Analysis
- max time kernel: 141s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20231020-en
- resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
- submitted: 22-10-2023 17:33
Static task: static1
Behavioral task: behavioral1
- Sample: NEAS.f9e72ea3f19ec221ee2e8c4031e6dbc0.exe
- Resource: win7-20231020-en
Behavioral task: behavioral2
- Sample: NEAS.f9e72ea3f19ec221ee2e8c4031e6dbc0.exe
- Resource: win10v2004-20231020-en
General
- Target: NEAS.f9e72ea3f19ec221ee2e8c4031e6dbc0.exe
- Size: 5.5MB
- MD5: f9e72ea3f19ec221ee2e8c4031e6dbc0
- SHA1: 50ceac00cd610527575efd7241b36109b1735d7c
- SHA256: 1f5a860978c34461bd769c8fcc9f1025961f20fc2a17572a049157ecc8894009
- SHA512: b8beea68948f271da3847369b6884c5562c0fd2f77210abc74a001288360931c88e17b86e3f080c2bf82f8a858a18ae569e56d9db0d116a211255260ccc2f7eb
- SSDEEP: 98304:k4MMnWqJMfPq1ERQTI3ADC+NF2grGhC4sqz3pOswlYnyuDsK1l+qB5OQYXOdAE:TMf4ERQTIwDC+NVrKR33plwanZs81sgP
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid | Process
  1904 | NEAS.f9e72ea3f19ec221ee2e8c4031e6dbc0.tmp
- Loads dropped DLL (3 IoCs)
  pid | Process
  2120 | NEAS.f9e72ea3f19ec221ee2e8c4031e6dbc0.exe
  1904 | NEAS.f9e72ea3f19ec221ee2e8c4031e6dbc0.tmp
  1904 | NEAS.f9e72ea3f19ec221ee2e8c4031e6dbc0.tmp
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  1904 | NEAS.f9e72ea3f19ec221ee2e8c4031e6dbc0.tmp
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 2120 wrote to memory of 1904 | 2120 | NEAS.f9e72ea3f19ec221ee2e8c4031e6dbc0.exe | 28
  (the row above is recorded 7 times, identically, in the report)
Processes
1. C:\Users\Admin\AppData\Local\Temp\NEAS.f9e72ea3f19ec221ee2e8c4031e6dbc0.exe (PID: 2120)
   Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.f9e72ea3f19ec221ee2e8c4031e6dbc0.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\is-41C80.tmp\NEAS.f9e72ea3f19ec221ee2e8c4031e6dbc0.tmp (PID: 1904, child of 2120)
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-41C80.tmp\NEAS.f9e72ea3f19ec221ee2e8c4031e6dbc0.tmp" /SL5="$70124,5417837,152064,C:\Users\Admin\AppData\Local\Temp\NEAS.f9e72ea3f19ec221ee2e8c4031e6dbc0.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 784KB
  MD5: 0d86315d73892d977cfd1feda63b08d5
  SHA1: 56dd946c724e0e77ac04f87ce1880ce9bb1c9eb7
  SHA256: 763b5c6eb8afb82da189779659add3c4dbe697df598cf53708a2b8fbe370d5b5
  SHA512: 366f6b552bbdb2daf23cac76886fe443b1f71d22849eea1c373c3fde3553b72aaee29e58bf94b01611cb3283c11411913dd2ce966d658e6d5dc2c7e09ddc7bbb
- Filesize: 22KB
  MD5: 92dc6ef532fbb4a5c3201469a5b5eb63
  SHA1: 3e89ff837147c16b4e41c30d6c796374e0b8e62c
  SHA256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
  SHA512: 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3