3ce54555d25c3a73d344b1fad7d64dc9f18869f6aa7e30dbf2190e55595727e7

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
03-11-2023 09:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.e3ecc734391fde7907bc6ededa8025a0.exe
Size

209KB
MD5

e3ecc734391fde7907bc6ededa8025a0
SHA1

a99eb9e9d18a2c372e65636b899e22201bb03371
SHA256

3ce54555d25c3a73d344b1fad7d64dc9f18869f6aa7e30dbf2190e55595727e7
SHA512

ef84764de06c530105d6f2439ce23a3418a8491141cac3b4a3452a3033eb04272f5fc267e68d4cad6746c29860fa65e6727d451324c520415e1393ed61f9bf62
SSDEEP

6144:YlkW2r/aUGkQZYOZTDKVRXnsWx4CWmXI0wk:f1GUGmMaRXnsA4CQ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3128	u.dll
1784	mpress.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4440	OpenWith.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3940 wrote to memory of 4372	3940	NEAS.e3ecc734391fde7907bc6ededa8025a0.exe	88
PID 3940 wrote to memory of 4372	3940	NEAS.e3ecc734391fde7907bc6ededa8025a0.exe	88
PID 3940 wrote to memory of 4372	3940	NEAS.e3ecc734391fde7907bc6ededa8025a0.exe	88
PID 4372 wrote to memory of 3128	4372	cmd.exe	89
PID 4372 wrote to memory of 3128	4372	cmd.exe	89
PID 4372 wrote to memory of 3128	4372	cmd.exe	89
PID 3128 wrote to memory of 1784	3128	u.dll	93
PID 3128 wrote to memory of 1784	3128	u.dll	93
PID 3128 wrote to memory of 1784	3128	u.dll	93
PID 4372 wrote to memory of 2016	4372	cmd.exe	94
PID 4372 wrote to memory of 2016	4372	cmd.exe	94
PID 4372 wrote to memory of 2016	4372	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\NEAS.e3ecc734391fde7907bc6ededa8025a0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.e3ecc734391fde7907bc6ededa8025a0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B381.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save NEAS.e3ecc734391fde7907bc6ededa8025a0.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3128
  - - C:\Users\Admin\AppData\Local\Temp\B508.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\B508.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exeB509.tmp"
      4⤵
      Executes dropped EXE
      PID:1784
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:2016

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4440

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B381.tmp\vir.bat

Filesize
1KB

MD5
f0106d54bbe6508c2934fc6fbe6e4b37

SHA1
d0fd4476d32e991c2dc18a425d36d42bcf0c7a2b

SHA256
c8570f9cb8d6cf393cff3b1f1e4d26df32e10a419ace05623d3d65e40b14cebd

SHA512
fb2b025334eed38cd722e92334b3367b13ddce6868f625a94b2e55385cac78973b4cc00cdd4140ad4c6003091e97014701b433d170fd922df5f27fda9984fc87

Download Submit
C:\Users\Admin\AppData\Local\Temp\B508.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\B508.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exeB509.tmp

Filesize
41KB

MD5
0d7c6987ae20b3ffdfb12ed7b308980a

SHA1
1825c567314cb47598bc6118de46ea915e153be9

SHA256
5b1b6a6df41274434d0228ed9f8599412c9a71ffd03c0c8ca670011f6c87e3c0

SHA512
be3e223b70228918e03c2ec67478f18ab8a4e2fdefb7256087d3366cb96fcae9c83ceafbe820b82229e1b11b090d0933c1b645fc72ed3715e151108ca2dcc94b

Download Submit
C:\Users\Admin\AppData\Local\Temp\exeB509.tmp

Filesize
41KB

MD5
0d7c6987ae20b3ffdfb12ed7b308980a

SHA1
1825c567314cb47598bc6118de46ea915e153be9

SHA256
5b1b6a6df41274434d0228ed9f8599412c9a71ffd03c0c8ca670011f6c87e3c0

SHA512
be3e223b70228918e03c2ec67478f18ab8a4e2fdefb7256087d3366cb96fcae9c83ceafbe820b82229e1b11b090d0933c1b645fc72ed3715e151108ca2dcc94b

Download Submit
C:\Users\Admin\AppData\Local\Temp\exeB509.tmp

Filesize
24KB

MD5
de1461993dacf490e8c70e6852465257

SHA1
27cec37d797927f6fb2630ade602ea54b4e2bf78

SHA256
0ad9c110a2eac087db222fb6dc9d60e9884086823c99ebe9f10e524d780dbcbd

SHA512
9f6013244874b6d0f02b0c1bf83264ba1b1f13b4bca9a36e69e23248c50ca30a67ffe9dfef97cda2934aa380ce82d7a7f70ba49754dcd7dca941536e92815b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mprC67C.tmp

Filesize
24KB

MD5
de1461993dacf490e8c70e6852465257

SHA1
27cec37d797927f6fb2630ade602ea54b4e2bf78

SHA256
0ad9c110a2eac087db222fb6dc9d60e9884086823c99ebe9f10e524d780dbcbd

SHA512
9f6013244874b6d0f02b0c1bf83264ba1b1f13b4bca9a36e69e23248c50ca30a67ffe9dfef97cda2934aa380ce82d7a7f70ba49754dcd7dca941536e92815b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
ae87ac1e9b528518386fcce9b8e42476

SHA1
fc85b58e7d83c229845ffdb5c1b94bc876f42d41

SHA256
becb8df39ed6cdd4ba569f649bc3c7edb11587e88ff6b7be7287ccf0030adddc

SHA512
1bd1a706491c541a4f3da109fa6d8a7342a1cbb51954123b58b35851143b55da01180dda9fa16ce6ad1be094c6baa595caef6fd9e6d97f5ab057137ed4643641

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
ae87ac1e9b528518386fcce9b8e42476

SHA1
fc85b58e7d83c229845ffdb5c1b94bc876f42d41

SHA256
becb8df39ed6cdd4ba569f649bc3c7edb11587e88ff6b7be7287ccf0030adddc

SHA512
1bd1a706491c541a4f3da109fa6d8a7342a1cbb51954123b58b35851143b55da01180dda9fa16ce6ad1be094c6baa595caef6fd9e6d97f5ab057137ed4643641

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
ae87ac1e9b528518386fcce9b8e42476

SHA1
fc85b58e7d83c229845ffdb5c1b94bc876f42d41

SHA256
becb8df39ed6cdd4ba569f649bc3c7edb11587e88ff6b7be7287ccf0030adddc

SHA512
1bd1a706491c541a4f3da109fa6d8a7342a1cbb51954123b58b35851143b55da01180dda9fa16ce6ad1be094c6baa595caef6fd9e6d97f5ab057137ed4643641

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
ae87ac1e9b528518386fcce9b8e42476

SHA1
fc85b58e7d83c229845ffdb5c1b94bc876f42d41

SHA256
becb8df39ed6cdd4ba569f649bc3c7edb11587e88ff6b7be7287ccf0030adddc

SHA512
1bd1a706491c541a4f3da109fa6d8a7342a1cbb51954123b58b35851143b55da01180dda9fa16ce6ad1be094c6baa595caef6fd9e6d97f5ab057137ed4643641

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
395614b187ec52fabff4b4419c9dfc0f

SHA1
6816541e1ef4f51d2ec80a15bd557a74fb56b9e8

SHA256
50a0eb58dd50ee78849a3fe82aaaeba0c98c07eb81c074bbd4b27ba04317f029

SHA512
1775718be58a317c42121862ca547f2a0d50428f5463c7171b42aac574c302156ab7c6e32327981ad41bc66ac4f966c72e0cc2896117c1bd2d20bdf3db2e64e8

Download Submit
memory/1784-58-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1784-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3940-19-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3940-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3940-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads