Analysis
max time kernel: 120s
max time network: 127s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 20/10/2023, 17:32
Behavioral task: behavioral1
Sample: NEAS.47df846f2474f2d5f3740bab34809780.exe
Resource: win7-20230831-en
Behavioral task: behavioral2
Sample: NEAS.47df846f2474f2d5f3740bab34809780.exe
Resource: win10v2004-20230915-en
General
Target: NEAS.47df846f2474f2d5f3740bab34809780.exe
Size: 503KB
MD5: 47df846f2474f2d5f3740bab34809780
SHA1: 61a374d20110e81c795b4e030eb68a4557f999e7
SHA256: 28b32e9aca33e5a25b11cb6969e19a510ae61de995360757f44617e81b3e51ad
SHA512: 6f1425bb910ca7f5e14ee127eaa9092cb2578180ee2ec0c1a405220e0e1e943bf944bab04861207a03754fe07e2306b37edc071cc98cdb9213a0da0ca66936fe
SSDEEP: 6144:HVlQoVHWO7MMJlfJIcSOPlgvmZgk/zDg5Ag2X80DMSFsv5mP84kYCs5uUTcPbLUp:1bV9MMJfLESiwPoWTc8ogV9MMJfL
Malware Config
Signatures

Loads dropped DLL (1 IoC)
pid | Process
652 | NEAS.47df846f2474f2d5f3740bab34809780.exe

Obfuscated with Agile.Net obfuscator (1 IoC)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource | yara_rule
behavioral1/memory/652-0-0x0000000000A90000-0x0000000000B12000-memory.dmp | agile_net

Program crash (1 IoC)
pid | pid_target | Process | procid_target
2636 | 652 | WerFault.exe | 26

Suspicious behavior: EnumeratesProcesses (1 IoC)
pid | Process
652 | NEAS.47df846f2474f2d5f3740bab34809780.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 652 wrote to memory of 2636 | 652 | NEAS.47df846f2474f2d5f3740bab34809780.exe | 27
PID 652 wrote to memory of 2636 | 652 | NEAS.47df846f2474f2d5f3740bab34809780.exe | 27
PID 652 wrote to memory of 2636 | 652 | NEAS.47df846f2474f2d5f3740bab34809780.exe | 27
PID 652 wrote to memory of 2636 | 652 | NEAS.47df846f2474f2d5f3740bab34809780.exe | 27
Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.47df846f2474f2d5f3740bab34809780.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.47df846f2474f2d5f3740bab34809780.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 652

  C:\Windows\SysWOW64\WerFault.exe (child of PID 652)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 652 -s 688
    - Program crash
    PID: 2636
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 128KB
MD5: ddb59f5d58f9ef6ca1baae89fa7dc8c6
SHA1: eb761e6e5925c8f0c97248338fa4e4ff863d35d5
SHA256: 2318fe71778c615fc54f58c0347c58ce2a0c2d6e2eed50bffddde7ccb24e924d
SHA512: 662a345535f12acd240a206906f40a7e09b95dc5c79eafcd99ef1e9c398360791d38e0522724c594c572256af06070349875637d8a7c939a041103c327b4c33e