ecaa20a3da295e99c840f6c7f46080c0f6c5567b1fa0d966caecce9197602737

General

Target

NEAS.13d69b164669fead9d0a065ad74c0670_JC.exe
Size

1.1MB
MD5

13d69b164669fead9d0a065ad74c0670
SHA1

3776a0c1d40e8b9ee1e38dda4916b5a2f72e2b72
SHA256

ecaa20a3da295e99c840f6c7f46080c0f6c5567b1fa0d966caecce9197602737
SHA512

3be64789d8843d1be37c52d2190fa8af69df2ba31eec7439fc20c2ecd3b44c667d5fa3aae83002b07f7856b7d5fcc1d8d32062a336de0afb0f2bd7ddd0164745
SSDEEP

24576:c96IumzrmHHI7tEctS7RQLkHaoZta/ZS/Ix77Lv+f6T8Qns7:cYIReoSsMRf6ozgoIxbq7

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4708	NEAS.13d69b164669fead9d0a065ad74c0670_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
4708	NEAS.13d69b164669fead9d0a065ad74c0670_JC.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 13 IoCs

pid	pid_target	Process	procid_target
5096	3192	WerFault.exe	84
4480	4708	WerFault.exe	92
4528	4708	WerFault.exe	92
4784	4708	WerFault.exe	92
432	4708	WerFault.exe	92
3980	4708	WerFault.exe	92
4356	4708	WerFault.exe	92
2920	4708	WerFault.exe	92
408	4708	WerFault.exe	92
1740	4708	WerFault.exe	92
3224	4708	WerFault.exe	92
4172	4708	WerFault.exe	92
4996	4708	WerFault.exe	92

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4708	NEAS.13d69b164669fead9d0a065ad74c0670_JC.exe
4708	NEAS.13d69b164669fead9d0a065ad74c0670_JC.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3192	NEAS.13d69b164669fead9d0a065ad74c0670_JC.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
4708	NEAS.13d69b164669fead9d0a065ad74c0670_JC.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 4708	3192	NEAS.13d69b164669fead9d0a065ad74c0670_JC.exe	92
PID 3192 wrote to memory of 4708	3192	NEAS.13d69b164669fead9d0a065ad74c0670_JC.exe	92
PID 3192 wrote to memory of 4708	3192	NEAS.13d69b164669fead9d0a065ad74c0670_JC.exe	92

C:\Users\Admin\AppData\Local\Temp\NEAS.13d69b164669fead9d0a065ad74c0670_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.13d69b164669fead9d0a065ad74c0670_JC.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 344
  2⤵
  - Program crash
  PID:5096
- C:\Users\Admin\AppData\Local\Temp\NEAS.13d69b164669fead9d0a065ad74c0670_JC.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.13d69b164669fead9d0a065ad74c0670_JC.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:4708
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 344
    3⤵
    - Program crash
    PID:4480
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 636
    3⤵
    - Program crash
    PID:4528
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 652
    3⤵
    - Program crash
    PID:4784
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 652
    3⤵
    - Program crash
    PID:432
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 720
    3⤵
    - Program crash
    PID:3980
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 904
    3⤵
    - Program crash
    PID:4356
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 1416
    3⤵
    - Program crash
    PID:2920
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 1464
    3⤵
    - Program crash
    PID:408
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 1428
    3⤵
    - Program crash
    PID:1740
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 1720
    3⤵
    - Program crash
    PID:3224
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 1708
    3⤵
    - Program crash
    PID:4172
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 1648
    3⤵
    - Program crash
    PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3192 -ip 3192
1⤵
PID:852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4708 -ip 4708
1⤵
PID:1700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4708 -ip 4708
1⤵
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4708 -ip 4708
1⤵
PID:1164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4708 -ip 4708
1⤵
PID:1944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4708 -ip 4708
1⤵
PID:3888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4708 -ip 4708
1⤵
PID:4152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4708 -ip 4708
1⤵
PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4708 -ip 4708
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4708 -ip 4708
1⤵
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4708 -ip 4708
1⤵
PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4708 -ip 4708
1⤵
PID:3988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4708 -ip 4708
1⤵
PID:868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.13d69b164669fead9d0a065ad74c0670_JC.exe

Filesize
1.1MB

MD5
847373d4769898f36477c3ae7d900b3c

SHA1
06a60a9e7bc8317544deb53dd66e5b1404a4cf91

SHA256
871b6cde2db92ea318c03334b7fc352611d8dec6ddbe92c4d7b7bd6982dc73af

SHA512
e1668ba3776a5c25d4f679c9ba2096f83e9f08e2c86660e343e2bad0d02e2f0e1567e90265240752327d866b36f9068636810daaade3813c070c2cdd021252ae

Download Submit
memory/3192-0-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3192-6-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4708-7-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4708-8-0x0000000005030000-0x000000000511F000-memory.dmp

Filesize
956KB

Download
memory/4708-9-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/4708-19-0x000000000C9F0000-0x000000000CA93000-memory.dmp

Filesize
652KB

Download
memory/4708-18-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4708-25-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download

Analysis

Sharing