Analysis
-
max time kernel
7s -
max time network
10s -
platform
windows10-2004_x64 -
resource
win10v2004-20231025-en -
resource tags
arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system -
submitted
31-10-2023 21:55
Behavioral task
behavioral1
Sample
NEAS.74f0bdb3e02972bc39ef7b2899c19550_JC.exe
Resource
win7-20231020-en
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.74f0bdb3e02972bc39ef7b2899c19550_JC.exe
Resource
win10v2004-20231025-en
6 signatures
150 seconds
General
-
Target
NEAS.74f0bdb3e02972bc39ef7b2899c19550_JC.exe
-
Size
45KB
-
MD5
74f0bdb3e02972bc39ef7b2899c19550
-
SHA1
68e2652d9e3deb0a649879172abd4b9a65e61fae
-
SHA256
da8ad29f0274e7a7e3c3369d5be1e05b784d8e755b47bd542f1e3a3952d91a73
-
SHA512
08b6ae343f248240f87a41e44702e39096478d587a1db0b4e8f66ffc84427b724728f3e23b5e29518092895e46a27a3304ca30a1082a66f9ddc0b25ea4d2f0ac
-
SSDEEP
768:chP0kDE9N5dCA8J7VHXdrIniQaBTT+QQ+r1n4K8+C9TtIuCjaqUODvJVQ2f:QsWE9N5dFu53dsniQaB/xZ14n7zIF+qr
Score
10/10
Malware Config
Signatures
-
resource yara_rule behavioral2/memory/4452-0-0x0000000000400000-0x000000000041D000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\782E447E = "C:\\Users\\Admin\\AppData\\Roaming\\782E447E\\bin.exe" winver.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4796 winver.exe 4796 winver.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4796 winver.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 4452 wrote to memory of 4796 4452 NEAS.74f0bdb3e02972bc39ef7b2899c19550_JC.exe 88 PID 4452 wrote to memory of 4796 4452 NEAS.74f0bdb3e02972bc39ef7b2899c19550_JC.exe 88 PID 4452 wrote to memory of 4796 4452 NEAS.74f0bdb3e02972bc39ef7b2899c19550_JC.exe 88 PID 4452 wrote to memory of 4796 4452 NEAS.74f0bdb3e02972bc39ef7b2899c19550_JC.exe 88 PID 4796 wrote to memory of 3228 4796 winver.exe 41 PID 4796 wrote to memory of 2404 4796 winver.exe 53 PID 4796 wrote to memory of 2440 4796 winver.exe 52
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3228
-
C:\Users\Admin\AppData\Local\Temp\NEAS.74f0bdb3e02972bc39ef7b2899c19550_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.74f0bdb3e02972bc39ef7b2899c19550_JC.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4452 -
C:\Windows\SysWOW64\winver.exewinver3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4796
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2440
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2404