7a769a77cc081580100b0c865a20dd8ecffb7667275b180115a7bcee0943c70e

General

Target

NEAS.3a55e3735433706e8f3aab4ef8d86ad0.exe
Size

944KB
MD5

3a55e3735433706e8f3aab4ef8d86ad0
SHA1

f812a8cb4d40cf2358e71bce8fc7bb23298c6276
SHA256

7a769a77cc081580100b0c865a20dd8ecffb7667275b180115a7bcee0943c70e
SHA512

ed7079c9b4a2af53691482db292ac81d571038a4c12b299257a062ab26b830d8c1a0fc07968fa56b1d6cfcfc7a023412f36a59278c5fe8a004c2a4f949aa4d90
SSDEEP

6144:kXoNoStDSV7W0D1gLBxWRBTWyrQYVh3U+L777s7U7fhAJOeyje+WofQrmL4hUOzh:pNNk7dWBGtrlLEr7pUdejVDa/ZSZD

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3056	NEAS.3a55e3735433706e8f3aab4ef8d86ad0.exe

Executes dropped EXE 1 IoCs

pid	Process
3056	NEAS.3a55e3735433706e8f3aab4ef8d86ad0.exe

Loads dropped DLL 4 IoCs

pid	Process
3016	NEAS.3a55e3735433706e8f3aab4ef8d86ad0.exe
2688	WerFault.exe
2688	WerFault.exe
2688	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process
2688	3056	WerFault.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3016	NEAS.3a55e3735433706e8f3aab4ef8d86ad0.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3056	NEAS.3a55e3735433706e8f3aab4ef8d86ad0.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 3056	3016	NEAS.3a55e3735433706e8f3aab4ef8d86ad0.exe	30
PID 3016 wrote to memory of 3056	3016	NEAS.3a55e3735433706e8f3aab4ef8d86ad0.exe	30
PID 3016 wrote to memory of 3056	3016	NEAS.3a55e3735433706e8f3aab4ef8d86ad0.exe	30
PID 3016 wrote to memory of 3056	3016	NEAS.3a55e3735433706e8f3aab4ef8d86ad0.exe	30
PID 3056 wrote to memory of 2688	3056	NEAS.3a55e3735433706e8f3aab4ef8d86ad0.exe	29
PID 3056 wrote to memory of 2688	3056	NEAS.3a55e3735433706e8f3aab4ef8d86ad0.exe	29
PID 3056 wrote to memory of 2688	3056	NEAS.3a55e3735433706e8f3aab4ef8d86ad0.exe	29
PID 3056 wrote to memory of 2688	3056	NEAS.3a55e3735433706e8f3aab4ef8d86ad0.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.3a55e3735433706e8f3aab4ef8d86ad0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.3a55e3735433706e8f3aab4ef8d86ad0.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\NEAS.3a55e3735433706e8f3aab4ef8d86ad0.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.3a55e3735433706e8f3aab4ef8d86ad0.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:3056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 144
1⤵
- Loads dropped DLL
- Program crash
PID:2688

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.3a55e3735433706e8f3aab4ef8d86ad0.exe

Filesize
944KB

MD5
4471a0787268b30c894c72f0ba2aa071

SHA1
1cea0a9f5b13432ff67ec07a94f278d6d2e63575

SHA256
ca7e89fce58b5c50aedfd62ae4d6518921455cc39dd24369cb6fc0d58c233a1e

SHA512
d04af54f771327a28dfae536edc418306531fc85d678f1411403f7947a9a96e4e6c6702fc22a058a75def013ecff978508355cb4f9057343718db8165be56b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.3a55e3735433706e8f3aab4ef8d86ad0.exe

Filesize
944KB

MD5
4471a0787268b30c894c72f0ba2aa071

SHA1
1cea0a9f5b13432ff67ec07a94f278d6d2e63575

SHA256
ca7e89fce58b5c50aedfd62ae4d6518921455cc39dd24369cb6fc0d58c233a1e

SHA512
d04af54f771327a28dfae536edc418306531fc85d678f1411403f7947a9a96e4e6c6702fc22a058a75def013ecff978508355cb4f9057343718db8165be56b9e

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.3a55e3735433706e8f3aab4ef8d86ad0.exe

Filesize
944KB

MD5
4471a0787268b30c894c72f0ba2aa071

SHA1
1cea0a9f5b13432ff67ec07a94f278d6d2e63575

SHA256
ca7e89fce58b5c50aedfd62ae4d6518921455cc39dd24369cb6fc0d58c233a1e

SHA512
d04af54f771327a28dfae536edc418306531fc85d678f1411403f7947a9a96e4e6c6702fc22a058a75def013ecff978508355cb4f9057343718db8165be56b9e

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.3a55e3735433706e8f3aab4ef8d86ad0.exe

Filesize
944KB

MD5
4471a0787268b30c894c72f0ba2aa071

SHA1
1cea0a9f5b13432ff67ec07a94f278d6d2e63575

SHA256
ca7e89fce58b5c50aedfd62ae4d6518921455cc39dd24369cb6fc0d58c233a1e

SHA512
d04af54f771327a28dfae536edc418306531fc85d678f1411403f7947a9a96e4e6c6702fc22a058a75def013ecff978508355cb4f9057343718db8165be56b9e

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.3a55e3735433706e8f3aab4ef8d86ad0.exe

Filesize
944KB

MD5
4471a0787268b30c894c72f0ba2aa071

SHA1
1cea0a9f5b13432ff67ec07a94f278d6d2e63575

SHA256
ca7e89fce58b5c50aedfd62ae4d6518921455cc39dd24369cb6fc0d58c233a1e

SHA512
d04af54f771327a28dfae536edc418306531fc85d678f1411403f7947a9a96e4e6c6702fc22a058a75def013ecff978508355cb4f9057343718db8165be56b9e

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.3a55e3735433706e8f3aab4ef8d86ad0.exe

Filesize
944KB

MD5
4471a0787268b30c894c72f0ba2aa071

SHA1
1cea0a9f5b13432ff67ec07a94f278d6d2e63575

SHA256
ca7e89fce58b5c50aedfd62ae4d6518921455cc39dd24369cb6fc0d58c233a1e

SHA512
d04af54f771327a28dfae536edc418306531fc85d678f1411403f7947a9a96e4e6c6702fc22a058a75def013ecff978508355cb4f9057343718db8165be56b9e

Download Submit
memory/3016-0-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/3016-8-0x0000000002FA0000-0x000000000308C000-memory.dmp

Filesize
944KB

Download
memory/3016-7-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/3056-11-0x0000000002CF0000-0x0000000002DDC000-memory.dmp

Filesize
944KB

Download
memory/3056-10-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download

Analysis

Sharing