b5ed70b476779b394767fea246dbd7c485c1b4d1d1615ed188d6c86c5ee06749

General

Target

NEAS.64c74017c516766686e28b6ad7b67650.exe
Size

257KB
MD5

64c74017c516766686e28b6ad7b67650
SHA1

970e5d8e68ce545209cde40e32cb8c9d90d702e1
SHA256

b5ed70b476779b394767fea246dbd7c485c1b4d1d1615ed188d6c86c5ee06749
SHA512

fec0486c37cef7287870e748d3976fa8b65adea4f65f09a90a96c49519bc69f2622d82ee461a4611ee591aa76d43cb6ded9a8abd1d1fa52dd9258047209efc06
SSDEEP

6144:lSBePu+AeHzWM3FObg6ytRWbYjBWS7zMas+d+:woPjAeHzt4VytRWMjBp/Mas+c

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2088	NEAS.64c74017c516766686e28b6ad7b67650.exe

Executes dropped EXE 1 IoCs

pid	Process
2088	NEAS.64c74017c516766686e28b6ad7b67650.exe

Loads dropped DLL 1 IoCs

pid	Process
1144	NEAS.64c74017c516766686e28b6ad7b67650.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2088	NEAS.64c74017c516766686e28b6ad7b67650.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2736	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2088	NEAS.64c74017c516766686e28b6ad7b67650.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1144	NEAS.64c74017c516766686e28b6ad7b67650.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1144	NEAS.64c74017c516766686e28b6ad7b67650.exe
2088	NEAS.64c74017c516766686e28b6ad7b67650.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1144 wrote to memory of 2088	1144	NEAS.64c74017c516766686e28b6ad7b67650.exe	28
PID 1144 wrote to memory of 2088	1144	NEAS.64c74017c516766686e28b6ad7b67650.exe	28
PID 1144 wrote to memory of 2088	1144	NEAS.64c74017c516766686e28b6ad7b67650.exe	28
PID 1144 wrote to memory of 2088	1144	NEAS.64c74017c516766686e28b6ad7b67650.exe	28
PID 2088 wrote to memory of 2736	2088	NEAS.64c74017c516766686e28b6ad7b67650.exe	29
PID 2088 wrote to memory of 2736	2088	NEAS.64c74017c516766686e28b6ad7b67650.exe	29
PID 2088 wrote to memory of 2736	2088	NEAS.64c74017c516766686e28b6ad7b67650.exe	29
PID 2088 wrote to memory of 2736	2088	NEAS.64c74017c516766686e28b6ad7b67650.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.64c74017c516766686e28b6ad7b67650.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.64c74017c516766686e28b6ad7b67650.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Users\Admin\AppData\Local\Temp\NEAS.64c74017c516766686e28b6ad7b67650.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.64c74017c516766686e28b6ad7b67650.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\NEAS.64c74017c516766686e28b6ad7b67650.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.64c74017c516766686e28b6ad7b67650.exe

Filesize
257KB

MD5
9a6ff866b23ff3d593eebdd2d762befc

SHA1
f2b0daf6f12d6125c1460e074f0149973c39101e

SHA256
3fb8bd90eabab5ec6f507d7577ecb8c68d43cf66f3bd29421b2a251fa833e13c

SHA512
639ecc79f60fc1748b9903c4cd81bcea5ae182f235d9fa26b9dd802548e1d25d897b02a0b6a798c9b7b96cd9249d8279af0dcd88c0145a8caad28975dd67e3ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.64c74017c516766686e28b6ad7b67650.exe

Filesize
257KB

MD5
9a6ff866b23ff3d593eebdd2d762befc

SHA1
f2b0daf6f12d6125c1460e074f0149973c39101e

SHA256
3fb8bd90eabab5ec6f507d7577ecb8c68d43cf66f3bd29421b2a251fa833e13c

SHA512
639ecc79f60fc1748b9903c4cd81bcea5ae182f235d9fa26b9dd802548e1d25d897b02a0b6a798c9b7b96cd9249d8279af0dcd88c0145a8caad28975dd67e3ec

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.64c74017c516766686e28b6ad7b67650.exe

Filesize
257KB

MD5
9a6ff866b23ff3d593eebdd2d762befc

SHA1
f2b0daf6f12d6125c1460e074f0149973c39101e

SHA256
3fb8bd90eabab5ec6f507d7577ecb8c68d43cf66f3bd29421b2a251fa833e13c

SHA512
639ecc79f60fc1748b9903c4cd81bcea5ae182f235d9fa26b9dd802548e1d25d897b02a0b6a798c9b7b96cd9249d8279af0dcd88c0145a8caad28975dd67e3ec

Download Submit
memory/1144-14-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1144-1-0x00000000014C0000-0x0000000001578000-memory.dmp

Filesize
736KB

Download
memory/1144-2-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1144-15-0x0000000002E10000-0x0000000002EC8000-memory.dmp

Filesize
736KB

Download
memory/1144-0-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2088-21-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2088-25-0x0000000002D00000-0x0000000002D67000-memory.dmp

Filesize
412KB

Download
memory/2088-24-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2088-17-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2088-18-0x00000000014C0000-0x0000000001578000-memory.dmp

Filesize
736KB

Download
memory/2088-31-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads