2bbd3c7b0ba9057e0bc76b5188919af1d155baf632adf88bfec7b3ac19b4f7d8

Analysis

max time kernel
146s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
03/11/2023, 06:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.908d0c623ac18f01731c99c048c37000_JC.exe
Size

835KB
MD5

908d0c623ac18f01731c99c048c37000
SHA1

b73f0abad18ff36b4030cf9799fd4dceb0e11c44
SHA256

2bbd3c7b0ba9057e0bc76b5188919af1d155baf632adf88bfec7b3ac19b4f7d8
SHA512

3a3b321b0ebd7714a81d41e46abcedc4741aee4e526081933e38d79f2196102ef8c102360dc86264d85118f799ce496e3bcd74b25b122ba7f20978a01821f0fa
SSDEEP

24576:ATH0N2rP7d3BFMukWMG+gcXh6dvrBV1gerPxHxmbuio8Tk3Qy0HyNtK35KO:ATH0NvTG+g+h6dvrBV1gerPxHxmbuiow

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2148	u.dll
3240	mpress.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4148	OpenWith.exe
1992	OpenWith.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 324 wrote to memory of 1824	324	NEAS.908d0c623ac18f01731c99c048c37000_JC.exe	89
PID 324 wrote to memory of 1824	324	NEAS.908d0c623ac18f01731c99c048c37000_JC.exe	89
PID 324 wrote to memory of 1824	324	NEAS.908d0c623ac18f01731c99c048c37000_JC.exe	89
PID 1824 wrote to memory of 2148	1824	cmd.exe	90
PID 1824 wrote to memory of 2148	1824	cmd.exe	90
PID 1824 wrote to memory of 2148	1824	cmd.exe	90
PID 2148 wrote to memory of 3240	2148	u.dll	93
PID 2148 wrote to memory of 3240	2148	u.dll	93
PID 2148 wrote to memory of 3240	2148	u.dll	93
PID 1824 wrote to memory of 4644	1824	cmd.exe	95
PID 1824 wrote to memory of 4644	1824	cmd.exe	95
PID 1824 wrote to memory of 4644	1824	cmd.exe	95
PID 1824 wrote to memory of 4508	1824	cmd.exe	97
PID 1824 wrote to memory of 4508	1824	cmd.exe	97
PID 1824 wrote to memory of 4508	1824	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\NEAS.908d0c623ac18f01731c99c048c37000_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.908d0c623ac18f01731c99c048c37000_JC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:324
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E678.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save NEAS.908d0c623ac18f01731c99c048c37000_JC.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - C:\Users\Admin\AppData\Local\Temp\E7FE.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\E7FE.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exeE7FF.tmp"
      4⤵
      Executes dropped EXE
      PID:3240
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:4644
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:4508

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4148

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1992

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E678.tmp\vir.bat

Filesize
1KB

MD5
4cda739e4e5471cce9d2917c7e3050df

SHA1
b7ddd7914b9e26a61abcd21632d675b67a18f195

SHA256
bfdbdb295b5977eaa1be7c30c15c3dee0e8a1fb3c503b9c954c504a9a7f91b32

SHA512
ba5f2b44114b1d5120c1102c4d8a89f56f2736dd05540977b72e47f8a5e56396e4be652ca78686b81c3e4b04c2b7afb8e80adbb94d9f916b9c9627f1743c4979

Download Submit
C:\Users\Admin\AppData\Local\Temp\E7FE.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\E7FE.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exeE7FF.tmp

Filesize
41KB

MD5
7aa367dca7be65e07b16bd69f06263e3

SHA1
d447739251408f8e8490a9d307927bfbe41737ce

SHA256
738bf50547320b0683af727ad6d430f2e7b83c846fe24f91527b7ee263bfa076

SHA512
d7884589d7d12a628c9e07b77b3b793fa91f67fe13563e7b072ca864e053e6b7d711852e30ae1c877576b8ad47f67d2826e8ee711e6b65a329baa57492fe31b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\exeE7FF.tmp

Filesize
41KB

MD5
9cc408b90f1f221a465d794185288e90

SHA1
b0a05b513abbd5ba1d780a70e29125052c95d5e4

SHA256
2cd50a509f8b47f13148e6a629e980bc203e57b91f624fb6df79f5d2317d7c7a

SHA512
789b727bf6745321d64b12a4dfe9b050256af98edf7ecf6b46607eb7aba57d0d48de7908cdf1f19aae9bbbb1c327d516aa872cd130f19d64485fec3dfa68f326

Download Submit
C:\Users\Admin\AppData\Local\Temp\exeE7FF.tmp

Filesize
24KB

MD5
6fe6936f4026fc3302041fe94a50f65f

SHA1
ca3f88fb23c9cf78bda96e004866e08ca29cccb6

SHA256
9aa37a9ab8f7f1c1db0e4e0097eed487744deaaff9607386516b9961cf4d744d

SHA512
87c79e3e9af9e6cb2f67cd582e034ed8d5b863323acee872775088bc05157df59e6ed9b7b6f727167064c5b9e7a27a152a5bf1d452dee3b8e4250b2a51c1868f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mprE9E3.tmp

Filesize
24KB

MD5
6fe6936f4026fc3302041fe94a50f65f

SHA1
ca3f88fb23c9cf78bda96e004866e08ca29cccb6

SHA256
9aa37a9ab8f7f1c1db0e4e0097eed487744deaaff9607386516b9961cf4d744d

SHA512
87c79e3e9af9e6cb2f67cd582e034ed8d5b863323acee872775088bc05157df59e6ed9b7b6f727167064c5b9e7a27a152a5bf1d452dee3b8e4250b2a51c1868f

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
3c9568b0d86a865f9f73d9c0967cfdad

SHA1
3270df3e0e600f4df2c3cbc384837693a8a3a83e

SHA256
c7b97a001b39e17382e929aad924555f3d21886b86aed38cffd660490801d1d6

SHA512
bd423d1d57823b1bf6db42aeec199aa93178a9317ead85b42b60e091aaf4f73ce721bc07fda4750e112c4dccb9d87e21d5793965da9d6e92b0c5bed92c26876f

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
3c9568b0d86a865f9f73d9c0967cfdad

SHA1
3270df3e0e600f4df2c3cbc384837693a8a3a83e

SHA256
c7b97a001b39e17382e929aad924555f3d21886b86aed38cffd660490801d1d6

SHA512
bd423d1d57823b1bf6db42aeec199aa93178a9317ead85b42b60e091aaf4f73ce721bc07fda4750e112c4dccb9d87e21d5793965da9d6e92b0c5bed92c26876f

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
3c9568b0d86a865f9f73d9c0967cfdad

SHA1
3270df3e0e600f4df2c3cbc384837693a8a3a83e

SHA256
c7b97a001b39e17382e929aad924555f3d21886b86aed38cffd660490801d1d6

SHA512
bd423d1d57823b1bf6db42aeec199aa93178a9317ead85b42b60e091aaf4f73ce721bc07fda4750e112c4dccb9d87e21d5793965da9d6e92b0c5bed92c26876f

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
3c9568b0d86a865f9f73d9c0967cfdad

SHA1
3270df3e0e600f4df2c3cbc384837693a8a3a83e

SHA256
c7b97a001b39e17382e929aad924555f3d21886b86aed38cffd660490801d1d6

SHA512
bd423d1d57823b1bf6db42aeec199aa93178a9317ead85b42b60e091aaf4f73ce721bc07fda4750e112c4dccb9d87e21d5793965da9d6e92b0c5bed92c26876f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
357fb203ee9ff161dfd16c300a7db0d6

SHA1
fab017bdb4e35fa5b10b41be3829a0ee33f9a301

SHA256
c84493f31c9f1c0b6cbe70fe9fb72c65cad81201d11d5aac4d2d86dceff0796b

SHA512
77818a829e009e2e88e50b10d6c35661b67e34670e066d8240870f88d150202196b58a6eda88a679d528cb2e49b84f9399b574e776b7cff6ed430e7e1b91b7b5

Download Submit
memory/324-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/324-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/324-70-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3240-54-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3240-62-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads