ae69c79c5099bb9a25b7f7a363799c5c96720e3092940f6c75a9a10afbb23159

Analysis

max time kernel
141s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
02/11/2023, 15:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.43da965ea15ef6fa0d40b28e164513d0_JC.exe
Size

209KB
MD5

43da965ea15ef6fa0d40b28e164513d0
SHA1

1e8ccb03b7f10ccafe7147ebd0b6a0d475600615
SHA256

ae69c79c5099bb9a25b7f7a363799c5c96720e3092940f6c75a9a10afbb23159
SHA512

e5a2846d5fa1f327bc8c04f74545fe96c09c3e5b7bdd5e1dd803bed4eb5301bdccd05ce34c642d9e2cbf1fbd315bce381d7816ad4c2191c06a52a430d145c005
SSDEEP

6144:rl0n6au2Q8wVBgii/67cF6ySAUZQkQEt9vQmYTEcj+g19Hih:yn6au2LSBfi/6YFBEQhMVwTEcj+IH

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3312	u.dll
4628	mpress.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4896	OpenWith.exe
3284	OpenWith.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 5012 wrote to memory of 1468	5012	NEAS.43da965ea15ef6fa0d40b28e164513d0_JC.exe	89
PID 5012 wrote to memory of 1468	5012	NEAS.43da965ea15ef6fa0d40b28e164513d0_JC.exe	89
PID 5012 wrote to memory of 1468	5012	NEAS.43da965ea15ef6fa0d40b28e164513d0_JC.exe	89
PID 1468 wrote to memory of 3312	1468	cmd.exe	90
PID 1468 wrote to memory of 3312	1468	cmd.exe	90
PID 1468 wrote to memory of 3312	1468	cmd.exe	90
PID 3312 wrote to memory of 4628	3312	u.dll	93
PID 3312 wrote to memory of 4628	3312	u.dll	93
PID 3312 wrote to memory of 4628	3312	u.dll	93
PID 1468 wrote to memory of 5084	1468	cmd.exe	95
PID 1468 wrote to memory of 5084	1468	cmd.exe	95
PID 1468 wrote to memory of 5084	1468	cmd.exe	95
PID 1468 wrote to memory of 3308	1468	cmd.exe	99
PID 1468 wrote to memory of 3308	1468	cmd.exe	99
PID 1468 wrote to memory of 3308	1468	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\NEAS.43da965ea15ef6fa0d40b28e164513d0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.43da965ea15ef6fa0d40b28e164513d0_JC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7D00.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save NEAS.43da965ea15ef6fa0d40b28e164513d0_JC.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3312
  - - C:\Users\Admin\AppData\Local\Temp\7E38.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\7E38.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe7E39.tmp"
      4⤵
      Executes dropped EXE
      PID:4628
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:5084
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:3308

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4896

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3284

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7D00.tmp\vir.bat

Filesize
1KB

MD5
2cb44500f4b2423c91860d1870864c9d

SHA1
2180514a96eca79c4e7f3e5408b47c3767940b15

SHA256
277b2b8847720d787f1ed64558d290a1760ce3b3e4f0b0858a38663f4bfd7875

SHA512
f93b86ea20d0966995e9aacbb5d6b2f82542688c6a87b1fff516c9d98f79adaf09a3cd0cae9d69d39c98d5eea073fa51b02be66172959ce0694b5c5b435f2110

Download Submit
C:\Users\Admin\AppData\Local\Temp\7E38.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7E38.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe7E39.tmp

Filesize
41KB

MD5
7aa367dca7be65e07b16bd69f06263e3

SHA1
d447739251408f8e8490a9d307927bfbe41737ce

SHA256
738bf50547320b0683af727ad6d430f2e7b83c846fe24f91527b7ee263bfa076

SHA512
d7884589d7d12a628c9e07b77b3b793fa91f67fe13563e7b072ca864e053e6b7d711852e30ae1c877576b8ad47f67d2826e8ee711e6b65a329baa57492fe31b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe7E39.tmp

Filesize
741KB

MD5
fede3b152faf828326a1966a63d0ce68

SHA1
03673b268f912613e6de2dcebd79efa4cd9b9915

SHA256
9945f0e7e578397ab4addf6e01fde79c2983e20c01120477a59d932c6866aefd

SHA512
b1f253bb479c81644182ff1854e8bed70616d8824464c2d60b3000791b84afb0fa5be1128d4369cb8540680fcd71bbb4554d8c67336383d0504e8dda6b5487b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe7E39.tmp

Filesize
741KB

MD5
fede3b152faf828326a1966a63d0ce68

SHA1
03673b268f912613e6de2dcebd79efa4cd9b9915

SHA256
9945f0e7e578397ab4addf6e01fde79c2983e20c01120477a59d932c6866aefd

SHA512
b1f253bb479c81644182ff1854e8bed70616d8824464c2d60b3000791b84afb0fa5be1128d4369cb8540680fcd71bbb4554d8c67336383d0504e8dda6b5487b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe7E39.tmp

Filesize
207KB

MD5
5c8f9a1066119dccaf7e3a3aadb31b34

SHA1
a284592f9d878c5ec3b524d4630074b7d72c42f3

SHA256
55053a5a17c83669902250dd3d0299dd83bdc2b28460eb0d7c0da2378dd11828

SHA512
ac0b13ceeb82ed55cfe20e63149b7bfd70f7b91b3672b37fd10838ffb8b0a6e10d249bea0cb6949d7d3a13827b71e2d52c7ad4ce9ce855365091780391027da0

Download Submit
C:\Users\Admin\AppData\Local\Temp\mpr806B.tmp

Filesize
207KB

MD5
5c8f9a1066119dccaf7e3a3aadb31b34

SHA1
a284592f9d878c5ec3b524d4630074b7d72c42f3

SHA256
55053a5a17c83669902250dd3d0299dd83bdc2b28460eb0d7c0da2378dd11828

SHA512
ac0b13ceeb82ed55cfe20e63149b7bfd70f7b91b3672b37fd10838ffb8b0a6e10d249bea0cb6949d7d3a13827b71e2d52c7ad4ce9ce855365091780391027da0

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
3c9568b0d86a865f9f73d9c0967cfdad

SHA1
3270df3e0e600f4df2c3cbc384837693a8a3a83e

SHA256
c7b97a001b39e17382e929aad924555f3d21886b86aed38cffd660490801d1d6

SHA512
bd423d1d57823b1bf6db42aeec199aa93178a9317ead85b42b60e091aaf4f73ce721bc07fda4750e112c4dccb9d87e21d5793965da9d6e92b0c5bed92c26876f

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
3c9568b0d86a865f9f73d9c0967cfdad

SHA1
3270df3e0e600f4df2c3cbc384837693a8a3a83e

SHA256
c7b97a001b39e17382e929aad924555f3d21886b86aed38cffd660490801d1d6

SHA512
bd423d1d57823b1bf6db42aeec199aa93178a9317ead85b42b60e091aaf4f73ce721bc07fda4750e112c4dccb9d87e21d5793965da9d6e92b0c5bed92c26876f

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
3c9568b0d86a865f9f73d9c0967cfdad

SHA1
3270df3e0e600f4df2c3cbc384837693a8a3a83e

SHA256
c7b97a001b39e17382e929aad924555f3d21886b86aed38cffd660490801d1d6

SHA512
bd423d1d57823b1bf6db42aeec199aa93178a9317ead85b42b60e091aaf4f73ce721bc07fda4750e112c4dccb9d87e21d5793965da9d6e92b0c5bed92c26876f

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
3c9568b0d86a865f9f73d9c0967cfdad

SHA1
3270df3e0e600f4df2c3cbc384837693a8a3a83e

SHA256
c7b97a001b39e17382e929aad924555f3d21886b86aed38cffd660490801d1d6

SHA512
bd423d1d57823b1bf6db42aeec199aa93178a9317ead85b42b60e091aaf4f73ce721bc07fda4750e112c4dccb9d87e21d5793965da9d6e92b0c5bed92c26876f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
9932c0dee63764b24a6ee9bdb8080d09

SHA1
028ce8e857f32854f77ec9e6c468a185ddcdad0a

SHA256
76047442a2481c20408edc811bd6b1bdeb5bbad5ac1707aa76d949945e49adf7

SHA512
13566c626a85363808f997a11d8e4ad326ef766408ba289aabf2cbe72288370ba7aaff4adae8bf1a2cd64c17c090a785eb1e50b542364ea5ff9f65b4e24715e1

Download Submit
memory/4628-54-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4628-62-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5012-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/5012-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/5012-70-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads