5767e0afaba947458e0f40afff664b925265b1c9615543f6cf910491767369ce

Analysis

max time kernel
118s
max time network
140s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
01-11-2023 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.0503ba2642f8f6e5fb8a09c5c40fb300.exe
Size

1.0MB
MD5

0503ba2642f8f6e5fb8a09c5c40fb300
SHA1

edc685d911f19d109c69956c7b6818d3ad6edd67
SHA256

5767e0afaba947458e0f40afff664b925265b1c9615543f6cf910491767369ce
SHA512

721a2ba1e5ef8b931ee795ed54d5d26e51f3eedf1cca9c9f37163f81cb1b96330308dcd4e8d9be4ab7b726ddd751bcdfb5e0ba5c7dcce7740f7d85b38bf8e7c3
SSDEEP

12288:PmRZxm/GA0c4UWjVDa/ZSVDkHnhvMCtj7:P6A0c4UUa/ZSVDCue3

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2080	NEAS.0503ba2642f8f6e5fb8a09c5c40fb300.exe

Executes dropped EXE 1 IoCs

pid	Process
2080	NEAS.0503ba2642f8f6e5fb8a09c5c40fb300.exe

Loads dropped DLL 4 IoCs

pid	Process
2584	NEAS.0503ba2642f8f6e5fb8a09c5c40fb300.exe
2700	WerFault.exe
2700	WerFault.exe
2700	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2700	2080	WerFault.exe	29

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2584	NEAS.0503ba2642f8f6e5fb8a09c5c40fb300.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2080	NEAS.0503ba2642f8f6e5fb8a09c5c40fb300.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 2080	2584	NEAS.0503ba2642f8f6e5fb8a09c5c40fb300.exe	29
PID 2584 wrote to memory of 2080	2584	NEAS.0503ba2642f8f6e5fb8a09c5c40fb300.exe	29
PID 2584 wrote to memory of 2080	2584	NEAS.0503ba2642f8f6e5fb8a09c5c40fb300.exe	29
PID 2584 wrote to memory of 2080	2584	NEAS.0503ba2642f8f6e5fb8a09c5c40fb300.exe	29
PID 2080 wrote to memory of 2700	2080	NEAS.0503ba2642f8f6e5fb8a09c5c40fb300.exe	30
PID 2080 wrote to memory of 2700	2080	NEAS.0503ba2642f8f6e5fb8a09c5c40fb300.exe	30
PID 2080 wrote to memory of 2700	2080	NEAS.0503ba2642f8f6e5fb8a09c5c40fb300.exe	30
PID 2080 wrote to memory of 2700	2080	NEAS.0503ba2642f8f6e5fb8a09c5c40fb300.exe	30

C:\Users\Admin\AppData\Local\Temp\NEAS.0503ba2642f8f6e5fb8a09c5c40fb300.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.0503ba2642f8f6e5fb8a09c5c40fb300.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Users\Admin\AppData\Local\Temp\NEAS.0503ba2642f8f6e5fb8a09c5c40fb300.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.0503ba2642f8f6e5fb8a09c5c40fb300.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 144
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2700

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.0503ba2642f8f6e5fb8a09c5c40fb300.exe

Filesize
1.0MB

MD5
36f4caeee3242209222ea7ee7c0f2ac1

SHA1
4bf3974e39d9f3bba8a011319f936628e9e27954

SHA256
ec903d37abbdcb6029815d6615799295afa8f24532923e520ffc21821bf01525

SHA512
845188958571d92340f5eab16391695592c1b22a93efd83e9d8520e8cadb854f1ee3a7b0e50c00f01444247fd2de50eca29a37a9959b43ecd8a70b3f7c730a38

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.0503ba2642f8f6e5fb8a09c5c40fb300.exe

Filesize
1.0MB

MD5
36f4caeee3242209222ea7ee7c0f2ac1

SHA1
4bf3974e39d9f3bba8a011319f936628e9e27954

SHA256
ec903d37abbdcb6029815d6615799295afa8f24532923e520ffc21821bf01525

SHA512
845188958571d92340f5eab16391695592c1b22a93efd83e9d8520e8cadb854f1ee3a7b0e50c00f01444247fd2de50eca29a37a9959b43ecd8a70b3f7c730a38

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.0503ba2642f8f6e5fb8a09c5c40fb300.exe

Filesize
1.0MB

MD5
36f4caeee3242209222ea7ee7c0f2ac1

SHA1
4bf3974e39d9f3bba8a011319f936628e9e27954

SHA256
ec903d37abbdcb6029815d6615799295afa8f24532923e520ffc21821bf01525

SHA512
845188958571d92340f5eab16391695592c1b22a93efd83e9d8520e8cadb854f1ee3a7b0e50c00f01444247fd2de50eca29a37a9959b43ecd8a70b3f7c730a38

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.0503ba2642f8f6e5fb8a09c5c40fb300.exe

Filesize
1.0MB

MD5
36f4caeee3242209222ea7ee7c0f2ac1

SHA1
4bf3974e39d9f3bba8a011319f936628e9e27954

SHA256
ec903d37abbdcb6029815d6615799295afa8f24532923e520ffc21821bf01525

SHA512
845188958571d92340f5eab16391695592c1b22a93efd83e9d8520e8cadb854f1ee3a7b0e50c00f01444247fd2de50eca29a37a9959b43ecd8a70b3f7c730a38

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.0503ba2642f8f6e5fb8a09c5c40fb300.exe

Filesize
1.0MB

MD5
36f4caeee3242209222ea7ee7c0f2ac1

SHA1
4bf3974e39d9f3bba8a011319f936628e9e27954

SHA256
ec903d37abbdcb6029815d6615799295afa8f24532923e520ffc21821bf01525

SHA512
845188958571d92340f5eab16391695592c1b22a93efd83e9d8520e8cadb854f1ee3a7b0e50c00f01444247fd2de50eca29a37a9959b43ecd8a70b3f7c730a38

Download Submit
memory/2080-11-0x0000000002CF0000-0x0000000002DDD000-memory.dmp

Filesize
948KB

Download
memory/2080-10-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/2080-16-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/2584-0-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/2584-8-0x0000000002E10000-0x0000000002EFD000-memory.dmp

Filesize
948KB

Download
memory/2584-7-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/2584-15-0x0000000002E10000-0x0000000002EFD000-memory.dmp

Filesize
948KB

Download