af5e3803793356212bf103604b0ec6e311f4fec6efa614a2ede9d533ed273c0c

Analysis

max time kernel
130s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.014d8f899a583e3e8bd0965811dc7f50_JC.exe
Size

33KB
MD5

014d8f899a583e3e8bd0965811dc7f50
SHA1

114595f45460d0b8cf249e1e7d8048de97e8ba15
SHA256

af5e3803793356212bf103604b0ec6e311f4fec6efa614a2ede9d533ed273c0c
SHA512

d9c91341fa52b5cd2f01f950052a921251a016b26a5b47108fda7fa26cc0c3fda29be6a46efbdb09398451166871f95d42245e56dcfb19d84e6fc0aff0c64ff7
SSDEEP

384:cIZAvJmRPDN/jSyC8MxVLzFXME7dgPWlVnCPq3io8HdP5luQQzdFLeZ:hAvJ4LSyC8aVN7bX3V0SZna

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	NEAS.014d8f899a583e3e8bd0965811dc7f50_JC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	comhost.exe

Executes dropped EXE 1 IoCs

pid	Process
1668	comhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4088 wrote to memory of 1668	4088	NEAS.014d8f899a583e3e8bd0965811dc7f50_JC.exe	86
PID 4088 wrote to memory of 1668	4088	NEAS.014d8f899a583e3e8bd0965811dc7f50_JC.exe	86
PID 4088 wrote to memory of 1668	4088	NEAS.014d8f899a583e3e8bd0965811dc7f50_JC.exe	86

C:\Users\Admin\AppData\Local\Temp\NEAS.014d8f899a583e3e8bd0965811dc7f50_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.014d8f899a583e3e8bd0965811dc7f50_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Users\Admin\AppData\Local\Temp\comhost.exe
  "C:\Users\Admin\AppData\Local\Temp\comhost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\comhost.exe

Filesize
33KB

MD5
20b82fe4cc441ae19a2030e696a72635

SHA1
2b08e41809be286338e688a975af2c323fb5077f

SHA256
1c2b1397d2f54667c508a6df8c0f89b895255c9ad9fe08cf5881e6bdc8b13534

SHA512
bd5dba9de1633dd5386ed0f5273a27ab9a390507fe4e0a13437c3fd1ed0aface4ca8ef6671ba8075bc119c176bc007018614ef8063dc8a273659d053e140c52a

Download Submit
C:\Users\Admin\AppData\Local\Temp\comhost.exe

Filesize
33KB

MD5
20b82fe4cc441ae19a2030e696a72635

SHA1
2b08e41809be286338e688a975af2c323fb5077f

SHA256
1c2b1397d2f54667c508a6df8c0f89b895255c9ad9fe08cf5881e6bdc8b13534

SHA512
bd5dba9de1633dd5386ed0f5273a27ab9a390507fe4e0a13437c3fd1ed0aface4ca8ef6671ba8075bc119c176bc007018614ef8063dc8a273659d053e140c52a

Download Submit
C:\Users\Admin\AppData\Local\Temp\comhost.exe

Filesize
33KB

MD5
20b82fe4cc441ae19a2030e696a72635

SHA1
2b08e41809be286338e688a975af2c323fb5077f

SHA256
1c2b1397d2f54667c508a6df8c0f89b895255c9ad9fe08cf5881e6bdc8b13534

SHA512
bd5dba9de1633dd5386ed0f5273a27ab9a390507fe4e0a13437c3fd1ed0aface4ca8ef6671ba8075bc119c176bc007018614ef8063dc8a273659d053e140c52a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rzmaw.exe

Filesize
18KB

MD5
82ed3dc33cd71025510a05b664eb558b

SHA1
fb1523ae7fa073a173afac08df9eaf3340fa962b

SHA256
f088b073091ffca7ca0063658e01021738be4665c4407ba475a8b9774e1b1ccb

SHA512
3edb2cde8d1477bec536361c9a931050b03348dd49284d443df34efb2fb62260cfaffe8a47fa20f05c7fde014b60be3ebeb2b533957ed215ba458655a81633a7

Download Submit
memory/1668-9-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4088-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download