Analysis
Max time kernel: 150s
Max time network: 154s
Platform: windows7_x64
Resource: win7-20231020-en
Resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
Submitted: 28-10-2023 19:52
Static task static1: 1 signatures
Behavioral task behavioral1: sample NEAS.39320d58fc8d98a54fc6b5472a587440.exe, resource win7-20231020-en, 8 signatures, 150 seconds
Behavioral task behavioral2: sample NEAS.39320d58fc8d98a54fc6b5472a587440.exe, resource win10v2004-20231023-en, 5 signatures, 150 seconds
General
Target: NEAS.39320d58fc8d98a54fc6b5472a587440.exe
Size: 88KB
MD5: 39320d58fc8d98a54fc6b5472a587440
SHA1: 63353b4e546c1ab11358c8f136301cd63055d931
SHA256: f80075d8bf83331c84a6a47c8ac9418f5d80d5e683ed704b0e9dc2f6c4325723
SHA512: 95645bbb3bd2c825cfe7d7544ad456911527bbe7b576ad3740bfa47317ac4ecddfdaa452bdb9d7c1e3ada60e542a9c3bd6a3bc56505c865408446b0ce081bd50
SSDEEP: 1536:85nfmIpxDWbUfd3aOPmxxEhvgCooXqRQqjh+rmKVsN:85fvp12UFKcD/6jwqWsN
Score: 10/10
Malware Config
(none extracted)

Signatures
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Run\150F0D9A = "C:\\Users\\Admin\\AppData\\Roaming\\150F0D9A\\bin.exe" (process: winver.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 1808 winver.exe (the same entry is reported 64 times)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 1200 Explorer.EXE
Suspicious use of FindShellTrayWindow (3 IoCs)
  pid 1808 winver.exe
  pid 1200 Explorer.EXE
  pid 1200 Explorer.EXE
Suspicious use of SendNotifyMessage (2 IoCs)
  pid 1200 Explorer.EXE
  pid 1200 Explorer.EXE
Suspicious use of UnmapMainImage (1 IoC)
  pid 1200 Explorer.EXE
Suspicious use of WriteProcessMemory (9 IoCs; columns: description, pid, process, procid_target)
  PID 2184 wrote to memory of 1808 | 2184 | NEAS.39320d58fc8d98a54fc6b5472a587440.exe | 29
  PID 2184 wrote to memory of 1808 | 2184 | NEAS.39320d58fc8d98a54fc6b5472a587440.exe | 29
  PID 2184 wrote to memory of 1808 | 2184 | NEAS.39320d58fc8d98a54fc6b5472a587440.exe | 29
  PID 2184 wrote to memory of 1808 | 2184 | NEAS.39320d58fc8d98a54fc6b5472a587440.exe | 29
  PID 2184 wrote to memory of 1808 | 2184 | NEAS.39320d58fc8d98a54fc6b5472a587440.exe | 29
  PID 1808 wrote to memory of 1200 | 1808 | winver.exe | 15
  PID 1808 wrote to memory of 1104 | 1808 | winver.exe | 17
  PID 1808 wrote to memory of 1152 | 1808 | winver.exe | 16
  PID 1808 wrote to memory of 1200 | 1808 | winver.exe | 15
Processes (indentation shows parent/child relationship)
C:\Windows\Explorer.EXE (PID 1200)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of UnmapMainImage
  C:\Users\Admin\AppData\Local\Temp\NEAS.39320d58fc8d98a54fc6b5472a587440.exe (PID 2184)
    command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.39320d58fc8d98a54fc6b5472a587440.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\winver.exe (PID 1808)
      command line: winver
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
C:\Windows\system32\Dwm.exe (PID 1152)
  command line: "C:\Windows\system32\Dwm.exe"
C:\Windows\system32\taskhost.exe (PID 1104)
  command line: "taskhost.exe"