_NEAS.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	8621cce2bd48a6b5056b9e2cbef7f0d0_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	8621cce2bd48a6b5056b9e2cbef7f0d0_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	8621cce2bd48a6b5056b9e2cbef7f0d0_NEAS.exe
File opened for modification	C:\Windows\dev2E15.tmp	8621cce2bd48a6b5056b9e2cbef7f0d0_NEAS.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5096	MSWDM.EXE
5096	MSWDM.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3404 wrote to memory of 656	3404	8621cce2bd48a6b5056b9e2cbef7f0d0_NEAS.exe	83
PID 3404 wrote to memory of 656	3404	8621cce2bd48a6b5056b9e2cbef7f0d0_NEAS.exe	83
PID 3404 wrote to memory of 656	3404	8621cce2bd48a6b5056b9e2cbef7f0d0_NEAS.exe	83
PID 3404 wrote to memory of 5096	3404	8621cce2bd48a6b5056b9e2cbef7f0d0_NEAS.exe	84
PID 3404 wrote to memory of 5096	3404	8621cce2bd48a6b5056b9e2cbef7f0d0_NEAS.exe	84
PID 3404 wrote to memory of 5096	3404	8621cce2bd48a6b5056b9e2cbef7f0d0_NEAS.exe	84
PID 5096 wrote to memory of 2268	5096	MSWDM.EXE	85
PID 5096 wrote to memory of 2268	5096	MSWDM.EXE	85
PID 5096 wrote to memory of 2268	5096	MSWDM.EXE	85

C:\Users\Admin\AppData\Local\Temp\8621cce2bd48a6b5056b9e2cbef7f0d0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\8621cce2bd48a6b5056b9e2cbef7f0d0_NEAS.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3404
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:656
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev2E15.tmp!C:\Users\Admin\AppData\Local\Temp\8621cce2bd48a6b5056b9e2cbef7f0d0_NEAS.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5096
- - C:\Users\Admin\AppData\Local\Temp\8621CCE2BD48A6B5056B9E2CBEF7F0D0_NEAS.EXE
    3⤵
    - Executes dropped EXE
    PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\MSWDM.EXE

Filesize
176KB

MD5
df5582eee8a9cba2f03c0c5c97c8c2a1

SHA1
ccb7485e10d8755a2771ce604a98228ab1eb8d23

SHA256
aa1e6b454e17330a15d6335af058b7b68772896ac165fd916cb3b7ec8cc49d46

SHA512
7ea4c7ead571e0256f81db562f5d87172e20da6e4f0d87230a22ae81cff9c438cdd6db9072481e533ce095fba476315989d0412a2f20c5dffef828e2ab59b428

Download Submit
C:\Windows\dev2E15.tmp

Filesize
53KB

MD5
31adeb442f0ad898198304d87bfccfdc

SHA1
e77b6df8560150dc9c972ee28c8a88c85bc2bfc0

SHA256
8a8d788b058502af1893a9b43939c3c75a3cfda3cce2fd68669eb519814cb78d

SHA512
274b6ab545e7103f17f11effcc60b47547b03c8e5b80a3d7c74215496bb081a13811a5675eb3ee0d7d9ab167a8dc496fcbbf6473728805b5f3d50c12481b3368

Download Submit
memory/656-8-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/656-15-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3404-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3404-11-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/5096-9-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/5096-16-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download