9f8aa2556d03bb10dc4a245f7b07fbed0fae34d7fa2721369347573cf2df4c19

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2023, 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.41670defae02d98ebf6213d5e0db5d90.exe
Size

349KB
MD5

41670defae02d98ebf6213d5e0db5d90
SHA1

daae369af5b79d56c894ff6e545318fd04399d56
SHA256

9f8aa2556d03bb10dc4a245f7b07fbed0fae34d7fa2721369347573cf2df4c19
SHA512

89dd3a31ff816ae143739cf514da18d975512b7bc28b8ef80d9a8c96e2867a36726eb21901ebeb236145505a524ec235363a93cf4f37d613888b81aa623c4c03
SSDEEP

6144:YlsSFhzuDs14O4VrEv/oOYiWXG2Gkx3D9s+XIoWTG2wZOy/:HUhaD5O4Vgv/rYi5Vkx3DqoWy2wk2

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
5004	u.dll
2300	mpress.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1348	OpenWith.exe
1792	OpenWith.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4876 wrote to memory of 5100	4876	NEAS.41670defae02d98ebf6213d5e0db5d90.exe	92
PID 4876 wrote to memory of 5100	4876	NEAS.41670defae02d98ebf6213d5e0db5d90.exe	92
PID 4876 wrote to memory of 5100	4876	NEAS.41670defae02d98ebf6213d5e0db5d90.exe	92
PID 5100 wrote to memory of 5004	5100	cmd.exe	93
PID 5100 wrote to memory of 5004	5100	cmd.exe	93
PID 5100 wrote to memory of 5004	5100	cmd.exe	93
PID 5004 wrote to memory of 2300	5004	u.dll	94
PID 5004 wrote to memory of 2300	5004	u.dll	94
PID 5004 wrote to memory of 2300	5004	u.dll	94
PID 5100 wrote to memory of 3676	5100	cmd.exe	95
PID 5100 wrote to memory of 3676	5100	cmd.exe	95
PID 5100 wrote to memory of 3676	5100	cmd.exe	95
PID 5100 wrote to memory of 464	5100	cmd.exe	99
PID 5100 wrote to memory of 464	5100	cmd.exe	99
PID 5100 wrote to memory of 464	5100	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\NEAS.41670defae02d98ebf6213d5e0db5d90.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.41670defae02d98ebf6213d5e0db5d90.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9DE.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5100
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save NEAS.41670defae02d98ebf6213d5e0db5d90.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5004
  - - C:\Users\Admin\AppData\Local\Temp\BB3.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\BB3.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exeBB4.tmp"
      4⤵
      Executes dropped EXE
      PID:2300
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:3676
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:464

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1348

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1792

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9DE.tmp\vir.bat

Filesize
1KB

MD5
5d582393268ca4acb0fcc02104dd7f22

SHA1
a6c0abdc09cb462896476e4f78bbd5e451223457

SHA256
25d15b9c92836da024d0eca9513e32a1e802101295b519a999d4965437273788

SHA512
7c832e770adae9d8eb130720398978db6912449c9de23a2221d6a254ebea5027f8a9e80a2d8021b6cfc479b90a6d01dad85ca473fb9046b5026c765ff29f06da

Download Submit
C:\Users\Admin\AppData\Local\Temp\BB3.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\BB3.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exeBB4.tmp

Filesize
41KB

MD5
bac68e690b1c14dba6029b68bf6485e0

SHA1
911ac3beb4e166a4fd3e263787175b257a8a2125

SHA256
45422da2885226ab32d568f8155b68c173675a7a5ca058f1e75feddc5229348d

SHA512
6ab4ded492eb5c594ba5a0da0eb0f6f812b459de500b9111264276e6eadaefd58e470abb2bebd4c044b689dddd08a919a947417f53d246e4547befc859f5d34a

Download Submit
C:\Users\Admin\AppData\Local\Temp\exeBB4.tmp

Filesize
41KB

MD5
bac68e690b1c14dba6029b68bf6485e0

SHA1
911ac3beb4e166a4fd3e263787175b257a8a2125

SHA256
45422da2885226ab32d568f8155b68c173675a7a5ca058f1e75feddc5229348d

SHA512
6ab4ded492eb5c594ba5a0da0eb0f6f812b459de500b9111264276e6eadaefd58e470abb2bebd4c044b689dddd08a919a947417f53d246e4547befc859f5d34a

Download Submit
C:\Users\Admin\AppData\Local\Temp\exeBB4.tmp

Filesize
24KB

MD5
6c8375af56ea9d846bb98f244c2f75ec

SHA1
f39bbe976b325e9864355bca72648fc1b43c4d2e

SHA256
145af7787040412ff1f590420fe90c147d26dc6c3b705121dc3d0da6448c38a7

SHA512
7810c64eae600cfdad4d398db90b5a84cfd8936fa626c644a36fc8cbc98a6b16fb37807d75ab7ecdfeb19d10db8b6f07e69046dc4fc2ad80bcba50dd058d821d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mpr1066.tmp

Filesize
24KB

MD5
6c8375af56ea9d846bb98f244c2f75ec

SHA1
f39bbe976b325e9864355bca72648fc1b43c4d2e

SHA256
145af7787040412ff1f590420fe90c147d26dc6c3b705121dc3d0da6448c38a7

SHA512
7810c64eae600cfdad4d398db90b5a84cfd8936fa626c644a36fc8cbc98a6b16fb37807d75ab7ecdfeb19d10db8b6f07e69046dc4fc2ad80bcba50dd058d821d

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
77ba6153827a203577b5d79c941e801c

SHA1
6deb4bdee67f4fb1a01ffa702e7941220c00f5a0

SHA256
7df73edded92f9b3f8e0639a4acaac72fdee2358eb0325e5cd66b23b44ce9bf7

SHA512
65d6b016a9109dc3358f7952fef0eb520a79a3084cb6da4f30558ebfeaf127f046408366452b178f43fd75d5a077118301326899f0207ed38b96310273824ad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
77ba6153827a203577b5d79c941e801c

SHA1
6deb4bdee67f4fb1a01ffa702e7941220c00f5a0

SHA256
7df73edded92f9b3f8e0639a4acaac72fdee2358eb0325e5cd66b23b44ce9bf7

SHA512
65d6b016a9109dc3358f7952fef0eb520a79a3084cb6da4f30558ebfeaf127f046408366452b178f43fd75d5a077118301326899f0207ed38b96310273824ad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
77ba6153827a203577b5d79c941e801c

SHA1
6deb4bdee67f4fb1a01ffa702e7941220c00f5a0

SHA256
7df73edded92f9b3f8e0639a4acaac72fdee2358eb0325e5cd66b23b44ce9bf7

SHA512
65d6b016a9109dc3358f7952fef0eb520a79a3084cb6da4f30558ebfeaf127f046408366452b178f43fd75d5a077118301326899f0207ed38b96310273824ad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
77ba6153827a203577b5d79c941e801c

SHA1
6deb4bdee67f4fb1a01ffa702e7941220c00f5a0

SHA256
7df73edded92f9b3f8e0639a4acaac72fdee2358eb0325e5cd66b23b44ce9bf7

SHA512
65d6b016a9109dc3358f7952fef0eb520a79a3084cb6da4f30558ebfeaf127f046408366452b178f43fd75d5a077118301326899f0207ed38b96310273824ad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
04e4bb33d2a57579c757e3d48bc17439

SHA1
20dd7b5ffff2763b6b296e34f370da7d995b4ff7

SHA256
40c32e33715422e053e347f047988d4ea4724d77eb4c92687e66cf826ed225c0

SHA512
81512cdeaeea7e43a1f97a1a43e2e9439ae5574db7a54dc4884f7db635756263a8ece33911291ec898ddc0ef6629c2916ac57172ab20c1914131b1bbce97e7ac

Download Submit
memory/2300-59-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2300-66-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4876-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4876-4-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4876-2-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4876-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4876-74-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads