Overview

overview

10

Static

static

3

NEAS.0f1bd...JC.exe

windows7-x64

10

NEAS.0f1bd...JC.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/10/2023, 12:25

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.0f1bd6117e909bd57dfadb3cb6548350_JC.exe

  • Size

    549KB

  • MD5

    0f1bd6117e909bd57dfadb3cb6548350

  • SHA1

    a2ed73c1b5446c372c70718eed58e61de1addcdb

  • SHA256

    0286ac684a2a657681baff90fd6ac78563917d1d98728273e0acc49a60e14dec

  • SHA512

    d8cb4565aa23c12a27bd52b6034f665b33d5220bbd70715c8ab32b4f5844bf9ea7ccdf94214f156abc9b2deef3f5370937e930654420e8e92851c26a1df1fe04

  • SSDEEP

    12288:OMrry90iOenEo7jPBFi6n70jq9ql+aLZl4HOvOqDen6:FylOeB7jpFigqoUG6

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.0f1bd6117e909bd57dfadb3cb6548350_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.0f1bd6117e909bd57dfadb3cb6548350_JC.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3732
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1ci04bI1.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1ci04bI1.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3560
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
          PID:4504
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          3⤵
          • Modifies Windows Defender Real-time Protection settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3636
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 584
          3⤵
          • Program crash
          PID:912
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2tT2115.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2tT2115.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2652
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          3⤵
            PID:2972
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            3⤵
              PID:1360
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 540
                4⤵
                • Program crash
                PID:3204
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 572
              3⤵
              • Program crash
              PID:4472
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3560 -ip 3560
          1⤵
            PID:4476
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2652 -ip 2652
            1⤵
              PID:2020
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1360 -ip 1360
              1⤵
                PID:4640

              Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1ci04bI1.exe
                      Filesize

                      232KB

                      MD5

                      3ff825411b1fe07e712a5dcae34f80eb

                      SHA1

                      e3e4358cabfa74d6e36e26754b01ed78434a6877

                      SHA256

                      69bba958a5dcd8650921b25d978c4847819eb83adc143ba2bd396811d7d73739

                      SHA512

                      325c098b5a0a0ffee16a6074616126f9f4c7930b74507d38c63a294f659ab26fe1674af85a8ff495bd268aa821cc9d85f80f11ab1e7f828015920220e456ab81

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1ci04bI1.exe
                      Filesize

                      232KB

                      MD5

                      3ff825411b1fe07e712a5dcae34f80eb

                      SHA1

                      e3e4358cabfa74d6e36e26754b01ed78434a6877

                      SHA256

                      69bba958a5dcd8650921b25d978c4847819eb83adc143ba2bd396811d7d73739

                      SHA512

                      325c098b5a0a0ffee16a6074616126f9f4c7930b74507d38c63a294f659ab26fe1674af85a8ff495bd268aa821cc9d85f80f11ab1e7f828015920220e456ab81

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2tT2115.exe
                      Filesize

                      1.1MB

                      MD5

                      aff391887d64d7fad618f3353eff87a5

                      SHA1

                      f9a4de0fc9c0731761ccc9104cbe1dcc6546e317

                      SHA256

                      dc992344284f1c5af01ca599efafa4740396f1a9cd5e41f8b4e60367d43bb863

                      SHA512

                      b1ee0443d21a815a5a62c0f413ab8ca5dfe2a4af472050f755cf95ad56f2d4242f9755e7d733c0340baf5c4b921756e5456e6f962e8b76cc743b0087c8a3a4b1

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2tT2115.exe
                      Filesize

                      1.1MB

                      MD5

                      aff391887d64d7fad618f3353eff87a5

                      SHA1

                      f9a4de0fc9c0731761ccc9104cbe1dcc6546e317

                      SHA256

                      dc992344284f1c5af01ca599efafa4740396f1a9cd5e41f8b4e60367d43bb863

                      SHA512

                      b1ee0443d21a815a5a62c0f413ab8ca5dfe2a4af472050f755cf95ad56f2d4242f9755e7d733c0340baf5c4b921756e5456e6f962e8b76cc743b0087c8a3a4b1

                      Download Submit

                    • memory/1360-12-0x0000000000400000-0x0000000000433000-memory.dmp

                      Filesize

                      204KB

                      Download

                    • memory/1360-13-0x0000000000400000-0x0000000000433000-memory.dmp

                      Filesize

                      204KB

                      Download

                    • memory/1360-14-0x0000000000400000-0x0000000000433000-memory.dmp

                      Filesize

                      204KB

                      Download

                    • memory/1360-16-0x0000000000400000-0x0000000000433000-memory.dmp

                      Filesize

                      204KB

                      Download

                    • memory/3636-7-0x0000000000400000-0x000000000040A000-memory.dmp

                      Filesize

                      40KB

                      Download

                    • memory/3636-8-0x0000000074000000-0x00000000747B0000-memory.dmp

                      Filesize

                      7.7MB

                      Download

                    • memory/3636-17-0x0000000074000000-0x00000000747B0000-memory.dmp

                      Filesize

                      7.7MB

                      Download

                    • memory/3636-19-0x0000000074000000-0x00000000747B0000-memory.dmp

                      Filesize

                      7.7MB

                      Download