3f858025a9a0122e0f5e7efe5e8e3f1d79258599926120bf976c296d7a20cffd

Analysis

max time kernel
147s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2023, 19:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.815785e2b3a194963d475bf139ff70b0.exe
Size

209KB
MD5

815785e2b3a194963d475bf139ff70b0
SHA1

cc5f0bc87221c74e2ce9dcf13326376a8b2939ec
SHA256

3f858025a9a0122e0f5e7efe5e8e3f1d79258599926120bf976c296d7a20cffd
SHA512

ffbb4906e285f7a7ee1fa5e416f636901ff54de1f2d36d78ece2b0b2a567bc7abd00753f2a75c2e97c2176bce185b1957b62554f0f274d6f626f40b876cdfc63
SSDEEP

6144:rlkXrdefm0WPX9d6hAOeZzpNWYbP290Cx57:aXhefmXPz6uOizpMYbP2qC77

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2408	u.dll
3396	mpress.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1764	OpenWith.exe
4800	OpenWith.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1008 wrote to memory of 1240	1008	NEAS.815785e2b3a194963d475bf139ff70b0.exe	89
PID 1008 wrote to memory of 1240	1008	NEAS.815785e2b3a194963d475bf139ff70b0.exe	89
PID 1008 wrote to memory of 1240	1008	NEAS.815785e2b3a194963d475bf139ff70b0.exe	89
PID 1240 wrote to memory of 2408	1240	cmd.exe	91
PID 1240 wrote to memory of 2408	1240	cmd.exe	91
PID 1240 wrote to memory of 2408	1240	cmd.exe	91
PID 2408 wrote to memory of 3396	2408	u.dll	92
PID 2408 wrote to memory of 3396	2408	u.dll	92
PID 2408 wrote to memory of 3396	2408	u.dll	92
PID 1240 wrote to memory of 1784	1240	cmd.exe	93
PID 1240 wrote to memory of 1784	1240	cmd.exe	93
PID 1240 wrote to memory of 1784	1240	cmd.exe	93
PID 1240 wrote to memory of 1000	1240	cmd.exe	97
PID 1240 wrote to memory of 1000	1240	cmd.exe	97
PID 1240 wrote to memory of 1000	1240	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\NEAS.815785e2b3a194963d475bf139ff70b0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.815785e2b3a194963d475bf139ff70b0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F201.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1240
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save NEAS.815785e2b3a194963d475bf139ff70b0.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2408
  - - C:\Users\Admin\AppData\Local\Temp\F53D.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\F53D.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exeF54E.tmp"
      4⤵
      Executes dropped EXE
      PID:3396
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:1784
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:1000

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1764

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4800

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F201.tmp\vir.bat

Filesize
1KB

MD5
6ed579e582ac4424761e53bf28ea537b

SHA1
985266a98ca5f96fcebe236ec019134e71614a05

SHA256
21ceaa19c2ff7a9a88db9cb0c486ec8610690ba530b71ffea64a47247032636a

SHA512
c2aa27114de85fe09d1c2fc9fe299e3c1a79acaaf34e548855dba4a0f7150afe0296273ff174d2a7e0b61532892d5525207d0933c1fc15b7c62f1924b149d5d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\F53D.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\F53D.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exeF54E.tmp

Filesize
41KB

MD5
57e7d2dcbc1686d2d2efb77c1198ce9c

SHA1
48c2849994f0f6bdbfb30e612ca01694232a15ae

SHA256
b4a2baaf1b1d49dee4c1f0d647f211b44b7f06c18d665bd9226ba69ab4340573

SHA512
98616ac6349379ae1b3ed0d9d8b38e9d088b598ff38367efb5dd9ae0b8d3f88c6fd63bc6ebb195e76f8052abd59221bdf317b9017917b5d3f723e68312694ff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\exeF54E.tmp

Filesize
41KB

MD5
57e7d2dcbc1686d2d2efb77c1198ce9c

SHA1
48c2849994f0f6bdbfb30e612ca01694232a15ae

SHA256
b4a2baaf1b1d49dee4c1f0d647f211b44b7f06c18d665bd9226ba69ab4340573

SHA512
98616ac6349379ae1b3ed0d9d8b38e9d088b598ff38367efb5dd9ae0b8d3f88c6fd63bc6ebb195e76f8052abd59221bdf317b9017917b5d3f723e68312694ff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\exeF54E.tmp

Filesize
24KB

MD5
371c4910c08109d87f99f9774eb24709

SHA1
e943f3ed9a80459593e7f48fa6ffcc17d4b30799

SHA256
9523a038732d4e1fffeb9d8df39c32a8b87f33cbf1e51994108c16e0ab1b552d

SHA512
48a03c5c75f463aaf85fd99c093f0151a3c2b3033d34d49b9107363831773625bde92bc7a0a20ca24572a1d834a8409097418a0829344440370295cd0b1a865d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mprF9C1.tmp

Filesize
24KB

MD5
371c4910c08109d87f99f9774eb24709

SHA1
e943f3ed9a80459593e7f48fa6ffcc17d4b30799

SHA256
9523a038732d4e1fffeb9d8df39c32a8b87f33cbf1e51994108c16e0ab1b552d

SHA512
48a03c5c75f463aaf85fd99c093f0151a3c2b3033d34d49b9107363831773625bde92bc7a0a20ca24572a1d834a8409097418a0829344440370295cd0b1a865d

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
e4127ceb5db948172fd241be25b36358

SHA1
5a01fa3772c6d27630d50c73fadac9508780c51a

SHA256
f3e8cd29180b07115d0d33a3ecf0c542da05680aee99971aa7e9bd2423597f70

SHA512
13dd5db60d2faeaee632b62a3c92b323215931250ed8a1513a0af9b92c335dbf4b6c458e266bc08431eccff36256203dc81488e6f83185bdee737eed1a82883d

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
e4127ceb5db948172fd241be25b36358

SHA1
5a01fa3772c6d27630d50c73fadac9508780c51a

SHA256
f3e8cd29180b07115d0d33a3ecf0c542da05680aee99971aa7e9bd2423597f70

SHA512
13dd5db60d2faeaee632b62a3c92b323215931250ed8a1513a0af9b92c335dbf4b6c458e266bc08431eccff36256203dc81488e6f83185bdee737eed1a82883d

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
e4127ceb5db948172fd241be25b36358

SHA1
5a01fa3772c6d27630d50c73fadac9508780c51a

SHA256
f3e8cd29180b07115d0d33a3ecf0c542da05680aee99971aa7e9bd2423597f70

SHA512
13dd5db60d2faeaee632b62a3c92b323215931250ed8a1513a0af9b92c335dbf4b6c458e266bc08431eccff36256203dc81488e6f83185bdee737eed1a82883d

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
e4127ceb5db948172fd241be25b36358

SHA1
5a01fa3772c6d27630d50c73fadac9508780c51a

SHA256
f3e8cd29180b07115d0d33a3ecf0c542da05680aee99971aa7e9bd2423597f70

SHA512
13dd5db60d2faeaee632b62a3c92b323215931250ed8a1513a0af9b92c335dbf4b6c458e266bc08431eccff36256203dc81488e6f83185bdee737eed1a82883d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
011e05a8cbcd0eeabb07ab6cb7da57bf

SHA1
3b08c8999d4212809efa06491fcff32e9697639f

SHA256
5729143d76953cde0651f3f1378fde36ab8ce4438fa139e7e624d9dbf95f1902

SHA512
84d678db23554208b8833afd06eab4b68e973c5fc58a44437444fd2b9e5bf46ee08dc6c14f22380c50777ce752d262dfd5a38282af7c1d957df2348121d374de

Download Submit
memory/1008-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1008-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1008-70-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3396-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3396-62-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads