Overview

overview

7

Static

static

3

NEAS.64b23...50.exe

windows7-x64

7

NEAS.64b23...50.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    139s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/11/2023, 12:22

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.64b235ed174a942235dc65cc589fda50.exe

  • Size

    2.3MB

  • MD5

    64b235ed174a942235dc65cc589fda50

  • SHA1

    2f98400bb7b42c2fedbb4ce0f0c50b49a4978ea6

  • SHA256

    5c3db086d2f6e7778094c161953ad39db88f5f042778600477ad16a00be607d3

  • SHA512

    2fc786746f926a827f7276ed3829a809845d50220a0e9797a57e4806aa3f351ec30ad093b8d9ce7e4aae8b7f4cf3a7af33cf33f967803b124153701dd5c12631

  • SSDEEP

    49152:+sWQoKSgqeF+bq4TTow+lsghbyV8qXdTy:+sWMYeshTWROV8qtm

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Program crash 13 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.64b235ed174a942235dc65cc589fda50.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.64b235ed174a942235dc65cc589fda50.exe"
    1⤵
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:4248
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 344
      2⤵
      • Program crash
      PID:1624
    • C:\Users\Admin\AppData\Local\Temp\NEAS.64b235ed174a942235dc65cc589fda50.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.64b235ed174a942235dc65cc589fda50.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of UnmapMainImage
      PID:876
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 344
        3⤵
        • Program crash
        PID:1516
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 636
        3⤵
        • Program crash
        PID:3132
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 668
        3⤵
        • Program crash
        PID:3604
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 636
        3⤵
        • Program crash
        PID:3060
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 728
        3⤵
        • Program crash
        PID:3300
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 896
        3⤵
        • Program crash
        PID:1032
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 1324
        3⤵
        • Program crash
        PID:4872
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 1448
        3⤵
        • Program crash
        PID:5020
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 1416
        3⤵
        • Program crash
        PID:1040
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 1504
        3⤵
        • Program crash
        PID:4356
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 1484
        3⤵
        • Program crash
        PID:1284
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 640
        3⤵
        • Program crash
        PID:2576
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4248 -ip 4248
    1⤵
      PID:712
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 876 -ip 876
      1⤵
        PID:4228
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 876 -ip 876
        1⤵
          PID:4060
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 876 -ip 876
          1⤵
            PID:3860
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 876 -ip 876
            1⤵
              PID:3296
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 876 -ip 876
              1⤵
                PID:4396
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 876 -ip 876
                1⤵
                  PID:4860
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 876 -ip 876
                  1⤵
                    PID:756
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 876 -ip 876
                    1⤵
                      PID:4500
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 876 -ip 876
                      1⤵
                        PID:992
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 876 -ip 876
                        1⤵
                          PID:4080
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 876 -ip 876
                          1⤵
                            PID:3604
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 876 -ip 876
                            1⤵
                              PID:4632

                            Network

                                  MITRE ATT&CK Enterprise v15

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\Users\Admin\AppData\Local\Temp\NEAS.64b235ed174a942235dc65cc589fda50.exe
                                    Filesize

                                    2.3MB

                                    MD5

                                    7771af2e29907262434123429f406e77

                                    SHA1

                                    45d5a3ec65f6231ca8ce57eacb84a44f815a6c4e

                                    SHA256

                                    9aa09fdb0c17e5feadc98f7dfd581ff852c27822e77814ddfdda72b39ca20057

                                    SHA512

                                    e342528f9a5ff3870db4da47aa7865e0c53424768d6504b649a65a6758e8bef1b85987d7c8f7967269399052ca5044e835a71fe5ee9b8f06fa80b19f4a9d9c86

                                    Download Submit

                                  • memory/876-7-0x0000000000400000-0x00000000004F0000-memory.dmp

                                    Filesize

                                    960KB

                                    Download

                                  • memory/876-8-0x0000000004F50000-0x0000000005040000-memory.dmp

                                    Filesize

                                    960KB

                                    Download

                                  • memory/876-9-0x0000000000400000-0x00000000004A3000-memory.dmp

                                    Filesize

                                    652KB

                                    Download

                                  • memory/876-20-0x000000000C9F0000-0x000000000CA93000-memory.dmp

                                    Filesize

                                    652KB

                                    Download

                                  • memory/876-18-0x0000000000400000-0x0000000000443000-memory.dmp

                                    Filesize

                                    268KB

                                    Download

                                  • memory/4248-0-0x0000000000400000-0x00000000004F0000-memory.dmp

                                    Filesize

                                    960KB

                                    Download

                                  • memory/4248-6-0x0000000000400000-0x00000000004F0000-memory.dmp

                                    Filesize

                                    960KB

                                    Download