e0674636210292f8c3a6292f5f5c8f96e6a505af7e6a268b96c7153c5ef0aedb

Analysis

max time kernel
141s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2023, 21:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe
Size

208KB
MD5

7b9b9853ef5877b00cc43e9760590ab0
SHA1

7b4893137e7518b060ee6a0e185e53d779d841ad
SHA256

e0674636210292f8c3a6292f5f5c8f96e6a505af7e6a268b96c7153c5ef0aedb
SHA512

01b4da351de22899f9152375230cb77f7f8a1bdb3de2ebf67971c0abf6b08e5c55d244a7f0e32c48d39c1d0c6ae9f6163616e6ef0ce58740007998ce4f4f4c1b
SSDEEP

6144:YwDrqb3DppfVf07P1uxsyAIxh6SqWyKQEj1:Ywi/PNf07P1aQIxh6Sq/KQC

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	KDOOYM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	JBDB.exe

Executes dropped EXE 3 IoCs

pid	Process
1540	KDOOYM.exe
1980	JBDB.exe
2776	UCK.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\UCK.exe	JBDB.exe
File opened for modification	C:\windows\SysWOW64\UCK.exe	JBDB.exe
File created	C:\windows\SysWOW64\UCK.exe.bat	JBDB.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\windows\JBDB.exe.bat	KDOOYM.exe
File created	C:\windows\KDOOYM.exe	NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe
File opened for modification	C:\windows\KDOOYM.exe	NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe
File created	C:\windows\KDOOYM.exe.bat	NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe
File created	C:\windows\JBDB.exe	KDOOYM.exe
File opened for modification	C:\windows\JBDB.exe	KDOOYM.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
376	4580	WerFault.exe	84
3328	1540	WerFault.exe	93
1636	1980	WerFault.exe	99
3112	2776	WerFault.exe	104

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4580	NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe
4580	NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe
1540	KDOOYM.exe
1540	KDOOYM.exe
1980	JBDB.exe
1980	JBDB.exe
2776	UCK.exe
2776	UCK.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4580	NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe
4580	NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe
1540	KDOOYM.exe
1540	KDOOYM.exe
1980	JBDB.exe
1980	JBDB.exe
2776	UCK.exe
2776	UCK.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4580 wrote to memory of 2312	4580	NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe	89
PID 4580 wrote to memory of 2312	4580	NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe	89
PID 4580 wrote to memory of 2312	4580	NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe	89
PID 2312 wrote to memory of 1540	2312	cmd.exe	93
PID 2312 wrote to memory of 1540	2312	cmd.exe	93
PID 2312 wrote to memory of 1540	2312	cmd.exe	93
PID 1540 wrote to memory of 4036	1540	KDOOYM.exe	95
PID 1540 wrote to memory of 4036	1540	KDOOYM.exe	95
PID 1540 wrote to memory of 4036	1540	KDOOYM.exe	95
PID 4036 wrote to memory of 1980	4036	cmd.exe	99
PID 4036 wrote to memory of 1980	4036	cmd.exe	99
PID 4036 wrote to memory of 1980	4036	cmd.exe	99
PID 1980 wrote to memory of 4160	1980	JBDB.exe	100
PID 1980 wrote to memory of 4160	1980	JBDB.exe	100
PID 1980 wrote to memory of 4160	1980	JBDB.exe	100
PID 4160 wrote to memory of 2776	4160	cmd.exe	104
PID 4160 wrote to memory of 2776	4160	cmd.exe	104
PID 4160 wrote to memory of 2776	4160	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\KDOOYM.exe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\windows\KDOOYM.exe
    C:\windows\KDOOYM.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\JBDB.exe.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4036
    - - C:\windows\JBDB.exe
        
        C:\windows\JBDB.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1980
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UCK.exe.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4160
        
        C:\windows\SysWOW64\UCK.exe
        
        C:\windows\system32\UCK.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 844
        8⤵
        Program crash
        
        PID:3112
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 1296
        6⤵
        Program crash
        
        PID:1636
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 1312
      4⤵
      Program crash
      PID:3328
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 948
  2⤵
  - Program crash
  PID:376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4580 -ip 4580
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1540 -ip 1540
1⤵
PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1980 -ip 1980
1⤵
PID:1220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2776 -ip 2776
1⤵
PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\JBDB.exe

Filesize
208KB

MD5
1de74250374e438bd4705459f429ba70

SHA1
2a577f9af86c54ceacb7478d27411187cdc74bf8

SHA256
5759bf7c364ccf9d6fffcc127ab27d28d9611bd8655035e4a0aa6a693ae22dd7

SHA512
57740ca1d0fd5dced742df63b203a3574263ca492c3b2588823564de48b3065f60549c3befa58c6d710a8815f27e38a3db646aebd7bfdfb162e434ca30eb1dd3

Download Submit
C:\Windows\JBDB.exe

Filesize
208KB

MD5
1de74250374e438bd4705459f429ba70

SHA1
2a577f9af86c54ceacb7478d27411187cdc74bf8

SHA256
5759bf7c364ccf9d6fffcc127ab27d28d9611bd8655035e4a0aa6a693ae22dd7

SHA512
57740ca1d0fd5dced742df63b203a3574263ca492c3b2588823564de48b3065f60549c3befa58c6d710a8815f27e38a3db646aebd7bfdfb162e434ca30eb1dd3

Download Submit
C:\Windows\KDOOYM.exe

Filesize
208KB

MD5
f0916a27a006ca4086b0ca7e3ab2cb28

SHA1
f4487d1b10f0e3ceaa09bf234407fbd24b56dcea

SHA256
cf745c426320203325bc4ddd136d893c35912374b5678499726b64ed081b8aa1

SHA512
65491a45b56e712b790f372246379f3c151e820f350f2e4aaf1f2ba038e4434ac5bcfeba214f6b8d0dd7f194cf77e7685d9061c4c9fd517f27f7420c69a79d53

Download Submit
C:\Windows\SysWOW64\UCK.exe

Filesize
208KB

MD5
1ca4ae0742333c645147b76e36d9931d

SHA1
c5b5f0ead671ad7ba877a055b7e5df6dd9d63808

SHA256
71e4cd3853f6b6ba20dd8a828f52281f5d2a7de361a0acf726bc4b936b24dc04

SHA512
1a85fe1d1bf9a03a1af4150bcc8f086cd5e92dfa4ee4efe6f81d483712424e40a0dbdd6b0f1ddddd2d3c92782e11e800afc786eed46c52be26f60a981f002fb8

Download Submit
C:\windows\JBDB.exe

Filesize
208KB

MD5
1de74250374e438bd4705459f429ba70

SHA1
2a577f9af86c54ceacb7478d27411187cdc74bf8

SHA256
5759bf7c364ccf9d6fffcc127ab27d28d9611bd8655035e4a0aa6a693ae22dd7

SHA512
57740ca1d0fd5dced742df63b203a3574263ca492c3b2588823564de48b3065f60549c3befa58c6d710a8815f27e38a3db646aebd7bfdfb162e434ca30eb1dd3

Download Submit
C:\windows\JBDB.exe.bat

Filesize
54B

MD5
56a4376e57e54742e94780170a49837c

SHA1
ca484b6c19feccdb6db2730ac3ba3d356eb8200e

SHA256
347aea07e79f03824e97081346c8e0e62e40e9c61c18daa93bf409bf79140b1d

SHA512
72f66c768979db760468fbe01a8e3ee5dd77874e257a738b6fda7e87d1c38baa1b7d67d4fbb36e1ab334c2b8563e3627d50f1832780ceb11c73bcae379986712

Download Submit
C:\windows\KDOOYM.exe

Filesize
208KB

MD5
f0916a27a006ca4086b0ca7e3ab2cb28

SHA1
f4487d1b10f0e3ceaa09bf234407fbd24b56dcea

SHA256
cf745c426320203325bc4ddd136d893c35912374b5678499726b64ed081b8aa1

SHA512
65491a45b56e712b790f372246379f3c151e820f350f2e4aaf1f2ba038e4434ac5bcfeba214f6b8d0dd7f194cf77e7685d9061c4c9fd517f27f7420c69a79d53

Download Submit
C:\windows\KDOOYM.exe.bat

Filesize
58B

MD5
02f7bf036032fc8a2a2bac206f781157

SHA1
2cb016b570f2dbb2cfcae0f92e786f8a97ba78e7

SHA256
680efdad23da030067b130bd7aed9270cc54a6beafc04f00f592832e1275eccf

SHA512
5b9eada6eb6b11093e92a6a81be16cbe8885fabc8d9db67acd736b583ef2e243e49423f849bb78fb90bff7ea7ec118b036103b463f80ed898d4627a4c39080f3

Download Submit
C:\windows\SysWOW64\UCK.exe

Filesize
208KB

MD5
1ca4ae0742333c645147b76e36d9931d

SHA1
c5b5f0ead671ad7ba877a055b7e5df6dd9d63808

SHA256
71e4cd3853f6b6ba20dd8a828f52281f5d2a7de361a0acf726bc4b936b24dc04

SHA512
1a85fe1d1bf9a03a1af4150bcc8f086cd5e92dfa4ee4efe6f81d483712424e40a0dbdd6b0f1ddddd2d3c92782e11e800afc786eed46c52be26f60a981f002fb8

Download Submit
C:\windows\SysWOW64\UCK.exe.bat

Filesize
70B

MD5
3eefb5e6fec4e2942911658edbad5146

SHA1
5fa67a0cd95affcc508111e622b522a107bfb508

SHA256
0ac955f6bbc4782bde6cef5702b1d01b5012a433f8c84417e047c9a93213f92c

SHA512
b2db571dbd204638b4eb427af834ae9c479262eb34003e7d35b6dbcc975e7f3465644323fc9855514aa8b19407676d51b52bec779ef83afbc28519bcbcde1be8

Download Submit
memory/1540-10-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1540-36-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1980-21-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1980-35-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2776-32-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2776-34-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4580-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4580-37-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download