Analysis

max time kernel: 139s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-10-2023 18:30
Static task: static1

Behavioral task: behavioral1
  Sample: NEAS.9bcf9a2676690ecbe4ee3fe52491ebe0.exe
  Resource: win7-20230831-en

Behavioral task: behavioral2
  Sample: NEAS.9bcf9a2676690ecbe4ee3fe52491ebe0.exe
  Resource: win10v2004-20230915-en
General

Target: NEAS.9bcf9a2676690ecbe4ee3fe52491ebe0.exe
Size: 34KB
MD5: 9bcf9a2676690ecbe4ee3fe52491ebe0
SHA1: e259ea1455d6db0b980b7b83adfba57de153f9f4
SHA256: a06efe8ab23fd57915b4722d8abd452add1d246ab6b5bfd20fdc5a08ea8622b1
SHA512: bdd9b59c840842f55aca88bfda18365f1dd6b527546c15741c90aaed3a0f2d37715fef9972dae0a0928c6081769edd00dac6ffab50ea56da804b353329892fe2
SSDEEP: 768:Ki9LHcFx26FCe+U63o/tdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZsBhWu8gh7s:t9L8TXK3o/tdgI2MyzNORQtOflIwoHNF
Malware Config
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation
  process: NEAS.9bcf9a2676690ecbe4ee3fe52491ebe0.exe

  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation
  process: ghsdtd.exe

Executes dropped EXE (1 IoCs)
  pid: 4800
  process: ghsdtd.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 2204 wrote to memory of 4800
  pid: 2204
  process: NEAS.9bcf9a2676690ecbe4ee3fe52491ebe0.exe
  procid_target: 83

  description: PID 2204 wrote to memory of 4800
  pid: 2204
  process: NEAS.9bcf9a2676690ecbe4ee3fe52491ebe0.exe
  procid_target: 83

  description: PID 2204 wrote to memory of 4800
  pid: 2204
  process: NEAS.9bcf9a2676690ecbe4ee3fe52491ebe0.exe
  procid_target: 83
Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.9bcf9a2676690ecbe4ee3fe52491ebe0.exe (tree depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.9bcf9a2676690ecbe4ee3fe52491ebe0.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 2204

  C:\Users\Admin\AppData\Local\Temp\ghsdtd.exe (tree depth 2, child of PID 2204)
    command line: "C:\Users\Admin\AppData\Local\Temp\ghsdtd.exe"
    - Checks computer location settings
    - Executes dropped EXE
    PID: 4800
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 500B
MD5: bb8e766d452a4cf9da8cf157fba3aca7
SHA1: 9b8391de3b62aeb7757bd13f4dd1895b2d4f4484
SHA256: c211abaa49a7e1508941be8a0e2f33145e0f83efa0f03bdf3f4e9c8be38c3502
SHA512: b2ebf307a47614719addc67f269508e3e97fe1f3556a02d4929bc555cebed762240cd241eb6a01cda555542ac88b9935c0464a6f05157574f8315033e5bd8d4d

Filesize: 34KB
MD5: 0de833261dfca3e18c6e25ecc1817b08
SHA1: a1c34319047154a7d7a47f9a225f3b8fe0e9f355
SHA256: 01df09f05719bb9de3de817135a67617140f46700e60d7954aee3e54db3a7e2c
SHA512: f73d2fcd6970f368e883b2e5238ad965c078259125cb6f7333c812110707f228378db4f5f579b22f4f253e484a21e14e2bf3ee520aa525e2b830e8a202189bb2

Filesize: 34KB
MD5: 0de833261dfca3e18c6e25ecc1817b08
SHA1: a1c34319047154a7d7a47f9a225f3b8fe0e9f355
SHA256: 01df09f05719bb9de3de817135a67617140f46700e60d7954aee3e54db3a7e2c
SHA512: f73d2fcd6970f368e883b2e5238ad965c078259125cb6f7333c812110707f228378db4f5f579b22f4f253e484a21e14e2bf3ee520aa525e2b830e8a202189bb2

Filesize: 34KB
MD5: 0de833261dfca3e18c6e25ecc1817b08
SHA1: a1c34319047154a7d7a47f9a225f3b8fe0e9f355
SHA256: 01df09f05719bb9de3de817135a67617140f46700e60d7954aee3e54db3a7e2c
SHA512: f73d2fcd6970f368e883b2e5238ad965c078259125cb6f7333c812110707f228378db4f5f579b22f4f253e484a21e14e2bf3ee520aa525e2b830e8a202189bb2