07731dac15ead8f017a4e7ab790214cefd6c51a22c9f73c0ffb7fe8448f09a74

Analysis

max time kernel
84s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 15:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.0517d799d3307ec47ed7dbe8d13bac60_JC.exe
Size

3.8MB
MD5

0517d799d3307ec47ed7dbe8d13bac60
SHA1

857858d855bcb5e82c280c6ca4ab4f261ff9961b
SHA256

07731dac15ead8f017a4e7ab790214cefd6c51a22c9f73c0ffb7fe8448f09a74
SHA512

9346a13e305f26e20d91e3235c0c0aa0b4e4adbf288f4a667b40bb7bcfa998f089f0a596fcaa1fd540d90efa0a8b9b324f29590afa95226e2e85ec1786456505
SSDEEP

98304:O06FOznLo0+Dd6uxcG+LsRib4vVcMDBP5J2dCrzkuI7f:O3F6n80W6uGGqsU0V9BP5JWduI7f

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	NEAS.0517d799d3307ec47ed7dbe8d13bac60_JC.exe

Executes dropped EXE 2 IoCs

pid	Process
1628	irsetup.exe
4448	checx.exe

Loads dropped DLL 1 IoCs

pid	Process
1628	irsetup.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000023099-5.dat	upx
behavioral2/files/0x0006000000023099-10.dat	upx
behavioral2/files/0x0006000000023099-11.dat	upx
behavioral2/memory/1628-12-0x0000000000400000-0x00000000007CB000-memory.dmp	upx
behavioral2/files/0x00060000000230b1-49.dat	upx
behavioral2/files/0x00060000000230b3-52.dat	upx
behavioral2/memory/1628-65-0x0000000000400000-0x00000000007CB000-memory.dmp	upx
behavioral2/files/0x00060000000230b3-75.dat	upx
behavioral2/files/0x00060000000230b3-74.dat	upx
behavioral2/memory/4036-76-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral2/memory/1628-117-0x0000000000400000-0x00000000007CB000-memory.dmp	upx
behavioral2/memory/4036-119-0x0000000000400000-0x000000000053F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1628	irsetup.exe
1628	irsetup.exe
1628	irsetup.exe
1628	irsetup.exe
1628	irsetup.exe
1628	irsetup.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1628	irsetup.exe
1628	irsetup.exe
1628	irsetup.exe
4448	checx.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 428 wrote to memory of 1628	428	NEAS.0517d799d3307ec47ed7dbe8d13bac60_JC.exe	92
PID 428 wrote to memory of 1628	428	NEAS.0517d799d3307ec47ed7dbe8d13bac60_JC.exe	92
PID 428 wrote to memory of 1628	428	NEAS.0517d799d3307ec47ed7dbe8d13bac60_JC.exe	92
PID 1628 wrote to memory of 4448	1628	irsetup.exe	99
PID 1628 wrote to memory of 4448	1628	irsetup.exe	99
PID 1628 wrote to memory of 4448	1628	irsetup.exe	99

C:\Users\Admin\AppData\Local\Temp\NEAS.0517d799d3307ec47ed7dbe8d13bac60_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.0517d799d3307ec47ed7dbe8d13bac60_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:428
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1742194 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\NEAS.0517d799d3307ec47ed7dbe8d13bac60_JC.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-1574508946-349927670-1185736483-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Users\Public\Pictures\checx.exe
    "C:\Users\Public\Pictures\checx.exe" x -o+ -pqwert0 C:\Users\Public\Pictures\Packagx.rar update.exe update.dat edge.jpg edge1.jpg edge.xml C:\Users\Public\Pictures\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4448
- - C:\programdata\FXiUDATKkT\zGqwtHhI.exe
    "C:\programdata\FXiUDATKkT\zGqwtHhI.exe"
    3⤵
    PID:4036
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo.>c:\xxxx.ini
      4⤵
      PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\FXiUDATKkT\edge.jpg

Filesize
358KB

MD5
21764c4dd174d98d2ff60da6e2c1d4fd

SHA1
fb49dab7b86743bbd1af853dd06d7a9643af292a

SHA256
cf72f7fc5384da3d0711aa39e742f5551c031eae6a36625a5582f56c799d132a

SHA512
92ffeb51bca30fe968dffe1a9465307811322c8739b1d4a01d04b17f539a0b5923a9481c0f9d5070544788f01ce5b0af510650c380c828a1d0664efc7664f05a

Download Submit
C:\ProgramData\FXiUDATKkT\edge.xml

Filesize
53KB

MD5
6a5dcb87c37319ff8ca99f3168878ea9

SHA1
89222169ced445fe32735e15939d17f89ba7923c

SHA256
b4a3fdee51e923d74294e50cbe5ef1897fbbda29bd44b42b72333eed97829a7c

SHA512
4f344799abcdd557df36b959106ab0abad5178c378800d28b8a14151a3daa5a4548744390ad2b095d0b05bc18054a8fb8baf365135f79926fe59bb6b04093895

Download Submit
C:\ProgramData\FXiUDATKkT\edge.xml

Filesize
53KB

MD5
6a5dcb87c37319ff8ca99f3168878ea9

SHA1
89222169ced445fe32735e15939d17f89ba7923c

SHA256
b4a3fdee51e923d74294e50cbe5ef1897fbbda29bd44b42b72333eed97829a7c

SHA512
4f344799abcdd557df36b959106ab0abad5178c378800d28b8a14151a3daa5a4548744390ad2b095d0b05bc18054a8fb8baf365135f79926fe59bb6b04093895

Download Submit
C:\ProgramData\FXiUDATKkT\zGqwtHhI.dat

Filesize
132KB

MD5
88f6188815c073f14a2cca1450ad360b

SHA1
840476613bec7c2fc58182d76bf8868aa6c887cc

SHA256
82984ea9a815ca80c0c70ce71807765351d9050a467ac56cbb75a0311f6792dd

SHA512
076ef04859caa07af050ac2b62c7499095daaa1835bfd6af2f8486b44228ac0e974302febffb736d597534d41122117a24a88c945bc8dd589acf34958879f47d

Download Submit
C:\ProgramData\FXiUDATKkT\zGqwtHhI.exe

Filesize
475KB

MD5
1b9d1c5bddaff4dd75a470fa12e35e66

SHA1
7078518f4236777d4e83217d53ddb9a82e7435d4

SHA256
09fa13690d4bb135b40e8c5a8abe1d0072955981ddc7d8361d1bc3a23e79255f

SHA512
b8e2f8aa597d860eacaee8c8bbb652ea5cdb0b14a6720b4c97481ec531fbdf2ba83b7f6e1d664447ae1c388c5e768bb972a6b8a9414151e2cc4374aae3ea3194

Download Submit
C:\ProgramData\FXiUDATKkT\zGqwtHhI.exe

Filesize
475KB

MD5
1b9d1c5bddaff4dd75a470fa12e35e66

SHA1
7078518f4236777d4e83217d53ddb9a82e7435d4

SHA256
09fa13690d4bb135b40e8c5a8abe1d0072955981ddc7d8361d1bc3a23e79255f

SHA512
b8e2f8aa597d860eacaee8c8bbb652ea5cdb0b14a6720b4c97481ec531fbdf2ba83b7f6e1d664447ae1c388c5e768bb972a6b8a9414151e2cc4374aae3ea3194

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
dec931e86140139380ea0df57cd132b6

SHA1
b717fd548382064189c16cb94dda28b1967a5712

SHA256
5ffd4b20dccfb84c8890abdb780184a7651e760aefba4ab0c6fba5b2a81f97d9

SHA512
14d594e88c4a1f0ec8bc1b4fe2d66e26358f907b1106c047ada35d500ca9e608f1ce5a57599453cf10f11f4d9f1948ced9056ce8bd944b16eca7e9b83e8b27af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
dec931e86140139380ea0df57cd132b6

SHA1
b717fd548382064189c16cb94dda28b1967a5712

SHA256
5ffd4b20dccfb84c8890abdb780184a7651e760aefba4ab0c6fba5b2a81f97d9

SHA512
14d594e88c4a1f0ec8bc1b4fe2d66e26358f907b1106c047ada35d500ca9e608f1ce5a57599453cf10f11f4d9f1948ced9056ce8bd944b16eca7e9b83e8b27af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
dec931e86140139380ea0df57cd132b6

SHA1
b717fd548382064189c16cb94dda28b1967a5712

SHA256
5ffd4b20dccfb84c8890abdb780184a7651e760aefba4ab0c6fba5b2a81f97d9

SHA512
14d594e88c4a1f0ec8bc1b4fe2d66e26358f907b1106c047ada35d500ca9e608f1ce5a57599453cf10f11f4d9f1948ced9056ce8bd944b16eca7e9b83e8b27af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
318KB

MD5
b5fc476c1bf08d5161346cc7dd4cb0ba

SHA1
280fac9cf711d93c95f6b80ac97d89cf5853c096

SHA256
12cb9b8f59c00ef40ea8f28bfc59a29f12dc28332bf44b1a5d8d6a8823365650

SHA512
17fa97f399287b941e958d2d42fe6adb62700b01d9dbe0c824604e8e06d903b330f9d7d8ffb109bfb7f6742f46e7e9cedad6981f0d94d629b8402d0a0174f697

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
318KB

MD5
b5fc476c1bf08d5161346cc7dd4cb0ba

SHA1
280fac9cf711d93c95f6b80ac97d89cf5853c096

SHA256
12cb9b8f59c00ef40ea8f28bfc59a29f12dc28332bf44b1a5d8d6a8823365650

SHA512
17fa97f399287b941e958d2d42fe6adb62700b01d9dbe0c824604e8e06d903b330f9d7d8ffb109bfb7f6742f46e7e9cedad6981f0d94d629b8402d0a0174f697

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG3.JPG

Filesize
6KB

MD5
e39405e85e09f64ccde0f59392317dd3

SHA1
9c76db4b3d8c7972e7995ecfb1e3c47ee94fd14b

SHA256
cfd9677e1c0e10b1507f520c4ecd40f68db78154c0d4e6563403d540f3bf829f

SHA512
6733f330145b48d23c023c664090f4f240e9bbeb8368b486c8ee8682ec6a930b73275e24075648d1aa7e01db1ec7b7e259286917a006ba9af8fb7cba3439070a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG4.JPG

Filesize
36KB

MD5
f6bf82a293b69aa5b47d4e2de305d45a

SHA1
4948716616d4bbe68be2b4c5bf95350402d3f96f

SHA256
6a9368cdd7b3ff9b590e206c3536569bc45c338966d0059784959f73fe6281e0

SHA512
edf0f3ee60a620cf886184c1014f38d0505aac9e3703d61d7074cfb27d6922f80e570d1a3891593606a09f1296a88c8770445761c11c390a99a5341ee56478aa

Download Submit
C:\Users\Public\Pictures\Packagx.rar

Filesize
1.2MB

MD5
8c3f513165e0996d5983a82591d798b2

SHA1
34c597c103cb5c8e2ef6e5041b4ec8e156f0b704

SHA256
78dbeb528146fdb6fc6fcdc48cb3fa5efd37c023022e20615ede57c6e4d343ca

SHA512
d667a993799fbef95999af1ef5a48f536603d4d44eef19c8af3fcd91e372505b83f52e585f3131f1dd356788465788e750f6053882b6b3c2225f61ff500fea3a

Download Submit
C:\Users\Public\Pictures\checx.exe

Filesize
400KB

MD5
54b3233604c2ac3ef0baca691b656222

SHA1
48ee22f3d0ad5e7b7fdb284d7a8aec4d6cc0ac06

SHA256
ba440e9db5ccef8acf13b745e93819793d4b6e045df727bc9b9d74c79cf4e762

SHA512
1c5399e1d3a9dbdc3d70f8ae72ca5733cbf95cdf90678c9574cc5b4ad5645faa38101ef318ba02b08b1abc9016a1495e458c980bf5218c20b236a709ad772852

Download Submit
C:\Users\Public\Pictures\checx.exe

Filesize
400KB

MD5
54b3233604c2ac3ef0baca691b656222

SHA1
48ee22f3d0ad5e7b7fdb284d7a8aec4d6cc0ac06

SHA256
ba440e9db5ccef8acf13b745e93819793d4b6e045df727bc9b9d74c79cf4e762

SHA512
1c5399e1d3a9dbdc3d70f8ae72ca5733cbf95cdf90678c9574cc5b4ad5645faa38101ef318ba02b08b1abc9016a1495e458c980bf5218c20b236a709ad772852

Download Submit
C:\Users\Public\Pictures\checx.exe

Filesize
400KB

MD5
54b3233604c2ac3ef0baca691b656222

SHA1
48ee22f3d0ad5e7b7fdb284d7a8aec4d6cc0ac06

SHA256
ba440e9db5ccef8acf13b745e93819793d4b6e045df727bc9b9d74c79cf4e762

SHA512
1c5399e1d3a9dbdc3d70f8ae72ca5733cbf95cdf90678c9574cc5b4ad5645faa38101ef318ba02b08b1abc9016a1495e458c980bf5218c20b236a709ad772852

Download Submit
C:\Users\Public\Pictures\edge.jpg

Filesize
358KB

MD5
21764c4dd174d98d2ff60da6e2c1d4fd

SHA1
fb49dab7b86743bbd1af853dd06d7a9643af292a

SHA256
cf72f7fc5384da3d0711aa39e742f5551c031eae6a36625a5582f56c799d132a

SHA512
92ffeb51bca30fe968dffe1a9465307811322c8739b1d4a01d04b17f539a0b5923a9481c0f9d5070544788f01ce5b0af510650c380c828a1d0664efc7664f05a

Download Submit
C:\Users\Public\Pictures\edge.xml

Filesize
53KB

MD5
6a5dcb87c37319ff8ca99f3168878ea9

SHA1
89222169ced445fe32735e15939d17f89ba7923c

SHA256
b4a3fdee51e923d74294e50cbe5ef1897fbbda29bd44b42b72333eed97829a7c

SHA512
4f344799abcdd557df36b959106ab0abad5178c378800d28b8a14151a3daa5a4548744390ad2b095d0b05bc18054a8fb8baf365135f79926fe59bb6b04093895

Download Submit
C:\Users\Public\Pictures\update.dat

Filesize
132KB

MD5
88f6188815c073f14a2cca1450ad360b

SHA1
840476613bec7c2fc58182d76bf8868aa6c887cc

SHA256
82984ea9a815ca80c0c70ce71807765351d9050a467ac56cbb75a0311f6792dd

SHA512
076ef04859caa07af050ac2b62c7499095daaa1835bfd6af2f8486b44228ac0e974302febffb736d597534d41122117a24a88c945bc8dd589acf34958879f47d

Download Submit
C:\Users\Public\Pictures\update.exe

Filesize
475KB

MD5
1b9d1c5bddaff4dd75a470fa12e35e66

SHA1
7078518f4236777d4e83217d53ddb9a82e7435d4

SHA256
09fa13690d4bb135b40e8c5a8abe1d0072955981ddc7d8361d1bc3a23e79255f

SHA512
b8e2f8aa597d860eacaee8c8bbb652ea5cdb0b14a6720b4c97481ec531fbdf2ba83b7f6e1d664447ae1c388c5e768bb972a6b8a9414151e2cc4374aae3ea3194

Download Submit
C:\programdata\FXiUDATKkT\Edge.jpg

Filesize
358KB

MD5
21764c4dd174d98d2ff60da6e2c1d4fd

SHA1
fb49dab7b86743bbd1af853dd06d7a9643af292a

SHA256
cf72f7fc5384da3d0711aa39e742f5551c031eae6a36625a5582f56c799d132a

SHA512
92ffeb51bca30fe968dffe1a9465307811322c8739b1d4a01d04b17f539a0b5923a9481c0f9d5070544788f01ce5b0af510650c380c828a1d0664efc7664f05a

Download Submit
C:\programdata\FXiUDATKkT\zGqwtHhI.dat

Filesize
132KB

MD5
88f6188815c073f14a2cca1450ad360b

SHA1
840476613bec7c2fc58182d76bf8868aa6c887cc

SHA256
82984ea9a815ca80c0c70ce71807765351d9050a467ac56cbb75a0311f6792dd

SHA512
076ef04859caa07af050ac2b62c7499095daaa1835bfd6af2f8486b44228ac0e974302febffb736d597534d41122117a24a88c945bc8dd589acf34958879f47d

Download Submit
C:\programdata\FXiUDATKkT\zGqwtHhI.exe

Filesize
475KB

MD5
1b9d1c5bddaff4dd75a470fa12e35e66

SHA1
7078518f4236777d4e83217d53ddb9a82e7435d4

SHA256
09fa13690d4bb135b40e8c5a8abe1d0072955981ddc7d8361d1bc3a23e79255f

SHA512
b8e2f8aa597d860eacaee8c8bbb652ea5cdb0b14a6720b4c97481ec531fbdf2ba83b7f6e1d664447ae1c388c5e768bb972a6b8a9414151e2cc4374aae3ea3194

Download Submit
memory/1628-12-0x0000000000400000-0x00000000007CB000-memory.dmp

Filesize
3.8MB

Download
memory/1628-65-0x0000000000400000-0x00000000007CB000-memory.dmp

Filesize
3.8MB

Download
memory/1628-117-0x0000000000400000-0x00000000007CB000-memory.dmp

Filesize
3.8MB

Download
memory/4036-76-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/4036-103-0x0000000010000000-0x0000000010061000-memory.dmp

Filesize
388KB

Download
memory/4036-101-0x0000000003750000-0x0000000003762000-memory.dmp

Filesize
72KB

Download
memory/4036-98-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/4036-119-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download