3df09b566ed9bc73167278cce8a9e0d6e9ae2378883494dc28b8529147824ea1

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
04/11/2023, 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.05b2fb19e7433c423fcfb77578cd7520.exe
Size

50KB
MD5

05b2fb19e7433c423fcfb77578cd7520
SHA1

1f48a4ffae8b6cdef2199bdf1644326dc6a58d58
SHA256

3df09b566ed9bc73167278cce8a9e0d6e9ae2378883494dc28b8529147824ea1
SHA512

7ba00d6cc703bf8201e2edaf0468031283c278c0ddf9c6aa89b000af7eed9fae40f3c99bc21770f86c8bca80ba37f2f8c4a27d6918c52d7563663efccb92fa1e
SSDEEP

768:NTRDu9EEet5i2u0RLPwAFleSysz4XUCO7LLXeMXhr975SxJx0FEXt8:NTRDoLeSuVeS74/O7LLJXhr/s+Kt

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe

Suspicious behavior: MapViewOfSection 21 IoCs

pid	Process
2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe
2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe
2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe
2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe
2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe
2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe
2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe
2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe
2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe
2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe
2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe
2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe
2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe
2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe
2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe
2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe
2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe
2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe
2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe
2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe
2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 372	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	5
PID 2296 wrote to memory of 372	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	5
PID 2296 wrote to memory of 372	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	5
PID 2296 wrote to memory of 372	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	5
PID 2296 wrote to memory of 372	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	5
PID 2296 wrote to memory of 372	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	5
PID 2296 wrote to memory of 372	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	5
PID 2296 wrote to memory of 388	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	4
PID 2296 wrote to memory of 388	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	4
PID 2296 wrote to memory of 388	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	4
PID 2296 wrote to memory of 388	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	4
PID 2296 wrote to memory of 388	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	4
PID 2296 wrote to memory of 388	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	4
PID 2296 wrote to memory of 388	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	4
PID 2296 wrote to memory of 424	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	3
PID 2296 wrote to memory of 424	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	3
PID 2296 wrote to memory of 424	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	3
PID 2296 wrote to memory of 424	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	3
PID 2296 wrote to memory of 424	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	3
PID 2296 wrote to memory of 424	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	3
PID 2296 wrote to memory of 424	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	3
PID 2296 wrote to memory of 472	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	2
PID 2296 wrote to memory of 472	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	2
PID 2296 wrote to memory of 472	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	2
PID 2296 wrote to memory of 472	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	2
PID 2296 wrote to memory of 472	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	2
PID 2296 wrote to memory of 472	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	2
PID 2296 wrote to memory of 472	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	2
PID 2296 wrote to memory of 480	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	1
PID 2296 wrote to memory of 480	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	1
PID 2296 wrote to memory of 480	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	1
PID 2296 wrote to memory of 480	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	1
PID 2296 wrote to memory of 480	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	1
PID 2296 wrote to memory of 480	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	1
PID 2296 wrote to memory of 480	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	1
PID 2296 wrote to memory of 488	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	8
PID 2296 wrote to memory of 488	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	8
PID 2296 wrote to memory of 488	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	8
PID 2296 wrote to memory of 488	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	8
PID 2296 wrote to memory of 488	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	8
PID 2296 wrote to memory of 488	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	8
PID 2296 wrote to memory of 488	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	8
PID 2296 wrote to memory of 604	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	26
PID 2296 wrote to memory of 604	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	26
PID 2296 wrote to memory of 604	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	26
PID 2296 wrote to memory of 604	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	26
PID 2296 wrote to memory of 604	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	26
PID 2296 wrote to memory of 604	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	26
PID 2296 wrote to memory of 604	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	26
PID 2296 wrote to memory of 684	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	25
PID 2296 wrote to memory of 684	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	25
PID 2296 wrote to memory of 684	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	25
PID 2296 wrote to memory of 684	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	25
PID 2296 wrote to memory of 684	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	25
PID 2296 wrote to memory of 684	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	25
PID 2296 wrote to memory of 684	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	25
PID 2296 wrote to memory of 764	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	24
PID 2296 wrote to memory of 764	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	24
PID 2296 wrote to memory of 764	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	24
PID 2296 wrote to memory of 764	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	24
PID 2296 wrote to memory of 764	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	24
PID 2296 wrote to memory of 764	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	24
PID 2296 wrote to memory of 764	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	24
PID 2296 wrote to memory of 824	2296	NEAS.05b2fb19e7433c423fcfb77578cd7520.exe	9

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:480

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:472
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:824
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1196
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:1004
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1128
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:2108
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:2228
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1088
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:1028
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:332
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:864
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:764
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:684
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:604

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:424

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:388

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:372
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:488

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2444

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1224
- C:\Users\Admin\AppData\Local\Temp\NEAS.05b2fb19e7433c423fcfb77578cd7520.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.05b2fb19e7433c423fcfb77578cd7520.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2296

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2296-0-0x0000000001000000-0x0000000001010000-memory.dmp

Filesize
64KB

Download
memory/2296-2-0x0000000077890000-0x0000000077891000-memory.dmp

Filesize
4KB

Download
memory/2296-1-0x000000007788F000-0x0000000077890000-memory.dmp

Filesize
4KB

Download
memory/2296-3-0x0000000001000000-0x0000000001010000-memory.dmp

Filesize
64KB

Download