Analysis
-
max time kernel
151s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
-
submitted
02/11/2023, 11:37
General
-
Target
NEAS.f0a145a4642ccc3aeee7b9020df1a240_JC.exe
-
Size
472KB
-
MD5
f0a145a4642ccc3aeee7b9020df1a240
-
SHA1
964ef862b08cf20889e00554f72aa805bb538181
-
SHA256
edbb0337ed97f309cff42a85b7518a2ed4c550ce9a10e6b3b2b05db4780aff42
-
SHA512
052245a3e810277ed8026ad321865e090ffc0fe59030b4b7f52fabe8b299a7a8299808822593b05db49f893483c54610ac4b1c5d7708e9fcc3b331ae6881a79a
-
SSDEEP
12288:ZT9+40ByvNv54B9f01ZmHByvNv51lZlP5Po53rC1kWNH1yfMN1xCTr3huvca1khy:ZT9+4Lvr4B9f01ZmQvr1vN
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
-
Executes dropped EXE 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
Program crash 1 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.f0a145a4642ccc3aeee7b9020df1a240_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.f0a145a4642ccc3aeee7b9020df1a240_JC.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Dcpmen32.exeC:\Windows\system32\Dcpmen32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ejlbhh32.exeC:\Windows\system32\Ejlbhh32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ejoomhmi.exeC:\Windows\system32\Ejoomhmi.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Efepbi32.exeC:\Windows\system32\Efepbi32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Eblpgjha.exeC:\Windows\system32\Eblpgjha.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Eppqqn32.exeC:\Windows\system32\Eppqqn32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Elgaeolp.exeC:\Windows\system32\Elgaeolp.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Fjhacf32.exeC:\Windows\system32\Fjhacf32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Fmikeaap.exeC:\Windows\system32\Fmikeaap.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Fjmkoeqi.exeC:\Windows\system32\Fjmkoeqi.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Fbhpch32.exeC:\Windows\system32\Fbhpch32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Fbjmhh32.exeC:\Windows\system32\Fbjmhh32.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Fmpqfq32.exeC:\Windows\system32\Fmpqfq32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Gmbmkpie.exeC:\Windows\system32\Gmbmkpie.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Gmdjapgb.exeC:\Windows\system32\Gmdjapgb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Gkhkjd32.exeC:\Windows\system32\Gkhkjd32.exe17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Gdcliikj.exeC:\Windows\system32\Gdcliikj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Hloqml32.exeC:\Windows\system32\Hloqml32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Hkpqkcpd.exeC:\Windows\system32\Hkpqkcpd.exe20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Hdhedh32.exeC:\Windows\system32\Hdhedh32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Hmpjmn32.exeC:\Windows\system32\Hmpjmn32.exe22⤵
- Executes dropped EXE
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\Hcmbee32.exeC:\Windows\system32\Hcmbee32.exe1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Hiiggoaf.exeC:\Windows\system32\Hiiggoaf.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Hgmgqc32.exeC:\Windows\system32\Hgmgqc32.exe3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Icfekc32.exeC:\Windows\system32\Icfekc32.exe4⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Ikpjbq32.exeC:\Windows\system32\Ikpjbq32.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Inqbclob.exeC:\Windows\system32\Inqbclob.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jpaleglc.exeC:\Windows\system32\Jpaleglc.exe7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jcbdgb32.exeC:\Windows\system32\Jcbdgb32.exe8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jklinohd.exeC:\Windows\system32\Jklinohd.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Jddnfd32.exeC:\Windows\system32\Jddnfd32.exe10⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kkpbin32.exeC:\Windows\system32\Kkpbin32.exe11⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kjepjkhf.exeC:\Windows\system32\Kjepjkhf.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kjjiej32.exeC:\Windows\system32\Kjjiej32.exe13⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Lmbhgd32.exeC:\Windows\system32\Lmbhgd32.exe14⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Lggldm32.exeC:\Windows\system32\Lggldm32.exe15⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Mgclpkac.exeC:\Windows\system32\Mgclpkac.exe16⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Malpia32.exeC:\Windows\system32\Malpia32.exe17⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Mmbanbmg.exeC:\Windows\system32\Mmbanbmg.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Nhahaiec.exeC:\Windows\system32\Nhahaiec.exe19⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Nnkpnclp.exeC:\Windows\system32\Nnkpnclp.exe20⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Odhifjkg.exeC:\Windows\system32\Odhifjkg.exe21⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Oeheqm32.exeC:\Windows\system32\Oeheqm32.exe22⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Omcjep32.exeC:\Windows\system32\Omcjep32.exe23⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ohkkhhmh.exeC:\Windows\system32\Ohkkhhmh.exe24⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Oodcdb32.exeC:\Windows\system32\Oodcdb32.exe25⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Olicnfco.exeC:\Windows\system32\Olicnfco.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Peahgl32.exeC:\Windows\system32\Peahgl32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Poimpapp.exeC:\Windows\system32\Poimpapp.exe28⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Phaahggp.exeC:\Windows\system32\Phaahggp.exe29⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ponfka32.exeC:\Windows\system32\Ponfka32.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Phfjcf32.exeC:\Windows\system32\Phfjcf32.exe31⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Pejkmk32.exeC:\Windows\system32\Pejkmk32.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Pldcjeia.exeC:\Windows\system32\Pldcjeia.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Qhkdof32.exeC:\Windows\system32\Qhkdof32.exe34⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Qachgk32.exeC:\Windows\system32\Qachgk32.exe35⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Aogiap32.exeC:\Windows\system32\Aogiap32.exe36⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Addaif32.exeC:\Windows\system32\Addaif32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Aknifq32.exeC:\Windows\system32\Aknifq32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Alnfpcag.exeC:\Windows\system32\Alnfpcag.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Adikdfna.exeC:\Windows\system32\Adikdfna.exe40⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Aonoao32.exeC:\Windows\system32\Aonoao32.exe41⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Aamknj32.exeC:\Windows\system32\Aamknj32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Bnfihkqm.exeC:\Windows\system32\Bnfihkqm.exe43⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Bdpaeehj.exeC:\Windows\system32\Bdpaeehj.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Boeebnhp.exeC:\Windows\system32\Boeebnhp.exe45⤵
-
C:\Windows\SysWOW64\Bdbnjdfg.exeC:\Windows\system32\Bdbnjdfg.exe46⤵
-
C:\Windows\SysWOW64\Bohbhmfm.exeC:\Windows\system32\Bohbhmfm.exe47⤵
-
C:\Windows\SysWOW64\Bllbaa32.exeC:\Windows\system32\Bllbaa32.exe48⤵
-
C:\Windows\SysWOW64\Bedgjgkg.exeC:\Windows\system32\Bedgjgkg.exe49⤵
-
C:\Windows\SysWOW64\Bomkcm32.exeC:\Windows\system32\Bomkcm32.exe50⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Bdickcpo.exeC:\Windows\system32\Bdickcpo.exe51⤵
-
C:\Windows\SysWOW64\Camddhoi.exeC:\Windows\system32\Camddhoi.exe52⤵
-
C:\Windows\SysWOW64\Ckeimm32.exeC:\Windows\system32\Ckeimm32.exe53⤵
-
C:\Windows\SysWOW64\Cocacl32.exeC:\Windows\system32\Cocacl32.exe54⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Cfnjpfcl.exeC:\Windows\system32\Cfnjpfcl.exe55⤵
-
C:\Windows\SysWOW64\Cnindhpg.exeC:\Windows\system32\Cnindhpg.exe56⤵
-
C:\Windows\SysWOW64\Cdbfab32.exeC:\Windows\system32\Cdbfab32.exe57⤵
-
C:\Windows\SysWOW64\Ckmonl32.exeC:\Windows\system32\Ckmonl32.exe58⤵
-
C:\Windows\SysWOW64\Cbfgkffn.exeC:\Windows\system32\Cbfgkffn.exe59⤵
-
C:\Windows\SysWOW64\Dmlkhofd.exeC:\Windows\system32\Dmlkhofd.exe60⤵
-
C:\Windows\SysWOW64\Dnmhpg32.exeC:\Windows\system32\Dnmhpg32.exe61⤵
-
C:\Windows\SysWOW64\Dhclmp32.exeC:\Windows\system32\Dhclmp32.exe62⤵
-
C:\Windows\SysWOW64\Dnpdegjp.exeC:\Windows\system32\Dnpdegjp.exe63⤵
-
C:\Windows\SysWOW64\Ddjmba32.exeC:\Windows\system32\Ddjmba32.exe64⤵
-
C:\Windows\SysWOW64\Dbpjaeoc.exeC:\Windows\system32\Dbpjaeoc.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Dodjjimm.exeC:\Windows\system32\Dodjjimm.exe66⤵
-
C:\Windows\SysWOW64\Eiloco32.exeC:\Windows\system32\Eiloco32.exe67⤵
-
C:\Windows\SysWOW64\Ebdcld32.exeC:\Windows\system32\Ebdcld32.exe68⤵
-
C:\Windows\SysWOW64\Eiokinbk.exeC:\Windows\system32\Eiokinbk.exe69⤵
-
C:\Windows\SysWOW64\Eoideh32.exeC:\Windows\system32\Eoideh32.exe70⤵
-
C:\Windows\SysWOW64\Eeelnp32.exeC:\Windows\system32\Eeelnp32.exe71⤵
-
C:\Windows\SysWOW64\Emmdom32.exeC:\Windows\system32\Emmdom32.exe72⤵
-
C:\Windows\SysWOW64\Ennqfenp.exeC:\Windows\system32\Ennqfenp.exe73⤵
-
C:\Windows\SysWOW64\Eehicoel.exeC:\Windows\system32\Eehicoel.exe74⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Ekaapi32.exeC:\Windows\system32\Ekaapi32.exe75⤵
-
C:\Windows\SysWOW64\Eblimcdf.exeC:\Windows\system32\Eblimcdf.exe76⤵
-
C:\Windows\SysWOW64\Eifaim32.exeC:\Windows\system32\Eifaim32.exe77⤵
-
C:\Windows\SysWOW64\Eppjfgcp.exeC:\Windows\system32\Eppjfgcp.exe78⤵
-
C:\Windows\SysWOW64\Ebnfbcbc.exeC:\Windows\system32\Ebnfbcbc.exe79⤵
-
C:\Windows\SysWOW64\Fmcjpl32.exeC:\Windows\system32\Fmcjpl32.exe80⤵
-
C:\Windows\SysWOW64\Fneggdhg.exeC:\Windows\system32\Fneggdhg.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Feoodn32.exeC:\Windows\system32\Feoodn32.exe82⤵
-
C:\Windows\SysWOW64\Fligqhga.exeC:\Windows\system32\Fligqhga.exe83⤵
-
C:\Windows\SysWOW64\Fbbpmb32.exeC:\Windows\system32\Fbbpmb32.exe84⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Fpgpgfmh.exeC:\Windows\system32\Fpgpgfmh.exe85⤵
-
C:\Windows\SysWOW64\Ffqhcq32.exeC:\Windows\system32\Ffqhcq32.exe86⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Fefedmil.exeC:\Windows\system32\Fefedmil.exe87⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Gfeaopqo.exeC:\Windows\system32\Gfeaopqo.exe88⤵
-
C:\Windows\SysWOW64\Glbjggof.exeC:\Windows\system32\Glbjggof.exe89⤵
-
C:\Windows\SysWOW64\Gnqfcbnj.exeC:\Windows\system32\Gnqfcbnj.exe90⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Gifkpknp.exeC:\Windows\system32\Gifkpknp.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Gbnoiqdq.exeC:\Windows\system32\Gbnoiqdq.exe92⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Hmpcbhji.exeC:\Windows\system32\Hmpcbhji.exe93⤵
-
C:\Windows\SysWOW64\Hfhgkmpj.exeC:\Windows\system32\Hfhgkmpj.exe94⤵
-
C:\Windows\SysWOW64\Hlepcdoa.exeC:\Windows\system32\Hlepcdoa.exe95⤵
-
C:\Windows\SysWOW64\Hpchib32.exeC:\Windows\system32\Hpchib32.exe96⤵
-
C:\Windows\SysWOW64\Ifmqfm32.exeC:\Windows\system32\Ifmqfm32.exe97⤵
-
C:\Windows\SysWOW64\Iliinc32.exeC:\Windows\system32\Iliinc32.exe98⤵
-
C:\Windows\SysWOW64\Imiehfao.exeC:\Windows\system32\Imiehfao.exe99⤵
-
C:\Windows\SysWOW64\Iedjmioj.exeC:\Windows\system32\Iedjmioj.exe100⤵
-
C:\Windows\SysWOW64\Iomoenej.exeC:\Windows\system32\Iomoenej.exe101⤵
-
C:\Windows\SysWOW64\Imnocf32.exeC:\Windows\system32\Imnocf32.exe102⤵
-
C:\Windows\SysWOW64\Igfclkdj.exeC:\Windows\system32\Igfclkdj.exe103⤵
-
C:\Windows\SysWOW64\Jghpbk32.exeC:\Windows\system32\Jghpbk32.exe104⤵
-
C:\Windows\SysWOW64\Jiglnf32.exeC:\Windows\system32\Jiglnf32.exe105⤵
-
C:\Windows\SysWOW64\Jocefm32.exeC:\Windows\system32\Jocefm32.exe106⤵
-
C:\Windows\SysWOW64\Jiiicf32.exeC:\Windows\system32\Jiiicf32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Jepjhg32.exeC:\Windows\system32\Jepjhg32.exe108⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Jljbeali.exeC:\Windows\system32\Jljbeali.exe109⤵
-
C:\Windows\SysWOW64\Jcdjbk32.exeC:\Windows\system32\Jcdjbk32.exe110⤵
-
C:\Windows\SysWOW64\Jinboekc.exeC:\Windows\system32\Jinboekc.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Jllokajf.exeC:\Windows\system32\Jllokajf.exe112⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Kgflcifg.exeC:\Windows\system32\Kgflcifg.exe113⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Klcekpdo.exeC:\Windows\system32\Klcekpdo.exe114⤵
-
C:\Windows\SysWOW64\Koaagkcb.exeC:\Windows\system32\Koaagkcb.exe115⤵
-
C:\Windows\SysWOW64\Kjgeedch.exeC:\Windows\system32\Kjgeedch.exe116⤵
-
C:\Windows\SysWOW64\Kpanan32.exeC:\Windows\system32\Kpanan32.exe117⤵
-
C:\Windows\SysWOW64\Klhnfo32.exeC:\Windows\system32\Klhnfo32.exe118⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Kngkqbgl.exeC:\Windows\system32\Kngkqbgl.exe119⤵
-
C:\Windows\SysWOW64\Loighj32.exeC:\Windows\system32\Loighj32.exe120⤵
-
C:\Windows\SysWOW64\Lgpoihnl.exeC:\Windows\system32\Lgpoihnl.exe121⤵
- Modifies registry class
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-