9c3f3364507de057526a68fe957e15bca4155e5b536e06bfa4d14c2b9c38147e

Analysis

max time kernel
158s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
03/11/2023, 07:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.fc164d5dcd9e8ff613ea4a817df09f00_JC.exe
Size

208KB
MD5

fc164d5dcd9e8ff613ea4a817df09f00
SHA1

da67023657a1e60ffdbce892a85cc46c932b5a43
SHA256

9c3f3364507de057526a68fe957e15bca4155e5b536e06bfa4d14c2b9c38147e
SHA512

e85a3f3bdd1358bedb49790b1e3bc1fc7adb143a994720556acb2b11eccb1a098195afd2b4658fd2ba966e10c3405da93bf60ed606e599271bd2dbf6507b7517
SSDEEP

6144:Zl5wial8dpwZfHStZQitaRqkU9v8VenU:OZtZfHStx6qkU9l

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3000	u.dll
688	mpress.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4360	OpenWith.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 1644	1896	NEAS.fc164d5dcd9e8ff613ea4a817df09f00_JC.exe	92
PID 1896 wrote to memory of 1644	1896	NEAS.fc164d5dcd9e8ff613ea4a817df09f00_JC.exe	92
PID 1896 wrote to memory of 1644	1896	NEAS.fc164d5dcd9e8ff613ea4a817df09f00_JC.exe	92
PID 1644 wrote to memory of 3000	1644	cmd.exe	93
PID 1644 wrote to memory of 3000	1644	cmd.exe	93
PID 1644 wrote to memory of 3000	1644	cmd.exe	93
PID 3000 wrote to memory of 688	3000	u.dll	94
PID 3000 wrote to memory of 688	3000	u.dll	94
PID 3000 wrote to memory of 688	3000	u.dll	94
PID 1644 wrote to memory of 2228	1644	cmd.exe	95
PID 1644 wrote to memory of 2228	1644	cmd.exe	95
PID 1644 wrote to memory of 2228	1644	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\NEAS.fc164d5dcd9e8ff613ea4a817df09f00_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.fc164d5dcd9e8ff613ea4a817df09f00_JC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7191.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save NEAS.fc164d5dcd9e8ff613ea4a817df09f00_JC.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Users\Admin\AppData\Local\Temp\7654.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\7654.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe7655.tmp"
      4⤵
      Executes dropped EXE
      PID:688
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:2228

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4360

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7191.tmp\vir.bat

Filesize
1KB

MD5
8e2d48ed098ebda44f26535071f23595

SHA1
9f3551f2ecf8c357792034df6d1b020d20cfd3a4

SHA256
c45131ab846830b8f13eafdd98c8a8778711cc5da50ea40ac913a508c64ebadc

SHA512
7f5e7f0070594f9206f3b523b3e76b558c81d4b79afdec668a164605c20881c3fe4590fb6b7ec58193118656f7a12fb0c96a881c11839fc546716b92d7bd369a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7654.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7654.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe7655.tmp

Filesize
41KB

MD5
0d7c6987ae20b3ffdfb12ed7b308980a

SHA1
1825c567314cb47598bc6118de46ea915e153be9

SHA256
5b1b6a6df41274434d0228ed9f8599412c9a71ffd03c0c8ca670011f6c87e3c0

SHA512
be3e223b70228918e03c2ec67478f18ab8a4e2fdefb7256087d3366cb96fcae9c83ceafbe820b82229e1b11b090d0933c1b645fc72ed3715e151108ca2dcc94b

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe7655.tmp

Filesize
41KB

MD5
5a73cf0bca6a70a6556b8b9c5f75a146

SHA1
82048833120951d0c313d9efddcee9c6fef5f9ab

SHA256
f827cab419029c468ce90717f40fa0bf4a717194cb7c76408262cf21d3385177

SHA512
5bdcfd190e0be413916bb8972a57f7991c9798427e5a64420997be1ce1c95406049a35e4116e1b7db5fec43c40739505222b3e4265d9310599dabecfbfbf80e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe7655.tmp

Filesize
41KB

MD5
5a73cf0bca6a70a6556b8b9c5f75a146

SHA1
82048833120951d0c313d9efddcee9c6fef5f9ab

SHA256
f827cab419029c468ce90717f40fa0bf4a717194cb7c76408262cf21d3385177

SHA512
5bdcfd190e0be413916bb8972a57f7991c9798427e5a64420997be1ce1c95406049a35e4116e1b7db5fec43c40739505222b3e4265d9310599dabecfbfbf80e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe7655.tmp

Filesize
24KB

MD5
9f9e1d0d42cd5d650c0d9a3f8a067338

SHA1
648209302722fb768a10fcec8fb671924d166aa8

SHA256
70d0c089bd822e72992d59bdeb17616576bc9aeff1ddd605fcdda518cc77dd73

SHA512
6be6fbb2b6b085db17ee22304b0e85d5a4bc5ba62a5b4083834f6f407aedb3a776c33cd4f1bedcbf3eeb50bbc5300d52373a777a7853e9ce56bab89f9aec7ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mpr7E82.tmp

Filesize
24KB

MD5
9f9e1d0d42cd5d650c0d9a3f8a067338

SHA1
648209302722fb768a10fcec8fb671924d166aa8

SHA256
70d0c089bd822e72992d59bdeb17616576bc9aeff1ddd605fcdda518cc77dd73

SHA512
6be6fbb2b6b085db17ee22304b0e85d5a4bc5ba62a5b4083834f6f407aedb3a776c33cd4f1bedcbf3eeb50bbc5300d52373a777a7853e9ce56bab89f9aec7ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
ae87ac1e9b528518386fcce9b8e42476

SHA1
fc85b58e7d83c229845ffdb5c1b94bc876f42d41

SHA256
becb8df39ed6cdd4ba569f649bc3c7edb11587e88ff6b7be7287ccf0030adddc

SHA512
1bd1a706491c541a4f3da109fa6d8a7342a1cbb51954123b58b35851143b55da01180dda9fa16ce6ad1be094c6baa595caef6fd9e6d97f5ab057137ed4643641

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
ae87ac1e9b528518386fcce9b8e42476

SHA1
fc85b58e7d83c229845ffdb5c1b94bc876f42d41

SHA256
becb8df39ed6cdd4ba569f649bc3c7edb11587e88ff6b7be7287ccf0030adddc

SHA512
1bd1a706491c541a4f3da109fa6d8a7342a1cbb51954123b58b35851143b55da01180dda9fa16ce6ad1be094c6baa595caef6fd9e6d97f5ab057137ed4643641

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
ae87ac1e9b528518386fcce9b8e42476

SHA1
fc85b58e7d83c229845ffdb5c1b94bc876f42d41

SHA256
becb8df39ed6cdd4ba569f649bc3c7edb11587e88ff6b7be7287ccf0030adddc

SHA512
1bd1a706491c541a4f3da109fa6d8a7342a1cbb51954123b58b35851143b55da01180dda9fa16ce6ad1be094c6baa595caef6fd9e6d97f5ab057137ed4643641

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
ae87ac1e9b528518386fcce9b8e42476

SHA1
fc85b58e7d83c229845ffdb5c1b94bc876f42d41

SHA256
becb8df39ed6cdd4ba569f649bc3c7edb11587e88ff6b7be7287ccf0030adddc

SHA512
1bd1a706491c541a4f3da109fa6d8a7342a1cbb51954123b58b35851143b55da01180dda9fa16ce6ad1be094c6baa595caef6fd9e6d97f5ab057137ed4643641

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
f67736e9c6cae50a1f7c5a18321340b0

SHA1
bd4533c84c071d7c3e8ac54f597f8dc17c443dcb

SHA256
5914abaf38bf831888c5969c3d3fb0fab4b795daee03b7f4fb4ed1714d791d47

SHA512
782a59b5c8a01eb2b1dec4941f3acfe7a08e6e2f44e40a844321dfab15cca60dfee53ae1299e53e948d2d4bf3f350f19d698f40c74567e41f69db31596638903

Download Submit
memory/688-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/688-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1896-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1896-2-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1896-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1896-71-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads