89aa5e637a8d5807124af1640505a1515e9b41f9d8bd1e3eba043955be8353fb

Analysis

max time kernel
143s
max time network
127s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
04/11/2023, 08:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.5cb284c09e558a41613ecfb1eeaa52d0_JC.exe
Size

210KB
MD5

5cb284c09e558a41613ecfb1eeaa52d0
SHA1

1ebf46ee09b9b176f93bf2d14aca89ab68ebf20b
SHA256

89aa5e637a8d5807124af1640505a1515e9b41f9d8bd1e3eba043955be8353fb
SHA512

e1097854af838009b4dae3d540796b369482b9ff43f01d5222a4f24f90cb33df8ba8826c9dc7d4edced9eb039e8c877bdbbba030d431a020f3ddaeb063bdcb25
SSDEEP

6144:JljIxNJrVSnu78/LTlKh5/ICQ6Sojhvo6mWoj:QJhSnWQCQ6So9QdHj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
484	u.dll
2720	u.dll
2628	mpress.exe

Loads dropped DLL 6 IoCs

pid	Process
1688	cmd.exe
1688	cmd.exe
1688	cmd.exe
1688	cmd.exe
2720	u.dll
2720	u.dll

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 1688	1968	NEAS.5cb284c09e558a41613ecfb1eeaa52d0_JC.exe	29
PID 1968 wrote to memory of 1688	1968	NEAS.5cb284c09e558a41613ecfb1eeaa52d0_JC.exe	29
PID 1968 wrote to memory of 1688	1968	NEAS.5cb284c09e558a41613ecfb1eeaa52d0_JC.exe	29
PID 1968 wrote to memory of 1688	1968	NEAS.5cb284c09e558a41613ecfb1eeaa52d0_JC.exe	29
PID 1688 wrote to memory of 484	1688	cmd.exe	30
PID 1688 wrote to memory of 484	1688	cmd.exe	30
PID 1688 wrote to memory of 484	1688	cmd.exe	30
PID 1688 wrote to memory of 484	1688	cmd.exe	30
PID 1688 wrote to memory of 2720	1688	cmd.exe	31
PID 1688 wrote to memory of 2720	1688	cmd.exe	31
PID 1688 wrote to memory of 2720	1688	cmd.exe	31
PID 1688 wrote to memory of 2720	1688	cmd.exe	31
PID 2720 wrote to memory of 2628	2720	u.dll	32
PID 2720 wrote to memory of 2628	2720	u.dll	32
PID 2720 wrote to memory of 2628	2720	u.dll	32
PID 2720 wrote to memory of 2628	2720	u.dll	32
PID 1688 wrote to memory of 524	1688	cmd.exe	33
PID 1688 wrote to memory of 524	1688	cmd.exe	33
PID 1688 wrote to memory of 524	1688	cmd.exe	33
PID 1688 wrote to memory of 524	1688	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\NEAS.5cb284c09e558a41613ecfb1eeaa52d0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.5cb284c09e558a41613ecfb1eeaa52d0_JC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7224.tmp\vir.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save NEAS.5cb284c09e558a41613ecfb1eeaa52d0_JC.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    PID:484
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save ose00000.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Users\Admin\AppData\Local\Temp\83FF.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\83FF.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe8400.tmp"
      4⤵
      Executes dropped EXE
      PID:2628
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    PID:524

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7224.tmp\vir.bat

Filesize
1KB

MD5
5b000f53b65dce7d504394d5125bf9b1

SHA1
dedb6896533f3763c764cc6a8ae8b98bd9dbd87d

SHA256
4e589850643050375a41553ca33deab80e7f72d1521796f4d3b1ff195b9845d6

SHA512
ca6c1bb30b4f386363b1e03be3da0f91ce3e2f16b558c389da910e564343b7857a596fc6d71eb79b94dea0ec3a947d5136590e9446b0b39bf36db5ba311cef89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7224.tmp\vir.bat

Filesize
1KB

MD5
5b000f53b65dce7d504394d5125bf9b1

SHA1
dedb6896533f3763c764cc6a8ae8b98bd9dbd87d

SHA256
4e589850643050375a41553ca33deab80e7f72d1521796f4d3b1ff195b9845d6

SHA512
ca6c1bb30b4f386363b1e03be3da0f91ce3e2f16b558c389da910e564343b7857a596fc6d71eb79b94dea0ec3a947d5136590e9446b0b39bf36db5ba311cef89

Download Submit
C:\Users\Admin\AppData\Local\Temp\83FF.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\83FF.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe8400.tmp

Filesize
41KB

MD5
bfffa6c36b0aa15510a443a79382ede1

SHA1
af44603bd5cad266d5e1b681691c56a25b603e58

SHA256
54cc6b298d45fffa6b9198fa5d4b5793c6248f887feaed2b928c6c400fb7a22b

SHA512
381efd97ac75a95ec229955d82d6d4fc9019de88ecf7f58e9f550dd4a002d57ce03983dfdb3286782685d15740388e2d0bd6de50753a0b224dae10b0ebcda486

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe8400.tmp

Filesize
25KB

MD5
8d308637cf8cb4e76f91b18e06a81ada

SHA1
a1710293fb17884b55d87e83aa4ced3af81eca55

SHA256
eb198a36b4f250d2ef8b44235960e4b1618dd60b49e93c1d2c42f090b587f661

SHA512
9d3869032c8371169824a1417c53a3a4d57d714871f3dc356dc78317c4b78b151b248b235f6057431f510e143c90c2d0c977285709b2feb803681e9be9fbcc75

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe8400.tmp

Filesize
41KB

MD5
7b1d4881dc73906ac31bf9d7865df73d

SHA1
a6f1239420a24da767551259556ca3e374c49887

SHA256
a9cf9751c195c7f214c38d7e5a7308bf900b097a7341435c44eed65f3e751c0e

SHA512
135968f385986f363a596823d52b17fc8cc48173bb531c300d48325c61350471f7b1769cb7397ffd11c4a5e647896d2cf0f3a50b28ef4ea456b666793af743fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
03cfde8f9aa4a9e26520da9a85faca40

SHA1
45a3dc2ab8aa420c19922b1783a9f19e695da4e6

SHA256
93a3c30195dc710c1469f5fd364fe3e1866878b0055ee942ef23c19602664379

SHA512
e264531bbb9912785010f0368627937d33a6173e8c5b7b7d8f15809c018e2cfd799ec6182ecdb17f3f98c142b3bc0b475c1e625febd14805f7ff9a68ad6b2133

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
03cfde8f9aa4a9e26520da9a85faca40

SHA1
45a3dc2ab8aa420c19922b1783a9f19e695da4e6

SHA256
93a3c30195dc710c1469f5fd364fe3e1866878b0055ee942ef23c19602664379

SHA512
e264531bbb9912785010f0368627937d33a6173e8c5b7b7d8f15809c018e2cfd799ec6182ecdb17f3f98c142b3bc0b475c1e625febd14805f7ff9a68ad6b2133

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
03cfde8f9aa4a9e26520da9a85faca40

SHA1
45a3dc2ab8aa420c19922b1783a9f19e695da4e6

SHA256
93a3c30195dc710c1469f5fd364fe3e1866878b0055ee942ef23c19602664379

SHA512
e264531bbb9912785010f0368627937d33a6173e8c5b7b7d8f15809c018e2cfd799ec6182ecdb17f3f98c142b3bc0b475c1e625febd14805f7ff9a68ad6b2133

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
03cfde8f9aa4a9e26520da9a85faca40

SHA1
45a3dc2ab8aa420c19922b1783a9f19e695da4e6

SHA256
93a3c30195dc710c1469f5fd364fe3e1866878b0055ee942ef23c19602664379

SHA512
e264531bbb9912785010f0368627937d33a6173e8c5b7b7d8f15809c018e2cfd799ec6182ecdb17f3f98c142b3bc0b475c1e625febd14805f7ff9a68ad6b2133

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
91bbf94ced9f347112b00fdd2d80cb6e

SHA1
b65d9fad1d34ba35ba85df78c7b65c5ed92e7614

SHA256
924a8f53986de55507660b793577589ef8f2abfb1d6e5dfc5b224fbee9b3856b

SHA512
70c87f6948f9782f479491c5648c283a648a03497324feba7fd52790ff248af2b0837c4740af32cc778a1c651759c52c6db8a15ab3d6d0a136cf24f697960581

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
a4aad89ce46894da3f4e556e78008592

SHA1
c5d60d84b65f545dd73cd8bd67e35bc440b1b638

SHA256
b6af4b2865c63cf2fb92882894312d893dcbfe13d85568f8cb4b99f7a2b237af

SHA512
72fca832de18832fd9235c45458b7418989c1feaf7928871ded2fb81f554d4c28b81e931fbed17d0b8917785ac43d458bd2ddba3a2041571470f056acb9ce864

Download Submit
\Users\Admin\AppData\Local\Temp\83FF.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
\Users\Admin\AppData\Local\Temp\83FF.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
03cfde8f9aa4a9e26520da9a85faca40

SHA1
45a3dc2ab8aa420c19922b1783a9f19e695da4e6

SHA256
93a3c30195dc710c1469f5fd364fe3e1866878b0055ee942ef23c19602664379

SHA512
e264531bbb9912785010f0368627937d33a6173e8c5b7b7d8f15809c018e2cfd799ec6182ecdb17f3f98c142b3bc0b475c1e625febd14805f7ff9a68ad6b2133

Download Submit
\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
03cfde8f9aa4a9e26520da9a85faca40

SHA1
45a3dc2ab8aa420c19922b1783a9f19e695da4e6

SHA256
93a3c30195dc710c1469f5fd364fe3e1866878b0055ee942ef23c19602664379

SHA512
e264531bbb9912785010f0368627937d33a6173e8c5b7b7d8f15809c018e2cfd799ec6182ecdb17f3f98c142b3bc0b475c1e625febd14805f7ff9a68ad6b2133

Download Submit
\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
03cfde8f9aa4a9e26520da9a85faca40

SHA1
45a3dc2ab8aa420c19922b1783a9f19e695da4e6

SHA256
93a3c30195dc710c1469f5fd364fe3e1866878b0055ee942ef23c19602664379

SHA512
e264531bbb9912785010f0368627937d33a6173e8c5b7b7d8f15809c018e2cfd799ec6182ecdb17f3f98c142b3bc0b475c1e625febd14805f7ff9a68ad6b2133

Download Submit
\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
03cfde8f9aa4a9e26520da9a85faca40

SHA1
45a3dc2ab8aa420c19922b1783a9f19e695da4e6

SHA256
93a3c30195dc710c1469f5fd364fe3e1866878b0055ee942ef23c19602664379

SHA512
e264531bbb9912785010f0368627937d33a6173e8c5b7b7d8f15809c018e2cfd799ec6182ecdb17f3f98c142b3bc0b475c1e625febd14805f7ff9a68ad6b2133

Download Submit
memory/1968-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1968-112-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2628-101-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2720-94-0x0000000000650000-0x0000000000684000-memory.dmp

Filesize
208KB

Download
memory/2720-89-0x0000000000650000-0x0000000000684000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads