72e40cac0281190ba5104c1257c374f0d523636a84d6cade22ae05bcf72955da

Analysis

max time kernel
151s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
31/10/2023, 20:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.33a50541a2ca052a61cd4cc6aff62af0_JC.exe
Size

209KB
MD5

33a50541a2ca052a61cd4cc6aff62af0
SHA1

5a92a09bacff8015cc47a5d62b1a0b898b818910
SHA256

72e40cac0281190ba5104c1257c374f0d523636a84d6cade22ae05bcf72955da
SHA512

961c8dba613b8ebb4402555032c4e7d2ba2d3243fb3b3950a8b06aeb3f98e2dbaa4404a3f16992afe2256e83455125339bc36a0db409c75647fdc2666c8610ee
SSDEEP

3072:qlmtZSkhslvxNnn9w4ZKktgsKAbt2OGXhqqyRxzmbcSXQL9w+jNtIVYwkKsbTsv8:qlsSFhznn9drxbtGxsVL9w+zp/l

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2124	u.dll
2456	mpress.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2996	OpenWith.exe
1752	OpenWith.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 1936	4884	NEAS.33a50541a2ca052a61cd4cc6aff62af0_JC.exe	93
PID 4884 wrote to memory of 1936	4884	NEAS.33a50541a2ca052a61cd4cc6aff62af0_JC.exe	93
PID 4884 wrote to memory of 1936	4884	NEAS.33a50541a2ca052a61cd4cc6aff62af0_JC.exe	93
PID 1936 wrote to memory of 2124	1936	cmd.exe	95
PID 1936 wrote to memory of 2124	1936	cmd.exe	95
PID 1936 wrote to memory of 2124	1936	cmd.exe	95
PID 2124 wrote to memory of 2456	2124	u.dll	96
PID 2124 wrote to memory of 2456	2124	u.dll	96
PID 2124 wrote to memory of 2456	2124	u.dll	96
PID 1936 wrote to memory of 2156	1936	cmd.exe	97
PID 1936 wrote to memory of 2156	1936	cmd.exe	97
PID 1936 wrote to memory of 2156	1936	cmd.exe	97
PID 1936 wrote to memory of 4812	1936	cmd.exe	101
PID 1936 wrote to memory of 4812	1936	cmd.exe	101
PID 1936 wrote to memory of 4812	1936	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\NEAS.33a50541a2ca052a61cd4cc6aff62af0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.33a50541a2ca052a61cd4cc6aff62af0_JC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\441.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save NEAS.33a50541a2ca052a61cd4cc6aff62af0_JC.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2124
  - - C:\Users\Admin\AppData\Local\Temp\858.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\858.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe888.tmp"
      4⤵
      Executes dropped EXE
      PID:2456
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:2156
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:4812

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2996

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1752

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\441.tmp\vir.bat

Filesize
1KB

MD5
a74597aa3607d89f849c990d0bb7f437

SHA1
03acb289aeca09d9388459c0936ae50d2ec213f7

SHA256
474afd74bd35ce24f3444bb713d738a5d22964ace3baa55342bc96e9c2ab5b48

SHA512
e399738cb145c82962002fb045891f3bebf7ffe26a01d8f29da98d77837ab44f2fc7a1aa6d2a8f98d3bd2221520f2bce1dbe92a93a113e9a3d6b383c8302aa84

Download Submit
C:\Users\Admin\AppData\Local\Temp\858.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\858.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe888.tmp

Filesize
41KB

MD5
ebcc0f877b80fa4157b2f780c6863c50

SHA1
e9bc8f799887a43ef7445bf39124075a2baf1b3c

SHA256
9053aa322aa1443a79c4ef7b1447f92d05c9d3c023902ef4de3abaaccdc6df01

SHA512
7d000c34f9de9c41cef651f3e681f97b147a251de69ecbc3743e437f97ce10cc33d1f3d5fc45c10d1b75bac3de5b86ff8ae50bb629fafb34bbf0a4c5593aa945

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe888.tmp

Filesize
741KB

MD5
d019122cf6b255b3fa00163eba1f9023

SHA1
6d9ff19a46e0c20fc3972a39a25b19236de307c4

SHA256
743f6c6ce86c199b39d3ff0b484c66ebc9b9b69c970580de1d6ff07111337aac

SHA512
1167a8b5f90e9cf49bb52710eb1dc78bcae32091d2c6b60a88ae9bdf2bc045df1707f119f5fb6fd799f0a914f747412744129753c4578d351040fc2f68e71b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe888.tmp

Filesize
741KB

MD5
d019122cf6b255b3fa00163eba1f9023

SHA1
6d9ff19a46e0c20fc3972a39a25b19236de307c4

SHA256
743f6c6ce86c199b39d3ff0b484c66ebc9b9b69c970580de1d6ff07111337aac

SHA512
1167a8b5f90e9cf49bb52710eb1dc78bcae32091d2c6b60a88ae9bdf2bc045df1707f119f5fb6fd799f0a914f747412744129753c4578d351040fc2f68e71b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe888.tmp

Filesize
207KB

MD5
4ef5df4279d3bcb33a5710823e845c40

SHA1
aeab1e44c9735cee7c2356dc8284348710b75b1d

SHA256
8ec64c8bc9770a47b0c5ded390907cb5589188bfe012a81e4d573092bb158369

SHA512
dc0010d4e483350e16b497b0064749aa8e7e51e8c4886c2033e6f40af6dd9115691e12f35c335e8365c61696ff8a2bb683b8064332f4457ea69a51bc425802a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mprE24.tmp

Filesize
207KB

MD5
4ef5df4279d3bcb33a5710823e845c40

SHA1
aeab1e44c9735cee7c2356dc8284348710b75b1d

SHA256
8ec64c8bc9770a47b0c5ded390907cb5589188bfe012a81e4d573092bb158369

SHA512
dc0010d4e483350e16b497b0064749aa8e7e51e8c4886c2033e6f40af6dd9115691e12f35c335e8365c61696ff8a2bb683b8064332f4457ea69a51bc425802a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
77ba6153827a203577b5d79c941e801c

SHA1
6deb4bdee67f4fb1a01ffa702e7941220c00f5a0

SHA256
7df73edded92f9b3f8e0639a4acaac72fdee2358eb0325e5cd66b23b44ce9bf7

SHA512
65d6b016a9109dc3358f7952fef0eb520a79a3084cb6da4f30558ebfeaf127f046408366452b178f43fd75d5a077118301326899f0207ed38b96310273824ad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
77ba6153827a203577b5d79c941e801c

SHA1
6deb4bdee67f4fb1a01ffa702e7941220c00f5a0

SHA256
7df73edded92f9b3f8e0639a4acaac72fdee2358eb0325e5cd66b23b44ce9bf7

SHA512
65d6b016a9109dc3358f7952fef0eb520a79a3084cb6da4f30558ebfeaf127f046408366452b178f43fd75d5a077118301326899f0207ed38b96310273824ad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
77ba6153827a203577b5d79c941e801c

SHA1
6deb4bdee67f4fb1a01ffa702e7941220c00f5a0

SHA256
7df73edded92f9b3f8e0639a4acaac72fdee2358eb0325e5cd66b23b44ce9bf7

SHA512
65d6b016a9109dc3358f7952fef0eb520a79a3084cb6da4f30558ebfeaf127f046408366452b178f43fd75d5a077118301326899f0207ed38b96310273824ad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
77ba6153827a203577b5d79c941e801c

SHA1
6deb4bdee67f4fb1a01ffa702e7941220c00f5a0

SHA256
7df73edded92f9b3f8e0639a4acaac72fdee2358eb0325e5cd66b23b44ce9bf7

SHA512
65d6b016a9109dc3358f7952fef0eb520a79a3084cb6da4f30558ebfeaf127f046408366452b178f43fd75d5a077118301326899f0207ed38b96310273824ad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
598941c8566055aabccfbec31a9c0f31

SHA1
630b75880ed9e405d01157e92b3b640806cb59b9

SHA256
cec25f746b81af80c58e8f51fc5c55988092b39ba4f6471957813a4679f5648a

SHA512
73e13d39adb8b8daa10d2354be14b3dbc4f02596b8440ff464f5c169cf0b32f6b8ee7be0a608ea11089ec75e4f34368415e8225ac4f5ff9793689243e45fc93d

Download Submit
memory/2456-53-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2456-61-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4884-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4884-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4884-69-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads