1f60ba73b822f9348e2e87d80f4395b923dd24a82b3b16da28ecaaf1c09e3def

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14-10-2023 09:48

Target

NEAS.5df99401e3c2e9a0bb505674bf172273_JC.exe
Size

129KB
MD5

5df99401e3c2e9a0bb505674bf172273
SHA1

13e6eeef2a745ad36c31e6192057a8a807c5bdc0
SHA256

1f60ba73b822f9348e2e87d80f4395b923dd24a82b3b16da28ecaaf1c09e3def
SHA512

6d36198b604ae2f262905eaab1ba3b3c1bc380e569886c2b22515f12a0497de826243913639dd4826cc72b91d46618f099530a539d21ad528aedac537e2c8504
SSDEEP

3072:WGEOuXwuyvvM/DegVMzB7Nt1oPFZlM0htmkj7yq3Y3u4Vpw:WFwPvvMbeGM932PvlM0hVeON4s

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2868	cmd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\web.exe	NEAS.5df99401e3c2e9a0bb505674bf172273_JC.exe
File opened for modification	C:\Windows\SysWOW64\web.exe	NEAS.5df99401e3c2e9a0bb505674bf172273_JC.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Debug\web32.dll	NEAS.5df99401e3c2e9a0bb505674bf172273_JC.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F49C475D-5651-4A94-B289-9953F9248EF9}\InProcServer32\ThreadingModel = "Apartment"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F49C475D-5651-4A94-B289-9953F9248EF9}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F49C475D-5651-4A94-B289-9953F9248EF9}\ = "url"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F49C475D-5651-4A94-B289-9953F9248EF9}\InProcServer32	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F49C475D-5651-4A94-B289-9953F9248EF9}\InProcServer32\ = "C:\\Windows\\Debug\\web32.dll"	regedit.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1908	regedit.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2244	2200	NEAS.5df99401e3c2e9a0bb505674bf172273_JC.exe	28
PID 2200 wrote to memory of 2244	2200	NEAS.5df99401e3c2e9a0bb505674bf172273_JC.exe	28
PID 2200 wrote to memory of 2244	2200	NEAS.5df99401e3c2e9a0bb505674bf172273_JC.exe	28
PID 2200 wrote to memory of 2244	2200	NEAS.5df99401e3c2e9a0bb505674bf172273_JC.exe	28
PID 2200 wrote to memory of 2868	2200	NEAS.5df99401e3c2e9a0bb505674bf172273_JC.exe	29
PID 2200 wrote to memory of 2868	2200	NEAS.5df99401e3c2e9a0bb505674bf172273_JC.exe	29
PID 2200 wrote to memory of 2868	2200	NEAS.5df99401e3c2e9a0bb505674bf172273_JC.exe	29
PID 2200 wrote to memory of 2868	2200	NEAS.5df99401e3c2e9a0bb505674bf172273_JC.exe	29
PID 2244 wrote to memory of 1908	2244	cmd.exe	31
PID 2244 wrote to memory of 1908	2244	cmd.exe	31
PID 2244 wrote to memory of 1908	2244	cmd.exe	31
PID 2244 wrote to memory of 1908	2244	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\NEAS.5df99401e3c2e9a0bb505674bf172273_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.5df99401e3c2e9a0bb505674bf172273_JC.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\run1.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s C:\Users\Admin\AppData\Local\Temp\s1.reg
    3⤵
    - Modifies registry class
    - Runs .reg file with regedit
    PID:1908
- C:\Windows\SysWOW64\cmd.exe
  cmd /c erase /F "C:\Users\Admin\AppData\Local\Temp\NEAS.5df99401e3c2e9a0bb505674bf172273_JC.exe"
  2⤵
  - Deletes itself
  PID:2868

C:\Users\Admin\AppData\Local\Temp\run1.bat

Filesize
118B

MD5
c9ca0afd6c6d4ba684394ab5ee38482c

SHA1
218342e5aa6ad25831f0f4991dd45cc822940206

SHA256
fb1820a50d3feaa20d5c43c92ce107c025d80549a0337b272df8c9f5ce89c25c

SHA512
3c8228a0cada2ef3a4c8fba626afd0bb5f518413243f0473842ae16a96a72e8b96229026413721c9472908945a6198ee6aa260f6c7516b984b3f7de6889a0495

Download Submit
C:\Users\Admin\AppData\Local\Temp\run1.bat

Filesize
118B

MD5
c9ca0afd6c6d4ba684394ab5ee38482c

SHA1
218342e5aa6ad25831f0f4991dd45cc822940206

SHA256
fb1820a50d3feaa20d5c43c92ce107c025d80549a0337b272df8c9f5ce89c25c

SHA512
3c8228a0cada2ef3a4c8fba626afd0bb5f518413243f0473842ae16a96a72e8b96229026413721c9472908945a6198ee6aa260f6c7516b984b3f7de6889a0495

Download Submit
C:\Users\Admin\AppData\Local\Temp\s1.reg

Filesize
401B

MD5
5e32fb9a736a8c57fc91d686f47933a0

SHA1
af36957427a7941e76706171e5943fdf5e8345e6

SHA256
1691cac4fc9de53de098f525ff02f9a01cabbc952f00eed8c533f62190ef8ba4

SHA512
96e4734944bbee46e7b3b3ca5bb692482df6ce91fbf764828d1304d1133ee7e3dc6c63cb3d5bd4e7a59adbc9a23af438490db5827cfb0438a3aa8eaf91a2546e

Download Submit
memory/2200-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2200-1-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2200-4-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2200-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download