2ca6071240b2678eb38df1e18424090a804750af4589c8c4ea308ec2497b9e47

General

Target

NEAS.07d6133a5d84a193aa6a9e52d5df2dd0_JC.exe
Size

208KB
MD5

07d6133a5d84a193aa6a9e52d5df2dd0
SHA1

868e24eeb56cb7e5ceb4a2313d89ba838137ce21
SHA256

2ca6071240b2678eb38df1e18424090a804750af4589c8c4ea308ec2497b9e47
SHA512

0eea9dd30af01d349a667cffb31c84b177efe44e675a7695f774584c32fa8f7630718b95871482475d058b1f47f94919330993f0b3c5de8191c558debf4af763
SSDEEP

6144:Kpk9w9HF/IUWfw18m4jOXl9a07QDykQEj1:5wnn/TaYPkQC

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2720	GQC.exe

Loads dropped DLL 2 IoCs

pid	Process
2732	cmd.exe
2732	cmd.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\GQC.exe	NEAS.07d6133a5d84a193aa6a9e52d5df2dd0_JC.exe
File opened for modification	C:\windows\SysWOW64\GQC.exe	NEAS.07d6133a5d84a193aa6a9e52d5df2dd0_JC.exe
File created	C:\windows\SysWOW64\GQC.exe.bat	NEAS.07d6133a5d84a193aa6a9e52d5df2dd0_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
856	NEAS.07d6133a5d84a193aa6a9e52d5df2dd0_JC.exe
2720	GQC.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
856	NEAS.07d6133a5d84a193aa6a9e52d5df2dd0_JC.exe
856	NEAS.07d6133a5d84a193aa6a9e52d5df2dd0_JC.exe
2720	GQC.exe
2720	GQC.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 856 wrote to memory of 2732	856	NEAS.07d6133a5d84a193aa6a9e52d5df2dd0_JC.exe	28
PID 856 wrote to memory of 2732	856	NEAS.07d6133a5d84a193aa6a9e52d5df2dd0_JC.exe	28
PID 856 wrote to memory of 2732	856	NEAS.07d6133a5d84a193aa6a9e52d5df2dd0_JC.exe	28
PID 856 wrote to memory of 2732	856	NEAS.07d6133a5d84a193aa6a9e52d5df2dd0_JC.exe	28
PID 2732 wrote to memory of 2720	2732	cmd.exe	30
PID 2732 wrote to memory of 2720	2732	cmd.exe	30
PID 2732 wrote to memory of 2720	2732	cmd.exe	30
PID 2732 wrote to memory of 2720	2732	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\NEAS.07d6133a5d84a193aa6a9e52d5df2dd0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.07d6133a5d84a193aa6a9e52d5df2dd0_JC.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\system32\GQC.exe.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\windows\SysWOW64\GQC.exe
    C:\windows\system32\GQC.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\GQC.exe

Filesize
208KB

MD5
475c07037e2d798ec9c634db1ea5dcc3

SHA1
291448236451e8415508dc262fffef7010cc5847

SHA256
d08fe398a308c1df657aefd87b3ab1afd76fee06748d176d0c910d187a43d2f4

SHA512
17dc4110846e2433087c5c0d568cf80e0983b06ec431ac15b2a5733e2f7cbf44ecd2ce96611d4d4b82ecf5f66a54bd6b6be0c395b3b00b2b7d60bdfd830489b1

Download Submit
C:\Windows\SysWOW64\GQC.exe.bat

Filesize
70B

MD5
a0d949bcde85681209a199940da1e381

SHA1
141365f91386aa260562bf76cefcf3dc0a83befd

SHA256
09cddd12226a17e56cecc37f877f351ffc71f965bc082908c169d20be36ff166

SHA512
7b0dad2f82eb7dfe8174c129d83f2169bb6679e3ce69e19cf35a06327a739af7d2837bd71d503343529b1517a24a34b841de00c8714f6bd602c2b381e74703c4

Download Submit
C:\windows\SysWOW64\GQC.exe

Filesize
208KB

MD5
475c07037e2d798ec9c634db1ea5dcc3

SHA1
291448236451e8415508dc262fffef7010cc5847

SHA256
d08fe398a308c1df657aefd87b3ab1afd76fee06748d176d0c910d187a43d2f4

SHA512
17dc4110846e2433087c5c0d568cf80e0983b06ec431ac15b2a5733e2f7cbf44ecd2ce96611d4d4b82ecf5f66a54bd6b6be0c395b3b00b2b7d60bdfd830489b1

Download Submit
C:\windows\SysWOW64\GQC.exe.bat

Filesize
70B

MD5
a0d949bcde85681209a199940da1e381

SHA1
141365f91386aa260562bf76cefcf3dc0a83befd

SHA256
09cddd12226a17e56cecc37f877f351ffc71f965bc082908c169d20be36ff166

SHA512
7b0dad2f82eb7dfe8174c129d83f2169bb6679e3ce69e19cf35a06327a739af7d2837bd71d503343529b1517a24a34b841de00c8714f6bd602c2b381e74703c4

Download Submit
\Windows\SysWOW64\GQC.exe

Filesize
208KB

MD5
475c07037e2d798ec9c634db1ea5dcc3

SHA1
291448236451e8415508dc262fffef7010cc5847

SHA256
d08fe398a308c1df657aefd87b3ab1afd76fee06748d176d0c910d187a43d2f4

SHA512
17dc4110846e2433087c5c0d568cf80e0983b06ec431ac15b2a5733e2f7cbf44ecd2ce96611d4d4b82ecf5f66a54bd6b6be0c395b3b00b2b7d60bdfd830489b1

Download Submit
\Windows\SysWOW64\GQC.exe

Filesize
208KB

MD5
475c07037e2d798ec9c634db1ea5dcc3

SHA1
291448236451e8415508dc262fffef7010cc5847

SHA256
d08fe398a308c1df657aefd87b3ab1afd76fee06748d176d0c910d187a43d2f4

SHA512
17dc4110846e2433087c5c0d568cf80e0983b06ec431ac15b2a5733e2f7cbf44ecd2ce96611d4d4b82ecf5f66a54bd6b6be0c395b3b00b2b7d60bdfd830489b1

Download Submit
memory/856-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/856-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2720-19-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2720-21-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2732-15-0x0000000000270000-0x00000000002A8000-memory.dmp

Filesize
224KB

Download
memory/2732-20-0x0000000000270000-0x00000000002A8000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing