72e3b22c4ca692ba4d32d41e53c26e50902ba271c3a927b7d6066da15be17090

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
18/11/2023, 00:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.5f94cad3f12a82e2d556e4a718ec1710.exe
Size

1.2MB
MD5

5f94cad3f12a82e2d556e4a718ec1710
SHA1

a59c8a2b25c47440fdac3546c2a6915d8971a777
SHA256

72e3b22c4ca692ba4d32d41e53c26e50902ba271c3a927b7d6066da15be17090
SHA512

caf301ea69b4ed7cce34f01bc81307bc86016740ea3c20280f9e8125013e7380c6acfc7a7f4a16885d4de670187bde561643910a853164873c83c1494df59e0e
SSDEEP

12288:XQDvmF68BfAgm8ipJdhRjlDa/ZSEniF+G4l:XQ7mk8B/tipJH3a/ZSEniF+9

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2356	NEAS.5f94cad3f12a82e2d556e4a718ec1710.exe

Loads dropped DLL 4 IoCs

pid	Process
2596	NEAS.5f94cad3f12a82e2d556e4a718ec1710.exe
2664	WerFault.exe
2664	WerFault.exe
2664	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2664	2356	WerFault.exe	29

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2596	NEAS.5f94cad3f12a82e2d556e4a718ec1710.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2356	NEAS.5f94cad3f12a82e2d556e4a718ec1710.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 2356	2596	NEAS.5f94cad3f12a82e2d556e4a718ec1710.exe	29
PID 2596 wrote to memory of 2356	2596	NEAS.5f94cad3f12a82e2d556e4a718ec1710.exe	29
PID 2596 wrote to memory of 2356	2596	NEAS.5f94cad3f12a82e2d556e4a718ec1710.exe	29
PID 2596 wrote to memory of 2356	2596	NEAS.5f94cad3f12a82e2d556e4a718ec1710.exe	29
PID 2356 wrote to memory of 2664	2356	NEAS.5f94cad3f12a82e2d556e4a718ec1710.exe	30
PID 2356 wrote to memory of 2664	2356	NEAS.5f94cad3f12a82e2d556e4a718ec1710.exe	30
PID 2356 wrote to memory of 2664	2356	NEAS.5f94cad3f12a82e2d556e4a718ec1710.exe	30
PID 2356 wrote to memory of 2664	2356	NEAS.5f94cad3f12a82e2d556e4a718ec1710.exe	30

C:\Users\Admin\AppData\Local\Temp\NEAS.5f94cad3f12a82e2d556e4a718ec1710.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.5f94cad3f12a82e2d556e4a718ec1710.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Users\Admin\AppData\Local\Temp\NEAS.5f94cad3f12a82e2d556e4a718ec1710.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.5f94cad3f12a82e2d556e4a718ec1710.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 144
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2664

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.5f94cad3f12a82e2d556e4a718ec1710.exe

Filesize
1.2MB

MD5
e090025207cfdeb25f040887a6a74137

SHA1
448b831a2622e41370eee2bbfba6504fe4efb59b

SHA256
ca7cb14d3398f8e915c1f74de381be975b0bb8e9c45ffd85fabf68bcaf79ce54

SHA512
c3785e0470c62aea7965751fcba3a03f02b00861bef62934c673e8f2349e29c33985c5f6affda1b8497a4d074d227de5f95ace24dfffa7b59ca1e2bde9deaa8b

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.5f94cad3f12a82e2d556e4a718ec1710.exe

Filesize
1.2MB

MD5
e090025207cfdeb25f040887a6a74137

SHA1
448b831a2622e41370eee2bbfba6504fe4efb59b

SHA256
ca7cb14d3398f8e915c1f74de381be975b0bb8e9c45ffd85fabf68bcaf79ce54

SHA512
c3785e0470c62aea7965751fcba3a03f02b00861bef62934c673e8f2349e29c33985c5f6affda1b8497a4d074d227de5f95ace24dfffa7b59ca1e2bde9deaa8b

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.5f94cad3f12a82e2d556e4a718ec1710.exe

Filesize
1.2MB

MD5
e090025207cfdeb25f040887a6a74137

SHA1
448b831a2622e41370eee2bbfba6504fe4efb59b

SHA256
ca7cb14d3398f8e915c1f74de381be975b0bb8e9c45ffd85fabf68bcaf79ce54

SHA512
c3785e0470c62aea7965751fcba3a03f02b00861bef62934c673e8f2349e29c33985c5f6affda1b8497a4d074d227de5f95ace24dfffa7b59ca1e2bde9deaa8b

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.5f94cad3f12a82e2d556e4a718ec1710.exe

Filesize
1.2MB

MD5
e090025207cfdeb25f040887a6a74137

SHA1
448b831a2622e41370eee2bbfba6504fe4efb59b

SHA256
ca7cb14d3398f8e915c1f74de381be975b0bb8e9c45ffd85fabf68bcaf79ce54

SHA512
c3785e0470c62aea7965751fcba3a03f02b00861bef62934c673e8f2349e29c33985c5f6affda1b8497a4d074d227de5f95ace24dfffa7b59ca1e2bde9deaa8b

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.5f94cad3f12a82e2d556e4a718ec1710.exe

Filesize
1.2MB

MD5
e090025207cfdeb25f040887a6a74137

SHA1
448b831a2622e41370eee2bbfba6504fe4efb59b

SHA256
ca7cb14d3398f8e915c1f74de381be975b0bb8e9c45ffd85fabf68bcaf79ce54

SHA512
c3785e0470c62aea7965751fcba3a03f02b00861bef62934c673e8f2349e29c33985c5f6affda1b8497a4d074d227de5f95ace24dfffa7b59ca1e2bde9deaa8b

Download Submit
memory/2356-10-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2356-11-0x0000000002E70000-0x0000000002F58000-memory.dmp

Filesize
928KB

Download
memory/2596-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2596-7-0x0000000002E40000-0x0000000002F28000-memory.dmp

Filesize
928KB

Download
memory/2596-8-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download