Analysis
max time kernel: 163s
max time network: 183s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-10-2023 20:19
Behavioral task: behavioral1
  Sample: NEAS.fa5cb8a2c507cc0f4141beceeb3d49d0.exe
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: NEAS.fa5cb8a2c507cc0f4141beceeb3d49d0.exe
  Resource: win10v2004-20231023-en
General
Target: NEAS.fa5cb8a2c507cc0f4141beceeb3d49d0.exe
Size: 45KB
MD5: fa5cb8a2c507cc0f4141beceeb3d49d0
SHA1: 4c4d1a18f943500fd4be8db435382e43cc43e2c6
SHA256: 9adb63a85b887a2746fc8675947800cc4ee11ea220284d659e700bb2625d6c58
SHA512: 49c3973ac6de02784060baaeed3062b05aba459e5365bcf78d4104875af233ba36e353273cdaef54d68c03bb3015306531b970effc4b7f073917571a2373a3b1
SSDEEP: 768:+hP0kDE9N5dCA8J7VHXdrIniQaBTT+QQ+r1n4K8+C9TtIuCjaqUODvJVQ2f:SsWE9N5dFu53dsniQaB/xZ14n7zIF+qr
Malware Config
Signatures
resource | yara_rule
behavioral2/memory/4236-0-0x0000000000400000-0x000000000041D000-memory.dmp | upx
behavioral2/memory/4236-1-0x0000000000400000-0x000000000041D000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\73A599E0 = "C:\\Users\\Admin\\AppData\\Roaming\\73A599E0\\bin.exe" | winver.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2788 | winver.exe (the same entry repeated 64 times)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
3380 | Explorer.EXE
Suspicious use of AdjustPrivilegeToken (7 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 3380 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3380 | Explorer.EXE
Token: SeDebugPrivilege | 884 | backgroundTaskHost.exe
Token: SeDebugPrivilege | 884 | backgroundTaskHost.exe
Token: SeDebugPrivilege | 884 | backgroundTaskHost.exe
Token: SeShutdownPrivilege | 3380 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3380 | Explorer.EXE
Suspicious use of FindShellTrayWindow (1 IoC)
pid | Process
2788 | winver.exe
Suspicious use of UnmapMainImage (1 IoC)
pid | Process
3380 | Explorer.EXE
Suspicious use of WriteProcessMemory (23 IoCs)
description | pid | Process | procid_target
PID 4236 wrote to memory of 2788 | 4236 | NEAS.fa5cb8a2c507cc0f4141beceeb3d49d0.exe | 93
PID 4236 wrote to memory of 2788 | 4236 | NEAS.fa5cb8a2c507cc0f4141beceeb3d49d0.exe | 93
PID 4236 wrote to memory of 2788 | 4236 | NEAS.fa5cb8a2c507cc0f4141beceeb3d49d0.exe | 93
PID 4236 wrote to memory of 2788 | 4236 | NEAS.fa5cb8a2c507cc0f4141beceeb3d49d0.exe | 93
PID 2788 wrote to memory of 3380 | 2788 | winver.exe | 45
PID 2788 wrote to memory of 2336 | 2788 | winver.exe | 60
PID 2788 wrote to memory of 2360 | 2788 | winver.exe | 59
PID 2788 wrote to memory of 2468 | 2788 | winver.exe | 56
PID 2788 wrote to memory of 3380 | 2788 | winver.exe | 45
PID 2788 wrote to memory of 3544 | 2788 | winver.exe | 44
PID 2788 wrote to memory of 3752 | 2788 | winver.exe | 43
PID 2788 wrote to memory of 3876 | 2788 | winver.exe | 42
PID 2788 wrote to memory of 3940 | 2788 | winver.exe | 41
PID 2788 wrote to memory of 4036 | 2788 | winver.exe | 40
PID 2788 wrote to memory of 3860 | 2788 | winver.exe | 39
PID 2788 wrote to memory of 3168 | 2788 | winver.exe | 37
PID 2788 wrote to memory of 3608 | 2788 | winver.exe | 27
PID 2788 wrote to memory of 3672 | 2788 | winver.exe | 22
PID 2788 wrote to memory of 2136 | 2788 | winver.exe | 20
PID 2788 wrote to memory of 1276 | 2788 | winver.exe | 16
PID 2788 wrote to memory of 3540 | 2788 | winver.exe | 87
PID 2788 wrote to memory of 3828 | 2788 | winver.exe | 95
PID 2788 wrote to memory of 884 | 2788 | winver.exe | 96
Processes (process tree; indentation shows parent/child)
- PID 1276: C:\Windows\System32\RuntimeBroker.exe
    command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 2136: C:\Windows\system32\backgroundTaskHost.exe
    command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
- PID 3672: C:\Windows\system32\backgroundTaskHost.exe
    command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
- PID 3608: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
    command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- PID 3168: C:\Windows\System32\RuntimeBroker.exe
    command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 3860: C:\Windows\System32\RuntimeBroker.exe
    command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 4036: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- PID 3940: C:\Windows\System32\RuntimeBroker.exe
    command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 3876: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- PID 3752: C:\Windows\system32\DllHost.exe
    command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  - PID 3828: C:\Windows\system32\WerFault.exe
      command line: C:\Windows\system32\WerFault.exe -u -p 3752 -s 940
      signatures: Checks processor information in registry; Enumerates system info in registry
- PID 3544: C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- PID 3380: C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    signatures: Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage
  - PID 4236: C:\Users\Admin\AppData\Local\Temp\NEAS.fa5cb8a2c507cc0f4141beceeb3d49d0.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.fa5cb8a2c507cc0f4141beceeb3d49d0.exe"
      signatures: Suspicious use of WriteProcessMemory
    - PID 2788: C:\Windows\SysWOW64\winver.exe
        command line: winver
        signatures: Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
- PID 2468: C:\Windows\system32\taskhostw.exe
    command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- PID 2360: C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- PID 2336: C:\Windows\system32\sihost.exe
    command line: sihost.exe
- PID 3540: C:\Windows\System32\RuntimeBroker.exe
    command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 884: C:\Windows\system32\backgroundTaskHost.exe
    command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
    signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads