Analysis
-
max time kernel
8s -
max time network
13s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system -
submitted
23-10-2023 20:38
Behavioral task
behavioral1
Sample
NEAS.58b676aff7e20b6ac7be762ade641020_JC.exe
Resource
win7-20231020-en
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.58b676aff7e20b6ac7be762ade641020_JC.exe
Resource
win10v2004-20231020-en
6 signatures
150 seconds
General
-
Target
NEAS.58b676aff7e20b6ac7be762ade641020_JC.exe
-
Size
49KB
-
MD5
58b676aff7e20b6ac7be762ade641020
-
SHA1
7b6862b3cd4a3837e97bbef4d81a367363ae190e
-
SHA256
77f97efe1a861cd368ad54d18a79a6d5cb0298496b9c777eef538367c414d390
-
SHA512
e6a0f8a1b8213e22c370d7bccef0bf4fd5c2245eb374e8422ef84fbcb9736ddf3af5138007713effaae5313a91f7b92af82ebe68f933bf6e4cc1a75d2af182ef
-
SSDEEP
1536:uOBLXNqgzf2v6b6NkXklZlogHGe9eBXW:uYLduv6OqXIlogmjW
Score
10/10
Malware Config
Signatures
-
resource yara_rule behavioral2/memory/4164-0-0x0000000000400000-0x000000000041D000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0789389D = "C:\\Users\\Admin\\AppData\\Roaming\\0789389D\\bin.exe" winver.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2820 winver.exe 2820 winver.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2820 winver.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 4164 wrote to memory of 2820 4164 NEAS.58b676aff7e20b6ac7be762ade641020_JC.exe 88 PID 4164 wrote to memory of 2820 4164 NEAS.58b676aff7e20b6ac7be762ade641020_JC.exe 88 PID 4164 wrote to memory of 2820 4164 NEAS.58b676aff7e20b6ac7be762ade641020_JC.exe 88 PID 4164 wrote to memory of 2820 4164 NEAS.58b676aff7e20b6ac7be762ade641020_JC.exe 88 PID 2820 wrote to memory of 3144 2820 winver.exe 33 PID 2820 wrote to memory of 2312 2820 winver.exe 48 PID 2820 wrote to memory of 2332 2820 winver.exe 47
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3144
-
C:\Users\Admin\AppData\Local\Temp\NEAS.58b676aff7e20b6ac7be762ade641020_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.58b676aff7e20b6ac7be762ade641020_JC.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4164 -
C:\Windows\SysWOW64\winver.exewinver3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2820
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2332
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2312