16a8ec8cf5d5fd419d7c546687676e8b77ccfc0b62e8fca7d1333a7c84ca85ad

General

Target

NEAS.bf46b844675586ebfc094e98afaabbc0.exe
Size

960KB
MD5

bf46b844675586ebfc094e98afaabbc0
SHA1

33f3aa5827ba4d9d0ce1c0a73c0a100427ba841b
SHA256

16a8ec8cf5d5fd419d7c546687676e8b77ccfc0b62e8fca7d1333a7c84ca85ad
SHA512

c7873603c396ef301b2b48a24cb6942098100b7e44f48c5514af8620d5c708ab76f34f1d282d399306b1faa13801533aa6388b25d2b31f7d44fe3fbb70e877d5
SSDEEP

24576:ji3xuNOmbMdgU6K7lnIPkDJIAwa/ZSTeF+77LX:AxuNOmb+vIAwgqeF+bX

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2180	NEAS.bf46b844675586ebfc094e98afaabbc0.exe

Executes dropped EXE 1 IoCs

pid	Process
2180	NEAS.bf46b844675586ebfc094e98afaabbc0.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 13 IoCs

pid	pid_target	Process	procid_target
1692	4316	WerFault.exe	84
4056	2180	WerFault.exe	94
1464	2180	WerFault.exe	94
4368	2180	WerFault.exe	94
4004	2180	WerFault.exe	94
4568	2180	WerFault.exe	94
4840	2180	WerFault.exe	94
4336	2180	WerFault.exe	94
1252	2180	WerFault.exe	94
220	2180	WerFault.exe	94
3380	2180	WerFault.exe	94
1960	2180	WerFault.exe	94
4976	2180	WerFault.exe	94

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2180	NEAS.bf46b844675586ebfc094e98afaabbc0.exe
2180	NEAS.bf46b844675586ebfc094e98afaabbc0.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4316	NEAS.bf46b844675586ebfc094e98afaabbc0.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2180	NEAS.bf46b844675586ebfc094e98afaabbc0.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4316 wrote to memory of 2180	4316	NEAS.bf46b844675586ebfc094e98afaabbc0.exe	94
PID 4316 wrote to memory of 2180	4316	NEAS.bf46b844675586ebfc094e98afaabbc0.exe	94
PID 4316 wrote to memory of 2180	4316	NEAS.bf46b844675586ebfc094e98afaabbc0.exe	94

C:\Users\Admin\AppData\Local\Temp\NEAS.bf46b844675586ebfc094e98afaabbc0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.bf46b844675586ebfc094e98afaabbc0.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4316
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4316 -s 344
  2⤵
  - Program crash
  PID:1692
- C:\Users\Admin\AppData\Local\Temp\NEAS.bf46b844675586ebfc094e98afaabbc0.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.bf46b844675586ebfc094e98afaabbc0.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:2180
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 352
    3⤵
    - Program crash
    PID:4056
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 628
    3⤵
    - Program crash
    PID:1464
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 680
    3⤵
    - Program crash
    PID:4368
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 636
    3⤵
    - Program crash
    PID:4004
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 720
    3⤵
    - Program crash
    PID:4568
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 900
    3⤵
    - Program crash
    PID:4840
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 1416
    3⤵
    - Program crash
    PID:4336
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 1476
    3⤵
    - Program crash
    PID:1252
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 1492
    3⤵
    - Program crash
    PID:220
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 1480
    3⤵
    - Program crash
    PID:3380
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 1564
    3⤵
    - Program crash
    PID:1960
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 1124
    3⤵
    - Program crash
    PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4316 -ip 4316
1⤵
PID:1632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2180 -ip 2180
1⤵
PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2180 -ip 2180
1⤵
PID:3240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2180 -ip 2180
1⤵
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2180 -ip 2180
1⤵
PID:1972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2180 -ip 2180
1⤵
PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2180 -ip 2180
1⤵
PID:876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2180 -ip 2180
1⤵
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2180 -ip 2180
1⤵
PID:1504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2180 -ip 2180
1⤵
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2180 -ip 2180
1⤵
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2180 -ip 2180
1⤵
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2180 -ip 2180
1⤵
PID:1348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.bf46b844675586ebfc094e98afaabbc0.exe

Filesize
960KB

MD5
c12364341db4480ef97a1b1b7e977ffc

SHA1
a5049ec18db33078d0cc7a4b51f6b4102131087c

SHA256
922482106d4d998587ddf8cb9153e0684c4bc31b8aa43f8769fdfa329e38ba6e

SHA512
caf443e1b974b6b5491bd575989aa6b63df7cbc8fd98b64edccae6af0af6a4f2601e058e78eebcbeab0b6a3e5d7efc6df36f861354e435a5cc770a12d2744cef

Download Submit
memory/2180-7-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2180-9-0x0000000005000000-0x00000000050F0000-memory.dmp

Filesize
960KB

Download
memory/2180-8-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2180-20-0x000000000B9C0000-0x000000000BA63000-memory.dmp

Filesize
652KB

Download
memory/2180-18-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4316-0-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/4316-6-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download

Analysis

Sharing