Overview

overview

10

Static

static

3

NEAS.10b25...80.exe

windows7-x64

10

NEAS.10b25...80.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    155s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-11-2023 13:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.10b25594c41492b534f7547668179c80.exe

  • Size

    36KB

  • MD5

    10b25594c41492b534f7547668179c80

  • SHA1

    94a900e0a7b2190976d75c4aa46d1f10c02fc90f

  • SHA256

    331829fc482abe14911c0781da1a67d13a7935516140447d096f94fd5f49a509

  • SHA512

    a2ab8891dd48ff51c13f48d12e488b5b1e93e2dbe7c79e3960218469869788133342981d2b60e2eb8307035200386fc6c75194d328c268c0f6f50ac3d26879d4

  • SSDEEP

    384:Z+k6uBAGaiMv1u95RkMWgHKBcKu0aevN9TOpiK1XZUnI8gdAA:jAQMv1053WdBNuqnTMGI8gKA

Score
10/10
ginkpersistenceworm

Malware Config

Signatures

  • Gink
    wormgink
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 3 IoCs
  • Drops file in Windows directory 2 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.10b25594c41492b534f7547668179c80.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.10b25594c41492b534f7547668179c80.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    PID:4004
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 516
      2⤵
      • Program crash
      PID:2692
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4004 -ip 4004
    1⤵
      PID:4716
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
      1⤵
        PID:3700
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k UnistackSvcGroup
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2176

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm
        Filesize

        16KB

        MD5

        966aff50eefad4cd8fe638b3a1e9cb92

        SHA1

        1b731c6583f26837f244be5f87c02443942a7948

        SHA256

        cf64779e4d3f5dfd4f0971567843c212c4408365c402b4fb62fd0601242a7b36

        SHA512

        dc22c9f2f815d579cd283c6db78befec9cae18bb48ac187e745e6dd4aed69ce348582b6278eb87f52d5dd979bf961b7c73ef9a5aebb92b563116675be5e8f1ed

        Download Submit

      • memory/2176-48-0x0000018CE7890000-0x0000018CE7891000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2176-41-0x0000018CE7870000-0x0000018CE7871000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2176-49-0x0000018CE7890000-0x0000018CE7891000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2176-25-0x0000018CDF280000-0x0000018CDF290000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2176-50-0x0000018CE7890000-0x0000018CE7891000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2176-42-0x0000018CE7890000-0x0000018CE7891000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2176-43-0x0000018CE7890000-0x0000018CE7891000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2176-51-0x0000018CE7890000-0x0000018CE7891000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2176-45-0x0000018CE7890000-0x0000018CE7891000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2176-46-0x0000018CE7890000-0x0000018CE7891000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2176-47-0x0000018CE7890000-0x0000018CE7891000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2176-77-0x0000018CE7710000-0x0000018CE7711000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2176-9-0x0000018CDF180000-0x0000018CDF190000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2176-76-0x0000018CE7600000-0x0000018CE7601000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2176-44-0x0000018CE7890000-0x0000018CE7891000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2176-52-0x0000018CE74C0000-0x0000018CE74C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2176-53-0x0000018CE74B0000-0x0000018CE74B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2176-55-0x0000018CE74C0000-0x0000018CE74C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2176-58-0x0000018CE74B0000-0x0000018CE74B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2176-61-0x0000018CE73F0000-0x0000018CE73F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2176-75-0x0000018CE7600000-0x0000018CE7601000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2176-73-0x0000018CE75F0000-0x0000018CE75F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4004-4-0x0000000000400000-0x0000000000409000-memory.dmp

        Filesize

        36KB

        Download

      • memory/4004-8-0x0000000000400000-0x0000000000409000-memory.dmp

        Filesize

        36KB

        Download

      • memory/4004-0-0x0000000000400000-0x0000000000409000-memory.dmp

        Filesize

        36KB

        Download