Analysis
-
max time kernel
121s -
max time network
130s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64 arch:x86 image:win7-20231020-en locale:en-us os:windows7-x64 system -
submitted
21-10-2023 21:16
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.312a629f71fc711d2c3f21fb0226b4b0.exe
Resource
win7-20231020-en
windows7-x64
4 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.312a629f71fc711d2c3f21fb0226b4b0.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
3 signatures
150 seconds
General
-
Target
NEAS.312a629f71fc711d2c3f21fb0226b4b0.exe
-
Size
8.5MB
-
MD5
312a629f71fc711d2c3f21fb0226b4b0
-
SHA1
9d6da5804b4f58acbde3c419276ce255c338812e
-
SHA256
0e2c9c41d0d9e5f72e6d875f960ce08f0a92bc4ba5d412c9cbaadd1c3d5a1644
-
SHA512
b9819dce8b98fb83387b96e2867a7d6b0b969740d6d23d565cd8dc728cb0944a716772fa15c50de7cc29e3018297a29d39718df688cc63697f937acc26f66fe7
-
SSDEEP
196608:A4B9KPY67aLHOGHV2aOsntswWbtYJt/6p3KB6jNQ0CS:j9KA1LHOH7CtswWZ4u7+S
Score
3/10
Malware Config
Signatures
-
Program crash 1 IoCs
pid pid_target Process procid_target
2828 3000 WerFault.exe 27 -
Modifies system certificate store
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 NEAS.312a629f71fc711d2c3f21fb0226b4b0.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 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 NEAS.312a629f71fc711d2c3f21fb0226b4b0.exe -
Note: the key is written under AuthRoot (the store Windows' automatic root update populates when a process first validates a chain to a public root), and the thumbprint appears to be that of a widely distributed public root CA; on its own this entry is not evidence of a malicious certificate being installed — confirm against the exported Blob before treating it as an IoC.
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeDebugPrivilege 3000 NEAS.312a629f71fc711d2c3f21fb0226b4b0.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 3000 wrote to memory of 2828 3000 NEAS.312a629f71fc711d2c3f21fb0226b4b0.exe 30
PID 3000 wrote to memory of 2828 3000 NEAS.312a629f71fc711d2c3f21fb0226b4b0.exe 30
PID 3000 wrote to memory of 2828 3000 NEAS.312a629f71fc711d2c3f21fb0226b4b0.exe 30
PID 3000 wrote to memory of 2828 3000 NEAS.312a629f71fc711d2c3f21fb0226b4b0.exe 30
Note: all four writes target pid 2828, which the Program crash table above identifies as the WerFault.exe child of pid 3000, so this is consistent with Windows Error Reporting handling the crash rather than injection into an unrelated process.
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.312a629f71fc711d2c3f21fb0226b4b0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.312a629f71fc711d2c3f21fb0226b4b0.exe"
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 2276
- Program crash
PID:2828
-