310bedbba09566b7c6cbbcd945173229ace30d35c27289f7b12c6f1d64f8e2e4

Analysis

max time kernel
177s
max time network
203s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14/10/2023, 17:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.5b8da1a8856af709276f4310ecf226d0.exe
Size

614KB
MD5

5b8da1a8856af709276f4310ecf226d0
SHA1

793c97a43970b2be2bd350a46b4a28eabe494af1
SHA256

310bedbba09566b7c6cbbcd945173229ace30d35c27289f7b12c6f1d64f8e2e4
SHA512

e114d2854fb73e66e8d8d9a60b484e10edd4e8ec486d70e371fb9607cec6d315dfa841a153092a19a9e115edc043ae478c9679d03124419d38fa7f7c21a49539
SSDEEP

12288:rXuG1T0elw03WKwJs8yv0PtZn7gTSWTpQzMeqvmrexkknxQzBIp:rXu2nlw6WJyyRKTZuSxlx8

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
468	Process not Found
2728	alg.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	NEAS.5b8da1a8856af709276f4310ecf226d0.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b4f317fb204f420c.bin	alg.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	NEAS.5b8da1a8856af709276f4310ecf226d0.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2828	2696	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2696	NEAS.5b8da1a8856af709276f4310ecf226d0.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2828	2696	NEAS.5b8da1a8856af709276f4310ecf226d0.exe	29
PID 2696 wrote to memory of 2828	2696	NEAS.5b8da1a8856af709276f4310ecf226d0.exe	29
PID 2696 wrote to memory of 2828	2696	NEAS.5b8da1a8856af709276f4310ecf226d0.exe	29
PID 2696 wrote to memory of 2828	2696	NEAS.5b8da1a8856af709276f4310ecf226d0.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.5b8da1a8856af709276f4310ecf226d0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.5b8da1a8856af709276f4310ecf226d0.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 304
  2⤵
  - Program crash
  PID:2828

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2728

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\alg.exe

Filesize
644KB

MD5
f624d77b9aaf8e0e946962da84d8ff38

SHA1
0bf7539ba1aac577dd5002f90b1cbb96f8adfe3b

SHA256
6d08bc1edb52159ac24e9a273444767206cf19eead11b95bb8a3273a48be7c92

SHA512
67768d9b2a085be8c76634b5c1dabb54c27063da592ba4c416930695e594a2c263b421bf7f1898f6e1f39c54b7b50041b7610d788d9204f4edaca28527585c9c

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
f624d77b9aaf8e0e946962da84d8ff38

SHA1
0bf7539ba1aac577dd5002f90b1cbb96f8adfe3b

SHA256
6d08bc1edb52159ac24e9a273444767206cf19eead11b95bb8a3273a48be7c92

SHA512
67768d9b2a085be8c76634b5c1dabb54c27063da592ba4c416930695e594a2c263b421bf7f1898f6e1f39c54b7b50041b7610d788d9204f4edaca28527585c9c

Download Submit
memory/2696-0-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2696-1-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2696-6-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2696-24-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2728-12-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2728-13-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2728-19-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2728-20-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2728-25-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download