17ba2997f27841debc05ff56bec8877811ce31a1690bef34be35099e92d12000

Analysis

max time kernel
150s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
16/10/2023, 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.9a5e0f43258cf084fdef50a3fdec7910.exe
Size

422KB
MD5

9a5e0f43258cf084fdef50a3fdec7910
SHA1

ebbbfb64a3e306e489198223a78b02ac4f2b7f6c
SHA256

17ba2997f27841debc05ff56bec8877811ce31a1690bef34be35099e92d12000
SHA512

ca80c78cd2ea493a91db0b55faedd1f0fba606cb6d10c14af671aab26df1c260b101c9f2bfd69dec8f86242ca7a3bb07eeb43cc28937135a3f55db67458bc116
SSDEEP

6144:UhuGbXZA2zqMPMPwVtiN44zAi5NAOig3TBrCZMszqXGgnki7ksvmacmWnZFe:ouypA2mESwGRwg3TB7nki7BvmZmwZY

Score

8^/10

upx

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	NEAS.9a5e0f43258cf084fdef50a3fdec7910.exe

Executes dropped EXE 1 IoCs

pid	Process
832	tYKobAD17t.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000b000000023123-21.dat	upx
behavioral2/files/0x000b000000023123-29.dat	upx
behavioral2/files/0x000b000000023123-31.dat	upx
behavioral2/memory/832-30-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral2/memory/832-48-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral2/memory/832-57-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral2/memory/832-70-0x0000000000400000-0x000000000053F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4488	4224	WerFault.exe	80

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4224	NEAS.9a5e0f43258cf084fdef50a3fdec7910.exe
4224	NEAS.9a5e0f43258cf084fdef50a3fdec7910.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
832	tYKobAD17t.exe
832	tYKobAD17t.exe
832	tYKobAD17t.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4224 wrote to memory of 832	4224	NEAS.9a5e0f43258cf084fdef50a3fdec7910.exe	87
PID 4224 wrote to memory of 832	4224	NEAS.9a5e0f43258cf084fdef50a3fdec7910.exe	87
PID 4224 wrote to memory of 832	4224	NEAS.9a5e0f43258cf084fdef50a3fdec7910.exe	87
PID 832 wrote to memory of 2872	832	tYKobAD17t.exe	95
PID 832 wrote to memory of 2872	832	tYKobAD17t.exe	95
PID 832 wrote to memory of 2872	832	tYKobAD17t.exe	95

C:\Users\Admin\AppData\Local\Temp\NEAS.9a5e0f43258cf084fdef50a3fdec7910.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.9a5e0f43258cf084fdef50a3fdec7910.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4224
- C:\Users\Admin\AppData\Roaming\tYKobAD17t.exe
  "C:\Users\Admin\AppData\Roaming\tYKobAD17t.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:832
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo.>c:\xxxx.ini
    3⤵
    PID:2872
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 1448
  2⤵
  - Program crash
  PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4224 -ip 4224
1⤵
PID:4468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG3.JPG

Filesize
6KB

MD5
e39405e85e09f64ccde0f59392317dd3

SHA1
9c76db4b3d8c7972e7995ecfb1e3c47ee94fd14b

SHA256
cfd9677e1c0e10b1507f520c4ecd40f68db78154c0d4e6563403d540f3bf829f

SHA512
6733f330145b48d23c023c664090f4f240e9bbeb8368b486c8ee8682ec6a930b73275e24075648d1aa7e01db1ec7b7e259286917a006ba9af8fb7cba3439070a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG4.JPG

Filesize
36KB

MD5
f6bf82a293b69aa5b47d4e2de305d45a

SHA1
4948716616d4bbe68be2b4c5bf95350402d3f96f

SHA256
6a9368cdd7b3ff9b590e206c3536569bc45c338966d0059784959f73fe6281e0

SHA512
edf0f3ee60a620cf886184c1014f38d0505aac9e3703d61d7074cfb27d6922f80e570d1a3891593606a09f1296a88c8770445761c11c390a99a5341ee56478aa

Download Submit
C:\Users\Admin\AppData\Roaming\Edge.jpg

Filesize
358KB

MD5
a6108227ec2d81fa22955a2e1f8975ba

SHA1
381ac3e45c42a70c0e7a95ef032aa60465f25736

SHA256
35f6e96116a8e4e6d83d31eb2e9855a87fe800dbf55673260758a5fddd1f867b

SHA512
8d7e3f6f21cdd54a19f0799f76b6b660daa17167e777249aa0ae7abeddbb74628b71d6b462f7f7da16b7752201598e145c82f3a66b386c55846a0dd3c829fb6f

Download Submit
C:\Users\Admin\AppData\Roaming\edge.xml

Filesize
53KB

MD5
4ee9734def292885e438de15897a6807

SHA1
37dc288d17362c13ae834b0cb00ee2b1bfae5b7a

SHA256
eaa03130ac5da286567b1d930ae252490ee9936c8675dfc826addb2f3dc30eaa

SHA512
12b164f0bc7dc307158bdafa7f6904884292c0bcbc9fc821958ca3a19c98889b480388141e1eb89ebdeb459a11bf71d488670b3ccc4b12c2de26204690259abb

Download Submit
C:\Users\Admin\AppData\Roaming\tYKobAD17t.dat

Filesize
132KB

MD5
aed640db9dcdec122c3fc8afc503e9b5

SHA1
2848e6f470d37c63ffc3f898c992f7c508900968

SHA256
e0fee969485acaf5770bf59a2ef1df45f259e9334f1717a2fc1ebaf2f316d3c2

SHA512
e949d7e79fa60b6019148d750629f8094889c4eb9f6d4829c8498e9626f90ea3b3677c7824ae39ed765ceedbbc4ac220e079815cf83382d536389028e1f03c03

Download Submit
C:\Users\Admin\AppData\Roaming\tYKobAD17t.exe

Filesize
476KB

MD5
2a8cb72531364c728a5d258ae273f69e

SHA1
468bcf5fed89e7c8f06fc5e1c10813bd0bfdfcda

SHA256
9ec36a5e74861894d8f738e486956fd52899a780dbd759853b1ea8093645e090

SHA512
8785335e31b4d03160e2f3f81eb245065d88d13494dd69d486e63b813d755f7f63011e0b57b4f8f1f60d42dec72649000f88ebdfc29cb9bde2798fe75ec81b43

Download Submit
C:\Users\Admin\AppData\Roaming\tYKobAD17t.exe

Filesize
476KB

MD5
2a8cb72531364c728a5d258ae273f69e

SHA1
468bcf5fed89e7c8f06fc5e1c10813bd0bfdfcda

SHA256
9ec36a5e74861894d8f738e486956fd52899a780dbd759853b1ea8093645e090

SHA512
8785335e31b4d03160e2f3f81eb245065d88d13494dd69d486e63b813d755f7f63011e0b57b4f8f1f60d42dec72649000f88ebdfc29cb9bde2798fe75ec81b43

Download Submit
C:\Users\Admin\AppData\Roaming\tYKobAD17t.exe

Filesize
476KB

MD5
2a8cb72531364c728a5d258ae273f69e

SHA1
468bcf5fed89e7c8f06fc5e1c10813bd0bfdfcda

SHA256
9ec36a5e74861894d8f738e486956fd52899a780dbd759853b1ea8093645e090

SHA512
8785335e31b4d03160e2f3f81eb245065d88d13494dd69d486e63b813d755f7f63011e0b57b4f8f1f60d42dec72649000f88ebdfc29cb9bde2798fe75ec81b43

Download Submit
memory/832-48-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/832-54-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/832-56-0x00000000037A0000-0x00000000037B2000-memory.dmp

Filesize
72KB

Download
memory/832-57-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/832-59-0x0000000010000000-0x0000000010061000-memory.dmp

Filesize
388KB

Download
memory/832-30-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/832-70-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/4224-1-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download