95d1562268a30e1804b35d0dfdd63d138000e979c1bff3e9d2b5699145c0f742

Analysis

max time kernel
131s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
03/11/2023, 13:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.518c340169d0a4d3da323e8841952900.exe
Size

504KB
MD5

518c340169d0a4d3da323e8841952900
SHA1

44672a8a0fb5b4772f9b3fd10dd274286e8d2760
SHA256

95d1562268a30e1804b35d0dfdd63d138000e979c1bff3e9d2b5699145c0f742
SHA512

9a31e2c463407d6d8be619a2ed0373b839f6893fdb51ccced3bfb4d4e31642b5f9d07ee5a52b203f3e4d6adcb2a5718d4546c2df187d78def2520bb9610cd933
SSDEEP

6144:+hu6gmjDtI52zAZzfBCBTD1IeHYAiaGLnM6EVJvcvQFfnhqAuz/EJd10oqtEcqK+:+hvcvZQBuaiaGTrEVWvQDqARzAEf

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4512	NEAS.518c340169d0a4d3da323e8841952900.exe

Executes dropped EXE 1 IoCs

pid	Process
4512	NEAS.518c340169d0a4d3da323e8841952900.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1428-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral2/files/0x0008000000022e15-12.dat	upx
behavioral2/memory/4512-14-0x0000000000400000-0x000000000065C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 14 IoCs

pid	pid_target	Process	procid_target
4172	4512	WerFault.exe	89
836	4512	WerFault.exe	89
4244	4512	WerFault.exe	89
388	4512	WerFault.exe	89
884	4512	WerFault.exe	89
1412	4512	WerFault.exe	89
764	4512	WerFault.exe	89
636	4512	WerFault.exe	89
2184	4512	WerFault.exe	89
1704	4512	WerFault.exe	89
1652	4512	WerFault.exe	89
3624	4512	WerFault.exe	89
4008	4512	WerFault.exe	89
4916	4512	WerFault.exe	89

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3604	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1428	NEAS.518c340169d0a4d3da323e8841952900.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1428	NEAS.518c340169d0a4d3da323e8841952900.exe
4512	NEAS.518c340169d0a4d3da323e8841952900.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 4512	1428	NEAS.518c340169d0a4d3da323e8841952900.exe	89
PID 1428 wrote to memory of 4512	1428	NEAS.518c340169d0a4d3da323e8841952900.exe	89
PID 1428 wrote to memory of 4512	1428	NEAS.518c340169d0a4d3da323e8841952900.exe	89
PID 4512 wrote to memory of 3604	4512	NEAS.518c340169d0a4d3da323e8841952900.exe	91
PID 4512 wrote to memory of 3604	4512	NEAS.518c340169d0a4d3da323e8841952900.exe	91
PID 4512 wrote to memory of 3604	4512	NEAS.518c340169d0a4d3da323e8841952900.exe	91
PID 4512 wrote to memory of 5072	4512	NEAS.518c340169d0a4d3da323e8841952900.exe	94
PID 4512 wrote to memory of 5072	4512	NEAS.518c340169d0a4d3da323e8841952900.exe	94
PID 4512 wrote to memory of 5072	4512	NEAS.518c340169d0a4d3da323e8841952900.exe	94
PID 5072 wrote to memory of 1992	5072	cmd.exe	96
PID 5072 wrote to memory of 1992	5072	cmd.exe	96
PID 5072 wrote to memory of 1992	5072	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\NEAS.518c340169d0a4d3da323e8841952900.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.518c340169d0a4d3da323e8841952900.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Users\Admin\AppData\Local\Temp\NEAS.518c340169d0a4d3da323e8841952900.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.518c340169d0a4d3da323e8841952900.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\NEAS.518c340169d0a4d3da323e8841952900.exe" /TN zI9ZHeXk296c /F
    3⤵
    - Creates scheduled task(s)
    PID:3604
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN zI9ZHeXk296c > C:\Users\Admin\AppData\Local\Temp\Gb80VfGlt.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5072
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN zI9ZHeXk296c
      4⤵
      PID:1992
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 604
    3⤵
    - Program crash
    PID:4172
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 628
    3⤵
    - Program crash
    PID:836
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 736
    3⤵
    - Program crash
    PID:4244
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 756
    3⤵
    - Program crash
    PID:388
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 760
    3⤵
    - Program crash
    PID:884
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 756
    3⤵
    - Program crash
    PID:1412
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 1468
    3⤵
    - Program crash
    PID:764
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 1884
    3⤵
    - Program crash
    PID:636
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 1520
    3⤵
    - Program crash
    PID:2184
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 2028
    3⤵
    - Program crash
    PID:1704
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 2208
    3⤵
    - Program crash
    PID:1652
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 1948
    3⤵
    - Program crash
    PID:3624
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 2052
    3⤵
    - Program crash
    PID:4008
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 752
    3⤵
    - Program crash
    PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4512 -ip 4512
1⤵
PID:1452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4512 -ip 4512
1⤵
PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4512 -ip 4512
1⤵
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4512 -ip 4512
1⤵
PID:3852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4512 -ip 4512
1⤵
PID:3280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4512 -ip 4512
1⤵
PID:2732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4512 -ip 4512
1⤵
PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4512 -ip 4512
1⤵
PID:376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4512 -ip 4512
1⤵
PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4512 -ip 4512
1⤵
PID:1452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4512 -ip 4512
1⤵
PID:1700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4512 -ip 4512
1⤵
PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4512 -ip 4512
1⤵
PID:560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4512 -ip 4512
1⤵
PID:3884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Gb80VfGlt.xml

Filesize
1KB

MD5
a4aaff722d47154cc1b5904c3da83c16

SHA1
fb948ceeb9e629b08fd2d43baa6513db37c097b8

SHA256
4680752cddf6e2d2b36e7b8a775fcd52288bb5fce5d21c1d283acfce6de00c68

SHA512
f53c927b05440c6834f33c96e1b8d62211236556932651184257fcb56ab1df87e667a9b28fa066fa5b99adfb6bbd9c5e0c145354e7bc2e4d512b5405acfb2cd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.518c340169d0a4d3da323e8841952900.exe

Filesize
504KB

MD5
fe30a3c4971e68843419671ad356813d

SHA1
248c248686ddc191e87d17a110b5f3ed9154e93c

SHA256
bae658465d060bb5b1cec6020141d5513cac173dd811ddabab6f1bbf88bd3e58

SHA512
1a8e19c481111e70dff319c47334fb0d593be06f913ee331cadc7f514b832910b4ca2146a5f7f05f36162b14067343a616d182e3c35711d8900fc52e37ec86a8

Download Submit
memory/1428-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1428-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1428-2-0x0000000001730000-0x00000000017AE000-memory.dmp

Filesize
504KB

Download
memory/1428-13-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4512-14-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/4512-16-0x0000000025040000-0x00000000250BE000-memory.dmp

Filesize
504KB

Download
memory/4512-22-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/4512-23-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4512-32-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads