Analysis
-
max time kernel
8s -
max time network
12s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system -
submitted
31-10-2023 08:55
Behavioral task
behavioral1
Sample
NEAS.78c6e04d35cf296d569133f4ab0369b0.exe
Resource
win7-20231020-en
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.78c6e04d35cf296d569133f4ab0369b0.exe
Resource
win10v2004-20231020-en
6 signatures
150 seconds
General
-
Target
NEAS.78c6e04d35cf296d569133f4ab0369b0.exe
-
Size
113KB
-
MD5
78c6e04d35cf296d569133f4ab0369b0
-
SHA1
dc41526fbf3e3c67d41e1a8f1a4df6dee571b5a4
-
SHA256
806bfe2269333045a12a58d4a142c7e5faf414a1c44485993276c0877c957c1e
-
SHA512
1c47b5f9a26184e39563168d2cf592bb120c384731b9a7954202f0bf921ee9c5382ed6ae70b11a028474fc9aec41216eb8906d21ebf4ea621994a3f3d2c70cd1
-
SSDEEP
1536:giLOvRmmQegJfBbmAQ256/ZrwWhwqjhurmKFcbL86WV0E:giyvRmDLs/ZrwWjjAqGcfzWH
Score
10/10
Malware Config
Signatures
-
resource yara_rule behavioral2/memory/4972-0-0x0000000000400000-0x000000000041E000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\E1EF544B = "C:\\Users\\Admin\\AppData\\Roaming\\E1EF544B\\bin.exe" winver.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3848 winver.exe 3848 winver.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 3848 winver.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 4972 wrote to memory of 3848 4972 NEAS.78c6e04d35cf296d569133f4ab0369b0.exe 88 PID 4972 wrote to memory of 3848 4972 NEAS.78c6e04d35cf296d569133f4ab0369b0.exe 88 PID 4972 wrote to memory of 3848 4972 NEAS.78c6e04d35cf296d569133f4ab0369b0.exe 88 PID 4972 wrote to memory of 3848 4972 NEAS.78c6e04d35cf296d569133f4ab0369b0.exe 88 PID 3848 wrote to memory of 3252 3848 winver.exe 38 PID 3848 wrote to memory of 2432 3848 winver.exe 51 PID 3848 wrote to memory of 2440 3848 winver.exe 50 PID 3848 wrote to memory of 2540 3848 winver.exe 48 PID 3848 wrote to memory of 3252 3848 winver.exe 38
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3252
-
C:\Users\Admin\AppData\Local\Temp\NEAS.78c6e04d35cf296d569133f4ab0369b0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.78c6e04d35cf296d569133f4ab0369b0.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Windows\SysWOW64\winver.exewinver3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3848
-
-
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:2540
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2440
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2432