2cd9b4a1a47fd447b8231dbb3841a19f8f100436bb7fd6c2f19271955f84d8af

Analysis

max time kernel
162s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
03/11/2023, 14:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.ce9874fa92f04097cfaf036a7296b2b0_JC.exe
Size

211KB
MD5

ce9874fa92f04097cfaf036a7296b2b0
SHA1

e689171d5781161e03bb4d5171df9833b4aaaea3
SHA256

2cd9b4a1a47fd447b8231dbb3841a19f8f100436bb7fd6c2f19271955f84d8af
SHA512

00361e336460a42893ead6bd5accccb5954c942874c7ce4831d4231781d23bfe381b8aa6af255630af5553d5d13eb565f970060dc6f98ba581bb2c3e795e9829
SSDEEP

3072:Rld1ZdJywGLnn7DKqtIyHaV8qy8uvNrAkjy1oxpWjeDzvj0AuVXgK440:RldDEn3te8QmdAd1qt7ruz4t

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4844	u.dll
1680	mpress.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1116	OpenWith.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3308 wrote to memory of 3000	3308	NEAS.ce9874fa92f04097cfaf036a7296b2b0_JC.exe	95
PID 3308 wrote to memory of 3000	3308	NEAS.ce9874fa92f04097cfaf036a7296b2b0_JC.exe	95
PID 3308 wrote to memory of 3000	3308	NEAS.ce9874fa92f04097cfaf036a7296b2b0_JC.exe	95
PID 3000 wrote to memory of 4844	3000	cmd.exe	96
PID 3000 wrote to memory of 4844	3000	cmd.exe	96
PID 3000 wrote to memory of 4844	3000	cmd.exe	96
PID 4844 wrote to memory of 1680	4844	u.dll	99
PID 4844 wrote to memory of 1680	4844	u.dll	99
PID 4844 wrote to memory of 1680	4844	u.dll	99
PID 3000 wrote to memory of 2292	3000	cmd.exe	100
PID 3000 wrote to memory of 2292	3000	cmd.exe	100
PID 3000 wrote to memory of 2292	3000	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\NEAS.ce9874fa92f04097cfaf036a7296b2b0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.ce9874fa92f04097cfaf036a7296b2b0_JC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3308
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AEB9.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save NEAS.ce9874fa92f04097cfaf036a7296b2b0_JC.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4844
  - - C:\Users\Admin\AppData\Local\Temp\C290.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\C290.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exeC291.tmp"
      4⤵
      Executes dropped EXE
      PID:1680
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:2292

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1116

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AEB9.tmp\vir.bat

Filesize
1KB

MD5
c403f7523d417c4a1a9fc6ed447f586f

SHA1
a6d73aae606441550bfd425abfe06944d040bb83

SHA256
c0501db8959aaf032651e54256faf9b3dc44dfb68e9969b8673319b256c16733

SHA512
280993ebe285fdc7a00b0f33cfa34cb62d11f8e895c486f60be2596d231c2eab7c439a6409c668089ceb1252ad8005d0e65d5c14cd6e901f0bc5862f215cab1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\C290.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\C290.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exeC291.tmp

Filesize
41KB

MD5
77a06c5c46840d106a0d18b6d840abba

SHA1
3649530ef070f8cdd754cc989d920a839da003c2

SHA256
08d65f74d742d02e9396ef5f7c4e95cf10edbfbf93db9bc61231729577f08156

SHA512
fea5fffc72d47bf49e8009678fb550e9677b121f39da5512dc896325fdd8e75616017579486f61ff403042caf0700e43ce7ad6361cc883dbfb46481dda04bd3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\exeC291.tmp

Filesize
41KB

MD5
87ce7e017b18ad56b0e5802c5c09ba30

SHA1
d6a716c490baa6aef22304a4677b5bd81d6faeb3

SHA256
dbe5b8b0115a957ded825052758aa669bece52c952e10554b32a4c26aa95a64c

SHA512
e0a29cdc6df0b2bbf2eb6c56dbffd509151d3ace79477c7871342d3a9a768aa5ed77aa97fb17d4f4a2677484629c4bc85f9d7769bde3e1b1e475047f693d667b

Download Submit
C:\Users\Admin\AppData\Local\Temp\exeC291.tmp

Filesize
24KB

MD5
2ca3eaf07db2330f8143ff85d0039b4a

SHA1
93be118e4a55246ea4299fcbac597a92e864bcf5

SHA256
70f99ad5b5b74ea5326011690bdf3595da14b2f7d424df1d1fc20ae9c03717d4

SHA512
82fb77608bb8f00888b774f1c65370b9767139a25b44a8e72f05743572b790fc2d3d97b292c0cf2cf50e76fb61c22a1dac53178cd07b642fce4b4b0e79f419b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\exeC291.tmp

Filesize
41KB

MD5
2962dfcac22070e3da981e1115397938

SHA1
09a2ddd77cc9265c1c9a3a0b3797ea5007e3bd28

SHA256
d47a5a1f144a7b1a0267ec604f18238419a29402b4ef51f1b2165f346ef88951

SHA512
8efe28ee9ba694a2cc010bb61736de3f7bc190c3656f814a700e9992391a174982fa21f16d24ce1c36876e095f1a76569183cee52048ae22102cac621beb422a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mpr2021.tmp

Filesize
24KB

MD5
2ca3eaf07db2330f8143ff85d0039b4a

SHA1
93be118e4a55246ea4299fcbac597a92e864bcf5

SHA256
70f99ad5b5b74ea5326011690bdf3595da14b2f7d424df1d1fc20ae9c03717d4

SHA512
82fb77608bb8f00888b774f1c65370b9767139a25b44a8e72f05743572b790fc2d3d97b292c0cf2cf50e76fb61c22a1dac53178cd07b642fce4b4b0e79f419b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
03e84bf7ea2eba6e881e868ceefe2526

SHA1
09019ed20cf16847a264f5d1840ee0802f1778a6

SHA256
8b16836b18106d0e8fdbb4b26beefee04479fe219a59cc2a186b68db91fcd832

SHA512
32a47a7b4725f2d71573ad855b0a3bc99b3fa86d70f7b1b60456361bbcd03d37ea58f2b7092c0b6993e156db4ddd66b1d544363523f580a6dd8c055697ec2026

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
03e84bf7ea2eba6e881e868ceefe2526

SHA1
09019ed20cf16847a264f5d1840ee0802f1778a6

SHA256
8b16836b18106d0e8fdbb4b26beefee04479fe219a59cc2a186b68db91fcd832

SHA512
32a47a7b4725f2d71573ad855b0a3bc99b3fa86d70f7b1b60456361bbcd03d37ea58f2b7092c0b6993e156db4ddd66b1d544363523f580a6dd8c055697ec2026

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
03e84bf7ea2eba6e881e868ceefe2526

SHA1
09019ed20cf16847a264f5d1840ee0802f1778a6

SHA256
8b16836b18106d0e8fdbb4b26beefee04479fe219a59cc2a186b68db91fcd832

SHA512
32a47a7b4725f2d71573ad855b0a3bc99b3fa86d70f7b1b60456361bbcd03d37ea58f2b7092c0b6993e156db4ddd66b1d544363523f580a6dd8c055697ec2026

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
03e84bf7ea2eba6e881e868ceefe2526

SHA1
09019ed20cf16847a264f5d1840ee0802f1778a6

SHA256
8b16836b18106d0e8fdbb4b26beefee04479fe219a59cc2a186b68db91fcd832

SHA512
32a47a7b4725f2d71573ad855b0a3bc99b3fa86d70f7b1b60456361bbcd03d37ea58f2b7092c0b6993e156db4ddd66b1d544363523f580a6dd8c055697ec2026

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
88c2db825d60fc43431e5eaf098695db

SHA1
4a5c2c9e4171bd1ff54c0615341a46f1b213a452

SHA256
6a3b938ddd0f0e208f75a776f5638a2cd09165ec7f5d88a1d9445611ce036705

SHA512
995ec0e30e2d5fa893baff5d55477f729577e86b20aab1278eb8062e77b36f628e12e6214d881607cece64d7f7f1f99fce418d0b86dd3a2c0b8b60a7fa5238e9

Download Submit
memory/1680-61-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1680-67-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3308-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3308-14-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3308-3-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3308-2-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3308-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads