649c1149abc18d368ecbfbd6686d0835b5ee40a1fc81b7fac180426687a6d49b

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
02/11/2023, 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.41a7f01f6a2aa59eacafa70d9f8413e0.exe
Size

896KB
MD5

41a7f01f6a2aa59eacafa70d9f8413e0
SHA1

34379ee306479cfecd43e88b06f1ec80c81c53d0
SHA256

649c1149abc18d368ecbfbd6686d0835b5ee40a1fc81b7fac180426687a6d49b
SHA512

11ac5cfd1aa6becbd57915db40c14d9d880275b1004ee4b8354aebfcab51eb21bd08ac7ca932cd15653fe992b7e17d1222d21dde2090ff740a7272d878d0651e
SSDEEP

12288:Xy7G7Sok++skWlVijs/92v8j7MjlDa/ZSP:XyK7Fk0Vig/9a8j7Ca/ZSP

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2496	NEAS.41a7f01f6a2aa59eacafa70d9f8413e0.exe

Executes dropped EXE 1 IoCs

pid	Process
2496	NEAS.41a7f01f6a2aa59eacafa70d9f8413e0.exe

Loads dropped DLL 4 IoCs

pid	Process
1748	NEAS.41a7f01f6a2aa59eacafa70d9f8413e0.exe
2292	WerFault.exe
2292	WerFault.exe
2292	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2292	2496	WerFault.exe	29

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1748	NEAS.41a7f01f6a2aa59eacafa70d9f8413e0.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2496	NEAS.41a7f01f6a2aa59eacafa70d9f8413e0.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 2496	1748	NEAS.41a7f01f6a2aa59eacafa70d9f8413e0.exe	29
PID 1748 wrote to memory of 2496	1748	NEAS.41a7f01f6a2aa59eacafa70d9f8413e0.exe	29
PID 1748 wrote to memory of 2496	1748	NEAS.41a7f01f6a2aa59eacafa70d9f8413e0.exe	29
PID 1748 wrote to memory of 2496	1748	NEAS.41a7f01f6a2aa59eacafa70d9f8413e0.exe	29
PID 2496 wrote to memory of 2292	2496	NEAS.41a7f01f6a2aa59eacafa70d9f8413e0.exe	30
PID 2496 wrote to memory of 2292	2496	NEAS.41a7f01f6a2aa59eacafa70d9f8413e0.exe	30
PID 2496 wrote to memory of 2292	2496	NEAS.41a7f01f6a2aa59eacafa70d9f8413e0.exe	30
PID 2496 wrote to memory of 2292	2496	NEAS.41a7f01f6a2aa59eacafa70d9f8413e0.exe	30

C:\Users\Admin\AppData\Local\Temp\NEAS.41a7f01f6a2aa59eacafa70d9f8413e0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.41a7f01f6a2aa59eacafa70d9f8413e0.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Users\Admin\AppData\Local\Temp\NEAS.41a7f01f6a2aa59eacafa70d9f8413e0.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.41a7f01f6a2aa59eacafa70d9f8413e0.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 144
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2292

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.41a7f01f6a2aa59eacafa70d9f8413e0.exe

Filesize
896KB

MD5
2463cd3ca0bc94c3dda2d3e346ccafeb

SHA1
422bf29f68ce1f9ee86e19a9ed523f85eff2a2c4

SHA256
9558cff412f8182139f6245fbcc5d50667fe9c05d8e1cc54518de1d4887ea863

SHA512
253fcc50e904e7c70b0c3d3673b7e91790ce23825ff36078e1fb98e17c14e2d2ce3c53606f9f0dad8288b5492624a20f163443d48db121ed0eba92ee2e925277

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.41a7f01f6a2aa59eacafa70d9f8413e0.exe

Filesize
896KB

MD5
2463cd3ca0bc94c3dda2d3e346ccafeb

SHA1
422bf29f68ce1f9ee86e19a9ed523f85eff2a2c4

SHA256
9558cff412f8182139f6245fbcc5d50667fe9c05d8e1cc54518de1d4887ea863

SHA512
253fcc50e904e7c70b0c3d3673b7e91790ce23825ff36078e1fb98e17c14e2d2ce3c53606f9f0dad8288b5492624a20f163443d48db121ed0eba92ee2e925277

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.41a7f01f6a2aa59eacafa70d9f8413e0.exe

Filesize
896KB

MD5
2463cd3ca0bc94c3dda2d3e346ccafeb

SHA1
422bf29f68ce1f9ee86e19a9ed523f85eff2a2c4

SHA256
9558cff412f8182139f6245fbcc5d50667fe9c05d8e1cc54518de1d4887ea863

SHA512
253fcc50e904e7c70b0c3d3673b7e91790ce23825ff36078e1fb98e17c14e2d2ce3c53606f9f0dad8288b5492624a20f163443d48db121ed0eba92ee2e925277

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.41a7f01f6a2aa59eacafa70d9f8413e0.exe

Filesize
896KB

MD5
2463cd3ca0bc94c3dda2d3e346ccafeb

SHA1
422bf29f68ce1f9ee86e19a9ed523f85eff2a2c4

SHA256
9558cff412f8182139f6245fbcc5d50667fe9c05d8e1cc54518de1d4887ea863

SHA512
253fcc50e904e7c70b0c3d3673b7e91790ce23825ff36078e1fb98e17c14e2d2ce3c53606f9f0dad8288b5492624a20f163443d48db121ed0eba92ee2e925277

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.41a7f01f6a2aa59eacafa70d9f8413e0.exe

Filesize
896KB

MD5
2463cd3ca0bc94c3dda2d3e346ccafeb

SHA1
422bf29f68ce1f9ee86e19a9ed523f85eff2a2c4

SHA256
9558cff412f8182139f6245fbcc5d50667fe9c05d8e1cc54518de1d4887ea863

SHA512
253fcc50e904e7c70b0c3d3673b7e91790ce23825ff36078e1fb98e17c14e2d2ce3c53606f9f0dad8288b5492624a20f163443d48db121ed0eba92ee2e925277

Download Submit
memory/1748-0-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/1748-8-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/1748-7-0x00000000030A0000-0x000000000318D000-memory.dmp

Filesize
948KB

Download
memory/2496-10-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/2496-11-0x0000000002F70000-0x000000000305D000-memory.dmp

Filesize
948KB

Download
memory/2496-15-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download