Analysis

max time kernel: 7s
max time network: 14s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-10-2023 19:52
Static task: static1 (1 signature)

Behavioral task: behavioral1
  Sample: NEAS.39320d58fc8d98a54fc6b5472a587440.exe
  Resource: win7-20231020-en
  8 signatures, 150 seconds

Behavioral task: behavioral2
  Sample: NEAS.39320d58fc8d98a54fc6b5472a587440.exe
  Resource: win10v2004-20231023-en
  5 signatures, 150 seconds
General

Target: NEAS.39320d58fc8d98a54fc6b5472a587440.exe
Size: 88KB
MD5: 39320d58fc8d98a54fc6b5472a587440
SHA1: 63353b4e546c1ab11358c8f136301cd63055d931
SHA256: f80075d8bf83331c84a6a47c8ac9418f5d80d5e683ed704b0e9dc2f6c4325723
SHA512: 95645bbb3bd2c825cfe7d7544ad456911527bbe7b576ad3740bfa47317ac4ecddfdaa452bdb9d7c1e3ada60e542a9c3bd6a3bc56505c865408446b0ce081bd50
SSDEEP: 1536:85nfmIpxDWbUfd3aOPmxxEhvgCooXqRQqjh+rmKVsN:85fvp12UFKcD/6jwqWsN
Score: 10/10
Malware Config
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2D8BBD13 = "C:\\Users\\Admin\\AppData\\Roaming\\2D8BBD13\\bin.exe"
  process: winver.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   process
  3020  winver.exe
  3020  winver.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  pid   process
  3020  winver.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description                        pid   process                                    procid_target
  PID 4700 wrote to memory of 3020   4700  NEAS.39320d58fc8d98a54fc6b5472a587440.exe  84
  PID 4700 wrote to memory of 3020   4700  NEAS.39320d58fc8d98a54fc6b5472a587440.exe  84
  PID 4700 wrote to memory of 3020   4700  NEAS.39320d58fc8d98a54fc6b5472a587440.exe  84
  PID 4700 wrote to memory of 3020   4700  NEAS.39320d58fc8d98a54fc6b5472a587440.exe  84
  PID 3020 wrote to memory of 3316   3020  winver.exe                                 56
  PID 3020 wrote to memory of 2344   3020  winver.exe                                 43
  PID 3020 wrote to memory of 2360   3020  winver.exe                                 42
Processes

[depth 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 2360

[depth 1] C:\Windows\system32\sihost.exe
  command line: sihost.exe
  PID: 2344

[depth 1] C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 3316

  [depth 2] C:\Users\Admin\AppData\Local\Temp\NEAS.39320d58fc8d98a54fc6b5472a587440.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.39320d58fc8d98a54fc6b5472a587440.exe"
    signatures: Suspicious use of WriteProcessMemory
    PID: 4700

    [depth 3] C:\Windows\SysWOW64\winver.exe
      command line: winver
      signatures: Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
      PID: 3020