89aa5e637a8d5807124af1640505a1515e9b41f9d8bd1e3eba043955be8353fb

Analysis

max time kernel
159s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
04/11/2023, 08:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.5cb284c09e558a41613ecfb1eeaa52d0_JC.exe
Size

210KB
MD5

5cb284c09e558a41613ecfb1eeaa52d0
SHA1

1ebf46ee09b9b176f93bf2d14aca89ab68ebf20b
SHA256

89aa5e637a8d5807124af1640505a1515e9b41f9d8bd1e3eba043955be8353fb
SHA512

e1097854af838009b4dae3d540796b369482b9ff43f01d5222a4f24f90cb33df8ba8826c9dc7d4edced9eb039e8c877bdbbba030d431a020f3ddaeb063bdcb25
SSDEEP

6144:JljIxNJrVSnu78/LTlKh5/ICQ6Sojhvo6mWoj:QJhSnWQCQ6So9QdHj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3396	u.dll
4716	mpress.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2796	OpenWith.exe
3336	OpenWith.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3720 wrote to memory of 4576	3720	NEAS.5cb284c09e558a41613ecfb1eeaa52d0_JC.exe	92
PID 3720 wrote to memory of 4576	3720	NEAS.5cb284c09e558a41613ecfb1eeaa52d0_JC.exe	92
PID 3720 wrote to memory of 4576	3720	NEAS.5cb284c09e558a41613ecfb1eeaa52d0_JC.exe	92
PID 4576 wrote to memory of 3396	4576	cmd.exe	93
PID 4576 wrote to memory of 3396	4576	cmd.exe	93
PID 4576 wrote to memory of 3396	4576	cmd.exe	93
PID 3396 wrote to memory of 4716	3396	u.dll	94
PID 3396 wrote to memory of 4716	3396	u.dll	94
PID 3396 wrote to memory of 4716	3396	u.dll	94
PID 4576 wrote to memory of 3692	4576	cmd.exe	95
PID 4576 wrote to memory of 3692	4576	cmd.exe	95
PID 4576 wrote to memory of 3692	4576	cmd.exe	95
PID 4576 wrote to memory of 2404	4576	cmd.exe	99
PID 4576 wrote to memory of 2404	4576	cmd.exe	99
PID 4576 wrote to memory of 2404	4576	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\NEAS.5cb284c09e558a41613ecfb1eeaa52d0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.5cb284c09e558a41613ecfb1eeaa52d0_JC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1884.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4576
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save NEAS.5cb284c09e558a41613ecfb1eeaa52d0_JC.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3396
  - - C:\Users\Admin\AppData\Local\Temp\1C4D.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\1C4D.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe1C4E.tmp"
      4⤵
      Executes dropped EXE
      PID:4716
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:3692
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:2404

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2796

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3336

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1884.tmp\vir.bat

Filesize
1KB

MD5
5b000f53b65dce7d504394d5125bf9b1

SHA1
dedb6896533f3763c764cc6a8ae8b98bd9dbd87d

SHA256
4e589850643050375a41553ca33deab80e7f72d1521796f4d3b1ff195b9845d6

SHA512
ca6c1bb30b4f386363b1e03be3da0f91ce3e2f16b558c389da910e564343b7857a596fc6d71eb79b94dea0ec3a947d5136590e9446b0b39bf36db5ba311cef89

Download Submit
C:\Users\Admin\AppData\Local\Temp\1C4D.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1C4D.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe1C4E.tmp

Filesize
41KB

MD5
bfffa6c36b0aa15510a443a79382ede1

SHA1
af44603bd5cad266d5e1b681691c56a25b603e58

SHA256
54cc6b298d45fffa6b9198fa5d4b5793c6248f887feaed2b928c6c400fb7a22b

SHA512
381efd97ac75a95ec229955d82d6d4fc9019de88ecf7f58e9f550dd4a002d57ce03983dfdb3286782685d15740388e2d0bd6de50753a0b224dae10b0ebcda486

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe1C4E.tmp

Filesize
41KB

MD5
12d78566a87c5c5ade4a64316de4100f

SHA1
3121f4232d8111ea08e00f995c9d8f32c89359e1

SHA256
d73991670f3299229dab64399a0718239af20294379e1b40b412def40c8c32bf

SHA512
fd387e9068b347f34d5866a3c1766771927ce82d4ad6cd339bd52c348678d54844a6701d4d890d3a9b38c47709623b287462379125974f49e753d852026e444b

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe1C4E.tmp

Filesize
24KB

MD5
ed9e9dafc09ef9b7061df2099fa30f9c

SHA1
66de620a61c43cb860b1a5f92bc82c263037478a

SHA256
31448289327463d17d19142788afc24dbd39693d604a7ca3d3a3508f3028f580

SHA512
ebab4e3be1191abda765cb177d71a85b426aff2f3a758947ddbeb1088c977627aab366ac839fec0a8aef227421a4d8e997886ba22444aee0b6a1e1af2eb3d491

Download Submit
C:\Users\Admin\AppData\Local\Temp\mpr2EBC.tmp

Filesize
24KB

MD5
ed9e9dafc09ef9b7061df2099fa30f9c

SHA1
66de620a61c43cb860b1a5f92bc82c263037478a

SHA256
31448289327463d17d19142788afc24dbd39693d604a7ca3d3a3508f3028f580

SHA512
ebab4e3be1191abda765cb177d71a85b426aff2f3a758947ddbeb1088c977627aab366ac839fec0a8aef227421a4d8e997886ba22444aee0b6a1e1af2eb3d491

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
03cfde8f9aa4a9e26520da9a85faca40

SHA1
45a3dc2ab8aa420c19922b1783a9f19e695da4e6

SHA256
93a3c30195dc710c1469f5fd364fe3e1866878b0055ee942ef23c19602664379

SHA512
e264531bbb9912785010f0368627937d33a6173e8c5b7b7d8f15809c018e2cfd799ec6182ecdb17f3f98c142b3bc0b475c1e625febd14805f7ff9a68ad6b2133

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
03cfde8f9aa4a9e26520da9a85faca40

SHA1
45a3dc2ab8aa420c19922b1783a9f19e695da4e6

SHA256
93a3c30195dc710c1469f5fd364fe3e1866878b0055ee942ef23c19602664379

SHA512
e264531bbb9912785010f0368627937d33a6173e8c5b7b7d8f15809c018e2cfd799ec6182ecdb17f3f98c142b3bc0b475c1e625febd14805f7ff9a68ad6b2133

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
03cfde8f9aa4a9e26520da9a85faca40

SHA1
45a3dc2ab8aa420c19922b1783a9f19e695da4e6

SHA256
93a3c30195dc710c1469f5fd364fe3e1866878b0055ee942ef23c19602664379

SHA512
e264531bbb9912785010f0368627937d33a6173e8c5b7b7d8f15809c018e2cfd799ec6182ecdb17f3f98c142b3bc0b475c1e625febd14805f7ff9a68ad6b2133

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
03cfde8f9aa4a9e26520da9a85faca40

SHA1
45a3dc2ab8aa420c19922b1783a9f19e695da4e6

SHA256
93a3c30195dc710c1469f5fd364fe3e1866878b0055ee942ef23c19602664379

SHA512
e264531bbb9912785010f0368627937d33a6173e8c5b7b7d8f15809c018e2cfd799ec6182ecdb17f3f98c142b3bc0b475c1e625febd14805f7ff9a68ad6b2133

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
91bbf94ced9f347112b00fdd2d80cb6e

SHA1
b65d9fad1d34ba35ba85df78c7b65c5ed92e7614

SHA256
924a8f53986de55507660b793577589ef8f2abfb1d6e5dfc5b224fbee9b3856b

SHA512
70c87f6948f9782f479491c5648c283a648a03497324feba7fd52790ff248af2b0837c4740af32cc778a1c651759c52c6db8a15ab3d6d0a136cf24f697960581

Download Submit
memory/3720-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3720-19-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3720-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4716-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4716-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads