70d054077c0d135a6defe2057eceb128e4a8695bf9b4859b1bfe5cb3848c48bc

Analysis

max time kernel
140s
max time network
120s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
02/11/2023, 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.9c969b703e8be6583a90373ebc35a730.exe
Size

835KB
MD5

9c969b703e8be6583a90373ebc35a730
SHA1

294f7c67ebf0f63981de249d2808b26ad9c9933d
SHA256

70d054077c0d135a6defe2057eceb128e4a8695bf9b4859b1bfe5cb3848c48bc
SHA512

4079eaf7341d9b2d803ae312f177f2e96471a9d6003fb522b19ac8f561a833be7a743c6942cdedb52b252062c1c7ada3882d6144ffce91fcf8a857f618d89911
SSDEEP

24576:j9E4EJqf8oYP7d3BFMukWMG+gcXh6dvrBV1gerPxHxmbuio8Tk3Qy0HyNtK35KO:jGJSdTG+g+h6dvrBV1gerPxHxmbuio8r

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2768	u.dll
2836	u.dll
1288	mpress.exe

Loads dropped DLL 6 IoCs

pid	Process
2620	cmd.exe
2620	cmd.exe
2620	cmd.exe
2620	cmd.exe
2836	u.dll
2836	u.dll

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 2620	1368	NEAS.9c969b703e8be6583a90373ebc35a730.exe	29
PID 1368 wrote to memory of 2620	1368	NEAS.9c969b703e8be6583a90373ebc35a730.exe	29
PID 1368 wrote to memory of 2620	1368	NEAS.9c969b703e8be6583a90373ebc35a730.exe	29
PID 1368 wrote to memory of 2620	1368	NEAS.9c969b703e8be6583a90373ebc35a730.exe	29
PID 2620 wrote to memory of 2768	2620	cmd.exe	30
PID 2620 wrote to memory of 2768	2620	cmd.exe	30
PID 2620 wrote to memory of 2768	2620	cmd.exe	30
PID 2620 wrote to memory of 2768	2620	cmd.exe	30
PID 2620 wrote to memory of 2836	2620	cmd.exe	31
PID 2620 wrote to memory of 2836	2620	cmd.exe	31
PID 2620 wrote to memory of 2836	2620	cmd.exe	31
PID 2620 wrote to memory of 2836	2620	cmd.exe	31
PID 2836 wrote to memory of 1288	2836	u.dll	32
PID 2836 wrote to memory of 1288	2836	u.dll	32
PID 2836 wrote to memory of 1288	2836	u.dll	32
PID 2836 wrote to memory of 1288	2836	u.dll	32
PID 2620 wrote to memory of 2340	2620	cmd.exe	33
PID 2620 wrote to memory of 2340	2620	cmd.exe	33
PID 2620 wrote to memory of 2340	2620	cmd.exe	33
PID 2620 wrote to memory of 2340	2620	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\NEAS.9c969b703e8be6583a90373ebc35a730.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.9c969b703e8be6583a90373ebc35a730.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\3CE1.tmp\vir.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save NEAS.9c969b703e8be6583a90373ebc35a730.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    PID:2768
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save ose00000.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Users\Admin\AppData\Local\Temp\5763.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\5763.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe5764.tmp"
      4⤵
      Executes dropped EXE
      PID:1288
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    PID:2340

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3CE1.tmp\vir.bat

Filesize
1KB

MD5
5b67551aa53d151ffcd4ee22baf27a95

SHA1
775e6e499cf66590b245e6a01b12d28562cd6a8a

SHA256
5cf6acc9977aefc383c59350e12f8b996e62c8c8ba357bf0897b7a76c7048648

SHA512
fc421c0d3ff21bf18235c1a34338d146b4dfae4479b60e63c73044ab859511e266d237f0ae443b1808a43aac90aa232c6fb4a8cad2bb3d0017974fe2be923649

Download Submit
C:\Users\Admin\AppData\Local\Temp\3CE1.tmp\vir.bat

Filesize
1KB

MD5
5b67551aa53d151ffcd4ee22baf27a95

SHA1
775e6e499cf66590b245e6a01b12d28562cd6a8a

SHA256
5cf6acc9977aefc383c59350e12f8b996e62c8c8ba357bf0897b7a76c7048648

SHA512
fc421c0d3ff21bf18235c1a34338d146b4dfae4479b60e63c73044ab859511e266d237f0ae443b1808a43aac90aa232c6fb4a8cad2bb3d0017974fe2be923649

Download Submit
C:\Users\Admin\AppData\Local\Temp\5763.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5763.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe5764.tmp

Filesize
41KB

MD5
4d1c4e637e66e3aee050194ee149b1ae

SHA1
542aab9bf825e8cbb8afc946b8fe555ea402a413

SHA256
ba3591ba0a42bd2556af093af3beb685383b239570a459d00ad9ff0747851e25

SHA512
801010a3a79285d26a7ecd84928b7e24de7adab6ad67d2d2ebc81a5639a6b9ea9f0f5cb087e1dfbda5a9cfa031bc2f1798f18d688a7cfc600cb9cde670862011

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe5764.tmp

Filesize
743KB

MD5
6cbf55fd1214e197064ac575097a41da

SHA1
9bf0fcb871a0931035381297eaefa5144cc069f5

SHA256
801476e1664e3a6f3577efa2cf12251905992282678383bdcb07f2e4d7384313

SHA512
c231261c6d956f2ab2e3c635ab6f18c60ed7721e30b65b9247df203645f7260a18f01da78afbaa1f12b184139c3a62feba6c2862678bad61b489325f4e725453

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe5764.tmp

Filesize
743KB

MD5
6cbf55fd1214e197064ac575097a41da

SHA1
9bf0fcb871a0931035381297eaefa5144cc069f5

SHA256
801476e1664e3a6f3577efa2cf12251905992282678383bdcb07f2e4d7384313

SHA512
c231261c6d956f2ab2e3c635ab6f18c60ed7721e30b65b9247df203645f7260a18f01da78afbaa1f12b184139c3a62feba6c2862678bad61b489325f4e725453

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe5764.tmp

Filesize
208KB

MD5
b9de4614449cb4a4df0a048bc4ed1d26

SHA1
9ed256b23de0049106727a9d4a0b9df18c76fcbf

SHA256
826dc8a29742b39139afa1bc83c733809d615b7bb4f38dcc56416ace220c1e2d

SHA512
15bdb1f2a693cb89821cd3529c61b85311d0edf5ab87e20eeca0be026b2cb808b031f49b82017ba426b6858e977bd97d61903dd6f4d0c982a9785859ebf41365

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
e52e1dacca253a95205caebdf9ba61be

SHA1
89b934078b0ebb6045bcc17eee3395fc3af688ca

SHA256
bc6123009aa8bb34968892ccdd73ef4470aea0651056a9c81e10c60185b81621

SHA512
98cc05f9a24eb88d6c3be905c7870db5bc4d2b36c7a62abde8b2a4e3f2066bd715173c5b17d7066b8db049d6adba0a0b7a2214d3eb54a89ce5e1e97f6afcd4c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
e52e1dacca253a95205caebdf9ba61be

SHA1
89b934078b0ebb6045bcc17eee3395fc3af688ca

SHA256
bc6123009aa8bb34968892ccdd73ef4470aea0651056a9c81e10c60185b81621

SHA512
98cc05f9a24eb88d6c3be905c7870db5bc4d2b36c7a62abde8b2a4e3f2066bd715173c5b17d7066b8db049d6adba0a0b7a2214d3eb54a89ce5e1e97f6afcd4c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
e52e1dacca253a95205caebdf9ba61be

SHA1
89b934078b0ebb6045bcc17eee3395fc3af688ca

SHA256
bc6123009aa8bb34968892ccdd73ef4470aea0651056a9c81e10c60185b81621

SHA512
98cc05f9a24eb88d6c3be905c7870db5bc4d2b36c7a62abde8b2a4e3f2066bd715173c5b17d7066b8db049d6adba0a0b7a2214d3eb54a89ce5e1e97f6afcd4c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
e52e1dacca253a95205caebdf9ba61be

SHA1
89b934078b0ebb6045bcc17eee3395fc3af688ca

SHA256
bc6123009aa8bb34968892ccdd73ef4470aea0651056a9c81e10c60185b81621

SHA512
98cc05f9a24eb88d6c3be905c7870db5bc4d2b36c7a62abde8b2a4e3f2066bd715173c5b17d7066b8db049d6adba0a0b7a2214d3eb54a89ce5e1e97f6afcd4c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
4a450bd55be8889acbcc79be2ad73117

SHA1
204bea325054390ef1571a5eaa6756e4e84f6e7d

SHA256
f0554727f795e0d3d234a57db8e0ecc075e589968f0ce8a98800e12eac1f6cd6

SHA512
c1451d465c1b76f36ad3ec3cb51f5e313a226f536814abba9e6ea681d896c42ccce4fd95f495d6c0c229fe02aed6b9858ddef2e20d327a93ce71e2495b91c5ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
b77ea6f5416ada40a9c320f63020dbdc

SHA1
12433ba4d1efafa74f037aab9b3d1d25942ed2bc

SHA256
bc9606ebb167d7ff56bdada39e351845791f2caa15f912ca433eae8ed066676f

SHA512
a9ea6d1a6f2c7c25f7c022decb150575dc0d725ef083691d9903043ca31e814fef1711467637a26ad2c51b28514c2753414957630f4eb04eef92d02c2b93a30b

Download Submit
\Users\Admin\AppData\Local\Temp\5763.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
\Users\Admin\AppData\Local\Temp\5763.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
e52e1dacca253a95205caebdf9ba61be

SHA1
89b934078b0ebb6045bcc17eee3395fc3af688ca

SHA256
bc6123009aa8bb34968892ccdd73ef4470aea0651056a9c81e10c60185b81621

SHA512
98cc05f9a24eb88d6c3be905c7870db5bc4d2b36c7a62abde8b2a4e3f2066bd715173c5b17d7066b8db049d6adba0a0b7a2214d3eb54a89ce5e1e97f6afcd4c0

Download Submit
\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
e52e1dacca253a95205caebdf9ba61be

SHA1
89b934078b0ebb6045bcc17eee3395fc3af688ca

SHA256
bc6123009aa8bb34968892ccdd73ef4470aea0651056a9c81e10c60185b81621

SHA512
98cc05f9a24eb88d6c3be905c7870db5bc4d2b36c7a62abde8b2a4e3f2066bd715173c5b17d7066b8db049d6adba0a0b7a2214d3eb54a89ce5e1e97f6afcd4c0

Download Submit
\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
e52e1dacca253a95205caebdf9ba61be

SHA1
89b934078b0ebb6045bcc17eee3395fc3af688ca

SHA256
bc6123009aa8bb34968892ccdd73ef4470aea0651056a9c81e10c60185b81621

SHA512
98cc05f9a24eb88d6c3be905c7870db5bc4d2b36c7a62abde8b2a4e3f2066bd715173c5b17d7066b8db049d6adba0a0b7a2214d3eb54a89ce5e1e97f6afcd4c0

Download Submit
\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
e52e1dacca253a95205caebdf9ba61be

SHA1
89b934078b0ebb6045bcc17eee3395fc3af688ca

SHA256
bc6123009aa8bb34968892ccdd73ef4470aea0651056a9c81e10c60185b81621

SHA512
98cc05f9a24eb88d6c3be905c7870db5bc4d2b36c7a62abde8b2a4e3f2066bd715173c5b17d7066b8db049d6adba0a0b7a2214d3eb54a89ce5e1e97f6afcd4c0

Download Submit
memory/1288-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1368-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1368-109-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2836-87-0x0000000000310000-0x0000000000344000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads