bb01f765bdb41a2005818b81b6a25c8b3411032d5d147c870ff7dec4a568dbb8

Analysis

max time kernel
153s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2023 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.85ab33ee4d5ef17e6bc741cc3db8be60.exe
Size

7KB
MD5

85ab33ee4d5ef17e6bc741cc3db8be60
SHA1

39aee3cac433acaae55e760442364d3b4dc91ae9
SHA256

bb01f765bdb41a2005818b81b6a25c8b3411032d5d147c870ff7dec4a568dbb8
SHA512

6db1887e9851c69dc32b5e71df8c91c49508b599f94a698e697b6bcee64094dc7cef31571b9b2bf1fdba0e24c61c1fdca7049847ca9e09a8f8a3182176370954
SSDEEP

96:Zc4v4mcWKh96tgC3R0nKymV44BCcc7jYNPcMsiXlTvhBoXU97W84Jhy2rs:GvmcWKG90nKfzBwYNPcMs0xJwrs

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	NEAS.85ab33ee4d5ef17e6bc741cc3db8be60.exe

Executes dropped EXE 1 IoCs

pid	Process
4800	mpjnr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 4800	1536	NEAS.85ab33ee4d5ef17e6bc741cc3db8be60.exe	86
PID 1536 wrote to memory of 4800	1536	NEAS.85ab33ee4d5ef17e6bc741cc3db8be60.exe	86
PID 1536 wrote to memory of 4800	1536	NEAS.85ab33ee4d5ef17e6bc741cc3db8be60.exe	86

C:\Users\Admin\AppData\Local\Temp\NEAS.85ab33ee4d5ef17e6bc741cc3db8be60.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.85ab33ee4d5ef17e6bc741cc3db8be60.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Users\Admin\AppData\Local\Temp\mpjnr.exe
  "C:\Users\Admin\AppData\Local\Temp\mpjnr.exe"
  2⤵
  - Executes dropped EXE
  PID:4800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mpjnr.exe

Filesize
7KB

MD5
18cbd1e34e8a4e8458152bb4a411c788

SHA1
e5b9cbdba615b6111acf1e7197b848fe3d746f0d

SHA256
ccf9f645a82eb56dfb41b21dd0a82ddbac944047dbd4b5230899c9ce1389d679

SHA512
f5ba1a4fb9f90e7627544f9c49e3acc71eff7c18f57372ba3386878d9d1534b4291820c4f8a54c47b1a4bf122c5c0aa29f2f972238c8c12f84f3024b48a282cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\mpjnr.exe

Filesize
7KB

MD5
18cbd1e34e8a4e8458152bb4a411c788

SHA1
e5b9cbdba615b6111acf1e7197b848fe3d746f0d

SHA256
ccf9f645a82eb56dfb41b21dd0a82ddbac944047dbd4b5230899c9ce1389d679

SHA512
f5ba1a4fb9f90e7627544f9c49e3acc71eff7c18f57372ba3386878d9d1534b4291820c4f8a54c47b1a4bf122c5c0aa29f2f972238c8c12f84f3024b48a282cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\mpjnr.exe

Filesize
7KB

MD5
18cbd1e34e8a4e8458152bb4a411c788

SHA1
e5b9cbdba615b6111acf1e7197b848fe3d746f0d

SHA256
ccf9f645a82eb56dfb41b21dd0a82ddbac944047dbd4b5230899c9ce1389d679

SHA512
f5ba1a4fb9f90e7627544f9c49e3acc71eff7c18f57372ba3386878d9d1534b4291820c4f8a54c47b1a4bf122c5c0aa29f2f972238c8c12f84f3024b48a282cb

Download Submit