72c0145ace85c7a134f894b7f081b6d6dfa3a728ccadcb0b41780c7f9484e00c

Analysis

max time kernel
138s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2023, 10:55

Target

NEAS.1806e4c68214f50122564570b071efa0_JC.exe
Size

27KB
MD5

1806e4c68214f50122564570b071efa0
SHA1

5cb4f1078cd7aa1b58be574afeacd902b8d9514a
SHA256

72c0145ace85c7a134f894b7f081b6d6dfa3a728ccadcb0b41780c7f9484e00c
SHA512

2bcf20d90bce3760df9a397e75ef40c45f5f1ac108cb2c936186442d1d1607c09d5205380720f1038cf20c4ad201285f188ed94187c3ba3631ab5201cf386d25
SSDEEP

384:Rjk/A6WET7A5tRIoTS/DdJjjXNHN1doc0lZoEbtxb1JZoZs2daBl1bQg1g:Rjk/A6WYBD3XvQcq9xHqZjk/g

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
208	NTdhcp.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\NTdhcp.exe	NTdhcp.exe
File created	C:\Windows\SysWOW64\NTdhcp.exe	NEAS.1806e4c68214f50122564570b071efa0_JC.exe
File opened for modification	C:\Windows\SysWOW64\NTdhcp.exe	NEAS.1806e4c68214f50122564570b071efa0_JC.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Deleteme.bat	NEAS.1806e4c68214f50122564570b071efa0_JC.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 208	1120	NEAS.1806e4c68214f50122564570b071efa0_JC.exe	86
PID 1120 wrote to memory of 208	1120	NEAS.1806e4c68214f50122564570b071efa0_JC.exe	86
PID 1120 wrote to memory of 208	1120	NEAS.1806e4c68214f50122564570b071efa0_JC.exe	86
PID 1120 wrote to memory of 4240	1120	NEAS.1806e4c68214f50122564570b071efa0_JC.exe	87
PID 1120 wrote to memory of 4240	1120	NEAS.1806e4c68214f50122564570b071efa0_JC.exe	87
PID 1120 wrote to memory of 4240	1120	NEAS.1806e4c68214f50122564570b071efa0_JC.exe	87

C:\Users\Admin\AppData\Local\Temp\NEAS.1806e4c68214f50122564570b071efa0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.1806e4c68214f50122564570b071efa0_JC.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Windows\SysWOW64\NTdhcp.exe
  C:\Windows\system32\NTdhcp.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\Deleteme.bat
  2⤵
  PID:4240

C:\Windows\Deleteme.bat

Filesize
200B

MD5
c7eab2f6c4c1e9f81f3331010003a769

SHA1
4e86382952b0331db9404a3c9113fa985bc15f8d

SHA256
35239fe17029ccc601c01de121cbdc4d49d7e99f842498fb9e8500d9527dbdb0

SHA512
1701846a71426e14337daec905986ac526e1681ce493046365d615439551cec976351229641ff0eabd1180c92254dc37110a41d5c77fcfe0e6f7d9ce60ee6ad7

Download Submit
C:\Windows\SysWOW64\NTdhcp.exe

Filesize
27KB

MD5
1806e4c68214f50122564570b071efa0

SHA1
5cb4f1078cd7aa1b58be574afeacd902b8d9514a

SHA256
72c0145ace85c7a134f894b7f081b6d6dfa3a728ccadcb0b41780c7f9484e00c

SHA512
2bcf20d90bce3760df9a397e75ef40c45f5f1ac108cb2c936186442d1d1607c09d5205380720f1038cf20c4ad201285f188ed94187c3ba3631ab5201cf386d25

Download Submit
C:\Windows\SysWOW64\NTdhcp.exe

Filesize
27KB

MD5
1806e4c68214f50122564570b071efa0

SHA1
5cb4f1078cd7aa1b58be574afeacd902b8d9514a

SHA256
72c0145ace85c7a134f894b7f081b6d6dfa3a728ccadcb0b41780c7f9484e00c

SHA512
2bcf20d90bce3760df9a397e75ef40c45f5f1ac108cb2c936186442d1d1607c09d5205380720f1038cf20c4ad201285f188ed94187c3ba3631ab5201cf386d25

Download Submit
memory/208-6-0x0000000000400000-0x0000000000416200-memory.dmp

Filesize
88KB

Download
memory/1120-0-0x0000000000400000-0x0000000000416200-memory.dmp

Filesize
88KB

Download
memory/1120-9-0x0000000000400000-0x0000000000416200-memory.dmp

Filesize
88KB

Download