Analysis
max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7-20231025-en
resource tags: arch:x64, arch:x86, image:win7-20231025-en, locale:en-us, os:windows7-x64, system
submitted: 28-10-2023 20:11
Static task static1: 1 signatures

Behavioral task behavioral1
  Sample: NEAS.b48dc57cf2add016e8c28592e7ae4a40.exe
  Resource: win7-20231025-en
  7 signatures, 150 seconds

Behavioral task behavioral2
  Sample: NEAS.b48dc57cf2add016e8c28592e7ae4a40.exe
  Resource: win10v2004-20231023-en
  5 signatures, 150 seconds
General
Target: NEAS.b48dc57cf2add016e8c28592e7ae4a40.exe
Size: 88KB
MD5: b48dc57cf2add016e8c28592e7ae4a40
SHA1: ab2e844001c043a5a7ee66469cf00f2da38257d3
SHA256: a0d19e38527e7ec077e2c8a1a6ad94f2a37991ee563298b18163cb98395f0241
SHA512: 64777370adec61f83bff1d8f36687410482acb4b9de071a90ef0c1b4d529c6ce23b9637481596ca60f608872ab79366833b4889c854ceeae8e154d84e383aef3
SSDEEP: 1536:f5nfmIpxDWbUfd3aOPmxxEhvgCooXqRQqjh+rmKVsN:f5fvp12UFKcD/6jwqWsN
Score: 10/10
Malware Config

Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Run\8042107A = "C:\\Users\\Admin\\AppData\\Roaming\\8042107A\\bin.exe"
  Process: winver.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 1184, Process winver.exe (the same entry is repeated 64 times in the report)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 1280, Process Explorer.EXE

Suspicious use of FindShellTrayWindow (1 IoC)
  pid 1184, Process winver.exe

Suspicious use of UnmapMainImage (1 IoC)
  pid 1280, Process Explorer.EXE
Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 2596 wrote to memory of 1184 | 2596 | NEAS.b48dc57cf2add016e8c28592e7ae4a40.exe | 29 (this entry appears 5 times)
  PID 1184 wrote to memory of 1280 | 1184 | winver.exe | 16
  PID 1184 wrote to memory of 1144 | 1184 | winver.exe | 17
  PID 1184 wrote to memory of 1244 | 1184 | winver.exe | 10
  PID 1184 wrote to memory of 1280 | 1184 | winver.exe | 16
Processes
(path | command line | tree depth | PID; children are indented under their parent)

C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | 1 | PID:1244

C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | 1 | PID:1280
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of UnmapMainImage
  C:\Users\Admin\AppData\Local\Temp\NEAS.b48dc57cf2add016e8c28592e7ae4a40.exe | "C:\Users\Admin\AppData\Local\Temp\NEAS.b48dc57cf2add016e8c28592e7ae4a40.exe" | 2 | PID:2596
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\winver.exe | winver | 3 | PID:1184
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory

C:\Windows\system32\taskhost.exe | "taskhost.exe" | 1 | PID:1144