Analysis
-
max time kernel
137s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
-
submitted
14/10/2023, 18:09
General
-
Target
NEAS.a9149915d901b6ae83e6547ab62303d0.exe
-
Size
968KB
-
MD5
a9149915d901b6ae83e6547ab62303d0
-
SHA1
2be0fd779bb917e28e9b70d56c27fe2a6c2dc6bc
-
SHA256
b039bcec91abc7872f1650580881d4272060130ddc4155df3910f27359237f90
-
SHA512
f07c8a94de71f3fc3050b070ba3e5b69d1411123e4cf95d2305e420b31641153380264055904aac6aadc7141492af7f56ae702b85ef23b4457f421ddc860bca7
-
SSDEEP
24576:s8BdagveuEVvJ10IxmZu/8Ykkui6unVORW:sqagGRVR1/UoUYkWV8W
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in Program Files directory 56 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.a9149915d901b6ae83e6547ab62303d0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.a9149915d901b6ae83e6547ab62303d0.exe"1⤵
- Checks computer location settings
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\minidownload.exeC:\Users\Admin\AppData\Local\Temp\\minidownload.exe2⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
-
C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe"C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe" /Install?status=true&softurl=http%3A%2F%2Fwap.sogou.com%2Fweb%2Fredir.jsp%3Fappdown%3D1%26u%3DG30HdQ8G4nick4xtdkhRB3gSi8fSDCLufeqIU8uodu3f00wwpueH7qZGPHqG2ALwEZZwESz4Z6VU1Igx5K3OSb5xFRbwTsHooD7iUqf-4qkMa2tYmZTvyqU9gqRHj3ZrXdqUquLrVr0.%26pcid%3D3908477943292353343%26w%3D1950%26filename%3D360game_2.9.7.1011_XiaZaiBa.zip%26extra%3D0_xiazai8%26downloadtype%3Dsoftware&iconurl=http%3A%2F%2Fimgstore.cdn.sogou.com%2Fv2%2Fthumb%2Fretype%2Fext%2Fauto%2Fcls%2Fimagick%3Fappid%3D200504%26url%3Dhttp%3A%2F%2Fwww.xiazaiba.com%2Fuploadfiles%2Fico%2F2014%2F0514%2F2014051412232093042.png&softname=360%E6%B8%B8%E6%88%8F%E5%A4%A7%E5%8E%85&softsize=6.6%20MB2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
775KB
MD528d831936d221f6055f473344a920b65
SHA1ec6e6a13a120a082c3aa8f0695a77250586d5e91
SHA256eb3a7108af966af7bb0094251f50c00732c1db0b4927466c6acff8c2c212fdf7
SHA5122460aa09dea21fe7c5649c6dd5696343b97f8f2d80e959eecbcc9279c4c856a5401aa13418d123e27c67f31c48cbb5aff0f495074509892520c74822bc16b195
-
Filesize
775KB
MD528d831936d221f6055f473344a920b65
SHA1ec6e6a13a120a082c3aa8f0695a77250586d5e91
SHA256eb3a7108af966af7bb0094251f50c00732c1db0b4927466c6acff8c2c212fdf7
SHA5122460aa09dea21fe7c5649c6dd5696343b97f8f2d80e959eecbcc9279c4c856a5401aa13418d123e27c67f31c48cbb5aff0f495074509892520c74822bc16b195
-
Filesize
116B
MD5ffa1443199298e2c4ff1122f1ae14b05
SHA196175a64c1f8ba142aa057e8f76e13467ecefb82
SHA2562d21ddb94831d5345bbfbe52ecd342067cf49c6eaf8c78057e1901b6c69c6574
SHA5123955846ed694c43d2d9857168e1c3fee9714ecea70c0af04b1db6d7be5b4805b92730d74bc4a74ed5464c47e4af558b8d040d0efc8ec276fcb8c50c346fe61de
-
Filesize
7KB
MD5e56c350f15af8d83546f4ab48bf6024c
SHA12ab5ca1d8d808d130d0388ec6b169d4dd75935dc
SHA256729d8098f254b3285d75c7300dd467676023385acc5d56233f915be800c70188
SHA5121c537acff27fffe1ae36393a2ab1509a6a446e92c2e32b138f54b906aac73b2c1fc000e6ecc163a3c59dbc96ec056986d69e5427b00eca5874b3016988060bb7
-
Filesize
7KB
MD5bb48ca982b518903fb45e27b3565c7ec
SHA1fb7fdc0677bf6e9d40c3c42d690ae71c79cb7407
SHA2560c717396581346dc64d553ac4bba2695a2124c9785623a7e5efe5e9b1af88603
SHA512d0d0e9038b2e2e23809232ea8a8b34fbbf501015c666ef75b7c6eeafa92d75d75e1aabc1d9b9e82ab22e0175f68fe1055e8fb6ec5d98ca1e591bbb9fd948d184
-
Filesize
657B
MD50e0ac8352cd69f396f271fa32f3ab554
SHA1ed6d306a5033707f45477df3318a53d15b47cf43
SHA256c2c34d6bf4e17b756954e409dc9b5663169d68997abd722ce1e86473b769f10c
SHA5125d2528489c21600f16f04559500be3ebe9db5a1dc7bf9abc9c1312187b4b8b7bc5966f9eb2a38e26bff26c854a6d964fa156641fed9501cf0e7befedb60fd7e0
-
Filesize
8KB
MD5be0eaa84d2a96305161fd62821ce9ba9
SHA14aad05d89be11c1b66613c224f64f1e646dbcf15
SHA256964891d5bb1ba3b30eefd9cd6bdc530aa9c160dda9c55eac38800d1f6c2f2d01
SHA512113a0840efa43c4a7e4d9778bff636312eaedc3eebeaca7a29475488c8c059faa4dfafcb6d3ba4feafb44d5b129ab76e846cef9cbf462ab23ca6e3cd89eeb527
-
Filesize
93KB
MD55790ead7ad3ba27397aedfa3d263b867
SHA18130544c215fe5d1ec081d83461bf4a711e74882
SHA2562ecd295d295bec062cedebe177e54b9d6b19fc0a841dc5c178c654c9ccff09c0
SHA512781acedc99de4ce8d53d9b43a158c645eab1b23dfdfd6b57b3c442b11acc4a344e0d5b0067d4b78bb173abbded75fb91c410f2b5a58f71d438aa6266d048d98a
-
Filesize
10KB
MD5631f38cfac458788af482eba736e5ac3
SHA1b1d09def39ec74eff2c9e0aafe0a7c12e7650150
SHA25613e6cf03cdd65a8174cce7b0cb40c9821d2aff04a79c3374e8664fb0abb5694d
SHA5123ae47c895cd586b1dca8bdf65c58bc896b27837881cc42bb7b3d55c9a71ea9e857939a69c5146b445b64714996393d1ec9c0d95b18d18fd5cb48f02bb8a53f42
-
Filesize
558KB
MD57b52d8856e9b603e4a1255a7834bd036
SHA1eb7554f8606edea1f72b568b89cd5e794c85ba59
SHA2566a01f78b01d46055eeee098b57c7981059c09c84a5f9c563917966962e383033
SHA512b54b7ab9a5e8ffe13ba3cfad4d029f10a4e894c9b85d9a76b75de3ddccbbb2fd732c3e0649bb4c1d627c48b704dcd375dd9f15f8f6971b2a8161787ec991d258
-
Filesize
558KB
MD57b52d8856e9b603e4a1255a7834bd036
SHA1eb7554f8606edea1f72b568b89cd5e794c85ba59
SHA2566a01f78b01d46055eeee098b57c7981059c09c84a5f9c563917966962e383033
SHA512b54b7ab9a5e8ffe13ba3cfad4d029f10a4e894c9b85d9a76b75de3ddccbbb2fd732c3e0649bb4c1d627c48b704dcd375dd9f15f8f6971b2a8161787ec991d258
-
Filesize
4KB
-
Filesize
4KB
