3e47f1216f43a7d22b5e1b735163b335f86eee12e80ca17f7b4b64989af57601

Analysis

max time kernel
148s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2023, 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.f467ca28784a199dfc60a5aa2fd7c610.exe
Size

39KB
MD5

f467ca28784a199dfc60a5aa2fd7c610
SHA1

683ca11cda36bfa32e135edecd2fbd839a576be8
SHA256

3e47f1216f43a7d22b5e1b735163b335f86eee12e80ca17f7b4b64989af57601
SHA512

1013c1263704d5392fe6842f0c8724e509abde6cecf6c33c6e614e197f2c94a028ae9685c26fdc71e7db8ede8c759d1ec33522abfcc202c1424289dae87cd929
SSDEEP

768:4W1NCSAetFpamkQah9LSGhDYXdvliToO1cdHZIL:zFptJs9hSvlVz7IL

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	NEAS.f467ca28784a199dfc60a5aa2fd7c610.exe

Executes dropped EXE 1 IoCs

pid	Process
2224	hromi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 488 wrote to memory of 2224	488	NEAS.f467ca28784a199dfc60a5aa2fd7c610.exe	84
PID 488 wrote to memory of 2224	488	NEAS.f467ca28784a199dfc60a5aa2fd7c610.exe	84
PID 488 wrote to memory of 2224	488	NEAS.f467ca28784a199dfc60a5aa2fd7c610.exe	84

C:\Users\Admin\AppData\Local\Temp\NEAS.f467ca28784a199dfc60a5aa2fd7c610.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.f467ca28784a199dfc60a5aa2fd7c610.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:488
- C:\Users\Admin\AppData\Local\Temp\hromi.exe
  "C:\Users\Admin\AppData\Local\Temp\hromi.exe"
  2⤵
  - Executes dropped EXE
  PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hromi.exe

Filesize
39KB

MD5
0741d37b16d9fdbc1116ebd737b99fd9

SHA1
09db674ae5a3d475dcebb6010063fe870e4bba18

SHA256
1c792f33c9d8b45a42eca6afd50cff492e72c9f451194ea299c716bd9ed9919a

SHA512
9d056bba68cf013d99c90d1279bce6055d598ea2002e6a9bb3a8282a1137d0df6eebf821bb8f1473cead7c707207bfe4079ca2178547f5a1167c102dc18385af

Download Submit
C:\Users\Admin\AppData\Local\Temp\hromi.exe

Filesize
39KB

MD5
0741d37b16d9fdbc1116ebd737b99fd9

SHA1
09db674ae5a3d475dcebb6010063fe870e4bba18

SHA256
1c792f33c9d8b45a42eca6afd50cff492e72c9f451194ea299c716bd9ed9919a

SHA512
9d056bba68cf013d99c90d1279bce6055d598ea2002e6a9bb3a8282a1137d0df6eebf821bb8f1473cead7c707207bfe4079ca2178547f5a1167c102dc18385af

Download Submit
C:\Users\Admin\AppData\Local\Temp\hromi.exe

Filesize
39KB

MD5
0741d37b16d9fdbc1116ebd737b99fd9

SHA1
09db674ae5a3d475dcebb6010063fe870e4bba18

SHA256
1c792f33c9d8b45a42eca6afd50cff492e72c9f451194ea299c716bd9ed9919a

SHA512
9d056bba68cf013d99c90d1279bce6055d598ea2002e6a9bb3a8282a1137d0df6eebf821bb8f1473cead7c707207bfe4079ca2178547f5a1167c102dc18385af

Download Submit