bd33062b4fd4f83a84ca61fb3386643b0162f1cf9fbe3732ccd44a4ec9c48391

Analysis

max time kernel
141s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
23/10/2023, 18:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.562594d5c4f0a7fe5bd48cdbad585050_JC.exe
Size

216KB
MD5

562594d5c4f0a7fe5bd48cdbad585050
SHA1

88554faa3e3314e21a6396b8fa012aadc7f14add
SHA256

bd33062b4fd4f83a84ca61fb3386643b0162f1cf9fbe3732ccd44a4ec9c48391
SHA512

befc9cc877d07e2032441719b4c5c2cac210cdf6d09c322813316e31f4bbd55183fee8569cd3147dfb4093db8de6a9a8a8f767c228195af8acd4e4c269b12cba
SSDEEP

6144:vlH4Ghfbq2BeK9mequ924H2xvZDD+UZ9fJoSfsdRgVhzFNHSi2:tffbJM2lqu9zH2TbJHHDHd2

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2960	u.dll
4868	mpress.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1640	OpenWith.exe
4388	OpenWith.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 2876	2044	NEAS.562594d5c4f0a7fe5bd48cdbad585050_JC.exe	80
PID 2044 wrote to memory of 2876	2044	NEAS.562594d5c4f0a7fe5bd48cdbad585050_JC.exe	80
PID 2044 wrote to memory of 2876	2044	NEAS.562594d5c4f0a7fe5bd48cdbad585050_JC.exe	80
PID 2876 wrote to memory of 2960	2876	cmd.exe	81
PID 2876 wrote to memory of 2960	2876	cmd.exe	81
PID 2876 wrote to memory of 2960	2876	cmd.exe	81
PID 2960 wrote to memory of 4868	2960	u.dll	82
PID 2960 wrote to memory of 4868	2960	u.dll	82
PID 2960 wrote to memory of 4868	2960	u.dll	82
PID 2876 wrote to memory of 3160	2876	cmd.exe	83
PID 2876 wrote to memory of 3160	2876	cmd.exe	83
PID 2876 wrote to memory of 3160	2876	cmd.exe	83
PID 2876 wrote to memory of 4916	2876	cmd.exe	85
PID 2876 wrote to memory of 4916	2876	cmd.exe	85
PID 2876 wrote to memory of 4916	2876	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\NEAS.562594d5c4f0a7fe5bd48cdbad585050_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.562594d5c4f0a7fe5bd48cdbad585050_JC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FD2C.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save NEAS.562594d5c4f0a7fe5bd48cdbad585050_JC.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Users\Admin\AppData\Local\Temp\FF20.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\FF20.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exeFF21.tmp"
      4⤵
      Executes dropped EXE
      PID:4868
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:3160
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:4916

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1640

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4388

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FD2C.tmp\vir.bat

Filesize
1KB

MD5
c00abd85108be058aacfd91502257864

SHA1
3cba5f3acbfc7099f9bf35accd9b990ba7adb5a1

SHA256
d459de733153232f8f9888851c147ad17c820e3c4b5614d8ed4cecafb5217463

SHA512
742b8a48438c599d723a12856d8acf79c7942595a46e2b2af48c42fff9859d42554439e9333aa897a0993b73567fcd55b8b5da9f573331e1084a5b709ed942e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\FF20.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FF20.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exeFF21.tmp

Filesize
41KB

MD5
5a16fb75977e1799ed52f35a164922e6

SHA1
c1697c61c42498f0501a886392ddd2560646b24c

SHA256
f625375b30e87216e720919833d9d4e7bc11f0b61a9d2d218817d2ebb140d7de

SHA512
1e31f17c0fea7df5bd321ff0015b8226a378b649c43df1111d9467b0f86f3a14e5a7ae9ed00314695f688b7cc0c18e44b3fa6521a8fea5943e4eb9a69a612216

Download Submit
C:\Users\Admin\AppData\Local\Temp\exeFF21.tmp

Filesize
41KB

MD5
5a16fb75977e1799ed52f35a164922e6

SHA1
c1697c61c42498f0501a886392ddd2560646b24c

SHA256
f625375b30e87216e720919833d9d4e7bc11f0b61a9d2d218817d2ebb140d7de

SHA512
1e31f17c0fea7df5bd321ff0015b8226a378b649c43df1111d9467b0f86f3a14e5a7ae9ed00314695f688b7cc0c18e44b3fa6521a8fea5943e4eb9a69a612216

Download Submit
C:\Users\Admin\AppData\Local\Temp\exeFF21.tmp

Filesize
24KB

MD5
e6463306e4c9e1869c45c0433ea1eb4b

SHA1
33512256446775a16d9ec37c2ffbf1c181bbcea6

SHA256
c06e36b469862896e2c897a6c5d62904001de12be848452d77aedc560c2630aa

SHA512
a1fb58a92a6a57b166092cae0898937d652ea1f0f555f4829094d5efb7cd4763890ce76e35923ebbef6b3981b5565e0feae2484543f38ef999d6f22fc67bb589

Download Submit
C:\Users\Admin\AppData\Local\Temp\mpr172.tmp

Filesize
24KB

MD5
e6463306e4c9e1869c45c0433ea1eb4b

SHA1
33512256446775a16d9ec37c2ffbf1c181bbcea6

SHA256
c06e36b469862896e2c897a6c5d62904001de12be848452d77aedc560c2630aa

SHA512
a1fb58a92a6a57b166092cae0898937d652ea1f0f555f4829094d5efb7cd4763890ce76e35923ebbef6b3981b5565e0feae2484543f38ef999d6f22fc67bb589

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
863c312b1e74b57dc2d01a1370684ff3

SHA1
39175536b2783f4b3d70cb29d3352388cfebbcac

SHA256
33c2b1a19a8b31cd969ee88acebba54c9af73d4a8633becfa609e067909db33a

SHA512
d6dcd4968bd18b3483f7fb6a63b9640d8d3f3fc63bccd5c0ba294c1f09fc9b6bcb4fae815682d5800f7acf34fdadd2ec54be7d728d754a46b9cdb2362b3fa76d

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
863c312b1e74b57dc2d01a1370684ff3

SHA1
39175536b2783f4b3d70cb29d3352388cfebbcac

SHA256
33c2b1a19a8b31cd969ee88acebba54c9af73d4a8633becfa609e067909db33a

SHA512
d6dcd4968bd18b3483f7fb6a63b9640d8d3f3fc63bccd5c0ba294c1f09fc9b6bcb4fae815682d5800f7acf34fdadd2ec54be7d728d754a46b9cdb2362b3fa76d

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
863c312b1e74b57dc2d01a1370684ff3

SHA1
39175536b2783f4b3d70cb29d3352388cfebbcac

SHA256
33c2b1a19a8b31cd969ee88acebba54c9af73d4a8633becfa609e067909db33a

SHA512
d6dcd4968bd18b3483f7fb6a63b9640d8d3f3fc63bccd5c0ba294c1f09fc9b6bcb4fae815682d5800f7acf34fdadd2ec54be7d728d754a46b9cdb2362b3fa76d

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
863c312b1e74b57dc2d01a1370684ff3

SHA1
39175536b2783f4b3d70cb29d3352388cfebbcac

SHA256
33c2b1a19a8b31cd969ee88acebba54c9af73d4a8633becfa609e067909db33a

SHA512
d6dcd4968bd18b3483f7fb6a63b9640d8d3f3fc63bccd5c0ba294c1f09fc9b6bcb4fae815682d5800f7acf34fdadd2ec54be7d728d754a46b9cdb2362b3fa76d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
f6007c105222cd5ac1ade29a117be5ba

SHA1
b7522cfff44ca03dbfe1e5067575727de21de7ef

SHA256
b5bf7b6f9f4b8958120aa27d9e2cd823b80f4ef223b3bf6f8a699bf8675f6516

SHA512
f033f9a7b9b1684bcd77bee8a58928f8c47867a85f487e447a028a2e98bd8844bb168afb6447f20b937c6588f47fc781a2a99a03bbb6fe065f5a2d9329ee8c37

Download Submit
memory/2044-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2044-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2044-71-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4868-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4868-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads