75483db7a6dd3d262928479570dcd0e1bcbf620ef0b842151bfe67d700dfac9c

Analysis

max time kernel
140s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
22/10/2023, 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.ec78f9ce9d990399e03975f58b028830_JC.exe
Size

554KB
MD5

ec78f9ce9d990399e03975f58b028830
SHA1

3414ded876c629b3a81cce8371177a8ebde51b68
SHA256

75483db7a6dd3d262928479570dcd0e1bcbf620ef0b842151bfe67d700dfac9c
SHA512

24771e5cca5ef6625d1f5324bf41f0dd3229a0fad5b92a31bb7683c31258321283b829779b7fb1d714f326a274d852b526404d0c134ba1f6fde0b813f0b2848e
SSDEEP

12288:8SpAKy2Fqke8dqWvIa5120ltwxp+SPPmdXwAS8J+cwOcBu0VkjOm3iqfyVGR:8SKKy2Ut88Uf2awxpn0Xw8wOGkjkqfyO

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3612	update.exe

Loads dropped DLL 3 IoCs

pid	Process
1496	NEAS.ec78f9ce9d990399e03975f58b028830_JC.exe
3612	update.exe
3612	update.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\setupapi.log	update.exe
File opened for modification	\??\c:\windows\KB977914.log	update.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeBackupPrivilege	3612	update.exe
Token: SeRestorePrivilege	3612	update.exe
Token: SeShutdownPrivilege	3612	update.exe
Token: SeSecurityPrivilege	3612	update.exe
Token: SeTakeOwnershipPrivilege	3612	update.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 3612	1496	NEAS.ec78f9ce9d990399e03975f58b028830_JC.exe	88
PID 1496 wrote to memory of 3612	1496	NEAS.ec78f9ce9d990399e03975f58b028830_JC.exe	88
PID 1496 wrote to memory of 3612	1496	NEAS.ec78f9ce9d990399e03975f58b028830_JC.exe	88

C:\Users\Admin\AppData\Local\Temp\NEAS.ec78f9ce9d990399e03975f58b028830_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.ec78f9ce9d990399e03975f58b028830_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1496
- \??\c:\0f1252b50a4ef609e7adf303028d09af\update\update.exe
  c:\0f1252b50a4ef609e7adf303028d09af\update\update.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3612

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\0f1252b50a4ef609e7adf303028d09af\_sfx_.dll

Filesize
25KB

MD5
ee207e35aea4d5df41d90221e1b66efa

SHA1
757469cf9ad2f21f267bbe730560114fdf8a89a5

SHA256
cf64c95e9a2d02967efc22b00efb3736156b913a95231eb63c1df45d43475e64

SHA512
43e9f75725daa4f3428b2d9cee2c2cc8b2f2e991b8e58d72d2f429fbdfb614c86d172f03d3f9da98756bd4e245643d9a57c6efa422d6c60ad364a2322245542d

Download Submit
C:\0f1252b50a4ef609e7adf303028d09af\update\update.exe

Filesize
712KB

MD5
9570121468658dcc6972f1dfa624a223

SHA1
61716952df7a03fc01ac919f44f07e9588840b8c

SHA256
bc2cde5db3027a726c81df78bdef10b5ec9a7b4a5ba297911c7b999638f76b33

SHA512
7c2168a6db5bf7dd7c09682983e9059524621834d0d9ae250382c74d714b0e99b625f5ee9a648e18de9fa25b580bac5ab770ad63c406a9f88c87ade1a372429c

Download Submit
C:\0f1252b50a4ef609e7adf303028d09af\update\updspapi.dll

Filesize
331KB

MD5
eb5c64286d987337f702813e73fcf615

SHA1
77c393b4cf5b61c29afa408ec1ebd93b22271e3f

SHA256
44062d8525a1de307491a46376d1831e23c27c18edb3de8f142d83eb7a21fc52

SHA512
0c71779a7b5a3507b5d0ccc0f9ff785032e1d8c32e76a0c0acadfd531d9ca87b61fd9742d69c610823a4315e181ad41f561811badbc262052d0f3ba86b9237a6

Download Submit
C:\0f1252b50a4ef609e7adf303028d09af\update\updspapi.dll

Filesize
331KB

MD5
eb5c64286d987337f702813e73fcf615

SHA1
77c393b4cf5b61c29afa408ec1ebd93b22271e3f

SHA256
44062d8525a1de307491a46376d1831e23c27c18edb3de8f142d83eb7a21fc52

SHA512
0c71779a7b5a3507b5d0ccc0f9ff785032e1d8c32e76a0c0acadfd531d9ca87b61fd9742d69c610823a4315e181ad41f561811badbc262052d0f3ba86b9237a6

Download Submit
memory/1496-0-0x0000000001000000-0x00000000010A0000-memory.dmp

Filesize
640KB

Download
memory/1496-113-0x0000000001000000-0x00000000010A0000-memory.dmp

Filesize
640KB

Download
memory/1496-115-0x0000000001000000-0x00000000010A0000-memory.dmp

Filesize
640KB

Download
memory/3612-112-0x0000000000670000-0x00000000006C4000-memory.dmp

Filesize
336KB

Download