a2e8ad9b2ea51549b8584f91849e1f812732b0d39322cc924691ab367ad2f8ff

General

Target

NEAS.5dace556b4a337af180d5751db9345e0.exe
Size

272KB
MD5

5dace556b4a337af180d5751db9345e0
SHA1

1aea82a318d80df636ce0a875cdfef8c59222eae
SHA256

a2e8ad9b2ea51549b8584f91849e1f812732b0d39322cc924691ab367ad2f8ff
SHA512

c15146af12402fbb1604afbc08c73be982490e05aae83fb28cc32b020d7a5753cd93f27e250ca78c4aa8eb3e7c315f42a5d1f6d48e8bbf19b2abe542aabadf0d
SSDEEP

6144:RsjiQ+u5HAPkbZePJDmlI/+dfkIOwgccXYJcmI3cvHQOFZayUa/nM2:SjiQ+u5HAPk9EUoYJcmym0

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1612	xeusua.exe

Loads dropped DLL 5 IoCs

pid	Process
2276	NEAS.5dace556b4a337af180d5751db9345e0.exe
2276	NEAS.5dace556b4a337af180d5751db9345e0.exe
2444	WerFault.exe
2444	WerFault.exe
2444	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2444	1612	WerFault.exe	28

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2276	NEAS.5dace556b4a337af180d5751db9345e0.exe
1612	xeusua.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 1612	2276	NEAS.5dace556b4a337af180d5751db9345e0.exe	28
PID 2276 wrote to memory of 1612	2276	NEAS.5dace556b4a337af180d5751db9345e0.exe	28
PID 2276 wrote to memory of 1612	2276	NEAS.5dace556b4a337af180d5751db9345e0.exe	28
PID 2276 wrote to memory of 1612	2276	NEAS.5dace556b4a337af180d5751db9345e0.exe	28
PID 1612 wrote to memory of 2444	1612	xeusua.exe	29
PID 1612 wrote to memory of 2444	1612	xeusua.exe	29
PID 1612 wrote to memory of 2444	1612	xeusua.exe	29
PID 1612 wrote to memory of 2444	1612	xeusua.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.5dace556b4a337af180d5751db9345e0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.5dace556b4a337af180d5751db9345e0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Users\Admin\xeusua.exe
  "C:\Users\Admin\xeusua.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 188
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\xeusua.exe

Filesize
272KB

MD5
cd434a91a28ddd4b02b01308547917e6

SHA1
b37cefc8bc091e47d1980d85bc55f2a1df98e794

SHA256
ad5490f3ee0554ada7d64d306c48c1f2dcf76e7a4a246438d7d9ae20c4d8a94a

SHA512
52c3eaa660f31787322080233aea97ca891d89274cd5bed930380c03f5aee94e4a702e5f12b35b9a5d33b5d53dfd32a0e0c2f31eecfc845511e5a5456e7eeb9c

Download Submit
C:\Users\Admin\xeusua.exe

Filesize
272KB

MD5
cd434a91a28ddd4b02b01308547917e6

SHA1
b37cefc8bc091e47d1980d85bc55f2a1df98e794

SHA256
ad5490f3ee0554ada7d64d306c48c1f2dcf76e7a4a246438d7d9ae20c4d8a94a

SHA512
52c3eaa660f31787322080233aea97ca891d89274cd5bed930380c03f5aee94e4a702e5f12b35b9a5d33b5d53dfd32a0e0c2f31eecfc845511e5a5456e7eeb9c

Download Submit
\Users\Admin\xeusua.exe

Filesize
272KB

MD5
cd434a91a28ddd4b02b01308547917e6

SHA1
b37cefc8bc091e47d1980d85bc55f2a1df98e794

SHA256
ad5490f3ee0554ada7d64d306c48c1f2dcf76e7a4a246438d7d9ae20c4d8a94a

SHA512
52c3eaa660f31787322080233aea97ca891d89274cd5bed930380c03f5aee94e4a702e5f12b35b9a5d33b5d53dfd32a0e0c2f31eecfc845511e5a5456e7eeb9c

Download Submit
\Users\Admin\xeusua.exe

Filesize
272KB

MD5
cd434a91a28ddd4b02b01308547917e6

SHA1
b37cefc8bc091e47d1980d85bc55f2a1df98e794

SHA256
ad5490f3ee0554ada7d64d306c48c1f2dcf76e7a4a246438d7d9ae20c4d8a94a

SHA512
52c3eaa660f31787322080233aea97ca891d89274cd5bed930380c03f5aee94e4a702e5f12b35b9a5d33b5d53dfd32a0e0c2f31eecfc845511e5a5456e7eeb9c

Download Submit
\Users\Admin\xeusua.exe

Filesize
272KB

MD5
cd434a91a28ddd4b02b01308547917e6

SHA1
b37cefc8bc091e47d1980d85bc55f2a1df98e794

SHA256
ad5490f3ee0554ada7d64d306c48c1f2dcf76e7a4a246438d7d9ae20c4d8a94a

SHA512
52c3eaa660f31787322080233aea97ca891d89274cd5bed930380c03f5aee94e4a702e5f12b35b9a5d33b5d53dfd32a0e0c2f31eecfc845511e5a5456e7eeb9c

Download Submit
\Users\Admin\xeusua.exe

Filesize
272KB

MD5
cd434a91a28ddd4b02b01308547917e6

SHA1
b37cefc8bc091e47d1980d85bc55f2a1df98e794

SHA256
ad5490f3ee0554ada7d64d306c48c1f2dcf76e7a4a246438d7d9ae20c4d8a94a

SHA512
52c3eaa660f31787322080233aea97ca891d89274cd5bed930380c03f5aee94e4a702e5f12b35b9a5d33b5d53dfd32a0e0c2f31eecfc845511e5a5456e7eeb9c

Download Submit
\Users\Admin\xeusua.exe

Filesize
272KB

MD5
cd434a91a28ddd4b02b01308547917e6

SHA1
b37cefc8bc091e47d1980d85bc55f2a1df98e794

SHA256
ad5490f3ee0554ada7d64d306c48c1f2dcf76e7a4a246438d7d9ae20c4d8a94a

SHA512
52c3eaa660f31787322080233aea97ca891d89274cd5bed930380c03f5aee94e4a702e5f12b35b9a5d33b5d53dfd32a0e0c2f31eecfc845511e5a5456e7eeb9c

Download Submit
memory/1612-17-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1612-23-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2276-9-0x0000000002DA0000-0x0000000002DE4000-memory.dmp

Filesize
272KB

Download
memory/2276-14-0x0000000002DA0000-0x0000000002DE4000-memory.dmp

Filesize
272KB

Download
memory/2276-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2276-21-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2276-22-0x0000000002DA0000-0x0000000002DE4000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing