Analysis
max time kernel: 12s
max time network: 18s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-10-2023 10:44
Behavioral task: behavioral1
  Sample: NEAS.b629945c89457faa408981dcdd008f40.exe
  Resource: win7-20231020-en
  7 signatures, 150 seconds

Behavioral task: behavioral2
  Sample: NEAS.b629945c89457faa408981dcdd008f40.exe
  Resource: win10v2004-20231020-en
  6 signatures, 150 seconds
General
Target: NEAS.b629945c89457faa408981dcdd008f40.exe
Size: 113KB
MD5: b629945c89457faa408981dcdd008f40
SHA1: 665111f8903c947ecc23f96af998473ff17ddcfc
SHA256: 05a8f963d6f5d95515eebc21af34608ccc5ae92528b9bcb3ee5e25a0497a4d40
SHA512: b92cba64c6392bf47ec3a19415f5f4ef1ce2ae1cc2b38d1650bfd8d58affe6005e13cb457814aa6998d93f9f54c15d46c68b2a1beadf1934eb6cdf6649175ecc
SSDEEP: 1536:QiLOvRmmQegJfBbmAQ256/ZrwWhwqjhurmKFcbL86WV0E:QiyvRmDLs/ZrwWjjAqGcfzWH
Score: 10/10
Malware Config

Signatures

YARA rule match
  resource: behavioral2/memory/2280-0-0x0000000000400000-0x000000000041E000-memory.dmp
  yara_rule: upx

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5E5389CD = "C:\\Users\\Admin\\AppData\\Roaming\\5E5389CD\\bin.exe"
  process: winver.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 5064  winver.exe
  pid 5064  winver.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  pid 5064  winver.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description                       pid   process                                        procid_target
  PID 2280 wrote to memory of 5064  2280  NEAS.b629945c89457faa408981dcdd008f40.exe       87
  PID 2280 wrote to memory of 5064  2280  NEAS.b629945c89457faa408981dcdd008f40.exe       87
  PID 2280 wrote to memory of 5064  2280  NEAS.b629945c89457faa408981dcdd008f40.exe       87
  PID 2280 wrote to memory of 5064  2280  NEAS.b629945c89457faa408981dcdd008f40.exe       87
  PID 5064 wrote to memory of 3324  5064  winver.exe                                      41
  PID 5064 wrote to memory of 2504  5064  winver.exe                                      53
  PID 5064 wrote to memory of 2564  5064  winver.exe                                      52
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 3324

  C:\Users\Admin\AppData\Local\Temp\NEAS.b629945c89457faa408981dcdd008f40.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.b629945c89457faa408981dcdd008f40.exe"
    PID: 2280
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\winver.exe
      command line: winver
      PID: 5064
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 2564

C:\Windows\system32\sihost.exe
  command line: sihost.exe
  PID: 2504