Analysis

  • max time kernel
    146s
  • max time network
    169s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/10/2023, 17:32

General

  • Target

    NEAS.47df846f2474f2d5f3740bab34809780.exe

  • Size

    503KB

  • MD5

    47df846f2474f2d5f3740bab34809780

  • SHA1

    61a374d20110e81c795b4e030eb68a4557f999e7

  • SHA256

    28b32e9aca33e5a25b11cb6969e19a510ae61de995360757f44617e81b3e51ad

  • SHA512

    6f1425bb910ca7f5e14ee127eaa9092cb2578180ee2ec0c1a405220e0e1e943bf944bab04861207a03754fe07e2306b37edc071cc98cdb9213a0da0ca66936fe

  • SSDEEP

    6144:HVlQoVHWO7MMJlfJIcSOPlgvmZgk/zDg5Ag2X80DMSFsv5mP84kYCs5uUTcPbLUp:1bV9MMJfLESiwPoWTc8ogV9MMJfL

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.47df846f2474f2d5f3740bab34809780.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.47df846f2474f2d5f3740bab34809780.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID:4232
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 1096
      2⤵
      • Program crash
      PID:1524
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4232 -ip 4232
    1⤵
      PID:3336

    Network

    MITRE ATT&CK Matrix

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\d72ef588-252f-4e4f-9dd2-638a8a91caf1\CliSecureRT.dll

      Filesize

      128KB

      MD5

      ddb59f5d58f9ef6ca1baae89fa7dc8c6

      SHA1

      eb761e6e5925c8f0c97248338fa4e4ff863d35d5

      SHA256

      2318fe71778c615fc54f58c0347c58ce2a0c2d6e2eed50bffddde7ccb24e924d

      SHA512

      662a345535f12acd240a206906f40a7e09b95dc5c79eafcd99ef1e9c398360791d38e0522724c594c572256af06070349875637d8a7c939a041103c327b4c33e

    • memory/4232-0-0x00000000007B0000-0x0000000000832000-memory.dmp

      Filesize

      520KB

    • memory/4232-1-0x0000000074B50000-0x0000000075300000-memory.dmp

      Filesize

      7.7MB

    • memory/4232-10-0x0000000010000000-0x0000000010031000-memory.dmp

      Filesize

      196KB

    • memory/4232-2-0x00000000052F0000-0x0000000005300000-memory.dmp

      Filesize

      64KB

    • memory/4232-11-0x0000000073560000-0x00000000735E9000-memory.dmp

      Filesize

      548KB

    • memory/4232-13-0x00000000059B0000-0x0000000005F54000-memory.dmp

      Filesize

      5.6MB

    • memory/4232-14-0x00000000054A0000-0x0000000005532000-memory.dmp

      Filesize

      584KB

    • memory/4232-15-0x0000000005540000-0x000000000554A000-memory.dmp

      Filesize

      40KB

    • memory/4232-16-0x0000000074B50000-0x0000000075300000-memory.dmp

      Filesize

      7.7MB

    • memory/4232-17-0x0000000010000000-0x0000000010031000-memory.dmp

      Filesize

      196KB