72c0145ace85c7a134f894b7f081b6d6dfa3a728ccadcb0b41780c7f9484e00c

General

Target

NEAS.1806e4c68214f50122564570b071efa0_JC.exe
Size

27KB
MD5

1806e4c68214f50122564570b071efa0
SHA1

5cb4f1078cd7aa1b58be574afeacd902b8d9514a
SHA256

72c0145ace85c7a134f894b7f081b6d6dfa3a728ccadcb0b41780c7f9484e00c
SHA512

2bcf20d90bce3760df9a397e75ef40c45f5f1ac108cb2c936186442d1d1607c09d5205380720f1038cf20c4ad201285f188ed94187c3ba3631ab5201cf386d25
SSDEEP

384:Rjk/A6WET7A5tRIoTS/DdJjjXNHN1doc0lZoEbtxb1JZoZs2daBl1bQg1g:Rjk/A6WYBD3XvQcq9xHqZjk/g

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1944	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2968	NTdhcp.exe

Loads dropped DLL 2 IoCs

pid	Process
1720	NEAS.1806e4c68214f50122564570b071efa0_JC.exe
1720	NEAS.1806e4c68214f50122564570b071efa0_JC.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\NTdhcp.exe	NEAS.1806e4c68214f50122564570b071efa0_JC.exe
File opened for modification	C:\Windows\SysWOW64\NTdhcp.exe	NTdhcp.exe
File created	C:\Windows\SysWOW64\NTdhcp.exe	NEAS.1806e4c68214f50122564570b071efa0_JC.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Deleteme.bat	NEAS.1806e4c68214f50122564570b071efa0_JC.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2968	1720	NEAS.1806e4c68214f50122564570b071efa0_JC.exe	28
PID 1720 wrote to memory of 2968	1720	NEAS.1806e4c68214f50122564570b071efa0_JC.exe	28
PID 1720 wrote to memory of 2968	1720	NEAS.1806e4c68214f50122564570b071efa0_JC.exe	28
PID 1720 wrote to memory of 2968	1720	NEAS.1806e4c68214f50122564570b071efa0_JC.exe	28
PID 1720 wrote to memory of 1944	1720	NEAS.1806e4c68214f50122564570b071efa0_JC.exe	30
PID 1720 wrote to memory of 1944	1720	NEAS.1806e4c68214f50122564570b071efa0_JC.exe	30
PID 1720 wrote to memory of 1944	1720	NEAS.1806e4c68214f50122564570b071efa0_JC.exe	30
PID 1720 wrote to memory of 1944	1720	NEAS.1806e4c68214f50122564570b071efa0_JC.exe	30

C:\Users\Admin\AppData\Local\Temp\NEAS.1806e4c68214f50122564570b071efa0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.1806e4c68214f50122564570b071efa0_JC.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\SysWOW64\NTdhcp.exe
  C:\Windows\system32\NTdhcp.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\Deleteme.bat
  2⤵
  - Deletes itself
  PID:1944

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Deleteme.bat

Filesize
200B

MD5
c7eab2f6c4c1e9f81f3331010003a769

SHA1
4e86382952b0331db9404a3c9113fa985bc15f8d

SHA256
35239fe17029ccc601c01de121cbdc4d49d7e99f842498fb9e8500d9527dbdb0

SHA512
1701846a71426e14337daec905986ac526e1681ce493046365d615439551cec976351229641ff0eabd1180c92254dc37110a41d5c77fcfe0e6f7d9ce60ee6ad7

Download Submit
C:\Windows\Deleteme.bat

Filesize
200B

MD5
c7eab2f6c4c1e9f81f3331010003a769

SHA1
4e86382952b0331db9404a3c9113fa985bc15f8d

SHA256
35239fe17029ccc601c01de121cbdc4d49d7e99f842498fb9e8500d9527dbdb0

SHA512
1701846a71426e14337daec905986ac526e1681ce493046365d615439551cec976351229641ff0eabd1180c92254dc37110a41d5c77fcfe0e6f7d9ce60ee6ad7

Download Submit
C:\Windows\SysWOW64\NTdhcp.exe

Filesize
27KB

MD5
1806e4c68214f50122564570b071efa0

SHA1
5cb4f1078cd7aa1b58be574afeacd902b8d9514a

SHA256
72c0145ace85c7a134f894b7f081b6d6dfa3a728ccadcb0b41780c7f9484e00c

SHA512
2bcf20d90bce3760df9a397e75ef40c45f5f1ac108cb2c936186442d1d1607c09d5205380720f1038cf20c4ad201285f188ed94187c3ba3631ab5201cf386d25

Download Submit
C:\Windows\SysWOW64\NTdhcp.exe

Filesize
27KB

MD5
1806e4c68214f50122564570b071efa0

SHA1
5cb4f1078cd7aa1b58be574afeacd902b8d9514a

SHA256
72c0145ace85c7a134f894b7f081b6d6dfa3a728ccadcb0b41780c7f9484e00c

SHA512
2bcf20d90bce3760df9a397e75ef40c45f5f1ac108cb2c936186442d1d1607c09d5205380720f1038cf20c4ad201285f188ed94187c3ba3631ab5201cf386d25

Download Submit
C:\Windows\SysWOW64\NTdhcp.exe

Filesize
27KB

MD5
1806e4c68214f50122564570b071efa0

SHA1
5cb4f1078cd7aa1b58be574afeacd902b8d9514a

SHA256
72c0145ace85c7a134f894b7f081b6d6dfa3a728ccadcb0b41780c7f9484e00c

SHA512
2bcf20d90bce3760df9a397e75ef40c45f5f1ac108cb2c936186442d1d1607c09d5205380720f1038cf20c4ad201285f188ed94187c3ba3631ab5201cf386d25

Download Submit
\Windows\SysWOW64\NTdhcp.exe

Filesize
27KB

MD5
1806e4c68214f50122564570b071efa0

SHA1
5cb4f1078cd7aa1b58be574afeacd902b8d9514a

SHA256
72c0145ace85c7a134f894b7f081b6d6dfa3a728ccadcb0b41780c7f9484e00c

SHA512
2bcf20d90bce3760df9a397e75ef40c45f5f1ac108cb2c936186442d1d1607c09d5205380720f1038cf20c4ad201285f188ed94187c3ba3631ab5201cf386d25

Download Submit
\Windows\SysWOW64\NTdhcp.exe

Filesize
27KB

MD5
1806e4c68214f50122564570b071efa0

SHA1
5cb4f1078cd7aa1b58be574afeacd902b8d9514a

SHA256
72c0145ace85c7a134f894b7f081b6d6dfa3a728ccadcb0b41780c7f9484e00c

SHA512
2bcf20d90bce3760df9a397e75ef40c45f5f1ac108cb2c936186442d1d1607c09d5205380720f1038cf20c4ad201285f188ed94187c3ba3631ab5201cf386d25

Download Submit
memory/1720-11-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/1720-0-0x0000000000400000-0x0000000000416200-memory.dmp

Filesize
88KB

Download
memory/1720-4-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/1720-21-0x0000000000400000-0x0000000000416200-memory.dmp

Filesize
88KB

Download
memory/1720-23-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/2968-14-0x0000000000400000-0x0000000000416200-memory.dmp

Filesize
88KB

Download

Analysis

Sharing