8f3f46137a2d37c1a9ae39a06777e536aeb7fa2705c6100958dcc9fa914e4f65

Analysis

max time kernel
45s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
05/11/2023, 22:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.4545290d3484e3025debd0ee61610fd0.exe
Size

621KB
MD5

4545290d3484e3025debd0ee61610fd0
SHA1

7ae2e35894ef3f69f17b87f63e99ee4b06814a12
SHA256

8f3f46137a2d37c1a9ae39a06777e536aeb7fa2705c6100958dcc9fa914e4f65
SHA512

e22ef73665fe14f86f894295d04d7f7b8c215e7d62b7d6af483758a281430889ec51b1716dc8c3220368ad1ebb9d7e0353bf5ac988606fe4726299a13a472989
SSDEEP

12288:A4eH5HlYFGhgftuyFRWzRSxxtJlOT4udasHYz4P90Sj:A4enYF2gwlzRuzLO8sHY810Sj

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe
1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 3228	1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe	89
PID 1148 wrote to memory of 3228	1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe	89
PID 1148 wrote to memory of 2060	1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe	90
PID 1148 wrote to memory of 2060	1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe	90
PID 1148 wrote to memory of 2080	1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe	91
PID 1148 wrote to memory of 2080	1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe	91
PID 1148 wrote to memory of 4708	1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe	92
PID 1148 wrote to memory of 4708	1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe	92
PID 4708 wrote to memory of 3600	4708	cmd.exe	94
PID 4708 wrote to memory of 3600	4708	cmd.exe	94
PID 4708 wrote to memory of 3092	4708	cmd.exe	96
PID 4708 wrote to memory of 3092	4708	cmd.exe	96
PID 4708 wrote to memory of 1844	4708	cmd.exe	95
PID 4708 wrote to memory of 1844	4708	cmd.exe	95
PID 1148 wrote to memory of 1468	1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe	97
PID 1148 wrote to memory of 1468	1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe	97
PID 1148 wrote to memory of 2764	1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe	98
PID 1148 wrote to memory of 2764	1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe	98
PID 1148 wrote to memory of 1964	1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe	99
PID 1148 wrote to memory of 1964	1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe	99
PID 1148 wrote to memory of 4808	1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe	100
PID 1148 wrote to memory of 4808	1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe	100
PID 1148 wrote to memory of 5020	1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe	101
PID 1148 wrote to memory of 5020	1148	NEAS.4545290d3484e3025debd0ee61610fd0.exe	101
PID 5020 wrote to memory of 3468	5020	cmd.exe	103
PID 5020 wrote to memory of 3468	5020	cmd.exe	103
PID 3468 wrote to memory of 3948	3468	msedge.exe	108
PID 3468 wrote to memory of 3948	3468	msedge.exe	108

C:\Users\Admin\AppData\Local\Temp\NEAS.4545290d3484e3025debd0ee61610fd0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.4545290d3484e3025debd0ee61610fd0.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 5
  2⤵
  PID:2060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\NEAS.4545290d3484e3025debd0ee61610fd0.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4708
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\NEAS.4545290d3484e3025debd0ee61610fd0.exe" MD5
    3⤵
    PID:3600
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:1844
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:3092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 9
  2⤵
  PID:2764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 9
  2⤵
  PID:1964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start https://discord.gg/subz
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5020
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/subz
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3468
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9142346f8,0x7ff914234708,0x7ff914234718
      4⤵
      PID:3948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
memory/1148-0-0x00000236BBA00000-0x00000236BBA1E000-memory.dmp

Filesize
120KB

Download
memory/1148-1-0x00000236BB9A0000-0x00000236BB9B0000-memory.dmp

Filesize
64KB

Download
memory/1148-3-0x00000236BBA00000-0x00000236BBA01000-memory.dmp

Filesize
4KB

Download
memory/1148-2-0x00000236BB9A0000-0x00000236BB9A1000-memory.dmp

Filesize
4KB

Download
memory/1148-4-0x00000236BBA00000-0x00000236BBA01000-memory.dmp

Filesize
4KB

Download
memory/1148-5-0x00000236BB9A0000-0x00000236BB9B0000-memory.dmp

Filesize
64KB

Download
memory/1148-6-0x00000236BBA00000-0x00000236BBA1E000-memory.dmp

Filesize
120KB

Download
memory/1148-7-0x00000236BB9A0000-0x00000236BB9AD000-memory.dmp

Filesize
52KB

Download
memory/1148-8-0x00000236BBA00000-0x00000236BBA01000-memory.dmp

Filesize
4KB

Download
memory/1148-10-0x00000236BB9A0000-0x00000236BB9AD000-memory.dmp

Filesize
52KB

Download
memory/1148-11-0x00000236BB9A0000-0x00000236BB9A1000-memory.dmp

Filesize
4KB

Download
memory/1148-9-0x00000236BB9A0000-0x00000236BB9B0000-memory.dmp

Filesize
64KB

Download
memory/1148-12-0x00000236BBA00000-0x00000236BBA01000-memory.dmp

Filesize
4KB

Download
memory/1148-13-0x00000236BBA00000-0x00000236BBA01000-memory.dmp

Filesize
4KB

Download
memory/1148-14-0x00000236BB9A0000-0x00000236BB9A1000-memory.dmp

Filesize
4KB

Download
memory/1148-15-0x00000236BB9A0000-0x00000236BB9A1000-memory.dmp

Filesize
4KB

Download
memory/1148-16-0x00000236BBA00000-0x00000236BBA01000-memory.dmp

Filesize
4KB

Download
memory/1148-17-0x00000236BBA00000-0x00000236BBA1E000-memory.dmp

Filesize
120KB

Download
memory/1148-18-0x00000236BB9A0000-0x00000236BB9B0000-memory.dmp

Filesize
64KB

Download
memory/1148-19-0x00000236BB9A0000-0x00000236BB9A1000-memory.dmp

Filesize
4KB

Download
memory/1148-20-0x00000236BB9A0000-0x00000236BB9A1000-memory.dmp

Filesize
4KB

Download
memory/1148-21-0x00000236BBA00000-0x00000236BBA01000-memory.dmp

Filesize
4KB

Download
memory/1148-23-0x00000236BB9A0000-0x00000236BB9A1000-memory.dmp

Filesize
4KB

Download
memory/1148-22-0x00000236BBA00000-0x00000236BBA01000-memory.dmp

Filesize
4KB

Download
memory/1148-24-0x00000236BBA00000-0x00000236BBA1E000-memory.dmp

Filesize
120KB

Download
memory/1148-25-0x00000236BB9A0000-0x00000236BB9AD000-memory.dmp

Filesize
52KB

Download
memory/1148-26-0x00000236BB9A0000-0x00000236BB9B0000-memory.dmp

Filesize
64KB

Download
memory/1148-27-0x00000236BB9A0000-0x00000236BB9AD000-memory.dmp

Filesize
52KB

Download
memory/1148-28-0x00000236BB9A0000-0x00000236BB9AD000-memory.dmp

Filesize
52KB

Download
memory/1148-29-0x00000236BB9A0000-0x00000236BB9A1000-memory.dmp

Filesize
4KB

Download
memory/1148-30-0x00000236BB9A0000-0x00000236BB9A1000-memory.dmp

Filesize
4KB

Download
memory/1148-31-0x00000236BBA00000-0x00000236BBA01000-memory.dmp

Filesize
4KB

Download
memory/1148-32-0x00000236BBA00000-0x00000236BBA9C000-memory.dmp

Filesize
624KB

Download
memory/1148-33-0x00000236BB9A0000-0x00000236BB9A1000-memory.dmp

Filesize
4KB

Download
memory/1148-34-0x00000236BB9A0000-0x00000236BB9A1000-memory.dmp

Filesize
4KB

Download
memory/1148-35-0x00000236BB9A0000-0x00000236BB9B0000-memory.dmp

Filesize
64KB

Download
memory/1148-36-0x00000236BBA00000-0x00000236BBA1E000-memory.dmp

Filesize
120KB

Download
memory/1148-37-0x00000236BBA20000-0x00000236BBA21000-memory.dmp

Filesize
4KB

Download
memory/1148-38-0x00000236BBA00000-0x00000236BBA01000-memory.dmp

Filesize
4KB

Download
memory/1148-39-0x00000236BB9A0000-0x00000236BB9A1000-memory.dmp

Filesize
4KB

Download
memory/1148-41-0x00000236BB9A0000-0x00000236BB9AD000-memory.dmp

Filesize
52KB

Download
memory/1148-40-0x00000236BB9A0000-0x00000236BB9B0000-memory.dmp

Filesize
64KB

Download
memory/1148-42-0x00000236BB9A0000-0x00000236BB9AD000-memory.dmp

Filesize
52KB

Download
memory/1148-43-0x00000236BB9A0000-0x00000236BB9A1000-memory.dmp

Filesize
4KB

Download
memory/1148-44-0x00000236BBA00000-0x00000236BBA01000-memory.dmp

Filesize
4KB

Download
memory/1148-45-0x00000236BB9A0000-0x00000236BB9AD000-memory.dmp

Filesize
52KB

Download
memory/1148-46-0x00000236BBA00000-0x00000236BBA01000-memory.dmp

Filesize
4KB

Download
memory/1148-47-0x00000236BBA00000-0x00000236BBA9C000-memory.dmp

Filesize
624KB

Download
memory/1148-48-0x00000236BB9A0000-0x00000236BB9A1000-memory.dmp

Filesize
4KB

Download
memory/1148-50-0x00000236BB9A0000-0x00000236BB9A1000-memory.dmp

Filesize
4KB

Download
memory/1148-49-0x00000236BBA00000-0x00000236BBA01000-memory.dmp

Filesize
4KB

Download
memory/1148-51-0x00000236BBA00000-0x00000236BBA1E000-memory.dmp

Filesize
120KB

Download
memory/1148-52-0x00000236BB9A0000-0x00000236BB9A1000-memory.dmp

Filesize
4KB

Download
memory/1148-53-0x00000236BB9A0000-0x00000236BB9AD000-memory.dmp

Filesize
52KB

Download
memory/1148-54-0x00000236BB9A0000-0x00000236BB9A1000-memory.dmp

Filesize
4KB

Download
memory/1148-55-0x00000236BB9A0000-0x00000236BB9A1000-memory.dmp

Filesize
4KB

Download
memory/1148-56-0x00000236BB9A0000-0x00000236BB9AD000-memory.dmp

Filesize
52KB

Download
memory/1148-57-0x00000236BB9A0000-0x00000236BB9A1000-memory.dmp

Filesize
4KB

Download
memory/1148-58-0x00000236BB9A0000-0x00000236BB9A1000-memory.dmp

Filesize
4KB

Download
memory/1148-59-0x00000236BB9A0000-0x00000236BB9AD000-memory.dmp

Filesize
52KB

Download
memory/1148-60-0x00000236BBA00000-0x00000236BBA01000-memory.dmp

Filesize
4KB

Download
memory/1148-61-0x00000236BBA00000-0x00000236BBA01000-memory.dmp

Filesize
4KB

Download
memory/1148-62-0x00000236BB9A0000-0x00000236BB9A1000-memory.dmp

Filesize
4KB

Download
memory/1148-63-0x00000236BBA00000-0x00000236BBA01000-memory.dmp

Filesize
4KB

Download