Analysis

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/05/2024, 00:36
Static task: static1

Behavioral task: behavioral1
  Sample: 3dbaf52c14476fdf2c0fd418f63e6c60_NEAS.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 3dbaf52c14476fdf2c0fd418f63e6c60_NEAS.exe
  Resource: win10v2004-20240426-en
General

Target: 3dbaf52c14476fdf2c0fd418f63e6c60_NEAS.exe
Size: 4.8MB
MD5: 3dbaf52c14476fdf2c0fd418f63e6c60
SHA1: 82a840c135ddf85ef1d6d1adee79911560eaf5ee
SHA256: 39fee5e4d8bb4a327dbbaae28a2fc4079c26de5d6625e13aa938c3298ed2b871
SHA512: 35cd4a930e646a5e09b126edd56074aae45cd0e2d249f7d48910edd1eda7c21e0efb74400fa49c4228a0782a94a60ef43a570c9d18443eb1f6a84323a7690e04
SSDEEP: 98304:NuXjXvYl/KeshTWROV8qtx9aYhTWRyKP09fZ1:NfYeskROV8QaYkRyKP6
Malware Config
Signatures
Deletes itself (1 IoC)
  pid   Process
  2968  3dbaf52c14476fdf2c0fd418f63e6c60_NEAS.exe

Executes dropped EXE (1 IoC)
  pid   Process
  2968  3dbaf52c14476fdf2c0fd418f63e6c60_NEAS.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow  ioc
  21    pastebin.com
  22    pastebin.com

Program crash (15 IoCs)
  pid   pid_target  Process       procid_target
  3148  1920        WerFault.exe  82
  732   2968        WerFault.exe  89
  1732  2968        WerFault.exe  89
  4260  2968        WerFault.exe  89
  3184  2968        WerFault.exe  89
  2092  2968        WerFault.exe  89
  4628  2968        WerFault.exe  89
  1080  2968        WerFault.exe  89
  2832  2968        WerFault.exe  89
  1056  2968        WerFault.exe  89
  224   2968        WerFault.exe  89
  944   2968        WerFault.exe  89
  976   2968        WerFault.exe  89
  4276  2968        WerFault.exe  89
  1084  2968        WerFault.exe  89

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2968  3dbaf52c14476fdf2c0fd418f63e6c60_NEAS.exe
  2968  3dbaf52c14476fdf2c0fd418f63e6c60_NEAS.exe

Suspicious behavior: RenamesItself (1 IoC)
  pid   Process
  1920  3dbaf52c14476fdf2c0fd418f63e6c60_NEAS.exe

Suspicious use of UnmapMainImage (1 IoC)
  pid   Process
  2968  3dbaf52c14476fdf2c0fd418f63e6c60_NEAS.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process                                    procid_target
  PID 1920 wrote to memory of 2968  1920  3dbaf52c14476fdf2c0fd418f63e6c60_NEAS.exe  89
  PID 1920 wrote to memory of 2968  1920  3dbaf52c14476fdf2c0fd418f63e6c60_NEAS.exe  89
  PID 1920 wrote to memory of 2968  1920  3dbaf52c14476fdf2c0fd418f63e6c60_NEAS.exe  89
Processes

Each entry is PID followed by the process command line; indentation shows parent and child.

PID 1920  "C:\Users\Admin\AppData\Local\Temp\3dbaf52c14476fdf2c0fd418f63e6c60_NEAS.exe"
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID 3148  C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 340
    - Program crash
  PID 2968  C:\Users\Admin\AppData\Local\Temp\3dbaf52c14476fdf2c0fd418f63e6c60_NEAS.exe
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    PID 732   C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 344
      - Program crash
    PID 1732  C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 628
      - Program crash
    PID 4260  C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 636
      - Program crash
    PID 3184  C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 636
      - Program crash
    PID 2092  C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 720
      - Program crash
    PID 4628  C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 892
      - Program crash
    PID 1080  C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 1404
      - Program crash
    PID 2832  C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 1416
      - Program crash
    PID 1056  C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 1464
      - Program crash
    PID 224   C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 1456
      - Program crash
    PID 944   C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 1528
      - Program crash
    PID 976   C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 1676
      - Program crash
    PID 4276  C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 1480
      - Program crash
    PID 1084  C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 652
      - Program crash
PID 3116  C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1920 -ip 1920
PID 5008  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2968 -ip 2968
PID 3732  C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2968 -ip 2968
PID 1544  C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2968 -ip 2968
PID 4924  C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2968 -ip 2968
PID 3376  C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2968 -ip 2968
PID 1464  C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2968 -ip 2968
PID 2624  C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2968 -ip 2968
PID 672   C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2968 -ip 2968
PID 2548  C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2968 -ip 2968
PID 536   C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2968 -ip 2968
PID 2848  C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2968 -ip 2968
PID 4356  C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2968 -ip 2968
PID 4416  C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2968 -ip 2968
PID 5096  C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2968 -ip 2968
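The process tree shows the sample (PID 1920) launching a second copy of its own image (PID 2968), writing into that child's memory three times, and the child then being reported by WerFault.exe fourteen times inside the 150 s run. The Python below is an added example, not part of this report or of the sandbox's own code, that applies two correlations to an event list constructed from the PIDs, image paths and command lines listed above: a parent writing into a child that runs the same image path, and a single PID that WerFault reports repeatedly. The Event field names, the treatment of the -pss WerFault instances as snapshot helpers that should not be counted a second time, and the crash-count threshold are this example's own assumptions.

```python
"""Added example: correlate process-creation and memory-write events shaped like
the report's process tree.  EVENTS below are CONSTRUCTED from the PIDs, image
paths and WerFault command lines shown above; they are not captured telemetry,
and the Event schema is this example's own naming, not a sandbox format."""
from collections import Counter
from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class Event:
    kind: str            # "proc_create" or "mem_write"
    pid: int             # created process (proc_create) or writing process (mem_write)
    ppid: int            # parent of a created process, 0 if not recorded
    image: str           # image path of that process
    cmdline: str = ""    # command line of a created process
    target_pid: int = 0  # process written to by a mem_write


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\3dbaf52c14476fdf2c0fd418f63e6c60_NEAS.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"

# (PID, -s value) of the fourteen -u crash reporters spawned under PID 2968, as listed above.
_CRASHES_2968 = [(732, 344), (1732, 628), (4260, 636), (3184, 636), (2092, 720),
                 (4628, 892), (1080, 1404), (2832, 1416), (1056, 1464), (224, 1456),
                 (944, 1528), (976, 1676), (4276, 1480), (1084, 652)]

EVENTS = [
    Event("proc_create", 1920, 0, SAMPLE, f'"{SAMPLE}"'),
    Event("proc_create", 2968, 1920, SAMPLE, SAMPLE),
    # the three WriteProcessMemory calls from the parent into its relaunched copy
    *[Event("mem_write", 1920, 0, SAMPLE, target_pid=2968) for _ in range(3)],
    Event("proc_create", 3148, 1920, WERFAULT, f"{WERFAULT} -u -p 1920 -s 340"),
    *[Event("proc_create", pid, 2968, WERFAULT, f"{WERFAULT} -u -p 2968 -s {s}")
      for pid, s in _CRASHES_2968],
    # one of the -pss instances; it refers to the crash already reported by PID 3148
    Event("proc_create", 3116, 0, WERFAULT, f"{WERFAULT} -pss -s 184 -p 1920 -ip 1920"),
]


def self_relaunch_with_write(events):
    """Return sorted (parent, child) pairs where a process created a child running
    the same image path and then wrote into that child's memory.  This is the
    combination the report's WriteProcessMemory rows show for 1920 -> 2968."""
    created = {e.pid: e for e in events if e.kind == "proc_create"}
    hits = set()
    for e in events:
        if e.kind != "mem_write":
            continue
        child = created.get(e.target_pid)
        if child and child.ppid == e.pid and child.image.lower() == e.image.lower():
            hits.add((e.pid, child.pid))
    return sorted(hits)


def werfault_target(cmdline):
    """Return the PID named by -p in a WerFault.exe -u command line, else None.
    Assumption of this example: -pss instances are snapshot helpers for a crash
    already represented by a -u instance, so they are skipped; counting only the
    -u instances reproduces the report's figure of 15 Program crash IoCs."""
    toks = cmdline.split()
    if "-pss" in toks or "-u" not in toks:
        return None
    for flag, value in zip(toks, toks[1:]):
        if flag == "-p" and value.isdigit():
            return int(value)
    return None


def repeated_crashes(events, min_count=2):
    """Return {crashed_pid: report_count} for PIDs reported at least min_count
    times.  Fourteen reports for one PID inside a short run is a strong
    instability signal; here it is the relaunched copy, 2968."""
    counts = Counter()
    for e in events:
        if e.kind == "proc_create" and ntpath.basename(e.image).lower() == "werfault.exe":
            target = werfault_target(e.cmdline)
            if target is not None:
                counts[target] += 1
    return {pid: n for pid, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    print("self-relaunch + memory write:", self_relaunch_with_write(EVENTS))  # [(1920, 2968)]
    print("repeatedly crashing PIDs:", repeated_crashes(EVENTS))              # {2968: 14}
```

The first correlation is deliberately narrow: it fires only when the writer is the child's parent and both run the same image path, which is the shape visible in this tree, and it says nothing about what was written. The second depends on the image basename of WerFault.exe and the -p argument, so it works the same for the SysWOW64 copy seen here and for the System32 one.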
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 4.8MB
MD5: 89727ad5bf5291b2a6b433a22ec1ccab
SHA1: a17db0b999a7aff7f634e8f43ad47a0111681aa5
SHA256: e292c3e729e44d9894d8310f7058368c9ca54812f4f4ed654da072a4505eade6
SHA512: 91eb82cfd0a1feff67433129c080282c95f3d633c1d62dbc27f6d0ea394e0473fc356973817aa2fb9f17ae9fe8a43f785886e9f2fe284d7673389e1d70a3d68c