a92c7af15b989b1077029d40dd299c8ab0c0547490c6d3143bcf7d02c3c269fc

General

Target

NEAS.440d663d8a714e0c39bd251b1aaede90.exe
Size

2.4MB
MD5

440d663d8a714e0c39bd251b1aaede90
SHA1

c4276c8c3a348f4030092018dbe49056c2d6b670
SHA256

a92c7af15b989b1077029d40dd299c8ab0c0547490c6d3143bcf7d02c3c269fc
SHA512

e5faefcf67a185f248a234ac543c175b2cb5dbdb74fa7f0d4be94bb674e6c108a23afa7eae752d6aa0b2122a9fab5c21b4f4af26af5e4b10b2b37823a7643075
SSDEEP

49152:rIROZIEG190vgWgigZ6W5LXP63KNUR9IETjALJr87gigHR8z:k8ZREWYJXy3Z

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1684	NEAS.440d663d8a714e0c39bd251b1aaede90.exe

Executes dropped EXE 1 IoCs

pid	Process
1684	NEAS.440d663d8a714e0c39bd251b1aaede90.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 14 IoCs

pid	pid_target	Process	procid_target
1372	1300	WerFault.exe	85
776	1684	WerFault.exe	95
5080	1684	WerFault.exe	95
680	1684	WerFault.exe	95
760	1684	WerFault.exe	95
4908	1684	WerFault.exe	95
264	1684	WerFault.exe	95
4200	1684	WerFault.exe	95
3328	1684	WerFault.exe	95
3964	1684	WerFault.exe	95
3952	1684	WerFault.exe	95
3428	1684	WerFault.exe	95
680	1684	WerFault.exe	95
2688	1684	WerFault.exe	95

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1684	NEAS.440d663d8a714e0c39bd251b1aaede90.exe
1684	NEAS.440d663d8a714e0c39bd251b1aaede90.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1300	NEAS.440d663d8a714e0c39bd251b1aaede90.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1684	NEAS.440d663d8a714e0c39bd251b1aaede90.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 1684	1300	NEAS.440d663d8a714e0c39bd251b1aaede90.exe	95
PID 1300 wrote to memory of 1684	1300	NEAS.440d663d8a714e0c39bd251b1aaede90.exe	95
PID 1300 wrote to memory of 1684	1300	NEAS.440d663d8a714e0c39bd251b1aaede90.exe	95

C:\Users\Admin\AppData\Local\Temp\NEAS.440d663d8a714e0c39bd251b1aaede90.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.440d663d8a714e0c39bd251b1aaede90.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 344
  2⤵
  - Program crash
  PID:1372
- C:\Users\Admin\AppData\Local\Temp\NEAS.440d663d8a714e0c39bd251b1aaede90.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.440d663d8a714e0c39bd251b1aaede90.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:1684
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 344
    3⤵
    - Program crash
    PID:776
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 372
    3⤵
    - Program crash
    PID:5080
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 648
    3⤵
    - Program crash
    PID:680
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 668
    3⤵
    - Program crash
    PID:760
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 720
    3⤵
    - Program crash
    PID:4908
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 904
    3⤵
    - Program crash
    PID:264
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 1420
    3⤵
    - Program crash
    PID:4200
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 1432
    3⤵
    - Program crash
    PID:3328
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 1688
    3⤵
    - Program crash
    PID:3964
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 1480
    3⤵
    - Program crash
    PID:3952
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 1532
    3⤵
    - Program crash
    PID:3428
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 1548
    3⤵
    - Program crash
    PID:680
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 632
    3⤵
    - Program crash
    PID:2688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1300 -ip 1300
1⤵
PID:2396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1684 -ip 1684
1⤵
PID:3816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1684 -ip 1684
1⤵
PID:4100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1684 -ip 1684
1⤵
PID:3032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1684 -ip 1684
1⤵
PID:1076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1684 -ip 1684
1⤵
PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1684 -ip 1684
1⤵
PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1684 -ip 1684
1⤵
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1684 -ip 1684
1⤵
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1684 -ip 1684
1⤵
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1684 -ip 1684
1⤵
PID:2812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1684 -ip 1684
1⤵
PID:2620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1684 -ip 1684
1⤵
PID:3080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1684 -ip 1684
1⤵
PID:4216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.440d663d8a714e0c39bd251b1aaede90.exe

Filesize
2.4MB

MD5
fa82403eebbc7e3af96b571a91edf66e

SHA1
730eb13025152cd617c45ff96467d0513549487e

SHA256
09ea06c5feb6f8a00f411ec6c898cea45c787c9a0b67be4af7543e85e9dfb9cc

SHA512
bf8e0d9ae3647fda925929854c8f2a2693f046a5ef3b71c15be814fd8aa11f4bdeb2c0dd432f73d54a271959ee2690ab72dbb32fb9979a8dd860f9e43cd5c3bb

Download Submit
memory/1300-0-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1300-1-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1300-7-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1684-8-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1684-9-0x0000000005130000-0x000000000523D000-memory.dmp

Filesize
1.1MB

Download
memory/1684-10-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1684-20-0x000000000B9D0000-0x000000000BA73000-memory.dmp

Filesize
652KB

Download
memory/1684-19-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing