5053e65784539b6771c91b7f5c43b4bccabb38f9bddb9c913aec4af6b5ec5401

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
04-11-2023 23:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.013f5805b0386976d42d95334fa6f5d0_JC.exe
Size

394KB
MD5

013f5805b0386976d42d95334fa6f5d0
SHA1

9125695fb8338de69d6b430ab41f292cbdcdf486
SHA256

5053e65784539b6771c91b7f5c43b4bccabb38f9bddb9c913aec4af6b5ec5401
SHA512

b4e6e5a6915fedf4c19f0d938744b6b47ca5f13b2cb14391b2a6310bb2ce3e817f2848ee184cc839f62a432b6e151bc1ab689a86a0080d7a86cef7ad85e6d67b
SSDEEP

6144:MRAhhJxX7bNIAROzTuaPUD8XRuf0b4mt/R/0DMrRsFp3ZgBpMnNkOtUTioe:UsAAPaPUD18t/R/OgRsTmaNOa

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F4B4F5A-8B9A-11D5-EBA1-F78EEEEEE983}\StubPath = "msvmp32.exe"	NEAS.013f5805b0386976d42d95334fa6f5d0_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F4B4F5A-8B9A-11D5-EBA1-F78EEEEEE983}	NEAS.013f5805b0386976d42d95334fa6f5d0_JC.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*"	NEAS.013f5805b0386976d42d95334fa6f5d0_JC.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe"	NEAS.013f5805b0386976d42d95334fa6f5d0_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe"	NEAS.013f5805b0386976d42d95334fa6f5d0_JC.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\vcl32.exe	NEAS.013f5805b0386976d42d95334fa6f5d0_JC.exe
File opened for modification	C:\Windows\SysWOW64\vcl32.exe	NEAS.013f5805b0386976d42d95334fa6f5d0_JC.exe
File created	C:\Windows\SysWOW64\msvmp32.exe	NEAS.013f5805b0386976d42d95334fa6f5d0_JC.exe
File opened for modification	C:\Windows\SysWOW64\msvmp32.exe	NEAS.013f5805b0386976d42d95334fa6f5d0_JC.exe
File created	C:\Windows\SysWOW64\concp32.exe	NEAS.013f5805b0386976d42d95334fa6f5d0_JC.exe
File opened for modification	C:\Windows\SysWOW64\concp32.exe	NEAS.013f5805b0386976d42d95334fa6f5d0_JC.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
868	4948	WerFault.exe	85

Modifies registry class 5 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2F4B4F5A-8B9A-11D5-EBA1-F78EEEEEE983}\ax = 47b480ac22ca7665c92836d33d2f47b6	NEAS.013f5805b0386976d42d95334fa6f5d0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*"	NEAS.013f5805b0386976d42d95334fa6f5d0_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2F4B4F5A-8B9A-11D5-EBA1-F78EEEEEE983}	NEAS.013f5805b0386976d42d95334fa6f5d0_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2F4B4F5A-8B9A-11D5-EBA1-F78EEEEEE983}\InprocServer32	NEAS.013f5805b0386976d42d95334fa6f5d0_JC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2F4B4F5A-8B9A-11D5-EBA1-F78EEEEEE983}\sm = 01b8ec350471bd332433eee476ebe1f3	NEAS.013f5805b0386976d42d95334fa6f5d0_JC.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4948	NEAS.013f5805b0386976d42d95334fa6f5d0_JC.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.013f5805b0386976d42d95334fa6f5d0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.013f5805b0386976d42d95334fa6f5d0_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4948
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 708
  2⤵
  - Program crash
  PID:868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4948 -ip 4948
1⤵
PID:4876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\concp32.exe

Filesize
403KB

MD5
7c32564c40d7ff3027c7675e4d3e3742

SHA1
3feba14d3fb23b9dd631ab7a4dc3c79d8a73ff25

SHA256
aa4a6e6517de20084e5290c0941a3a84729b71cd80a447c2f9d0441543579635

SHA512
011b1d2eb47a0179345b180bb160376b643c20f01d08d30a2c788db2fe8717a06595948a420ee928c1e6953db1c53b94e801b3a73cc47eb4b37c8e424fab917f

Download Submit
memory/4948-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4948-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download