Analysis
max time kernel: 9s
max time network: 46s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-10-2023 18:21
Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: NEAS.5419f5b3d979348fc46eb5ab2f481fa0.exe
  Resource: win7-20230831-en
  7 signatures, 150 seconds
Behavioral task: behavioral2
  Sample: NEAS.5419f5b3d979348fc46eb5ab2f481fa0.exe
  Resource: win10v2004-20230915-en
  5 signatures, 150 seconds
General
Target: NEAS.5419f5b3d979348fc46eb5ab2f481fa0.exe
Size: 88KB
MD5: 5419f5b3d979348fc46eb5ab2f481fa0
SHA1: 10f32778e77b72bc2b34676da8645cd3fd1d7951
SHA256: 9fa38e28d723a422103dcf6c4855c1585c2c9ca2ae10abb37c2e04943627d527
SHA512: 8c7093eb99af8cbaeee325a5e5bf03b19abfb8f63cbd994e7ffbf62b1b5933534c95e21449717d43fe49ef8637a91fff0c2afb1ec03a4bf7ea42a1e793bd6fc9
SSDEEP: 1536:v5nfmIpxDWbUfd3aOPmxxEhvgCooXqRQqjh+rmKVsN:v5fvp12UFKcD/6jwqWsN
Score: 10/10
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C829CD41 = "C:\\Users\\Admin\\AppData\\Roaming\\C829CD41\\bin.exe" | winver.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  4856 | winver.exe
  4856 | winver.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  pid | Process
  4856 | winver.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 4128 wrote to memory of 4856 | 4128 | NEAS.5419f5b3d979348fc46eb5ab2f481fa0.exe | 83
  PID 4128 wrote to memory of 4856 | 4128 | NEAS.5419f5b3d979348fc46eb5ab2f481fa0.exe | 83
  PID 4128 wrote to memory of 4856 | 4128 | NEAS.5419f5b3d979348fc46eb5ab2f481fa0.exe | 83
  PID 4128 wrote to memory of 4856 | 4128 | NEAS.5419f5b3d979348fc46eb5ab2f481fa0.exe | 83
  PID 4856 wrote to memory of 772 | 4856 | winver.exe | 58
  PID 4856 wrote to memory of 2440 | 4856 | winver.exe | 67
  PID 4856 wrote to memory of 2448 | 4856 | winver.exe | 66
Processes
C:\Windows\Explorer.EXE  (command line: C:\Windows\Explorer.EXE)  PID:772
  C:\Users\Admin\AppData\Local\Temp\NEAS.5419f5b3d979348fc46eb5ab2f481fa0.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.5419f5b3d979348fc46eb5ab2f481fa0.exe")  PID:4128
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\winver.exe  (command line: winver)  PID:4856
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory

C:\Windows\system32\sihost.exe  (command line: sihost.exe)  PID:2448

C:\Windows\system32\svchost.exe  (command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc)  PID:2440