ba30621397277537a0ffec93c4749ecd5c9f1457bf58a7af29b402787da4bf7a

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
04/11/2023, 14:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.007a30e6b7eb00125f0f434bbe453240.exe
Size

887KB
MD5

007a30e6b7eb00125f0f434bbe453240
SHA1

1d628d11595d9853bb14e06894b9a2674c9f0b5f
SHA256

ba30621397277537a0ffec93c4749ecd5c9f1457bf58a7af29b402787da4bf7a
SHA512

f7a49f67f997f7f3dcfdb0c432b1c66cc6f28ab44eb309b89043d2d3b8dc1a96bc5848af93bed52be657960bac28e62a392eb7e0ddbc1139e65a8126982346a2
SSDEEP

6144:oMia/WU83WJoe4cmOtzvdIPCqSX8hx8I1/m6Xww/+NEPwABbxxJa/YESN:oMiGWUpF4cNIKihuimCww7PjVDa/ZSN

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2972	NEAS.007a30e6b7eb00125f0f434bbe453240.exe

Executes dropped EXE 1 IoCs

pid	Process
2972	NEAS.007a30e6b7eb00125f0f434bbe453240.exe

Loads dropped DLL 4 IoCs

pid	Process
2880	NEAS.007a30e6b7eb00125f0f434bbe453240.exe
2908	WerFault.exe
2908	WerFault.exe
2908	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2908	2972	WerFault.exe	29

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2880	NEAS.007a30e6b7eb00125f0f434bbe453240.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2972	NEAS.007a30e6b7eb00125f0f434bbe453240.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2972	2880	NEAS.007a30e6b7eb00125f0f434bbe453240.exe	29
PID 2880 wrote to memory of 2972	2880	NEAS.007a30e6b7eb00125f0f434bbe453240.exe	29
PID 2880 wrote to memory of 2972	2880	NEAS.007a30e6b7eb00125f0f434bbe453240.exe	29
PID 2880 wrote to memory of 2972	2880	NEAS.007a30e6b7eb00125f0f434bbe453240.exe	29
PID 2972 wrote to memory of 2908	2972	NEAS.007a30e6b7eb00125f0f434bbe453240.exe	30
PID 2972 wrote to memory of 2908	2972	NEAS.007a30e6b7eb00125f0f434bbe453240.exe	30
PID 2972 wrote to memory of 2908	2972	NEAS.007a30e6b7eb00125f0f434bbe453240.exe	30
PID 2972 wrote to memory of 2908	2972	NEAS.007a30e6b7eb00125f0f434bbe453240.exe	30

C:\Users\Admin\AppData\Local\Temp\NEAS.007a30e6b7eb00125f0f434bbe453240.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.007a30e6b7eb00125f0f434bbe453240.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Users\Admin\AppData\Local\Temp\NEAS.007a30e6b7eb00125f0f434bbe453240.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.007a30e6b7eb00125f0f434bbe453240.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 144
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2908

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.007a30e6b7eb00125f0f434bbe453240.exe

Filesize
887KB

MD5
c56c8518e38296163a92fe2d5032d95b

SHA1
2b93a00bd961fa1e37adb743d8077dc077b31996

SHA256
474c58d032490ecfb5614e58b0bfb72134ce00cbe8826143d1abda8747c60f81

SHA512
8f8bd340481f8a648577a855f5a11cb2501202c8bfa31fab5b709435e56fa2f9e06a27921463495dffc041c9e5202c0b8028bf48d8e99d3dd5a2a45192b090db

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.007a30e6b7eb00125f0f434bbe453240.exe

Filesize
887KB

MD5
c56c8518e38296163a92fe2d5032d95b

SHA1
2b93a00bd961fa1e37adb743d8077dc077b31996

SHA256
474c58d032490ecfb5614e58b0bfb72134ce00cbe8826143d1abda8747c60f81

SHA512
8f8bd340481f8a648577a855f5a11cb2501202c8bfa31fab5b709435e56fa2f9e06a27921463495dffc041c9e5202c0b8028bf48d8e99d3dd5a2a45192b090db

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.007a30e6b7eb00125f0f434bbe453240.exe

Filesize
887KB

MD5
c56c8518e38296163a92fe2d5032d95b

SHA1
2b93a00bd961fa1e37adb743d8077dc077b31996

SHA256
474c58d032490ecfb5614e58b0bfb72134ce00cbe8826143d1abda8747c60f81

SHA512
8f8bd340481f8a648577a855f5a11cb2501202c8bfa31fab5b709435e56fa2f9e06a27921463495dffc041c9e5202c0b8028bf48d8e99d3dd5a2a45192b090db

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.007a30e6b7eb00125f0f434bbe453240.exe

Filesize
887KB

MD5
c56c8518e38296163a92fe2d5032d95b

SHA1
2b93a00bd961fa1e37adb743d8077dc077b31996

SHA256
474c58d032490ecfb5614e58b0bfb72134ce00cbe8826143d1abda8747c60f81

SHA512
8f8bd340481f8a648577a855f5a11cb2501202c8bfa31fab5b709435e56fa2f9e06a27921463495dffc041c9e5202c0b8028bf48d8e99d3dd5a2a45192b090db

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.007a30e6b7eb00125f0f434bbe453240.exe

Filesize
887KB

MD5
c56c8518e38296163a92fe2d5032d95b

SHA1
2b93a00bd961fa1e37adb743d8077dc077b31996

SHA256
474c58d032490ecfb5614e58b0bfb72134ce00cbe8826143d1abda8747c60f81

SHA512
8f8bd340481f8a648577a855f5a11cb2501202c8bfa31fab5b709435e56fa2f9e06a27921463495dffc041c9e5202c0b8028bf48d8e99d3dd5a2a45192b090db

Download Submit
memory/2880-0-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/2880-6-0x0000000003010000-0x00000000030FD000-memory.dmp

Filesize
948KB

Download
memory/2880-10-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/2972-9-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/2972-11-0x0000000002F10000-0x0000000002FFD000-memory.dmp

Filesize
948KB

Download
memory/2972-15-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download