5450b8963409931838e2c07df32e0737bf1dcb86eb5395dc13ab2a3a9df28643

Analysis

max time kernel
139s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2023, 08:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.ef70ee6bd4ba69fe21245cb49f7be1a0.exe
Size

76KB
MD5

ef70ee6bd4ba69fe21245cb49f7be1a0
SHA1

736da9476065b8a61a6ec46b6590828febeb3359
SHA256

5450b8963409931838e2c07df32e0737bf1dcb86eb5395dc13ab2a3a9df28643
SHA512

bc3718f0ca97ceb44ed33b47a1e062e9408dbc36feceb513001ee4b9447500fea2d82b86311909ee023ec7efed82da852d04d57300991b9f87e3f628f0a955bb
SSDEEP

768:fT2NXnFk5dPsED3VK2+ZtyOjgO4r9vFAg2rqZG+f5:C1SYTjipvF2X+f5

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	NEAS.ef70ee6bd4ba69fe21245cb49f7be1a0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	fcbnaf.exe

Executes dropped EXE 1 IoCs

pid	Process
1172	fcbnaf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 1172	1252	NEAS.ef70ee6bd4ba69fe21245cb49f7be1a0.exe	84
PID 1252 wrote to memory of 1172	1252	NEAS.ef70ee6bd4ba69fe21245cb49f7be1a0.exe	84
PID 1252 wrote to memory of 1172	1252	NEAS.ef70ee6bd4ba69fe21245cb49f7be1a0.exe	84

C:\Users\Admin\AppData\Local\Temp\NEAS.ef70ee6bd4ba69fe21245cb49f7be1a0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.ef70ee6bd4ba69fe21245cb49f7be1a0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Users\Admin\AppData\Local\Temp\fcbnaf.exe
  "C:\Users\Admin\AppData\Local\Temp\fcbnaf.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fcbnaf.exe

Filesize
76KB

MD5
9ce98d2024a01ebe72c177e4dcd11dc7

SHA1
ec7bc06bdcb1562f90b7b7727d810c3fe176bb4c

SHA256
a3447f8569b6a37935cde7b91277eae96106ca86a5aefc52c09deb48af73164f

SHA512
2f05ec260d6f12d6ff10f356c3c19d7ce16cbc4a0aacfe2d9a624d03863691942b725bdd58635b2eacfde008c341174f4a91257fba76a2d223018634f5cc4468

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcbnaf.exe

Filesize
76KB

MD5
9ce98d2024a01ebe72c177e4dcd11dc7

SHA1
ec7bc06bdcb1562f90b7b7727d810c3fe176bb4c

SHA256
a3447f8569b6a37935cde7b91277eae96106ca86a5aefc52c09deb48af73164f

SHA512
2f05ec260d6f12d6ff10f356c3c19d7ce16cbc4a0aacfe2d9a624d03863691942b725bdd58635b2eacfde008c341174f4a91257fba76a2d223018634f5cc4468

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcbnaf.exe

Filesize
76KB

MD5
9ce98d2024a01ebe72c177e4dcd11dc7

SHA1
ec7bc06bdcb1562f90b7b7727d810c3fe176bb4c

SHA256
a3447f8569b6a37935cde7b91277eae96106ca86a5aefc52c09deb48af73164f

SHA512
2f05ec260d6f12d6ff10f356c3c19d7ce16cbc4a0aacfe2d9a624d03863691942b725bdd58635b2eacfde008c341174f4a91257fba76a2d223018634f5cc4468

Download Submit