ec422a2961ff46fb8b3b47a4648df955a9b07336f67c2c76fa2c00c32d690d8f

General

Target

NEAS.03119a9cc8b3cedf91888d50d2ea74f0_JC.exe
Size

28KB
MD5

03119a9cc8b3cedf91888d50d2ea74f0
SHA1

75ed2d08ec0985959a873101a2240dce946a2915
SHA256

ec422a2961ff46fb8b3b47a4648df955a9b07336f67c2c76fa2c00c32d690d8f
SHA512

95352e9d3b5884b9e8866846f4f7b011c5b9946a9c433eda93e62a815f33f5f8c7129c1fb8261fb35f2c638854dadfd4c2c16fc7cfdcde0a43419047ef2f0f7a
SSDEEP

768:7xKzynmJnHyAtKzCIFtZ+wmf1qoryWxfV+UHjst3U:7xIySnHgz3/ZFo1V+tk

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2876	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1508	NTdHcP.exe

Loads dropped DLL 2 IoCs

pid	Process
1980	NEAS.03119a9cc8b3cedf91888d50d2ea74f0_JC.exe
1980	NEAS.03119a9cc8b3cedf91888d50d2ea74f0_JC.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\NTdHcP.exe	NEAS.03119a9cc8b3cedf91888d50d2ea74f0_JC.exe
File opened for modification	C:\Windows\SysWOW64\NTdHcP.exe	NEAS.03119a9cc8b3cedf91888d50d2ea74f0_JC.exe
File opened for modification	C:\Windows\SysWOW64\NTdHcP.exe	NTdHcP.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Deleteme.bat	NEAS.03119a9cc8b3cedf91888d50d2ea74f0_JC.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 1508	1980	NEAS.03119a9cc8b3cedf91888d50d2ea74f0_JC.exe	28
PID 1980 wrote to memory of 1508	1980	NEAS.03119a9cc8b3cedf91888d50d2ea74f0_JC.exe	28
PID 1980 wrote to memory of 1508	1980	NEAS.03119a9cc8b3cedf91888d50d2ea74f0_JC.exe	28
PID 1980 wrote to memory of 1508	1980	NEAS.03119a9cc8b3cedf91888d50d2ea74f0_JC.exe	28
PID 1980 wrote to memory of 2876	1980	NEAS.03119a9cc8b3cedf91888d50d2ea74f0_JC.exe	29
PID 1980 wrote to memory of 2876	1980	NEAS.03119a9cc8b3cedf91888d50d2ea74f0_JC.exe	29
PID 1980 wrote to memory of 2876	1980	NEAS.03119a9cc8b3cedf91888d50d2ea74f0_JC.exe	29
PID 1980 wrote to memory of 2876	1980	NEAS.03119a9cc8b3cedf91888d50d2ea74f0_JC.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.03119a9cc8b3cedf91888d50d2ea74f0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.03119a9cc8b3cedf91888d50d2ea74f0_JC.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\SysWOW64\NTdHcP.exe
  C:\Windows\system32\NTdHcP.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\Deleteme.bat
  2⤵
  - Deletes itself
  PID:2876

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Deleteme.bat

Filesize
200B

MD5
c840e07a2429ec807b186d7296abf52e

SHA1
cdf743cd8cca411503e3be991df079a8c60a2927

SHA256
3f33a770765c4267a72aeccafb5326f627e814de9d19e902b96da9a146547531

SHA512
b1a544e168515cb1aa36d0a5173f1213b6df4d6b4779893b6324a805c65da37f89ea652649983987e54ab02cd8383bcf26e5e21bf88a58361b9c53e922d3c451

Download Submit
C:\Windows\Deleteme.bat

Filesize
200B

MD5
c840e07a2429ec807b186d7296abf52e

SHA1
cdf743cd8cca411503e3be991df079a8c60a2927

SHA256
3f33a770765c4267a72aeccafb5326f627e814de9d19e902b96da9a146547531

SHA512
b1a544e168515cb1aa36d0a5173f1213b6df4d6b4779893b6324a805c65da37f89ea652649983987e54ab02cd8383bcf26e5e21bf88a58361b9c53e922d3c451

Download Submit
C:\Windows\SysWOW64\NTdHcP.exe

Filesize
28KB

MD5
03119a9cc8b3cedf91888d50d2ea74f0

SHA1
75ed2d08ec0985959a873101a2240dce946a2915

SHA256
ec422a2961ff46fb8b3b47a4648df955a9b07336f67c2c76fa2c00c32d690d8f

SHA512
95352e9d3b5884b9e8866846f4f7b011c5b9946a9c433eda93e62a815f33f5f8c7129c1fb8261fb35f2c638854dadfd4c2c16fc7cfdcde0a43419047ef2f0f7a

Download Submit
C:\Windows\SysWOW64\NTdHcP.exe

Filesize
28KB

MD5
03119a9cc8b3cedf91888d50d2ea74f0

SHA1
75ed2d08ec0985959a873101a2240dce946a2915

SHA256
ec422a2961ff46fb8b3b47a4648df955a9b07336f67c2c76fa2c00c32d690d8f

SHA512
95352e9d3b5884b9e8866846f4f7b011c5b9946a9c433eda93e62a815f33f5f8c7129c1fb8261fb35f2c638854dadfd4c2c16fc7cfdcde0a43419047ef2f0f7a

Download Submit
C:\Windows\SysWOW64\NTdHcP.exe

Filesize
28KB

MD5
03119a9cc8b3cedf91888d50d2ea74f0

SHA1
75ed2d08ec0985959a873101a2240dce946a2915

SHA256
ec422a2961ff46fb8b3b47a4648df955a9b07336f67c2c76fa2c00c32d690d8f

SHA512
95352e9d3b5884b9e8866846f4f7b011c5b9946a9c433eda93e62a815f33f5f8c7129c1fb8261fb35f2c638854dadfd4c2c16fc7cfdcde0a43419047ef2f0f7a

Download Submit
\Windows\SysWOW64\NTdHcP.exe

Filesize
28KB

MD5
03119a9cc8b3cedf91888d50d2ea74f0

SHA1
75ed2d08ec0985959a873101a2240dce946a2915

SHA256
ec422a2961ff46fb8b3b47a4648df955a9b07336f67c2c76fa2c00c32d690d8f

SHA512
95352e9d3b5884b9e8866846f4f7b011c5b9946a9c433eda93e62a815f33f5f8c7129c1fb8261fb35f2c638854dadfd4c2c16fc7cfdcde0a43419047ef2f0f7a

Download Submit
\Windows\SysWOW64\NTdHcP.exe

Filesize
28KB

MD5
03119a9cc8b3cedf91888d50d2ea74f0

SHA1
75ed2d08ec0985959a873101a2240dce946a2915

SHA256
ec422a2961ff46fb8b3b47a4648df955a9b07336f67c2c76fa2c00c32d690d8f

SHA512
95352e9d3b5884b9e8866846f4f7b011c5b9946a9c433eda93e62a815f33f5f8c7129c1fb8261fb35f2c638854dadfd4c2c16fc7cfdcde0a43419047ef2f0f7a

Download Submit
memory/1508-13-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1508-14-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1508-17-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1980-11-0x0000000000330000-0x000000000034D000-memory.dmp

Filesize
116KB

Download
memory/1980-0-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1980-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1980-24-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1980-2-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing