0c5fd5437a92d39a3e7855c51e8d4b1122a2584b893bf8e937a79c9cc8022541

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.f14e307c06c329102a5a86f739ae3f28_JC.exe
Size

208KB
MD5

f14e307c06c329102a5a86f739ae3f28
SHA1

672389b1ecebf1a50aa13e88c2ea239e81de7c91
SHA256

0c5fd5437a92d39a3e7855c51e8d4b1122a2584b893bf8e937a79c9cc8022541
SHA512

93378cb7f5917dc05b50e67d5af4a827b551b1305157dff30fc853cdf86bd7fc9ed0c91cbf64797ce7bcef8216f74442bc271c184a554f1950e708c254f8d90c
SSDEEP

3072:bfKg7VtiYiVIi/ZBhY1mgvc2xJ4FhMY9acxo7lcL6Yzh4NLthEjQT6j:bfKg7VtizIEnhSh0I4ValCfzhQEj1

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	NEAS.f14e307c06c329102a5a86f739ae3f28_JC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	VGYCXQT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	JAPIA.exe

Executes dropped EXE 3 IoCs

pid	Process
5068	VGYCXQT.exe
5108	JAPIA.exe
3900	HMZWU.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\windows\SysWOW64\VGYCXQT.exe	NEAS.f14e307c06c329102a5a86f739ae3f28_JC.exe
File created	C:\windows\SysWOW64\VGYCXQT.exe.bat	NEAS.f14e307c06c329102a5a86f739ae3f28_JC.exe
File created	C:\windows\SysWOW64\VGYCXQT.exe	NEAS.f14e307c06c329102a5a86f739ae3f28_JC.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\windows\JAPIA.exe	VGYCXQT.exe
File created	C:\windows\JAPIA.exe.bat	VGYCXQT.exe
File created	C:\windows\HMZWU.exe	JAPIA.exe
File opened for modification	C:\windows\HMZWU.exe	JAPIA.exe
File created	C:\windows\HMZWU.exe.bat	JAPIA.exe
File created	C:\windows\JAPIA.exe	VGYCXQT.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3776	1560	WerFault.exe	84
4236	5068	WerFault.exe	93
4116	5108	WerFault.exe	97
4996	3900	WerFault.exe	105

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1560	NEAS.f14e307c06c329102a5a86f739ae3f28_JC.exe
1560	NEAS.f14e307c06c329102a5a86f739ae3f28_JC.exe
5068	VGYCXQT.exe
5068	VGYCXQT.exe
5108	JAPIA.exe
5108	JAPIA.exe
3900	HMZWU.exe
3900	HMZWU.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1560	NEAS.f14e307c06c329102a5a86f739ae3f28_JC.exe
1560	NEAS.f14e307c06c329102a5a86f739ae3f28_JC.exe
5068	VGYCXQT.exe
5068	VGYCXQT.exe
5108	JAPIA.exe
5108	JAPIA.exe
3900	HMZWU.exe
3900	HMZWU.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 4520	1560	NEAS.f14e307c06c329102a5a86f739ae3f28_JC.exe	89
PID 1560 wrote to memory of 4520	1560	NEAS.f14e307c06c329102a5a86f739ae3f28_JC.exe	89
PID 1560 wrote to memory of 4520	1560	NEAS.f14e307c06c329102a5a86f739ae3f28_JC.exe	89
PID 4520 wrote to memory of 5068	4520	cmd.exe	93
PID 4520 wrote to memory of 5068	4520	cmd.exe	93
PID 4520 wrote to memory of 5068	4520	cmd.exe	93
PID 5068 wrote to memory of 3232	5068	VGYCXQT.exe	94
PID 5068 wrote to memory of 3232	5068	VGYCXQT.exe	94
PID 5068 wrote to memory of 3232	5068	VGYCXQT.exe	94
PID 3232 wrote to memory of 5108	3232	cmd.exe	97
PID 3232 wrote to memory of 5108	3232	cmd.exe	97
PID 3232 wrote to memory of 5108	3232	cmd.exe	97
PID 5108 wrote to memory of 2220	5108	JAPIA.exe	100
PID 5108 wrote to memory of 2220	5108	JAPIA.exe	100
PID 5108 wrote to memory of 2220	5108	JAPIA.exe	100
PID 2220 wrote to memory of 3900	2220	cmd.exe	105
PID 2220 wrote to memory of 3900	2220	cmd.exe	105
PID 2220 wrote to memory of 3900	2220	cmd.exe	105

C:\Users\Admin\AppData\Local\Temp\NEAS.f14e307c06c329102a5a86f739ae3f28_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.f14e307c06c329102a5a86f739ae3f28_JC.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VGYCXQT.exe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4520
- - C:\windows\SysWOW64\VGYCXQT.exe
    C:\windows\system32\VGYCXQT.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5068
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\JAPIA.exe.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3232
    - - C:\windows\JAPIA.exe
        
        C:\windows\JAPIA.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5108
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HMZWU.exe.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\windows\HMZWU.exe
        
        C:\windows\HMZWU.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 844
        8⤵
        Program crash
        
        PID:4996
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 1272
        6⤵
        Program crash
        
        PID:4116
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 948
      4⤵
      Program crash
      PID:4236
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 1304
  2⤵
  - Program crash
  PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1560 -ip 1560
1⤵
PID:1048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5068 -ip 5068
1⤵
PID:640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5108 -ip 5108
1⤵
PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3900 -ip 3900
1⤵
PID:4924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\HMZWU.exe

Filesize
208KB

MD5
ed054e1bf82fe5f315ed11f25715e936

SHA1
51ab0a0a64d1c51dcb704cc6a6b580fd60b73632

SHA256
1df59e8211511bdfe328074a0fff571740be0cd03841ae515457ed0243eeaff4

SHA512
69192b7c2559ada26306356721e8c47241c85e866c0580d8afee92fa8fe7a38c7e80bbb6e0e12c61487475cb94f413986c8ab5e6b28d0186f5f4b4630bc4d635

Download Submit
C:\Windows\JAPIA.exe

Filesize
208KB

MD5
bec9e54fd0b6615c767b8d16e941ae0b

SHA1
c5d8c05c0961c3a02c3a440f13dddbd9e3f1c3b6

SHA256
6b11df0a99cad3929380c6af019be5c8452e6cc13b156fb82c781af99c2cfb83

SHA512
128247efe3baeef26bb643ee580ec58b70e119664866f3bf7f427b0a8e1120df9bf38bbc49b0bb2a723759e7f2eb3dddaa0be03343f018f21306851f83ae62fd

Download Submit
C:\Windows\JAPIA.exe

Filesize
208KB

MD5
50728c6b089c9c0f57811147bb8ffe83

SHA1
c6f1bec731529eab4fb3b0a2dae95227f58fee93

SHA256
a43c8a5e53f1e808db7786dc09fbe87e238d9c1ab4c0279b84d0eb6c346af491

SHA512
184a245f594e4b1ad776c0cd62a3151dfa66fc25f7a3e2cd3c4c1ba61c721caf4a9097432fa9f1b96da5943d869ac9eefbd8a8094fac79c2142bc49be80dcc60

Download Submit
C:\Windows\SysWOW64\VGYCXQT.exe

Filesize
208KB

MD5
e3dfd86ef37941ac46d697a66f2b60e7

SHA1
833cce4b07ec7635be4ed39a413f1c7de5789ae0

SHA256
0940f28b8e6d68ebcfe5449938a91d90d5303a05470cf362603e9e408a49230a

SHA512
c110671a5ba4dccb08aa0fa58d53b8884b3c02c3b03f880d2799bb627d578e4e32d9a82a0e51d1de2393fd5d9335a3d08338275eda955959489d2b39bf84d9a1

Download Submit
C:\windows\HMZWU.exe

Filesize
208KB

MD5
ed054e1bf82fe5f315ed11f25715e936

SHA1
51ab0a0a64d1c51dcb704cc6a6b580fd60b73632

SHA256
1df59e8211511bdfe328074a0fff571740be0cd03841ae515457ed0243eeaff4

SHA512
69192b7c2559ada26306356721e8c47241c85e866c0580d8afee92fa8fe7a38c7e80bbb6e0e12c61487475cb94f413986c8ab5e6b28d0186f5f4b4630bc4d635

Download Submit
C:\windows\HMZWU.exe.bat

Filesize
56B

MD5
a2b1f691fd6a1615090b64367bb1cda4

SHA1
87711824c9a009727c6e28f7fe6b045d9deafdc1

SHA256
057d2db5de506c6d89c180c3c5b7b320d21c12ea4c798a02e8c9b65d129babb4

SHA512
b8ca92e61fd620179a008c1d59980157205ea79a6e3aec2f78c1c6da6e7af411304117ad62dc7aa09cbe86b6e3d1a80001212532e7ab5149f0ba19d8f646c727

Download Submit
C:\windows\JAPIA.exe

Filesize
208KB

MD5
50728c6b089c9c0f57811147bb8ffe83

SHA1
c6f1bec731529eab4fb3b0a2dae95227f58fee93

SHA256
a43c8a5e53f1e808db7786dc09fbe87e238d9c1ab4c0279b84d0eb6c346af491

SHA512
184a245f594e4b1ad776c0cd62a3151dfa66fc25f7a3e2cd3c4c1ba61c721caf4a9097432fa9f1b96da5943d869ac9eefbd8a8094fac79c2142bc49be80dcc60

Download Submit
C:\windows\JAPIA.exe.bat

Filesize
56B

MD5
32ac87b84961edc8d659744538d8b23f

SHA1
730c746e59eb7f8976e2bbef097acd833dd64206

SHA256
67cd104c06d01ee77d96ce3603e5afd220b3401549d259c9949336ed226e91a4

SHA512
163fff3fb7bb5f86c84dcd8912421b13a2d4f337d49f3a89d697c8d0eb6c96a323c6388d3eaccffb831528a332d12f0831753bb2ac5d6a31d9f6e30a9c40fb23

Download Submit
C:\windows\SysWOW64\VGYCXQT.exe

Filesize
208KB

MD5
e3dfd86ef37941ac46d697a66f2b60e7

SHA1
833cce4b07ec7635be4ed39a413f1c7de5789ae0

SHA256
0940f28b8e6d68ebcfe5449938a91d90d5303a05470cf362603e9e408a49230a

SHA512
c110671a5ba4dccb08aa0fa58d53b8884b3c02c3b03f880d2799bb627d578e4e32d9a82a0e51d1de2393fd5d9335a3d08338275eda955959489d2b39bf84d9a1

Download Submit
C:\windows\SysWOW64\VGYCXQT.exe.bat

Filesize
78B

MD5
b12bb8ae3b536931698edd885f863971

SHA1
7a55c54d43d11e2676d9ad3c8c6817fe6df7b7b5

SHA256
ecbb8c84b6a6ef9e48f844bd5df55fc2a2a08d061ab6d35ccfbd5b65d8c9a29f

SHA512
25cb1e27de3a185d476db0d86b78c5eb155e7f70c0dd923b325e93480a76b0603fe0fb530f36829f2f4300b5e0a84eac21403a14e5644395d5b973007d9634ff

Download Submit
memory/1560-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1560-34-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3900-32-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3900-37-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5068-10-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5068-36-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5108-22-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5108-35-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download