68b81c704fa291144210408a3774631d45c862f3e050b152e423ee7de6529fc6

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07-05-2024 15:04

Target

c200805a9f303e559fba8ef76459f8b0_NEAS.exe
Size

96KB
MD5

c200805a9f303e559fba8ef76459f8b0
SHA1

0f8babdb6c94bbc0222983a9ae30702c86d5da05
SHA256

68b81c704fa291144210408a3774631d45c862f3e050b152e423ee7de6529fc6
SHA512

ff6d1c28b89ddf8ca0e37fe1e28646bc499d330501d67fc398a9943319a3f39ac7cc32450029ab15532a0fc48cd9428e9603758320e86f60554deb5903c3e0b4
SSDEEP

1536:Y3GfaJfCnTBIcdlKaZt+XBu6FugXxb+utXLZwXWwD+nJGpOfUWuUtKtNDXxoB63E:YxaTBpdvWhugX7t7ZwMJGMMWLymB63E

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
2836	pfwoyhh.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\pfwoyhh.exe	c200805a9f303e559fba8ef76459f8b0_NEAS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2836	pfwoyhh.exe
Token: SeDebugPrivilege	1200	Explorer.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2100	c200805a9f303e559fba8ef76459f8b0_NEAS.exe
2836	pfwoyhh.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2836	2956	taskeng.exe	29
PID 2956 wrote to memory of 2836	2956	taskeng.exe	29
PID 2956 wrote to memory of 2836	2956	taskeng.exe	29
PID 2956 wrote to memory of 2836	2956	taskeng.exe	29
PID 2836 wrote to memory of 1200	2836	pfwoyhh.exe	21

C:\Windows\system32\taskeng.exe
taskeng.exe {9E7787E9-37AD-44D3-91C3-BEB941440872} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2956
- C:\PROGRA~3\Mozilla\pfwoyhh.exe
  C:\PROGRA~3\Mozilla\pfwoyhh.exe -zhxzcvh
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2836

C:\PROGRA~3\Mozilla\pfwoyhh.exe

Filesize
96KB

MD5
53bb569a2f6fb56d86147e97c9837b14

SHA1
a61d4b2b9c57fc3000fc91a9341ffde77ed438eb

SHA256
ea877d3574827b23f3fda6efc770289e59e14ee154792973a2cadc5c31037b4c

SHA512
4be8e7a81968a72d8c5f7fb7adfe75d7f2694492e4471639924b38a46f1a63ebec0faff93be594c07f2e6a891027b408c9360d66a0819908f40fdfe419ffa248

Download Submit
memory/1200-10-0x0000000002580000-0x000000000259C000-memory.dmp

Filesize
112KB

Download
memory/1200-12-0x0000000002580000-0x000000000259C000-memory.dmp

Filesize
112KB

Download
memory/2100-0-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2100-1-0x0000000000290000-0x00000000002EF000-memory.dmp

Filesize
380KB

Download
memory/2100-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2100-4-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2836-7-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2836-8-0x0000000000360000-0x00000000003BF000-memory.dmp

Filesize
380KB

Download
memory/2836-9-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2836-14-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download