Overview

overview

10

Static

static

3

NEAS.5213e...c0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-11-2023 12:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.5213ee74e4d9223121ff1d5136ffd0c0.exe

  • Size

    515KB

  • MD5

    5213ee74e4d9223121ff1d5136ffd0c0

  • SHA1

    631d3d1d3ee82a99a70c710d22f0a0c179fb447c

  • SHA256

    721315d8100c535325f9cf8b434727d66bf8daf52f934a8aaf927bd5e3d952f9

  • SHA512

    506e124104db8ac20b3c714b1dd43331d2e11def1678d1239600e99a8d294cd73bcced49bd920f300c50e6886b20eb73da4fb11da48e6d1e6125495e0c08b1f0

  • SSDEEP

    12288:UMrWy90jOOzGNlEyV26leOA31GIovYKZnxsajKz:qyQOOzGQyZbIoTnxs8Kz

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.5213ee74e4d9223121ff1d5136ffd0c0.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.5213ee74e4d9223121ff1d5136ffd0c0.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3704
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1jh97Zz1.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1jh97Zz1.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3668
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4784
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2lP1685.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2lP1685.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:5072
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
          PID:4320
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 540
            4⤵
            • Program crash
            PID:2436
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4320 -ip 4320
      1⤵
        PID:1456

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1jh97Zz1.exe
        Filesize

        869KB

        MD5

        fed8ae830b76ea3777cb7c84f1f1eec8

        SHA1

        a32f31b931b013ffb5ce494769debda81b827888

        SHA256

        f7631006c7ef29f9f7e12256c49b95117640ed4cad103ce99020d3d68350c35f

        SHA512

        bd9b888168af23b0aae13b05b33f1b4618a9e0fabd69d01495965c57afb4ba82394363de15cddcd32a969b74c45bfafba062a52edc2197c800d7fe23f7e8347b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1jh97Zz1.exe
        Filesize

        869KB

        MD5

        fed8ae830b76ea3777cb7c84f1f1eec8

        SHA1

        a32f31b931b013ffb5ce494769debda81b827888

        SHA256

        f7631006c7ef29f9f7e12256c49b95117640ed4cad103ce99020d3d68350c35f

        SHA512

        bd9b888168af23b0aae13b05b33f1b4618a9e0fabd69d01495965c57afb4ba82394363de15cddcd32a969b74c45bfafba062a52edc2197c800d7fe23f7e8347b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2lP1685.exe
        Filesize

        1.0MB

        MD5

        f4efee1ac0e3e00ff0064fa6353a583c

        SHA1

        6143c29a1e5ec65004dd291bb84a867d154ee0d1

        SHA256

        ce0d21601d0c6e3212ca085ca272e4104490ea1cb48419152560867721056261

        SHA512

        13a3e3d413358b8d34165e761e280347ad447f70200211fb449f897c2d76ff91b07febd761dd1aa21acb20ac900887a98dddfd0253356ea41d19c24d0236321a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2lP1685.exe
        Filesize

        1.0MB

        MD5

        f4efee1ac0e3e00ff0064fa6353a583c

        SHA1

        6143c29a1e5ec65004dd291bb84a867d154ee0d1

        SHA256

        ce0d21601d0c6e3212ca085ca272e4104490ea1cb48419152560867721056261

        SHA512

        13a3e3d413358b8d34165e761e280347ad447f70200211fb449f897c2d76ff91b07febd761dd1aa21acb20ac900887a98dddfd0253356ea41d19c24d0236321a

        Download Submit

      • memory/4320-12-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4320-13-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4320-14-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4320-16-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4784-7-0x0000000000400000-0x000000000040A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4784-11-0x0000000074350000-0x0000000074B00000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4784-17-0x0000000074350000-0x0000000074B00000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4784-19-0x0000000074350000-0x0000000074B00000-memory.dmp

        Filesize

        7.7MB

        Download