Analysis Overview
SHA256
aa8236bb683502bfe7e061ea42e0b252174895596324fef42392c4dc86d68a1e
Threat Level: Shows suspicious behavior
The file NEAS.d723b4ca982a1f9bb574bc26d8aad480.exe was found to show suspicious behavior.
Malicious Activity Summary
Obfuscated with Agile.Net obfuscator
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-10-16 18:39
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-16 18:39
Reported
2023-10-17 04:25
Platform
win7-20230831-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
Obfuscated with Agile.Net obfuscator
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2456 wrote to memory of 2728 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.d723b4ca982a1f9bb574bc26d8aad480.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.d723b4ca982a1f9bb574bc26d8aad480.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.d723b4ca982a1f9bb574bc26d8aad480.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2456 -s 864
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-16 18:39
Reported
2023-10-17 04:25
Platform
win10v2004-20230915-en
Max time kernel
150s
Max time network
156s
Command Line
Signatures
Obfuscated with Agile.Net obfuscator
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.d723b4ca982a1f9bb574bc26d8aad480.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.d723b4ca982a1f9bb574bc26d8aad480.exe"
Network
Files