72e40cac0281190ba5104c1257c374f0d523636a84d6cade22ae05bcf72955da

Analysis

max time kernel
141s
max time network
121s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
31-10-2023 20:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.33a50541a2ca052a61cd4cc6aff62af0_JC.exe
Size

209KB
MD5

33a50541a2ca052a61cd4cc6aff62af0
SHA1

5a92a09bacff8015cc47a5d62b1a0b898b818910
SHA256

72e40cac0281190ba5104c1257c374f0d523636a84d6cade22ae05bcf72955da
SHA512

961c8dba613b8ebb4402555032c4e7d2ba2d3243fb3b3950a8b06aeb3f98e2dbaa4404a3f16992afe2256e83455125339bc36a0db409c75647fdc2666c8610ee
SSDEEP

3072:qlmtZSkhslvxNnn9w4ZKktgsKAbt2OGXhqqyRxzmbcSXQL9w+jNtIVYwkKsbTsv8:qlsSFhznn9drxbtGxsVL9w+zp/l

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2676	u.dll
2624	mpress.exe
2444	u.dll
1992	mpress.exe

Loads dropped DLL 8 IoCs

pid	Process
2980	cmd.exe
2980	cmd.exe
2676	u.dll
2676	u.dll
2980	cmd.exe
2980	cmd.exe
2444	u.dll
2444	u.dll

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 2980	2940	NEAS.33a50541a2ca052a61cd4cc6aff62af0_JC.exe	29
PID 2940 wrote to memory of 2980	2940	NEAS.33a50541a2ca052a61cd4cc6aff62af0_JC.exe	29
PID 2940 wrote to memory of 2980	2940	NEAS.33a50541a2ca052a61cd4cc6aff62af0_JC.exe	29
PID 2940 wrote to memory of 2980	2940	NEAS.33a50541a2ca052a61cd4cc6aff62af0_JC.exe	29
PID 2980 wrote to memory of 2676	2980	cmd.exe	30
PID 2980 wrote to memory of 2676	2980	cmd.exe	30
PID 2980 wrote to memory of 2676	2980	cmd.exe	30
PID 2980 wrote to memory of 2676	2980	cmd.exe	30
PID 2676 wrote to memory of 2624	2676	u.dll	31
PID 2676 wrote to memory of 2624	2676	u.dll	31
PID 2676 wrote to memory of 2624	2676	u.dll	31
PID 2676 wrote to memory of 2624	2676	u.dll	31
PID 2980 wrote to memory of 2444	2980	cmd.exe	32
PID 2980 wrote to memory of 2444	2980	cmd.exe	32
PID 2980 wrote to memory of 2444	2980	cmd.exe	32
PID 2980 wrote to memory of 2444	2980	cmd.exe	32
PID 2444 wrote to memory of 1992	2444	u.dll	33
PID 2444 wrote to memory of 1992	2444	u.dll	33
PID 2444 wrote to memory of 1992	2444	u.dll	33
PID 2444 wrote to memory of 1992	2444	u.dll	33
PID 2980 wrote to memory of 556	2980	cmd.exe	34
PID 2980 wrote to memory of 556	2980	cmd.exe	34
PID 2980 wrote to memory of 556	2980	cmd.exe	34
PID 2980 wrote to memory of 556	2980	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\NEAS.33a50541a2ca052a61cd4cc6aff62af0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.33a50541a2ca052a61cd4cc6aff62af0_JC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\3775.tmp\vir.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save NEAS.33a50541a2ca052a61cd4cc6aff62af0_JC.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Users\Admin\AppData\Local\Temp\3939.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\3939.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe393A.tmp"
      4⤵
      Executes dropped EXE
      PID:2624
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save ose00000.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Users\Admin\AppData\Local\Temp\3C36.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\3C36.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe3C37.tmp"
      4⤵
      Executes dropped EXE
      PID:1992
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    PID:556

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3775.tmp\vir.bat

Filesize
1KB

MD5
a74597aa3607d89f849c990d0bb7f437

SHA1
03acb289aeca09d9388459c0936ae50d2ec213f7

SHA256
474afd74bd35ce24f3444bb713d738a5d22964ace3baa55342bc96e9c2ab5b48

SHA512
e399738cb145c82962002fb045891f3bebf7ffe26a01d8f29da98d77837ab44f2fc7a1aa6d2a8f98d3bd2221520f2bce1dbe92a93a113e9a3d6b383c8302aa84

Download Submit
C:\Users\Admin\AppData\Local\Temp\3775.tmp\vir.bat

Filesize
1KB

MD5
a74597aa3607d89f849c990d0bb7f437

SHA1
03acb289aeca09d9388459c0936ae50d2ec213f7

SHA256
474afd74bd35ce24f3444bb713d738a5d22964ace3baa55342bc96e9c2ab5b48

SHA512
e399738cb145c82962002fb045891f3bebf7ffe26a01d8f29da98d77837ab44f2fc7a1aa6d2a8f98d3bd2221520f2bce1dbe92a93a113e9a3d6b383c8302aa84

Download Submit
C:\Users\Admin\AppData\Local\Temp\3939.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3939.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3C36.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCX3C78.tmp

Filesize
41KB

MD5
d83b3ab33a0074fea9e15055fe7b4954

SHA1
e278f9d795c82c9dba2abb8958cdfbb7e7180f23

SHA256
59349af3dd83762af1d8524723289cce4eee98d6e06a64e48992cce1b4edb966

SHA512
ae8ddbda60bb28cb947a4a6d4677292e7aa1b0ea83deadcf8905db1a667a5515f03e67639b7c49ef303bdab970d540bfbe56764b55a9590b1ecaa591c8cb5169

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe393A.tmp

Filesize
41KB

MD5
ebcc0f877b80fa4157b2f780c6863c50

SHA1
e9bc8f799887a43ef7445bf39124075a2baf1b3c

SHA256
9053aa322aa1443a79c4ef7b1447f92d05c9d3c023902ef4de3abaaccdc6df01

SHA512
7d000c34f9de9c41cef651f3e681f97b147a251de69ecbc3743e437f97ce10cc33d1f3d5fc45c10d1b75bac3de5b86ff8ae50bb629fafb34bbf0a4c5593aa945

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe393A.tmp

Filesize
742KB

MD5
88c088af8913f82470c6b4801c4ebb5f

SHA1
a418fea3f98db2b3358559218d219db91c6ffe83

SHA256
a0eb11e71f6691ddbf06ba96fb3a3981208b6cea2f19612706ba0abf00a5f33a

SHA512
715ee3045d1e74f93691944b60e4ee69bbbbf032bbb8746c6e37469447df842284d6ccae137710392ca32c650149eb4b78072214cd63ba7f66502ec25a989899

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe393A.tmp

Filesize
208KB

MD5
46121940548de3522ef51f417925cb82

SHA1
480d3c9f5728523f8f402c9e3bf64ad45c757b2c

SHA256
5fa2ad820829c58e8e903b09b5be880a02d30d5345ace7e3e5a68ff93baae829

SHA512
fd555a73d8626bdce8596968d576f286397e9b4b74b578a2d8a446c336aa1c14dd86b54c57026fe165cb9cdfc643a886b3d65dc61b716b95ec95626f4a8a5570

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe3C37.tmp

Filesize
41KB

MD5
bac68e690b1c14dba6029b68bf6485e0

SHA1
911ac3beb4e166a4fd3e263787175b257a8a2125

SHA256
45422da2885226ab32d568f8155b68c173675a7a5ca058f1e75feddc5229348d

SHA512
6ab4ded492eb5c594ba5a0da0eb0f6f812b459de500b9111264276e6eadaefd58e470abb2bebd4c044b689dddd08a919a947417f53d246e4547befc859f5d34a

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe3C37.tmp

Filesize
741KB

MD5
d019122cf6b255b3fa00163eba1f9023

SHA1
6d9ff19a46e0c20fc3972a39a25b19236de307c4

SHA256
743f6c6ce86c199b39d3ff0b484c66ebc9b9b69c970580de1d6ff07111337aac

SHA512
1167a8b5f90e9cf49bb52710eb1dc78bcae32091d2c6b60a88ae9bdf2bc045df1707f119f5fb6fd799f0a914f747412744129753c4578d351040fc2f68e71b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe3C37.tmp

Filesize
741KB

MD5
d019122cf6b255b3fa00163eba1f9023

SHA1
6d9ff19a46e0c20fc3972a39a25b19236de307c4

SHA256
743f6c6ce86c199b39d3ff0b484c66ebc9b9b69c970580de1d6ff07111337aac

SHA512
1167a8b5f90e9cf49bb52710eb1dc78bcae32091d2c6b60a88ae9bdf2bc045df1707f119f5fb6fd799f0a914f747412744129753c4578d351040fc2f68e71b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe3C37.tmp

Filesize
207KB

MD5
4ef5df4279d3bcb33a5710823e845c40

SHA1
aeab1e44c9735cee7c2356dc8284348710b75b1d

SHA256
8ec64c8bc9770a47b0c5ded390907cb5589188bfe012a81e4d573092bb158369

SHA512
dc0010d4e483350e16b497b0064749aa8e7e51e8c4886c2033e6f40af6dd9115691e12f35c335e8365c61696ff8a2bb683b8064332f4457ea69a51bc425802a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
77ba6153827a203577b5d79c941e801c

SHA1
6deb4bdee67f4fb1a01ffa702e7941220c00f5a0

SHA256
7df73edded92f9b3f8e0639a4acaac72fdee2358eb0325e5cd66b23b44ce9bf7

SHA512
65d6b016a9109dc3358f7952fef0eb520a79a3084cb6da4f30558ebfeaf127f046408366452b178f43fd75d5a077118301326899f0207ed38b96310273824ad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
77ba6153827a203577b5d79c941e801c

SHA1
6deb4bdee67f4fb1a01ffa702e7941220c00f5a0

SHA256
7df73edded92f9b3f8e0639a4acaac72fdee2358eb0325e5cd66b23b44ce9bf7

SHA512
65d6b016a9109dc3358f7952fef0eb520a79a3084cb6da4f30558ebfeaf127f046408366452b178f43fd75d5a077118301326899f0207ed38b96310273824ad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
77ba6153827a203577b5d79c941e801c

SHA1
6deb4bdee67f4fb1a01ffa702e7941220c00f5a0

SHA256
7df73edded92f9b3f8e0639a4acaac72fdee2358eb0325e5cd66b23b44ce9bf7

SHA512
65d6b016a9109dc3358f7952fef0eb520a79a3084cb6da4f30558ebfeaf127f046408366452b178f43fd75d5a077118301326899f0207ed38b96310273824ad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
77ba6153827a203577b5d79c941e801c

SHA1
6deb4bdee67f4fb1a01ffa702e7941220c00f5a0

SHA256
7df73edded92f9b3f8e0639a4acaac72fdee2358eb0325e5cd66b23b44ce9bf7

SHA512
65d6b016a9109dc3358f7952fef0eb520a79a3084cb6da4f30558ebfeaf127f046408366452b178f43fd75d5a077118301326899f0207ed38b96310273824ad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
598941c8566055aabccfbec31a9c0f31

SHA1
630b75880ed9e405d01157e92b3b640806cb59b9

SHA256
cec25f746b81af80c58e8f51fc5c55988092b39ba4f6471957813a4679f5648a

SHA512
73e13d39adb8b8daa10d2354be14b3dbc4f02596b8440ff464f5c169cf0b32f6b8ee7be0a608ea11089ec75e4f34368415e8225ac4f5ff9793689243e45fc93d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
22bc4fb74155e29ebae803e1f483076c

SHA1
1df62aaefe20f92897033510d72e56d6469fc381

SHA256
3ea33c096a399e49f905e9ac48fa950012d7664defc82d729ed48b06ec69a517

SHA512
91d3b69b406988a28827552050a5151da726efa0e3ceebca380d5d9e6aa2adf98122f0e05ee181d6db3f6776ea9c5345f6c3197b55e6c46f006dbb2703b0c2d8

Download Submit
\Users\Admin\AppData\Local\Temp\3939.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
\Users\Admin\AppData\Local\Temp\3939.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
\Users\Admin\AppData\Local\Temp\3C36.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
\Users\Admin\AppData\Local\Temp\3C36.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
77ba6153827a203577b5d79c941e801c

SHA1
6deb4bdee67f4fb1a01ffa702e7941220c00f5a0

SHA256
7df73edded92f9b3f8e0639a4acaac72fdee2358eb0325e5cd66b23b44ce9bf7

SHA512
65d6b016a9109dc3358f7952fef0eb520a79a3084cb6da4f30558ebfeaf127f046408366452b178f43fd75d5a077118301326899f0207ed38b96310273824ad2

Download Submit
\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
77ba6153827a203577b5d79c941e801c

SHA1
6deb4bdee67f4fb1a01ffa702e7941220c00f5a0

SHA256
7df73edded92f9b3f8e0639a4acaac72fdee2358eb0325e5cd66b23b44ce9bf7

SHA512
65d6b016a9109dc3358f7952fef0eb520a79a3084cb6da4f30558ebfeaf127f046408366452b178f43fd75d5a077118301326899f0207ed38b96310273824ad2

Download Submit
\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
77ba6153827a203577b5d79c941e801c

SHA1
6deb4bdee67f4fb1a01ffa702e7941220c00f5a0

SHA256
7df73edded92f9b3f8e0639a4acaac72fdee2358eb0325e5cd66b23b44ce9bf7

SHA512
65d6b016a9109dc3358f7952fef0eb520a79a3084cb6da4f30558ebfeaf127f046408366452b178f43fd75d5a077118301326899f0207ed38b96310273824ad2

Download Submit
\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
77ba6153827a203577b5d79c941e801c

SHA1
6deb4bdee67f4fb1a01ffa702e7941220c00f5a0

SHA256
7df73edded92f9b3f8e0639a4acaac72fdee2358eb0325e5cd66b23b44ce9bf7

SHA512
65d6b016a9109dc3358f7952fef0eb520a79a3084cb6da4f30558ebfeaf127f046408366452b178f43fd75d5a077118301326899f0207ed38b96310273824ad2

Download Submit
memory/1992-145-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1992-140-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2444-137-0x0000000000330000-0x0000000000364000-memory.dmp

Filesize
208KB

Download
memory/2444-139-0x0000000000330000-0x0000000000364000-memory.dmp

Filesize
208KB

Download
memory/2624-66-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2624-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2676-59-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/2676-64-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/2940-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2940-156-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads