eddbf6cfc29a4d68a5540ebd3927e19c83878f5f1e5227070797408d96ac5b22

Analysis

max time kernel
162s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
04-11-2023 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.97795dd4d1689c0e33137388cdf9d9d0_JC.exe
Size

210KB
MD5

97795dd4d1689c0e33137388cdf9d9d0
SHA1

0e854ce1bcdba39466ff5326e8d6d601f561219e
SHA256

eddbf6cfc29a4d68a5540ebd3927e19c83878f5f1e5227070797408d96ac5b22
SHA512

292005e0babce997e505aa8190032e96f68e204d0b151c75f8a7e3f666bcc3ffa27a964c547c147814ea27389d661537464f1bcf112ab0a206243e7baed63034
SSDEEP

6144:QlXOWacjSlYtr/it/YUg2oNSx/UOIIxFN:RWacInhYKoNAjIIxFN

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
540	u.dll
2068	mpress.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2160	OpenWith.exe
2700	OpenWith.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 3328	2820	NEAS.97795dd4d1689c0e33137388cdf9d9d0_JC.exe	90
PID 2820 wrote to memory of 3328	2820	NEAS.97795dd4d1689c0e33137388cdf9d9d0_JC.exe	90
PID 2820 wrote to memory of 3328	2820	NEAS.97795dd4d1689c0e33137388cdf9d9d0_JC.exe	90
PID 3328 wrote to memory of 540	3328	cmd.exe	91
PID 3328 wrote to memory of 540	3328	cmd.exe	91
PID 3328 wrote to memory of 540	3328	cmd.exe	91
PID 540 wrote to memory of 2068	540	u.dll	93
PID 540 wrote to memory of 2068	540	u.dll	93
PID 540 wrote to memory of 2068	540	u.dll	93
PID 3328 wrote to memory of 3212	3328	cmd.exe	94
PID 3328 wrote to memory of 3212	3328	cmd.exe	94
PID 3328 wrote to memory of 3212	3328	cmd.exe	94
PID 3328 wrote to memory of 4016	3328	cmd.exe	97
PID 3328 wrote to memory of 4016	3328	cmd.exe	97
PID 3328 wrote to memory of 4016	3328	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\NEAS.97795dd4d1689c0e33137388cdf9d9d0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.97795dd4d1689c0e33137388cdf9d9d0_JC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E280.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3328
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save NEAS.97795dd4d1689c0e33137388cdf9d9d0_JC.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:540
  - - C:\Users\Admin\AppData\Local\Temp\E445.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\E445.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exeE446.tmp"
      4⤵
      Executes dropped EXE
      PID:2068
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:3212
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:4016

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2160

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2700

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E280.tmp\vir.bat

Filesize
1KB

MD5
9b4403c08a38e4757f75ea565b1c2d13

SHA1
2d827f85790d93da5bd4dee807ce41270e21d13f

SHA256
68a7326b8f26b8773b176e2352a3936e66c96ce6779d2d30872d2d02fb1a4476

SHA512
7773e442190b06c85c694adb133cb12b92ecbd37f24b93dbce3cf0707338ac46d9f11018ff66205408cb2c021105bfd6da8629a74efc3960326d620af3c2b9ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\E445.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\E445.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exeE446.tmp

Filesize
41KB

MD5
2e70c1c3cf76d129ecfe6fd4b3cde5c9

SHA1
99c806cd24b06df8a4c867c83c03aca76ba7c739

SHA256
5fe031696636e8882f9799c33333304ac40f94e904253ce378299ef53bf4f365

SHA512
538127990380a5a18fa5deadde97d642dcdca7431a756d0d4e4481c9e0bdc0ae127c17de86a64b7035165832b90ba60c36d479de50a31c4d552319e5c1052a38

Download Submit
C:\Users\Admin\AppData\Local\Temp\exeE446.tmp

Filesize
41KB

MD5
2e70c1c3cf76d129ecfe6fd4b3cde5c9

SHA1
99c806cd24b06df8a4c867c83c03aca76ba7c739

SHA256
5fe031696636e8882f9799c33333304ac40f94e904253ce378299ef53bf4f365

SHA512
538127990380a5a18fa5deadde97d642dcdca7431a756d0d4e4481c9e0bdc0ae127c17de86a64b7035165832b90ba60c36d479de50a31c4d552319e5c1052a38

Download Submit
C:\Users\Admin\AppData\Local\Temp\exeE446.tmp

Filesize
24KB

MD5
e33aa3fafb1e80c9b61277a6daff7ad0

SHA1
45624a325ac832233b94c18902ba04e72b353ab7

SHA256
5526173c9cc37a4ff40ea736db2dffd8a4ef0bed65d9308a90cf1ac20a1bb4ff

SHA512
406f96fd420dc775a14330cb38c5b34ab57063846e2db0f26b35fe2a2e4949352d512aed434a25b6900d47bd200c8527278fb76c7afd1ee46ac254d3a91763c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mprE58D.tmp

Filesize
24KB

MD5
e33aa3fafb1e80c9b61277a6daff7ad0

SHA1
45624a325ac832233b94c18902ba04e72b353ab7

SHA256
5526173c9cc37a4ff40ea736db2dffd8a4ef0bed65d9308a90cf1ac20a1bb4ff

SHA512
406f96fd420dc775a14330cb38c5b34ab57063846e2db0f26b35fe2a2e4949352d512aed434a25b6900d47bd200c8527278fb76c7afd1ee46ac254d3a91763c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
58dd14cd6b3f90b0f6bc82c01bcd2dab

SHA1
e496313b7cee401bbf2e0ceb6a0b1824bb5a4208

SHA256
63095a3df5569038746ca2d0553bb438a41ef2ed10c9c9e4a65b5ee861b6e2f8

SHA512
b7d4cdd64eadb5e52901b59b0bf86002d23f431e7ca503e86cb4f30313e05c83ca7619b7565e13f0c3d09395a59df80d27b44fb907afc6b65473b6d616beb1c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
58dd14cd6b3f90b0f6bc82c01bcd2dab

SHA1
e496313b7cee401bbf2e0ceb6a0b1824bb5a4208

SHA256
63095a3df5569038746ca2d0553bb438a41ef2ed10c9c9e4a65b5ee861b6e2f8

SHA512
b7d4cdd64eadb5e52901b59b0bf86002d23f431e7ca503e86cb4f30313e05c83ca7619b7565e13f0c3d09395a59df80d27b44fb907afc6b65473b6d616beb1c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
58dd14cd6b3f90b0f6bc82c01bcd2dab

SHA1
e496313b7cee401bbf2e0ceb6a0b1824bb5a4208

SHA256
63095a3df5569038746ca2d0553bb438a41ef2ed10c9c9e4a65b5ee861b6e2f8

SHA512
b7d4cdd64eadb5e52901b59b0bf86002d23f431e7ca503e86cb4f30313e05c83ca7619b7565e13f0c3d09395a59df80d27b44fb907afc6b65473b6d616beb1c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
58dd14cd6b3f90b0f6bc82c01bcd2dab

SHA1
e496313b7cee401bbf2e0ceb6a0b1824bb5a4208

SHA256
63095a3df5569038746ca2d0553bb438a41ef2ed10c9c9e4a65b5ee861b6e2f8

SHA512
b7d4cdd64eadb5e52901b59b0bf86002d23f431e7ca503e86cb4f30313e05c83ca7619b7565e13f0c3d09395a59df80d27b44fb907afc6b65473b6d616beb1c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
2KB

MD5
1ce12d0e048282b5b77f4a1a5888f512

SHA1
6fda349194f620a0f8b763e0e0774d398323b585

SHA256
00c6104fbfde044838a04e9e6b1cdf1f6269564e3b3c9805c76f992c519212e2

SHA512
997a7c6b0dd7d5882481de07af18cc2321d9649d5c7732be2ec0e73cea51eeebdf237beb9da99dfc4bb8f3eec760b20ce0e9b9780fa6f1a9b05a5d5323f786f1

Download Submit
memory/2068-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2068-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2820-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2820-71-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads