58416b176f97c07e7126d53c56c5b039f78adedbc6fb67094855548ee3b8f7ba

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
03/11/2023, 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.d846d479240efa3313bcce9534725190_JC.exe
Size

1.8MB
MD5

d846d479240efa3313bcce9534725190
SHA1

a6b3be5f81edf6e2823a19dac1b6eb882357a174
SHA256

58416b176f97c07e7126d53c56c5b039f78adedbc6fb67094855548ee3b8f7ba
SHA512

236e6e4df70c483a4147729df34efea387c0e810fbbe60c26f79d5900bb6091d1845d0cadb194f594e4214f96a85c59e56671354b0c702fd6d54ebba609be67d
SSDEEP

49152:wWhr59BfJXAE+UJDyWh2Rmwj++kA75EVdZod:wWhrPBfKEneWhumwq/Qq6

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2936	rundll32.exe
2936	rundll32.exe
2936	rundll32.exe
2936	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 2748	1456	NEAS.d846d479240efa3313bcce9534725190_JC.exe	28
PID 1456 wrote to memory of 2748	1456	NEAS.d846d479240efa3313bcce9534725190_JC.exe	28
PID 1456 wrote to memory of 2748	1456	NEAS.d846d479240efa3313bcce9534725190_JC.exe	28
PID 1456 wrote to memory of 2748	1456	NEAS.d846d479240efa3313bcce9534725190_JC.exe	28
PID 2748 wrote to memory of 2760	2748	control.exe	29
PID 2748 wrote to memory of 2760	2748	control.exe	29
PID 2748 wrote to memory of 2760	2748	control.exe	29
PID 2748 wrote to memory of 2760	2748	control.exe	29
PID 2748 wrote to memory of 2760	2748	control.exe	29
PID 2748 wrote to memory of 2760	2748	control.exe	29
PID 2748 wrote to memory of 2760	2748	control.exe	29
PID 2760 wrote to memory of 2536	2760	rundll32.exe	30
PID 2760 wrote to memory of 2536	2760	rundll32.exe	30
PID 2760 wrote to memory of 2536	2760	rundll32.exe	30
PID 2760 wrote to memory of 2536	2760	rundll32.exe	30
PID 2536 wrote to memory of 2936	2536	RunDll32.exe	31
PID 2536 wrote to memory of 2936	2536	RunDll32.exe	31
PID 2536 wrote to memory of 2936	2536	RunDll32.exe	31
PID 2536 wrote to memory of 2936	2536	RunDll32.exe	31
PID 2536 wrote to memory of 2936	2536	RunDll32.exe	31
PID 2536 wrote to memory of 2936	2536	RunDll32.exe	31
PID 2536 wrote to memory of 2936	2536	RunDll32.exe	31

C:\Users\Admin\AppData\Local\Temp\NEAS.d846d479240efa3313bcce9534725190_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.d846d479240efa3313bcce9534725190_JC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\qB4Q22K0.CPL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\qB4Q22K0.CPL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\qB4Q22K0.CPL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2536
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\qB4Q22K0.CPL",
        5⤵
        Loads dropped DLL
        
        PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\qB4Q22K0.CPL

Filesize
1.4MB

MD5
60f22c16c679a8d488de57bd63b90962

SHA1
c066dd0969a5490ec30d2849abb8424cacc4ea6d

SHA256
fff463d5766db8cd0443b6fc0b0ae4b55e39727110ac40dc640cfcb35d5be4c0

SHA512
fecb2da87dda5730ce64b475b901f1d4b361f1c857b57792c02a53ad05b520cdd895d17bcc0ef2f7cd378774dde67cbf09bf1a70de6985c938e7135ddb262e4b

Download Submit
\Users\Admin\AppData\Local\Temp\qB4q22K0.cpl

Filesize
1.4MB

MD5
60f22c16c679a8d488de57bd63b90962

SHA1
c066dd0969a5490ec30d2849abb8424cacc4ea6d

SHA256
fff463d5766db8cd0443b6fc0b0ae4b55e39727110ac40dc640cfcb35d5be4c0

SHA512
fecb2da87dda5730ce64b475b901f1d4b361f1c857b57792c02a53ad05b520cdd895d17bcc0ef2f7cd378774dde67cbf09bf1a70de6985c938e7135ddb262e4b

Download Submit
\Users\Admin\AppData\Local\Temp\qB4q22K0.cpl

Filesize
1.4MB

MD5
60f22c16c679a8d488de57bd63b90962

SHA1
c066dd0969a5490ec30d2849abb8424cacc4ea6d

SHA256
fff463d5766db8cd0443b6fc0b0ae4b55e39727110ac40dc640cfcb35d5be4c0

SHA512
fecb2da87dda5730ce64b475b901f1d4b361f1c857b57792c02a53ad05b520cdd895d17bcc0ef2f7cd378774dde67cbf09bf1a70de6985c938e7135ddb262e4b

Download Submit
\Users\Admin\AppData\Local\Temp\qB4q22K0.cpl

Filesize
1.4MB

MD5
60f22c16c679a8d488de57bd63b90962

SHA1
c066dd0969a5490ec30d2849abb8424cacc4ea6d

SHA256
fff463d5766db8cd0443b6fc0b0ae4b55e39727110ac40dc640cfcb35d5be4c0

SHA512
fecb2da87dda5730ce64b475b901f1d4b361f1c857b57792c02a53ad05b520cdd895d17bcc0ef2f7cd378774dde67cbf09bf1a70de6985c938e7135ddb262e4b

Download Submit
\Users\Admin\AppData\Local\Temp\qB4q22K0.cpl

Filesize
1.4MB

MD5
60f22c16c679a8d488de57bd63b90962

SHA1
c066dd0969a5490ec30d2849abb8424cacc4ea6d

SHA256
fff463d5766db8cd0443b6fc0b0ae4b55e39727110ac40dc640cfcb35d5be4c0

SHA512
fecb2da87dda5730ce64b475b901f1d4b361f1c857b57792c02a53ad05b520cdd895d17bcc0ef2f7cd378774dde67cbf09bf1a70de6985c938e7135ddb262e4b

Download Submit
\Users\Admin\AppData\Local\Temp\qB4q22K0.cpl

Filesize
1.4MB

MD5
60f22c16c679a8d488de57bd63b90962

SHA1
c066dd0969a5490ec30d2849abb8424cacc4ea6d

SHA256
fff463d5766db8cd0443b6fc0b0ae4b55e39727110ac40dc640cfcb35d5be4c0

SHA512
fecb2da87dda5730ce64b475b901f1d4b361f1c857b57792c02a53ad05b520cdd895d17bcc0ef2f7cd378774dde67cbf09bf1a70de6985c938e7135ddb262e4b

Download Submit
\Users\Admin\AppData\Local\Temp\qB4q22K0.cpl

Filesize
1.4MB

MD5
60f22c16c679a8d488de57bd63b90962

SHA1
c066dd0969a5490ec30d2849abb8424cacc4ea6d

SHA256
fff463d5766db8cd0443b6fc0b0ae4b55e39727110ac40dc640cfcb35d5be4c0

SHA512
fecb2da87dda5730ce64b475b901f1d4b361f1c857b57792c02a53ad05b520cdd895d17bcc0ef2f7cd378774dde67cbf09bf1a70de6985c938e7135ddb262e4b

Download Submit
\Users\Admin\AppData\Local\Temp\qB4q22K0.cpl

Filesize
1.4MB

MD5
60f22c16c679a8d488de57bd63b90962

SHA1
c066dd0969a5490ec30d2849abb8424cacc4ea6d

SHA256
fff463d5766db8cd0443b6fc0b0ae4b55e39727110ac40dc640cfcb35d5be4c0

SHA512
fecb2da87dda5730ce64b475b901f1d4b361f1c857b57792c02a53ad05b520cdd895d17bcc0ef2f7cd378774dde67cbf09bf1a70de6985c938e7135ddb262e4b

Download Submit
\Users\Admin\AppData\Local\Temp\qB4q22K0.cpl

Filesize
1.4MB

MD5
60f22c16c679a8d488de57bd63b90962

SHA1
c066dd0969a5490ec30d2849abb8424cacc4ea6d

SHA256
fff463d5766db8cd0443b6fc0b0ae4b55e39727110ac40dc640cfcb35d5be4c0

SHA512
fecb2da87dda5730ce64b475b901f1d4b361f1c857b57792c02a53ad05b520cdd895d17bcc0ef2f7cd378774dde67cbf09bf1a70de6985c938e7135ddb262e4b

Download Submit
memory/2760-8-0x0000000002230000-0x000000000238F000-memory.dmp

Filesize
1.4MB

Download
memory/2760-16-0x00000000027E0000-0x00000000028C1000-memory.dmp

Filesize
900KB

Download
memory/2760-17-0x00000000027E0000-0x00000000028C1000-memory.dmp

Filesize
900KB

Download
memory/2760-13-0x00000000027E0000-0x00000000028C1000-memory.dmp

Filesize
900KB

Download
memory/2760-12-0x00000000026E0000-0x00000000027DA000-memory.dmp

Filesize
1000KB

Download
memory/2760-9-0x0000000002230000-0x000000000238F000-memory.dmp

Filesize
1.4MB

Download
memory/2760-10-0x0000000000180000-0x0000000000186000-memory.dmp

Filesize
24KB

Download
memory/2936-22-0x0000000000960000-0x0000000000ABF000-memory.dmp

Filesize
1.4MB

Download
memory/2936-24-0x0000000000960000-0x0000000000ABF000-memory.dmp

Filesize
1.4MB

Download
memory/2936-23-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/2936-26-0x0000000002720000-0x000000000281A000-memory.dmp

Filesize
1000KB

Download
memory/2936-27-0x0000000002820000-0x0000000002901000-memory.dmp

Filesize
900KB

Download
memory/2936-30-0x0000000002820000-0x0000000002901000-memory.dmp

Filesize
900KB

Download
memory/2936-31-0x0000000002820000-0x0000000002901000-memory.dmp

Filesize
900KB

Download