Analysis

max time kernel: 171s
max time network: 179s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/10/2023, 20:02

Behavioral task: behavioral1
Sample: NEAS.2128d65eea52936c695b39b8b54303d0.exe
Resource: win7-20230831-en
General

Target: NEAS.2128d65eea52936c695b39b8b54303d0.exe
Size: 484KB
MD5: 2128d65eea52936c695b39b8b54303d0
SHA1: f2afc7542687cd63fef814f699ca1dfe356c9389
SHA256: aae96674a0b19705dc25eef5837517d6e4eb43d0785b5d6d234d0fb001f1a587
SHA512: 5071ec98ad8a24c78829e67c3eedeb38ccfcc317d2141443af616525050391622e437ea0ba683d1a34ffa33a263d1a01f19119d77e762ad21b3bbce46b6380cf
SSDEEP: 6144:KxBWeMRygxDLbHxlSBxzJb1REBB6q1gBFJV6AvRqsf6YU+FM+3Yn/fCXjQGDq+t5:63MQIDKJPTq+Xxvo0U+d3s/fCX0a5
Malware Config

Extracted: urelas
- 121.88.5.183
- 218.54.30.235
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.

description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation | NEAS.2128d65eea52936c695b39b8b54303d0.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation | fodya.exe

Executes dropped EXE (2 IoCs)

pid | Process
552 | fodya.exe
4288 | dimif.exe

resource | yara_rule
behavioral2/memory/2988-0-0x0000000000940000-0x00000000009E7000-memory.dmp | upx
behavioral2/files/0x000200000002281c-6.dat | upx
behavioral2/memory/552-12-0x0000000000DA0000-0x0000000000E47000-memory.dmp | upx
behavioral2/files/0x000200000002281c-10.dat | upx
behavioral2/files/0x000200000002281c-9.dat | upx
behavioral2/memory/2988-14-0x0000000000940000-0x00000000009E7000-memory.dmp | upx
behavioral2/memory/552-17-0x0000000000DA0000-0x0000000000E47000-memory.dmp | upx
behavioral2/files/0x001000000002325f-22.dat | upx
behavioral2/memory/4288-26-0x0000000000A10000-0x0000000000ACA000-memory.dmp | upx
behavioral2/files/0x001000000002325f-25.dat | upx
behavioral2/memory/552-27-0x0000000000DA0000-0x0000000000E47000-memory.dmp | upx
behavioral2/files/0x001000000002325f-24.dat | upx
behavioral2/memory/4288-28-0x0000000000A10000-0x0000000000ACA000-memory.dmp | upx
behavioral2/memory/4288-29-0x0000000000A10000-0x0000000000ACA000-memory.dmp | upx
behavioral2/memory/4288-30-0x0000000000A10000-0x0000000000ACA000-memory.dmp | upx
behavioral2/memory/4288-31-0x0000000000A10000-0x0000000000ACA000-memory.dmp | upx
behavioral2/memory/4288-32-0x0000000000A10000-0x0000000000ACA000-memory.dmp | upx
behavioral2/memory/4288-33-0x0000000000A10000-0x0000000000ACA000-memory.dmp | upx
behavioral2/memory/4288-34-0x0000000000A10000-0x0000000000ACA000-memory.dmp | upx

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)

pid | Process | occurrences
2988 | NEAS.2128d65eea52936c695b39b8b54303d0.exe | 2
552 | fodya.exe | 2
4288 | dimif.exe | 60

Suspicious use of WriteProcessMemory (9 IoCs)

description | pid | Process | procid_target
PID 2988 wrote to memory of 552 | 2988 | NEAS.2128d65eea52936c695b39b8b54303d0.exe | 88
PID 2988 wrote to memory of 552 | 2988 | NEAS.2128d65eea52936c695b39b8b54303d0.exe | 88
PID 2988 wrote to memory of 552 | 2988 | NEAS.2128d65eea52936c695b39b8b54303d0.exe | 88
PID 2988 wrote to memory of 3336 | 2988 | NEAS.2128d65eea52936c695b39b8b54303d0.exe | 90
PID 2988 wrote to memory of 3336 | 2988 | NEAS.2128d65eea52936c695b39b8b54303d0.exe | 90
PID 2988 wrote to memory of 3336 | 2988 | NEAS.2128d65eea52936c695b39b8b54303d0.exe | 90
PID 552 wrote to memory of 4288 | 552 | fodya.exe | 100
PID 552 wrote to memory of 4288 | 552 | fodya.exe | 100
PID 552 wrote to memory of 4288 | 552 | fodya.exe | 100
Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.2128d65eea52936c695b39b8b54303d0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.2128d65eea52936c695b39b8b54303d0.exe"
  PID: 2988
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\fodya.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fodya.exe"
    PID: 552
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\dimif.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\dimif.exe"
      PID: 4288
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
    PID: 3336
Network
MITRE ATT&CK Enterprise v15
Downloads