39fee5e4d8bb4a327dbbaae28a2fc4079c26de5d6625e13aa938c3298ed2b871

General

Target

3dbaf52c14476fdf2c0fd418f63e6c60_NEAS.exe
Size

4.8MB
MD5

3dbaf52c14476fdf2c0fd418f63e6c60
SHA1

82a840c135ddf85ef1d6d1adee79911560eaf5ee
SHA256

39fee5e4d8bb4a327dbbaae28a2fc4079c26de5d6625e13aa938c3298ed2b871
SHA512

35cd4a930e646a5e09b126edd56074aae45cd0e2d249f7d48910edd1eda7c21e0efb74400fa49c4228a0782a94a60ef43a570c9d18443eb1f6a84323a7690e04
SSDEEP

98304:NuXjXvYl/KeshTWROV8qtx9aYhTWRyKP09fZ1:NfYeskROV8QaYkRyKP6

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2968	3dbaf52c14476fdf2c0fd418f63e6c60_NEAS.exe

Executes dropped EXE 1 IoCs

pid	Process
2968	3dbaf52c14476fdf2c0fd418f63e6c60_NEAS.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
21	pastebin.com
22	pastebin.com

Program crash 15 IoCs

pid	pid_target	Process	procid_target
3148	1920	WerFault.exe	82
732	2968	WerFault.exe	89
1732	2968	WerFault.exe	89
4260	2968	WerFault.exe	89
3184	2968	WerFault.exe	89
2092	2968	WerFault.exe	89
4628	2968	WerFault.exe	89
1080	2968	WerFault.exe	89
2832	2968	WerFault.exe	89
1056	2968	WerFault.exe	89
224	2968	WerFault.exe	89
944	2968	WerFault.exe	89
976	2968	WerFault.exe	89
4276	2968	WerFault.exe	89
1084	2968	WerFault.exe	89

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2968	3dbaf52c14476fdf2c0fd418f63e6c60_NEAS.exe
2968	3dbaf52c14476fdf2c0fd418f63e6c60_NEAS.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1920	3dbaf52c14476fdf2c0fd418f63e6c60_NEAS.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2968	3dbaf52c14476fdf2c0fd418f63e6c60_NEAS.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 2968	1920	3dbaf52c14476fdf2c0fd418f63e6c60_NEAS.exe	89
PID 1920 wrote to memory of 2968	1920	3dbaf52c14476fdf2c0fd418f63e6c60_NEAS.exe	89
PID 1920 wrote to memory of 2968	1920	3dbaf52c14476fdf2c0fd418f63e6c60_NEAS.exe	89

C:\Users\Admin\AppData\Local\Temp\3dbaf52c14476fdf2c0fd418f63e6c60_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\3dbaf52c14476fdf2c0fd418f63e6c60_NEAS.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 340
  2⤵
  - Program crash
  PID:3148
- C:\Users\Admin\AppData\Local\Temp\3dbaf52c14476fdf2c0fd418f63e6c60_NEAS.exe
  C:\Users\Admin\AppData\Local\Temp\3dbaf52c14476fdf2c0fd418f63e6c60_NEAS.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:2968
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 344
    3⤵
    - Program crash
    PID:732
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 628
    3⤵
    - Program crash
    PID:1732
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 636
    3⤵
    - Program crash
    PID:4260
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 636
    3⤵
    - Program crash
    PID:3184
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 720
    3⤵
    - Program crash
    PID:2092
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 892
    3⤵
    - Program crash
    PID:4628
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 1404
    3⤵
    - Program crash
    PID:1080
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 1416
    3⤵
    - Program crash
    PID:2832
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 1464
    3⤵
    - Program crash
    PID:1056
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 1456
    3⤵
    - Program crash
    PID:224
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 1528
    3⤵
    - Program crash
    PID:944
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 1676
    3⤵
    - Program crash
    PID:976
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 1480
    3⤵
    - Program crash
    PID:4276
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 652
    3⤵
    - Program crash
    PID:1084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1920 -ip 1920
1⤵
PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2968 -ip 2968
1⤵
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2968 -ip 2968
1⤵
PID:3732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2968 -ip 2968
1⤵
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2968 -ip 2968
1⤵
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2968 -ip 2968
1⤵
PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2968 -ip 2968
1⤵
PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2968 -ip 2968
1⤵
PID:2624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2968 -ip 2968
1⤵
PID:672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2968 -ip 2968
1⤵
PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2968 -ip 2968
1⤵
PID:536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2968 -ip 2968
1⤵
PID:2848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2968 -ip 2968
1⤵
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2968 -ip 2968
1⤵
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2968 -ip 2968
1⤵
PID:5096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3dbaf52c14476fdf2c0fd418f63e6c60_NEAS.exe

Filesize
4.8MB

MD5
89727ad5bf5291b2a6b433a22ec1ccab

SHA1
a17db0b999a7aff7f634e8f43ad47a0111681aa5

SHA256
e292c3e729e44d9894d8310f7058368c9ca54812f4f4ed654da072a4505eade6

SHA512
91eb82cfd0a1feff67433129c080282c95f3d633c1d62dbc27f6d0ea394e0473fc356973817aa2fb9f17ae9fe8a43f785886e9f2fe284d7673389e1d70a3d68c

Download Submit
memory/1920-0-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1920-6-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2968-7-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2968-8-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2968-14-0x0000000005060000-0x0000000005150000-memory.dmp

Filesize
960KB

Download
memory/2968-21-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2968-27-0x000000000B9B0000-0x000000000BA53000-memory.dmp

Filesize
652KB

Download

Analysis

Sharing