987f97122e3e1844f511b70bb2d45449375906db602ca57c6fff61d309923c76

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 20:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.5ba8a8d167b61a69da1bca08f795ad90.exe
Size

208KB
MD5

5ba8a8d167b61a69da1bca08f795ad90
SHA1

ef66a7fdc536429bbe162fd0f9f1097a73dce66e
SHA256

987f97122e3e1844f511b70bb2d45449375906db602ca57c6fff61d309923c76
SHA512

1633e40dc113a3d647087d3c1062d3e953bdb2d749c9b832ac772062ae882601d307ee0d1ec4313fac582609cfa0ce85265d1c596c45e37d1438d91fcc01d591
SSDEEP

3072:Hbq7xOtJt2u7iiRRYtNVvC54k7121JhO+dbVuxqu3Zzvr0i5J2uQ2NY5EO4M4NLe:5BB7QJvbVuxh3ZvrX5JdMQEj1

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	NEAS.5ba8a8d167b61a69da1bca08f795ad90.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	VGDKJID.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	LOY.exe

Executes dropped EXE 3 IoCs

pid	Process
3080	VGDKJID.exe
3736	LOY.exe
4080	HRH.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\windows\system\VGDKJID.exe	NEAS.5ba8a8d167b61a69da1bca08f795ad90.exe
File opened for modification	C:\windows\system\VGDKJID.exe	NEAS.5ba8a8d167b61a69da1bca08f795ad90.exe
File created	C:\windows\system\VGDKJID.exe.bat	NEAS.5ba8a8d167b61a69da1bca08f795ad90.exe
File created	C:\windows\LOY.exe	VGDKJID.exe
File opened for modification	C:\windows\LOY.exe	VGDKJID.exe
File created	C:\windows\LOY.exe.bat	VGDKJID.exe
File created	C:\windows\HRH.exe.bat	LOY.exe
File created	C:\windows\HRH.exe	LOY.exe
File opened for modification	C:\windows\HRH.exe	LOY.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2332	2224	WerFault.exe	84
1992	3080	WerFault.exe	90
4444	3736	WerFault.exe	97
2524	4080	WerFault.exe	102

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2224	NEAS.5ba8a8d167b61a69da1bca08f795ad90.exe
2224	NEAS.5ba8a8d167b61a69da1bca08f795ad90.exe
3080	VGDKJID.exe
3080	VGDKJID.exe
3736	LOY.exe
3736	LOY.exe
4080	HRH.exe
4080	HRH.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2224	NEAS.5ba8a8d167b61a69da1bca08f795ad90.exe
2224	NEAS.5ba8a8d167b61a69da1bca08f795ad90.exe
3080	VGDKJID.exe
3080	VGDKJID.exe
3736	LOY.exe
3736	LOY.exe
4080	HRH.exe
4080	HRH.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 3056	2224	NEAS.5ba8a8d167b61a69da1bca08f795ad90.exe	86
PID 2224 wrote to memory of 3056	2224	NEAS.5ba8a8d167b61a69da1bca08f795ad90.exe	86
PID 2224 wrote to memory of 3056	2224	NEAS.5ba8a8d167b61a69da1bca08f795ad90.exe	86
PID 3056 wrote to memory of 3080	3056	cmd.exe	90
PID 3056 wrote to memory of 3080	3056	cmd.exe	90
PID 3056 wrote to memory of 3080	3056	cmd.exe	90
PID 3080 wrote to memory of 4772	3080	VGDKJID.exe	93
PID 3080 wrote to memory of 4772	3080	VGDKJID.exe	93
PID 3080 wrote to memory of 4772	3080	VGDKJID.exe	93
PID 4772 wrote to memory of 3736	4772	cmd.exe	97
PID 4772 wrote to memory of 3736	4772	cmd.exe	97
PID 4772 wrote to memory of 3736	4772	cmd.exe	97
PID 3736 wrote to memory of 4728	3736	LOY.exe	98
PID 3736 wrote to memory of 4728	3736	LOY.exe	98
PID 3736 wrote to memory of 4728	3736	LOY.exe	98
PID 4728 wrote to memory of 4080	4728	cmd.exe	102
PID 4728 wrote to memory of 4080	4728	cmd.exe	102
PID 4728 wrote to memory of 4080	4728	cmd.exe	102

C:\Users\Admin\AppData\Local\Temp\NEAS.5ba8a8d167b61a69da1bca08f795ad90.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.5ba8a8d167b61a69da1bca08f795ad90.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\system\VGDKJID.exe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\windows\system\VGDKJID.exe
    C:\windows\system\VGDKJID.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3080
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\LOY.exe.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4772
    - - C:\windows\LOY.exe
        
        C:\windows\LOY.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3736
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\HRH.exe.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\windows\HRH.exe
        
        C:\windows\HRH.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 852
        8⤵
        Program crash
        
        PID:2524
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 1008
        6⤵
        Program crash
        
        PID:4444
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 1236
      4⤵
      Program crash
      PID:1992
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 1320
  2⤵
  - Program crash
  PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2224 -ip 2224
1⤵
PID:4812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3080 -ip 3080
1⤵
PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3736 -ip 3736
1⤵
PID:2704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4080 -ip 4080
1⤵
PID:1760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\HRH.exe

Filesize
208KB

MD5
ffde3237eb99f0fc1e1630ac7e8da650

SHA1
b79bfa812a82db3ba5a21db5bb6afab257bc4f15

SHA256
9bec512791b3611c266d07407ad3cf69c820a8cd29d5768a95e91c263a36c870

SHA512
7c0f560185783e8afb4a3c67bcbe1f4eb99f0e9915af32b4212f7e8d2bad6d361f843c58040d987fc3786400e307d948c52fe7cea47b36d3a5dc6f84f3bfebd3

Download Submit
C:\Windows\LOY.exe

Filesize
208KB

MD5
ad87fe086c6f809d284a77cd248ce786

SHA1
fc0f4d79a9261942799cb18bc78f80da074735b3

SHA256
11ca6ebb5422e109ca17caa8e1d94e1219134509fc2459f5ae72ba5adf63ca47

SHA512
5ce6580daa101c1e9badd2f3071cc06204f4a7fa59a621748990dadca9301e4b558b73fa904197e24276784c45559cb33fe87920f32cf3e7a87bc31fe92ad30f

Download Submit
C:\Windows\LOY.exe

Filesize
208KB

MD5
9383e9a8c8fc4fd7b5da114547b2de97

SHA1
1060ff7e700c700e3abc23ba8e3b0e30f7893bc4

SHA256
74df22db55ae47c20829dd0427bcb4a8e4e202182b462746a92f8a36cdf2d259

SHA512
d59fd7aac5121f5043484abf2e3bf0dda83391409241f640414e9fbbbd05b58a27d04acd535188e979dd2d04c850d6b95fced34896957b43564a9949d4ea18ab

Download Submit
C:\Windows\System\VGDKJID.exe

Filesize
208KB

MD5
407e2b3a70d5f6267d3c3057d4c2815a

SHA1
946ac78607643d750df24e5d657f2937c84c159f

SHA256
88f9374ebc76aee2d5d5f7d8ee87946547df507cae2430e39e9584c0c095d529

SHA512
7e677c08195c71bc6b4c080e2882e32be0ad01883c6d1ac4aab2c78f4f08b1381f002efc8321d4fe06b84d5be487895016aaead0478685d10393bfdc2349fa02

Download Submit
C:\windows\HRH.exe

Filesize
208KB

MD5
ffde3237eb99f0fc1e1630ac7e8da650

SHA1
b79bfa812a82db3ba5a21db5bb6afab257bc4f15

SHA256
9bec512791b3611c266d07407ad3cf69c820a8cd29d5768a95e91c263a36c870

SHA512
7c0f560185783e8afb4a3c67bcbe1f4eb99f0e9915af32b4212f7e8d2bad6d361f843c58040d987fc3786400e307d948c52fe7cea47b36d3a5dc6f84f3bfebd3

Download Submit
C:\windows\HRH.exe.bat

Filesize
52B

MD5
3087a05443fc08382c3fb15fed93e886

SHA1
fba8340047ec965a0fc04d86284a7a655363cfa6

SHA256
dfe4c3abd798a76a32327d10ea451cc124c013f478902e67edcac2913c7b0da3

SHA512
3f2f65b44d893b50241ea64ef4eadf8e309a0dd5cecf601c64aa740983929eaa7872b0a547475269dbc48b18d79ea568b4845ba0818a3bcdd992f2d28c7c1b07

Download Submit
C:\windows\LOY.exe

Filesize
208KB

MD5
9383e9a8c8fc4fd7b5da114547b2de97

SHA1
1060ff7e700c700e3abc23ba8e3b0e30f7893bc4

SHA256
74df22db55ae47c20829dd0427bcb4a8e4e202182b462746a92f8a36cdf2d259

SHA512
d59fd7aac5121f5043484abf2e3bf0dda83391409241f640414e9fbbbd05b58a27d04acd535188e979dd2d04c850d6b95fced34896957b43564a9949d4ea18ab

Download Submit
C:\windows\LOY.exe.bat

Filesize
52B

MD5
e2cba02919efbdc902c013e04a27c7b4

SHA1
cdc560eb8c48beeb3c2628b6472469b737fb5c3e

SHA256
a56d992904e8eee6db8f476f5f4e38c6bf274daef4bac7a35ec37844ef5bb248

SHA512
ed056f8776ef0d91702a008465c6e93edd9ce4ae6409da2bbb8a3e3be3ad86cb27a2c0ae8f702ed4a754c16366ead2385b1d4d4c5f7b217ea15a73e19d0a564c

Download Submit
C:\windows\system\VGDKJID.exe

Filesize
208KB

MD5
407e2b3a70d5f6267d3c3057d4c2815a

SHA1
946ac78607643d750df24e5d657f2937c84c159f

SHA256
88f9374ebc76aee2d5d5f7d8ee87946547df507cae2430e39e9584c0c095d529

SHA512
7e677c08195c71bc6b4c080e2882e32be0ad01883c6d1ac4aab2c78f4f08b1381f002efc8321d4fe06b84d5be487895016aaead0478685d10393bfdc2349fa02

Download Submit
C:\windows\system\VGDKJID.exe.bat

Filesize
74B

MD5
4e80bbffe2bfa45105f7b691cfafc601

SHA1
f8faf1522e8877fe03eddcc423f57011766d9b23

SHA256
bb859f0192813b7ef46786eb3db6745bf460ed47fbfcfa08d938dbbd3812365d

SHA512
5f6321b14e91547ac40462a2a23fe9b35114f47ede506b31a9d0327383dbb67c727a375f33605be451f930f198cf14b213df32bdaadd72e4d2915959a961bad5

Download Submit
memory/2224-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2224-35-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3080-10-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3080-34-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3736-22-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3736-36-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4080-33-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4080-37-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download