0239576a5442f3ef88c8c6d962df0ae5d2e5d04d8a2bd74aaf420c1072dd5619

Analysis

max time kernel
167s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2023 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.45e261592af630d896b8e50a90154890.exe
Size

204KB
MD5

45e261592af630d896b8e50a90154890
SHA1

87e285f26e70e4c205a9df54873e6b2ebf543bd0
SHA256

0239576a5442f3ef88c8c6d962df0ae5d2e5d04d8a2bd74aaf420c1072dd5619
SHA512

0b1d8518fe9439ed561dca6fc2871902f5d02df36230e62dede3c7a87ce9b1a5677fb821a1bb6a1e05e1cc1687d40c0415e22d4fec4ea692179ace65f1511107
SSDEEP

3072:WmnW8pxS0tQ9nLHbB9W0c1TqECzR/mkSYGrl9ymgYUWLn:xWixS4QxL7B9W0c1RCzR/fSmlK

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	NEAS.45e261592af630d896b8e50a90154890.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hzmub.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	NEAS.45e261592af630d896b8e50a90154890.exe

Executes dropped EXE 1 IoCs

pid	Process
3732	hzmub.exe

Adds Run key to start application 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hzmub = "C:\\Users\\Admin\\hzmub.exe /v"	hzmub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hzmub = "C:\\Users\\Admin\\hzmub.exe /u"	hzmub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hzmub = "C:\\Users\\Admin\\hzmub.exe /h"	hzmub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hzmub = "C:\\Users\\Admin\\hzmub.exe /l"	hzmub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hzmub = "C:\\Users\\Admin\\hzmub.exe /i"	hzmub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hzmub = "C:\\Users\\Admin\\hzmub.exe /n"	hzmub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hzmub = "C:\\Users\\Admin\\hzmub.exe /b"	hzmub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hzmub = "C:\\Users\\Admin\\hzmub.exe /w"	hzmub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hzmub = "C:\\Users\\Admin\\hzmub.exe /q"	hzmub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hzmub = "C:\\Users\\Admin\\hzmub.exe /s"	hzmub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hzmub = "C:\\Users\\Admin\\hzmub.exe /e"	hzmub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hzmub = "C:\\Users\\Admin\\hzmub.exe /o"	hzmub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hzmub = "C:\\Users\\Admin\\hzmub.exe /p"	hzmub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hzmub = "C:\\Users\\Admin\\hzmub.exe /z"	hzmub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hzmub = "C:\\Users\\Admin\\hzmub.exe /j"	hzmub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hzmub = "C:\\Users\\Admin\\hzmub.exe /x"	hzmub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hzmub = "C:\\Users\\Admin\\hzmub.exe /g"	hzmub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hzmub = "C:\\Users\\Admin\\hzmub.exe /c"	hzmub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hzmub = "C:\\Users\\Admin\\hzmub.exe /a"	hzmub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hzmub = "C:\\Users\\Admin\\hzmub.exe /m"	hzmub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hzmub = "C:\\Users\\Admin\\hzmub.exe /f"	hzmub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hzmub = "C:\\Users\\Admin\\hzmub.exe /y"	hzmub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hzmub = "C:\\Users\\Admin\\hzmub.exe /t"	hzmub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hzmub = "C:\\Users\\Admin\\hzmub.exe /k"	hzmub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hzmub = "C:\\Users\\Admin\\hzmub.exe /d"	hzmub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hzmub = "C:\\Users\\Admin\\hzmub.exe /r"	hzmub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hzmub = "C:\\Users\\Admin\\hzmub.exe /t"	NEAS.45e261592af630d896b8e50a90154890.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4120	NEAS.45e261592af630d896b8e50a90154890.exe
4120	NEAS.45e261592af630d896b8e50a90154890.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe
3732	hzmub.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4120	NEAS.45e261592af630d896b8e50a90154890.exe
3732	hzmub.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4120 wrote to memory of 3732	4120	NEAS.45e261592af630d896b8e50a90154890.exe	91
PID 4120 wrote to memory of 3732	4120	NEAS.45e261592af630d896b8e50a90154890.exe	91
PID 4120 wrote to memory of 3732	4120	NEAS.45e261592af630d896b8e50a90154890.exe	91

C:\Users\Admin\AppData\Local\Temp\NEAS.45e261592af630d896b8e50a90154890.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.45e261592af630d896b8e50a90154890.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4120
- C:\Users\Admin\hzmub.exe
  "C:\Users\Admin\hzmub.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\hzmub.exe

Filesize
204KB

MD5
c92a71d8b3b10f8991798f1598331ce3

SHA1
ccc028cac977a256349ef219c5989541c9a5a013

SHA256
9833687e7db517bf2fb91ee788f90a2ba6dc0f6079b2f456c16b3dcc7b890a5e

SHA512
36050b7e3afd5f5fdc9e05f9236b9b1f1598a14b4dfb655ec305dcca0e655710b79aff9250adcda4f38887f24ec120eee9bca7f9afd22e325529cad0e258f614

Download Submit
C:\Users\Admin\hzmub.exe

Filesize
204KB

MD5
c92a71d8b3b10f8991798f1598331ce3

SHA1
ccc028cac977a256349ef219c5989541c9a5a013

SHA256
9833687e7db517bf2fb91ee788f90a2ba6dc0f6079b2f456c16b3dcc7b890a5e

SHA512
36050b7e3afd5f5fdc9e05f9236b9b1f1598a14b4dfb655ec305dcca0e655710b79aff9250adcda4f38887f24ec120eee9bca7f9afd22e325529cad0e258f614

Download Submit
C:\Users\Admin\hzmub.exe

Filesize
204KB

MD5
c92a71d8b3b10f8991798f1598331ce3

SHA1
ccc028cac977a256349ef219c5989541c9a5a013

SHA256
9833687e7db517bf2fb91ee788f90a2ba6dc0f6079b2f456c16b3dcc7b890a5e

SHA512
36050b7e3afd5f5fdc9e05f9236b9b1f1598a14b4dfb655ec305dcca0e655710b79aff9250adcda4f38887f24ec120eee9bca7f9afd22e325529cad0e258f614

Download Submit