32ce5ddd8dab4a3b7b3b78acb043765c9f41df24fd9a61ae9801a78cbab6573b

Analysis

max time kernel
140s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2023 20:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.bf270079ece0c9e4d1dc837af17d0710.exe
Size

30KB
MD5

bf270079ece0c9e4d1dc837af17d0710
SHA1

8bb8782727d3a79026e2c08bbe99998271cca759
SHA256

32ce5ddd8dab4a3b7b3b78acb043765c9f41df24fd9a61ae9801a78cbab6573b
SHA512

5bc87f1f2fe73546edcec77546729f8a47974f1af1ffe0484497abe7b3bb8c84aa5343730975c2836d173900927190a7189cc2c124e344c4f36d9bb8c9a4f365
SSDEEP

384:7VG/EvX8tHEnD+rPkChwWtUIyipVyyCx2D1QjF+wpQjqPe:7I4DD+LzrnVKoQ7pVe

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	NEAS.bf270079ece0c9e4d1dc837af17d0710.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	fahik.exe

Executes dropped EXE 1 IoCs

pid	Process
2412	fahik.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 2412	1924	NEAS.bf270079ece0c9e4d1dc837af17d0710.exe	84
PID 1924 wrote to memory of 2412	1924	NEAS.bf270079ece0c9e4d1dc837af17d0710.exe	84
PID 1924 wrote to memory of 2412	1924	NEAS.bf270079ece0c9e4d1dc837af17d0710.exe	84

C:\Users\Admin\AppData\Local\Temp\NEAS.bf270079ece0c9e4d1dc837af17d0710.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.bf270079ece0c9e4d1dc837af17d0710.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Users\Admin\AppData\Local\Temp\fahik.exe
  "C:\Users\Admin\AppData\Local\Temp\fahik.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fahik.exe

Filesize
30KB

MD5
17b84cc72284dc471ccfa29828f1cb97

SHA1
572fefb4a15a9e297ca3d1049dad238aa3460841

SHA256
d550f1bc32477edb3322cb9da8bb2239227e6f3b1f1ec4e855484d416f079382

SHA512
88364fe752bf1c4e41f05875a22ecc1040780ae6238840814ac9b14ca02ce3db57013c4cfabc4248caae87bff8ec672533ed189156c23c4f49104816eef9c8f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\fahik.exe

Filesize
30KB

MD5
17b84cc72284dc471ccfa29828f1cb97

SHA1
572fefb4a15a9e297ca3d1049dad238aa3460841

SHA256
d550f1bc32477edb3322cb9da8bb2239227e6f3b1f1ec4e855484d416f079382

SHA512
88364fe752bf1c4e41f05875a22ecc1040780ae6238840814ac9b14ca02ce3db57013c4cfabc4248caae87bff8ec672533ed189156c23c4f49104816eef9c8f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\fahik.exe

Filesize
30KB

MD5
17b84cc72284dc471ccfa29828f1cb97

SHA1
572fefb4a15a9e297ca3d1049dad238aa3460841

SHA256
d550f1bc32477edb3322cb9da8bb2239227e6f3b1f1ec4e855484d416f079382

SHA512
88364fe752bf1c4e41f05875a22ecc1040780ae6238840814ac9b14ca02ce3db57013c4cfabc4248caae87bff8ec672533ed189156c23c4f49104816eef9c8f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp23.exe

Filesize
70KB

MD5
cce3b59376b854017dd661a5a320d1d0

SHA1
784296ef21ec1398998feb9bc08b8ebb9893a679

SHA256
4e5ca646ed888316f32c7b7121a0ae8da881549458c59366a5e2f68735973559

SHA512
614059db40b6ac857a1599126a7f5b0ff35a3d41f701ca725876f70c43900b65cae7a37654ce3f8ced5f44a796b4f40c17e7bf8015daeff2cb2638032e2c8990

Download Submit
memory/1924-0-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2412-9-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download