059c0e893a3e30b66afa0e2379f7236004bdbb2dfdb2963964aae2c52b82e151

Analysis

max time kernel
140s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
16/10/2023, 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.bd309f3c63b337dd1e416592d47ebbc0.exe
Size

30KB
MD5

bd309f3c63b337dd1e416592d47ebbc0
SHA1

555622c4c8a5047e456de1c45af25868b886f7b9
SHA256

059c0e893a3e30b66afa0e2379f7236004bdbb2dfdb2963964aae2c52b82e151
SHA512

53ea3dc2d618684321c2ffc07d3393e6470be8093a5c544dc27e747950dba2d8a605c82c2d2b438e4e7a7658d1537e2cf33c41bea40d788f3ca446a6588343f9
SSDEEP

384:IGnwLfOBOMoY894calJJjjjCRAAAAA7MHAKifyRPceS3ZE8h5XwUGwGggL6ueIAH:IGnekOEPJjjm/SeCkwfgGRIAH

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	NEAS.bd309f3c63b337dd1e416592d47ebbc0.exe

Executes dropped EXE 1 IoCs

pid	Process
4464	codecupdater.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4220 wrote to memory of 4464	4220	NEAS.bd309f3c63b337dd1e416592d47ebbc0.exe	83
PID 4220 wrote to memory of 4464	4220	NEAS.bd309f3c63b337dd1e416592d47ebbc0.exe	83
PID 4220 wrote to memory of 4464	4220	NEAS.bd309f3c63b337dd1e416592d47ebbc0.exe	83

C:\Users\Admin\AppData\Local\Temp\NEAS.bd309f3c63b337dd1e416592d47ebbc0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.bd309f3c63b337dd1e416592d47ebbc0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4220
- C:\Users\Admin\AppData\Local\Temp\codecupdater.exe
  "C:\Users\Admin\AppData\Local\Temp\codecupdater.exe"
  2⤵
  - Executes dropped EXE
  PID:4464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\HEITGDYC\pdf[1].enc

Filesize
5B

MD5
fda44910deb1a460be4ac5d56d61d837

SHA1
f6d0c643351580307b2eaa6a7560e76965496bc7

SHA256
933b971c6388d594a23fa1559825db5bec8ade2db1240aa8fc9d0c684949e8c9

SHA512
57dda9aa7c29f960cd7948a4e4567844d3289fa729e9e388e7f4edcbdf16bf6a94536598b4f9ff8942849f1f96bd3c00bc24a75e748a36fbf2a145f63bf904c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\codecupdater.exe

Filesize
30KB

MD5
1f6ca3c49036bd705fdbecee1da16a7b

SHA1
e3e1e2d7a47a7962f06ee3309172fd4e03f0edb4

SHA256
010f73894fd59169a30cb04cd28e7528eb5e8dd09146426b0730625b9e08da00

SHA512
d66ca393fce0f51b656cc4311bf0dcd35acae69b7702e690cea0733530b3a0263a4e451e86df17c7899815f7b990060dafbc412f5517b0a31ba626be259b8d6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\codecupdater.exe

Filesize
30KB

MD5
1f6ca3c49036bd705fdbecee1da16a7b

SHA1
e3e1e2d7a47a7962f06ee3309172fd4e03f0edb4

SHA256
010f73894fd59169a30cb04cd28e7528eb5e8dd09146426b0730625b9e08da00

SHA512
d66ca393fce0f51b656cc4311bf0dcd35acae69b7702e690cea0733530b3a0263a4e451e86df17c7899815f7b990060dafbc412f5517b0a31ba626be259b8d6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\codecupdater.exe

Filesize
30KB

MD5
1f6ca3c49036bd705fdbecee1da16a7b

SHA1
e3e1e2d7a47a7962f06ee3309172fd4e03f0edb4

SHA256
010f73894fd59169a30cb04cd28e7528eb5e8dd09146426b0730625b9e08da00

SHA512
d66ca393fce0f51b656cc4311bf0dcd35acae69b7702e690cea0733530b3a0263a4e451e86df17c7899815f7b990060dafbc412f5517b0a31ba626be259b8d6c

Download Submit
memory/4220-0-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4464-9-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download