13c3be742114533999093345e9b69657bcbab53e70d79bc7f90be1b7550cbb20

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
05/11/2023, 01:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.e95cac30cf4cc032af3a2f0819b5e7c0_JC.dll
Size

21KB
MD5

e95cac30cf4cc032af3a2f0819b5e7c0
SHA1

862aa7a94c79f3a650908550e1f0c6f5af6790cb
SHA256

13c3be742114533999093345e9b69657bcbab53e70d79bc7f90be1b7550cbb20
SHA512

23a7bbb7bf691626afeab4cb9e763322ad211d08d329fc01adee989ff42add88ed8aa59186b5c66fb95c7c5713caf141fe468bd11b598b904bb93fb09585a894
SSDEEP

384:iMOcJoDvRZR113eWA+Uezhq/pW/00zWmV8qW9g1Yk9dlBRcAb91:i/9SWPU+hq/g5VJoCYCBRc891

Score

1^/10

Malware Config

Signatures

Modifies registry class 49 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2F69C611-6B14-47E8-9260-4BB7C52F504B}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{73A3F82A-0FE9-4B33-BA3B-FE095F697E0A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{90A7734E-841B-4F77-9384-A2891E76E7E2}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{379BFBE1-C6C9-432A-93E1-6D17656C538C}\ = "IWebAppDiagnosticsSetup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{379BFBE1-C6C9-432A-93E1-6D17656C538C}\NumMethods\ = "5"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D6FCA954-F7AE-4EAC-8783-85F5E4ABD840}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D5FE005B-2836-485E-B1F9-89D91AA24FD4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{379BFBE1-C6C9-432A-93E1-6D17656C538C}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D5FE005B-2836-485E-B1F9-89D91AA24FD4}\NumMethods\ = "6"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D5FE005B-2836-485E-B1F9-89D91AA24FD4}\ = "IRemoteDebugApplication110"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{516E42B6-89A8-4530-937B-5F0708431442}\ = "IActiveScriptErrorDebug110"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{516E42B6-89A8-4530-937B-5F0708431442}\ProxyStubClsid32\ = "{D6FCA954-F7AE-4EAC-8783-85F5E4ABD840}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5A05B5DA-5AEB-4290-A08B-57177176464A}\ = "IDebugPublisherProcess110"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2F69C611-6B14-47E8-9260-4BB7C52F504B}\ProxyStubClsid32\ = "{D6FCA954-F7AE-4EAC-8783-85F5E4ABD840}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5A05B5DA-5AEB-4290-A08B-57177176464A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{73A3F82A-0FE9-4B33-BA3B-FE095F697E0A}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{73A3F82A-0FE9-4B33-BA3B-FE095F697E0A}\NumMethods\ = "9"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{90A7734E-841B-4F77-9384-A2891E76E7E2}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{516E42B6-89A8-4530-937B-5F0708431442}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{379BFBE1-C6C9-432A-93E1-6D17656C538C}\ProxyStubClsid32\ = "{D6FCA954-F7AE-4EAC-8783-85F5E4ABD840}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\WOW6432Node\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D6FCA954-F7AE-4EAC-8783-85F5E4ABD840}\ = "PSFactoryBuffer"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\WOW6432Node\Interface	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5A05B5DA-5AEB-4290-A08B-57177176464A}\NumMethods\ = "7"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{73A3F82A-0FE9-4B33-BA3B-FE095F697E0A}\ = "IActiveScriptWinRTErrorDebug"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{90A7734E-841B-4F77-9384-A2891E76E7E2}\ProxyStubClsid32\ = "{D6FCA954-F7AE-4EAC-8783-85F5E4ABD840}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{379BFBE1-C6C9-432A-93E1-6D17656C538C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{73A3F82A-0FE9-4B33-BA3B-FE095F697E0A}\ProxyStubClsid32\ = "{D6FCA954-F7AE-4EAC-8783-85F5E4ABD840}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5A05B5DA-5AEB-4290-A08B-57177176464A}\ProxyStubClsid32\ = "{D6FCA954-F7AE-4EAC-8783-85F5E4ABD840}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{516E42B6-89A8-4530-937B-5F0708431442}\NumMethods\ = "4"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2F69C611-6B14-47E8-9260-4BB7C52F504B}\NumMethods\ = "4"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{90A7734E-841B-4F77-9384-A2891E76E7E2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{90A7734E-841B-4F77-9384-A2891E76E7E2}\ = "IDebugApplicationNode100"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{90A7734E-841B-4F77-9384-A2891E76E7E2}\NumMethods\ = "6"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D6FCA954-F7AE-4EAC-8783-85F5E4ABD840}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.e95cac30cf4cc032af3a2f0819b5e7c0_JC.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2F69C611-6B14-47E8-9260-4BB7C52F504B}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5A05B5DA-5AEB-4290-A08B-57177176464A}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{516E42B6-89A8-4530-937B-5F0708431442}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D6FCA954-F7AE-4EAC-8783-85F5E4ABD840}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D6FCA954-F7AE-4EAC-8783-85F5E4ABD840}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2F69C611-6B14-47E8-9260-4BB7C52F504B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{73A3F82A-0FE9-4B33-BA3B-FE095F697E0A}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5A05B5DA-5AEB-4290-A08B-57177176464A}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2F69C611-6B14-47E8-9260-4BB7C52F504B}\ = "IRemoteDebugCriticalErrorEvent110"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D5FE005B-2836-485E-B1F9-89D91AA24FD4}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D5FE005B-2836-485E-B1F9-89D91AA24FD4}\ProxyStubClsid32\ = "{D6FCA954-F7AE-4EAC-8783-85F5E4ABD840}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D5FE005B-2836-485E-B1F9-89D91AA24FD4}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{516E42B6-89A8-4530-937B-5F0708431442}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{379BFBE1-C6C9-432A-93E1-6D17656C538C}\NumMethods	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	4468	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 704	1416	regsvr32.exe	83
PID 1416 wrote to memory of 704	1416	regsvr32.exe	83
PID 1416 wrote to memory of 704	1416	regsvr32.exe	83

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\NEAS.e95cac30cf4cc032af3a2f0819b5e7c0_JC.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\NEAS.e95cac30cf4cc032af3a2f0819b5e7c0_JC.dll
  2⤵
  - Modifies registry class
  PID:704

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4516

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4468

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
b68108a57d8683990b2841af31dab7ae

SHA1
8ed65c59a86aee9ea45d0ecae3a848848dafd561

SHA256
1204e525c0acc49ba11aea28142f95e1b030861fb1c99c057c88fd0cfbcb4c4f

SHA512
4736419e043c144390e884d13c1c341a3db3cc6c130bbd13a2eb9efb8f661e06fcc1ff74bcd5b3e2e0d4783670d6149caefda3374c47b08752442e5aba833027

Download Submit
memory/4468-40-0x00000247FFA90000-0x00000247FFA91000-memory.dmp

Filesize
4KB

Download
memory/4468-42-0x00000247FFA90000-0x00000247FFA91000-memory.dmp

Filesize
4KB

Download
memory/4468-33-0x00000247FFA90000-0x00000247FFA91000-memory.dmp

Filesize
4KB

Download
memory/4468-34-0x00000247FFA90000-0x00000247FFA91000-memory.dmp

Filesize
4KB

Download
memory/4468-35-0x00000247FFA90000-0x00000247FFA91000-memory.dmp

Filesize
4KB

Download
memory/4468-36-0x00000247FFA90000-0x00000247FFA91000-memory.dmp

Filesize
4KB

Download
memory/4468-37-0x00000247FFA90000-0x00000247FFA91000-memory.dmp

Filesize
4KB

Download
memory/4468-38-0x00000247FFA90000-0x00000247FFA91000-memory.dmp

Filesize
4KB

Download
memory/4468-39-0x00000247FFA90000-0x00000247FFA91000-memory.dmp

Filesize
4KB

Download
memory/4468-43-0x00000247FF6C0000-0x00000247FF6C1000-memory.dmp

Filesize
4KB

Download
memory/4468-32-0x00000247FFA70000-0x00000247FFA71000-memory.dmp

Filesize
4KB

Download
memory/4468-41-0x00000247FFA90000-0x00000247FFA91000-memory.dmp

Filesize
4KB

Download
memory/4468-0-0x00000247FB380000-0x00000247FB390000-memory.dmp

Filesize
64KB

Download
memory/4468-44-0x00000247FF6B0000-0x00000247FF6B1000-memory.dmp

Filesize
4KB

Download
memory/4468-46-0x00000247FF6C0000-0x00000247FF6C1000-memory.dmp

Filesize
4KB

Download
memory/4468-49-0x00000247FF6B0000-0x00000247FF6B1000-memory.dmp

Filesize
4KB

Download
memory/4468-52-0x00000247FF5F0000-0x00000247FF5F1000-memory.dmp

Filesize
4KB

Download
memory/4468-16-0x00000247FB480000-0x00000247FB490000-memory.dmp

Filesize
64KB

Download
memory/4468-64-0x00000247FF7F0000-0x00000247FF7F1000-memory.dmp

Filesize
4KB

Download
memory/4468-66-0x00000247FF800000-0x00000247FF801000-memory.dmp

Filesize
4KB

Download
memory/4468-67-0x00000247FF800000-0x00000247FF801000-memory.dmp

Filesize
4KB

Download
memory/4468-68-0x00000247FF910000-0x00000247FF911000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads