Analysis
- max time kernel: 3s
- max time network: 8s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/10/2023, 21:10
Static task: static1
Behavioral task: behavioral1
- Sample: NEAS.2465cc840ceb2189afccab4a940848374e21ed6a6729896c376f9e3fb6ebc637_JC.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: NEAS.2465cc840ceb2189afccab4a940848374e21ed6a6729896c376f9e3fb6ebc637_JC.exe
- Resource: win10v2004-20230915-en
General
- Target: NEAS.2465cc840ceb2189afccab4a940848374e21ed6a6729896c376f9e3fb6ebc637_JC.exe
- Size: 938KB
- MD5: 8bd5e668f7592e6aebf2c9459c8aed16
- SHA1: bd041fb95785b0744eca6722a57f3e023f8efd0a
- SHA256: 2465cc840ceb2189afccab4a940848374e21ed6a6729896c376f9e3fb6ebc637
- SHA512: 13ec6b3f681337df392efcddba24828c5361149da71b0e0f0920a9fbac0ff87a59ab80248606fec044542bb91eae213714a106fc96ff0611d377e58fa0fc0c12
- SSDEEP: 24576:ayX2MYIRavNOwt3+ZxAQ4JZ/LO6FjMJyorGDdILAN:hXxYNFOBZxh43zP4JyoK7
Malware Config
Signatures
- Executes dropped EXE (5 IoCs)
  pid   Process
  3404  v1556100.exe
  1704  v3458274.exe
  3724  v8681682.exe
  5076  v6311519.exe
  4088  a0945891.exe
- Adds Run key to start application (2 TTPs, 5 IoCs)
  Key: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  All five values are type str. The sandbox prints them with doubled backslashes; the literal registry data is shown here.
  Value name         Data                                                                                                          Process
  wextract_cleanup0  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"  NEAS.2465cc840ceb2189afccab4a940848374e21ed6a6729896c376f9e3fb6ebc637_JC.exe
  wextract_cleanup1  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"  v1556100.exe
  wextract_cleanup2  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\"  v3458274.exe
  wextract_cleanup3  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\"  v8681682.exe
  wextract_cleanup4  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\"  v6311519.exe
  Note: each value is the self-cleanup entry that the Windows cabinet self-extractor (wextract.exe, the IExpress package stub) writes for its own IXP00N.TMP extraction directory. At the next logon RunOnce calls advpack.dll!DelNodeRunDLL32 to delete that directory and the value is consumed; nothing here starts the sample or a dropped file. Read this signature as evidence of five nested self-extracting layers, not of persistence. The WOW6432Node path shows the writers are 32-bit processes on the x64 image (see the arch:x86 resource tag).
- Suspicious use of WriteProcessMemory (15 IoCs)
  The 15 rows are five distinct parent-to-child writes, each logged three times. Every target is the child the writer spawns in the Processes tree below, not an unrelated running process.
  writer PID  writer image                                                                   target PID  procid_target  rows
  1532        NEAS.2465cc840ceb2189afccab4a940848374e21ed6a6729896c376f9e3fb6ebc637_JC.exe   3404        85             3
  3404        v1556100.exe                                                                   1704        86             3
  1704        v3458274.exe                                                                   3724        87             3
  3724        v8681682.exe                                                                   5076        88             3
  5076        v6311519.exe                                                                   4088        90             3
Processes
1. C:\Users\Admin\AppData\Local\Temp\NEAS.2465cc840ceb2189afccab4a940848374e21ed6a6729896c376f9e3fb6ebc637_JC.exe (PID 1532)
   Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.2465cc840ceb2189afccab4a940848374e21ed6a6729896c376f9e3fb6ebc637_JC.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1556100.exe (PID 3404)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1556100.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3458274.exe (PID 1704)
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3458274.exe
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8681682.exe (PID 3724)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8681682.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
            5. C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6311519.exe (PID 5076)
               Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6311519.exe
               - Executes dropped EXE
               - Adds Run key to start application
               - Suspicious use of WriteProcessMemory
               6. C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0945891.exe (PID 4088)
                  Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0945891.exe
                  - Executes dropped EXE
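The tree above is a chain of self-extractors: each stage unpacks into its own IXP00N.TMP directory, registers the wextract cleanup value for that directory and runs the next stage, and a0945891.exe at depth 6 is the innermost dropped file and the one that warrants further analysis (only "Executes dropped EXE" was recorded for it in this 3s kernel run). The script below is an added example, not part of the sandbox output. It takes three rows copied from this report (the dropped-EXE pid/image pairs, the WriteProcessMemory rows and the RunOnce values) and does the two things a reviewer does by hand: collapse the triplicated WriteProcessMemory rows into one parent/child chain, and separate the wextract self-cleanup RunOnce values from anything that would need a closer look. The regular expressions, the helper names and the one "unrelated" RunOnce value used as a contrast case are this example's own assumptions and do not appear in the report.

```python
"""Triage helper for the report above: an added example, not part of the sandbox
output. Three rows copied from the report are parsed to answer two questions:

  1. What is the parent/child chain once the triplicated WriteProcessMemory
     rows are collapsed to one edge per parent/child pair?
  2. Which RunOnce values are the self-cleanup entry that the Windows cabinet
     self-extractor (wextract.exe) writes for its IXP*.TMP directory, and
     which would need a closer look?

The regexes and the one "unrelated" RunOnce value are this example's own.
"""
import re
from typing import Dict, List, Tuple

SAMPLE = "NEAS.2465cc840ceb2189afccab4a940848374e21ed6a6729896c376f9e3fb6ebc637_JC.exe"

# "Executes dropped EXE" row as printed in the report: pid image pid image ...
DROPPED_ROW = ("3404 v1556100.exe 1704 v3458274.exe 3724 v8681682.exe "
               "5076 v6311519.exe 4088 a0945891.exe")

# "Suspicious use of WriteProcessMemory" rows. The report prints each
# parent->child pair three times, so the constructed text repeats each row.
_EDGES_IN_REPORT = [(1532, 3404, SAMPLE, 85), (3404, 1704, "v1556100.exe", 86),
                    (1704, 3724, "v3458274.exe", 87), (3724, 5076, "v8681682.exe", 88),
                    (5076, 4088, "v6311519.exe", 90)]
WPM_TEXT = " ".join(f"PID {p} wrote to memory of {c} {p} {img} {tgt}"
                    for p, c, img, tgt in _EDGES_IN_REPORT for _ in range(3))

# RunOnce data from the "Adds Run key" rows. The report shows the strings with
# doubled backslashes (its own escaping); these are the literal registry values.
REPORT_RUNONCE = [
    (proc, rf'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 '
           rf'"C:\Users\Admin\AppData\Local\Temp\IXP00{n}.TMP\"')
    for n, proc in [(0, SAMPLE), (1, "v1556100.exe"), (2, "v3458274.exe"),
                    (3, "v8681682.exe"), (4, "v6311519.exe")]
]
# Constructed contrast case, NOT in the report: a RunOnce value that starts a file.
UNRELATED_RUNONCE = r"C:\Users\Admin\AppData\Roaming\updater.exe"

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")
# rundll32 [path\]advpack.dll,DelNodeRunDLL32 "<...>\IXPnnn.TMP[\]"  -- nothing else
WEXTRACT_CLEANUP_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+(?:[a-z]:\\windows\\system32\\)?advpack\.dll,DelNodeRunDLL32'
    r'\s+"(?P<dir>[^"]*\\IXP\d{3}\.TMP\\?)"$', re.IGNORECASE)


def parse_dropped(row: str) -> Dict[int, str]:
    """pid -> image name from the 'Executes dropped EXE' row."""
    tok = row.split()
    return {int(tok[i]): tok[i + 1] for i in range(0, len(tok), 2)}


def parse_edges(text: str) -> List[Tuple[int, int, str]]:
    """Unique (parent_pid, child_pid, parent_image) edges, first-seen order."""
    edges: List[Tuple[int, int, str]] = []
    for m in WPM_RE.finditer(text):
        edge = (int(m.group(1)), int(m.group(2)), m.group(3))
        if edge not in edges:          # drops the two repeated rows per edge
            edges.append(edge)
    return edges


def chain(edges, names: Dict[int, str], root_pid: int, root_image: str):
    """Depth-first walk from the root: list of (depth, pid, image)."""
    children: Dict[int, List[int]] = {}
    for parent, child, _ in edges:
        children.setdefault(parent, []).append(child)
    out, stack = [], [(0, root_pid, root_image)]
    while stack:
        depth, pid, image = stack.pop()
        out.append((depth, pid, image))
        for child in reversed(children.get(pid, [])):
            stack.append((depth + 1, child, names.get(child, "?")))
    return out


def classify_runonce(value: str) -> str:
    """'wextract-cleanup:<dir>' for the SFX self-cleanup entry, else 'review'."""
    m = WEXTRACT_CLEANUP_RE.match(value)
    return f"wextract-cleanup:{m.group('dir')}" if m else "review"


def triage(dropped_row: str, wpm_text: str, runonce: List[Tuple[str, str]]):
    names = parse_dropped(dropped_row)
    edges = parse_edges(wpm_text)
    tree = chain(edges, names, edges[0][0], edges[0][2])
    verdicts = [(proc, classify_runonce(value)) for proc, value in runonce]
    return tree, verdicts


if __name__ == "__main__":
    tree, verdicts = triage(DROPPED_ROW, WPM_TEXT,
                            REPORT_RUNONCE + [("constructed", UNRELATED_RUNONCE)])
    for depth, pid, image in tree:
        print("    " * depth + f"{image}  (PID {pid})")
    for proc, verdict in verdicts:
        print(f"{proc:>14}  {verdict}")
```

The cleanup pattern is matched as a whole string on purpose: a DelNodeRunDLL32 call that points anywhere other than an IXPnnn.TMP directory, or any value that is not that exact rundll32 invocation, is left as "review" rather than silently discarded, because the same RunOnce key is where a real loader would put itself.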
Network
MITRE ATT&CK Enterprise v15
Downloads (dropped files; the sandbox output lists each of the five entries twice, they are listed once here)
- Filesize: 832KB
  MD5: 32ddbd22fb6836895646159f7bebb7fd
  SHA1: 12234df3f214fe2d7c7b2f1a48c389e6d44b20b0
  SHA256: 2ee802bc5d1aaab546e3b04c8ca7b4f9d7a02ed5e2251b0ed0a735a9c8364f34
  SHA512: 566cc60ebb5d5f058789913c2cba51e2f6fd447836e0db81fc926f811b829fce07767487205ebde6f673e0c9cd662ac81638a8a884b9c0257e7b8243917268bf
- Filesize: 606KB
  MD5: 9566533b57e88ef21ee3b0084f7f2cb3
  SHA1: 62d76a7ce9c2f56f8924dc0283505f1454536c6f
  SHA256: 5b72da9984c867383105354e8b8594e63ac3b79ce634d55a76482f474d11927b
  SHA512: 537a4e9ad6002bac1c56b38fdb704abc7efd1fe73d7a05448f10281ff45cab9469c45611e9e4cf37401f4adcdb37d53a4e00e275c75dc7372aa9df835f2c30b9
- Filesize: 481KB
  MD5: 80ebe24a2e8bc5ce10df081eb851bcbb
  SHA1: 8ce189638d3785a0b8d3df542cb19b2d35b69ef1
  SHA256: c8948c4e1f70cf4086c7a1298b5b613c077df0ef4b8b1a6b0836c99c40d1cb41
  SHA512: 3ac3e91571f508d47eba7c210d2bad0e5fb091f643b88529e5075a9b22105e5a6715e90f3cd02f8ca60b674331c31ada640b3100dde7039fd92c30fe5e81fe8a
- Filesize: 325KB
  MD5: 4e8cd75c6ca7aee8015fdb6172f713ff
  SHA1: e654240ed11b8d5f3324245ebe937df9ebe1334d
  SHA256: 68c0a093334b0be38fc3117daf1aa879c110cdab95319932f224cf6cc9640bb5
  SHA512: b0b8e71f5215c3d1b7074dc73f6757dfcf800d380928d42fdaaed804163c57bd48a1dffa18c2f25f4521473dcb04ce0d69ac858430d9fb92377679d96b23045f
- Filesize: 184KB
  MD5: 6ea61ffe70f256772311e5d6d86d1d0f
  SHA1: bd03add2f9fb71cb465b1537b6186bb8e9c2494a
  SHA256: 8ac43c889bd7352369e006b81640b465e976ee311d392b6bb505b38000f2612f
  SHA512: 339918c376be5bcc568b87756c43e65631b78f5414660464a97b842a7f9218bb1037e555062c0b3d6a034381986a3bdb2f0b76686dceef4853892bbf668efa08