d17cc6e37908c64cf4744095542b564f52fea6fa128acecf03cd32ad4188167b

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
15/11/2023, 16:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.8f3523c7a35fd6b585974271ce1171ea.exe
Size

2.5MB
MD5

8f3523c7a35fd6b585974271ce1171ea
SHA1

95195f8f337c43b04e8c963cafd0c0ab9e0dee26
SHA256

d17cc6e37908c64cf4744095542b564f52fea6fa128acecf03cd32ad4188167b
SHA512

00836558538327b8680aa83d11855262e1eaadb8bf3460376ef33f3c0a39751ed40cae066513171da36d93c6ac10e55e3268b2e78100d31d24aa6e151301ce08
SSDEEP

49152:DCgYwZgyWDaaGtxlX9zb3S+OY8VrkpnAewgTSDTIdTkIwhW:Dp1Zgyuart1zb3S+p8VWnAewgTSYQW

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
320	svchost.exe
2012	NEAS.8f3523c7a35fd6b585974271ce1171ea.exe
2244	svchost.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	NEAS.8f3523c7a35fd6b585974271ce1171ea.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2012	NEAS.8f3523c7a35fd6b585974271ce1171ea.exe
2012	NEAS.8f3523c7a35fd6b585974271ce1171ea.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 320	1348	NEAS.8f3523c7a35fd6b585974271ce1171ea.exe	89
PID 1348 wrote to memory of 320	1348	NEAS.8f3523c7a35fd6b585974271ce1171ea.exe	89
PID 1348 wrote to memory of 320	1348	NEAS.8f3523c7a35fd6b585974271ce1171ea.exe	89
PID 320 wrote to memory of 2012	320	svchost.exe	90
PID 320 wrote to memory of 2012	320	svchost.exe	90
PID 320 wrote to memory of 2012	320	svchost.exe	90

C:\Users\Admin\AppData\Local\Temp\NEAS.8f3523c7a35fd6b585974271ce1171ea.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.8f3523c7a35fd6b585974271ce1171ea.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\NEAS.8f3523c7a35fd6b585974271ce1171ea.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:320
- - C:\Users\Admin\AppData\Local\Temp\NEAS.8f3523c7a35fd6b585974271ce1171ea.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.8f3523c7a35fd6b585974271ce1171ea.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2012

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2244

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.8f3523c7a35fd6b585974271ce1171ea.exe

Filesize
2.4MB

MD5
61d0ec12f982480e0a34a15f74efb664

SHA1
4c94e29b7e07122068a43cb2b79f909ede170453

SHA256
582fd7ee78e38ebc2e3e44c6ae4a213ecba92a8040d0e8294d6aad4e06dd435d

SHA512
585572a649de29988c22dd94236351569f5027eb1424dac797bc9aa0fb58e36a133492a2d2ee1abf65bb50ffd54fa1c0c7b92c1e3f8670edb5d603086deefbb4

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
memory/320-10-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1348-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2012-13-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/2012-14-0x0000000000400000-0x00000000006BB000-memory.dmp

Filesize
2.7MB

Download
memory/2244-15-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2244-18-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2244-24-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download