80624e23929622d85305d6df25663620667c2cb06431c34a7a632ab2045aa8b9

General

Target

NEAS.585cf71e2f69a984d6949dd6cdab5810.exe
Size

960KB
MD5

585cf71e2f69a984d6949dd6cdab5810
SHA1

cc1e0049973a15a2d40adcb39387c3fe6f27d24a
SHA256

80624e23929622d85305d6df25663620667c2cb06431c34a7a632ab2045aa8b9
SHA512

32d791947839ec8691f4abec5a34b2aed62db517eb77d44921b64c83a65a04439cb126de020b746362ac4f68edd4280cf15bd31bafc1df92c679e09378344262
SSDEEP

24576:nFRnXZI26p9YYmtuC9iWPWqTvIpx4AUAkEa/ZSTeF+77LX:lOYYmtuC9FPWqTcYAkEgqeF+bX

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2128	NEAS.585cf71e2f69a984d6949dd6cdab5810.exe

Executes dropped EXE 1 IoCs

pid	Process
2128	NEAS.585cf71e2f69a984d6949dd6cdab5810.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 13 IoCs

pid	pid_target	Process	procid_target
100	3340	WerFault.exe	85
4476	2128	WerFault.exe	93
744	2128	WerFault.exe	93
4680	2128	WerFault.exe	93
2420	2128	WerFault.exe	93
1860	2128	WerFault.exe	93
1964	2128	WerFault.exe	93
1832	2128	WerFault.exe	93
680	2128	WerFault.exe	93
400	2128	WerFault.exe	93
2148	2128	WerFault.exe	93
452	2128	WerFault.exe	93
5028	2128	WerFault.exe	93

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2128	NEAS.585cf71e2f69a984d6949dd6cdab5810.exe
2128	NEAS.585cf71e2f69a984d6949dd6cdab5810.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3340	NEAS.585cf71e2f69a984d6949dd6cdab5810.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2128	NEAS.585cf71e2f69a984d6949dd6cdab5810.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3340 wrote to memory of 2128	3340	NEAS.585cf71e2f69a984d6949dd6cdab5810.exe	93
PID 3340 wrote to memory of 2128	3340	NEAS.585cf71e2f69a984d6949dd6cdab5810.exe	93
PID 3340 wrote to memory of 2128	3340	NEAS.585cf71e2f69a984d6949dd6cdab5810.exe	93

C:\Users\Admin\AppData\Local\Temp\NEAS.585cf71e2f69a984d6949dd6cdab5810.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.585cf71e2f69a984d6949dd6cdab5810.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3340
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3340 -s 344
  2⤵
  - Program crash
  PID:100
- C:\Users\Admin\AppData\Local\Temp\NEAS.585cf71e2f69a984d6949dd6cdab5810.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.585cf71e2f69a984d6949dd6cdab5810.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:2128
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 344
    3⤵
    - Program crash
    PID:4476
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 636
    3⤵
    - Program crash
    PID:744
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 644
    3⤵
    - Program crash
    PID:4680
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 644
    3⤵
    - Program crash
    PID:2420
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 708
    3⤵
    - Program crash
    PID:1860
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 896
    3⤵
    - Program crash
    PID:1964
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 1396
    3⤵
    - Program crash
    PID:1832
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 1448
    3⤵
    - Program crash
    PID:680
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 1464
    3⤵
    - Program crash
    PID:400
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 1460
    3⤵
    - Program crash
    PID:2148
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 1536
    3⤵
    - Program crash
    PID:452
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 1692
    3⤵
    - Program crash
    PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3340 -ip 3340
1⤵
PID:3804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2128 -ip 2128
1⤵
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2128 -ip 2128
1⤵
PID:828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2128 -ip 2128
1⤵
PID:2756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2128 -ip 2128
1⤵
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2128 -ip 2128
1⤵
PID:2848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2128 -ip 2128
1⤵
PID:2172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2128 -ip 2128
1⤵
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2128 -ip 2128
1⤵
PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2128 -ip 2128
1⤵
PID:1920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2128 -ip 2128
1⤵
PID:1716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2128 -ip 2128
1⤵
PID:2820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2128 -ip 2128
1⤵
PID:4840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.585cf71e2f69a984d6949dd6cdab5810.exe

Filesize
960KB

MD5
18f0fce3235bb798c2896c9749c8a29c

SHA1
6961b1fe746d67ef7c8cc13e87788a56e9f94618

SHA256
d031628caa693ce223e21f300d4edb68db4196bc1186d1662e9c6276d6cbd03e

SHA512
cc06aa4c9aac68269166d9ad7d38816456d7265662190748682833082ca85e8abaadd4b9f8e486f1f64fac2326378248e899a6aa1500ac4711817a279d4b5325

Download Submit
memory/2128-7-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2128-8-0x0000000005060000-0x0000000005150000-memory.dmp

Filesize
960KB

Download
memory/2128-9-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2128-18-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2128-19-0x000000000B9D0000-0x000000000BA73000-memory.dmp

Filesize
652KB

Download
memory/2128-25-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3340-0-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3340-6-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download

Analysis

Sharing