e13054b4f90e4e219b14c0d4c851ee2926e762bf3c5b347f795541def7741d60

Analysis

max time kernel
171s
max time network
204s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
16/10/2023, 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.4cafd6b114fd966f0cab005666cffec0.exe
Size

54KB
MD5

4cafd6b114fd966f0cab005666cffec0
SHA1

4efa58fb674d1923667b5cd7ff0b4d24eea9dad9
SHA256

e13054b4f90e4e219b14c0d4c851ee2926e762bf3c5b347f795541def7741d60
SHA512

1db1dc887cc85e840b33c368798cdb38c6c9ca1d6c9f8cf1ac36e2399265f67e3e44c99be85627f719b185140d32143f00ec1a19dd40991dfe3f579aa54abc37
SSDEEP

384:1di3ZSz+ECxuVczXKSuSHYKGJRSjyc3bcXX0p5UNPmGPJX3K0xvkJ/Nd+Jbd:1dH5CZTKSu3syc3peNPmGPJXdxSNd+JR

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	NEAS.4cafd6b114fd966f0cab005666cffec0.exe

Executes dropped EXE 1 IoCs

pid	Process
3328	updater.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4128 wrote to memory of 3328	4128	NEAS.4cafd6b114fd966f0cab005666cffec0.exe	83
PID 4128 wrote to memory of 3328	4128	NEAS.4cafd6b114fd966f0cab005666cffec0.exe	83
PID 4128 wrote to memory of 3328	4128	NEAS.4cafd6b114fd966f0cab005666cffec0.exe	83

C:\Users\Admin\AppData\Local\Temp\NEAS.4cafd6b114fd966f0cab005666cffec0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.4cafd6b114fd966f0cab005666cffec0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4128
- C:\Users\Admin\AppData\Local\Temp\updater.exe
  "C:\Users\Admin\AppData\Local\Temp\updater.exe"
  2⤵
  - Executes dropped EXE
  PID:3328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\updater.exe

Filesize
54KB

MD5
46bee3a89c85b2f95576916b41900f95

SHA1
4adb951ded14291342893fc561dfd21dee448387

SHA256
debf4c8f43198399d28c2fdec163a040ae6074664253d698c9585e2844fade09

SHA512
8b17f4a0394a18dafee3643aca3f808ae98015ed96f256ffbf071009e78be8c18bf6625969096eb9a2d51d1f897c31f54da476e1baac7962f0cd36575b13235d

Download Submit
C:\Users\Admin\AppData\Local\Temp\updater.exe

Filesize
54KB

MD5
46bee3a89c85b2f95576916b41900f95

SHA1
4adb951ded14291342893fc561dfd21dee448387

SHA256
debf4c8f43198399d28c2fdec163a040ae6074664253d698c9585e2844fade09

SHA512
8b17f4a0394a18dafee3643aca3f808ae98015ed96f256ffbf071009e78be8c18bf6625969096eb9a2d51d1f897c31f54da476e1baac7962f0cd36575b13235d

Download Submit
C:\Users\Admin\AppData\Local\Temp\updater.exe

Filesize
54KB

MD5
46bee3a89c85b2f95576916b41900f95

SHA1
4adb951ded14291342893fc561dfd21dee448387

SHA256
debf4c8f43198399d28c2fdec163a040ae6074664253d698c9585e2844fade09

SHA512
8b17f4a0394a18dafee3643aca3f808ae98015ed96f256ffbf071009e78be8c18bf6625969096eb9a2d51d1f897c31f54da476e1baac7962f0cd36575b13235d

Download Submit
memory/3328-13-0x0000000002170000-0x0000000002175000-memory.dmp

Filesize
20KB

Download
memory/3328-20-0x0000000002170000-0x0000000002175000-memory.dmp

Filesize
20KB

Download
memory/4128-0-0x00000000005A0000-0x00000000005A5000-memory.dmp

Filesize
20KB

Download
memory/4128-1-0x00000000005A0000-0x00000000005A5000-memory.dmp

Filesize
20KB

Download
memory/4128-2-0x00000000005A0000-0x00000000005A5000-memory.dmp

Filesize
20KB

Download
memory/4128-8-0x00000000005A0000-0x00000000005A5000-memory.dmp

Filesize
20KB

Download