Analysis
max time kernel: 143s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20231130-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-12-2023 10:15
Static task: static1
Behavioral task: behavioral1
  Sample: NEAS.0523f7cfc131c52445b00d8c354b91658bc0b5f970d5c5ffc01b8480a84b9364.exe
  Resource: win7-20231201-en
Behavioral task: behavioral2
  Sample: NEAS.0523f7cfc131c52445b00d8c354b91658bc0b5f970d5c5ffc01b8480a84b9364.exe
  Resource: win10v2004-20231130-en
General
Target: NEAS.0523f7cfc131c52445b00d8c354b91658bc0b5f970d5c5ffc01b8480a84b9364.exe
Size: 330KB
MD5: 9defa32ab3c74af8e29aea03a454934e
SHA1: 04dac45bb456d502638ac199f8a4bb9285167658
SHA256: 0523f7cfc131c52445b00d8c354b91658bc0b5f970d5c5ffc01b8480a84b9364
SHA512: b43c24dcf817b310c94743efd49e803d3c48a24192bed6ab99cfa813af5df20e69ac67f052ba613a185519ef5f0b1e9aaeacf7d77a40d0a32e4aa03747ca282f
SSDEEP: 6144:wBlL/Di/CcLN+BiYHbAabwWZKhl/fnT6vWKupX4ZWK2j1Mu9nBE:CZiFN4rbRbtYZnTsW7U22mE
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
  Processes (pid, process):
    3200  dkudxis.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoCs)
  Processes (pid, pid_target, process, target process):
    868  3200  WerFault.exe  dkudxis.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
    PID 5032 wrote to memory of 3200  5032  NEAS.0523f7cfc131c52445b00d8c354b91658bc0b5f970d5c5ffc01b8480a84b9364.exe  dkudxis.exe
    PID 5032 wrote to memory of 3200  5032  NEAS.0523f7cfc131c52445b00d8c354b91658bc0b5f970d5c5ffc01b8480a84b9364.exe  dkudxis.exe
    PID 5032 wrote to memory of 3200  5032  NEAS.0523f7cfc131c52445b00d8c354b91658bc0b5f970d5c5ffc01b8480a84b9364.exe  dkudxis.exe
    PID 3200 wrote to memory of 1056  3200  dkudxis.exe  dkudxis.exe
    PID 3200 wrote to memory of 1056  3200  dkudxis.exe  dkudxis.exe
    PID 3200 wrote to memory of 1056  3200  dkudxis.exe  dkudxis.exe
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.0523f7cfc131c52445b00d8c354b91658bc0b5f970d5c5ffc01b8480a84b9364.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.0523f7cfc131c52445b00d8c354b91658bc0b5f970d5c5ffc01b8480a84b9364.exe"
  PID: 5032
  Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\dkudxis.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\dkudxis.exe"
      PID: 3200
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\dkudxis.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\dkudxis.exe"
          PID: 1056
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 572
          PID: 868
          Program crash
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3200 -ip 3200
  PID: 2492
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 165KB
MD5: 265d03e2362687fa11bd38903296c90a
SHA1: 95ec7500a11ff8bf5809bbdd2e86ebafc2ce9765
SHA256: 437cd124c76c0f79962fea99694cbd9bed574a2428c6e174ef7391ed52fe277c
SHA512: cf21e66e5f21ad43ad4e2ad5e7cdde8ca7530309afea2d7a5df047ae0bf8d9bf5c4dc8b6de7a9f2d24b9524a5ae2ff16c3af0cb3493942646016a67bc8c91c59
Filesize: 262KB
MD5: 2df4d71b568e778685d268ca305207bb
SHA1: 703aff435d69a6a57801cdb394b5563bb9053eee
SHA256: 6d9fa06d84ba86dc703b7f5704112cef0aa877c47b8bf8f51282d5f017f881bc
SHA512: e37a8fd2802334cc45fcb988e9c3a22ebd6cfe15d292f5bff12275abcc1d15648556bf3850a56c8705a8b3c77dddd9a4c6e4688fa71569fdf073d381713564bd