851d920c110d40cc4bdca1b11f8e6b0fc0713ea77b493c6e17f81ece233cb294

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
23-10-2023 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.cbe5eae9d5eaab0cce380174cae9ce90_JC.exe
Size

279KB
MD5

cbe5eae9d5eaab0cce380174cae9ce90
SHA1

f57feaf59764d11ea2034d8304eb399df90403e4
SHA256

851d920c110d40cc4bdca1b11f8e6b0fc0713ea77b493c6e17f81ece233cb294
SHA512

4ce29c9d7c645e532af26a66b642b7c549230a55c99bd05fe4c5602377b2c50edb33e42528a5dc3c6f9925daff3b7f46af2069bd07eb92ba9ef7325c2bb5dcd2
SSDEEP

3072:R8ERv3zZZm5c4Sq+YN95wFT0z+QadjN3rOwRXENk+Y0yFNzlUu0V6:R8EZrm55Zt5wFwz+TdpRXENFTAkV6

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\Control Panel\International\Geo\Nation	NEAS.cbe5eae9d5eaab0cce380174cae9ce90_JC.exe

Deletes itself 1 IoCs

pid	Process
4876	Systeamxiicx.exe

Executes dropped EXE 1 IoCs

pid	Process
4876	Systeamxiicx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4796	NEAS.cbe5eae9d5eaab0cce380174cae9ce90_JC.exe
4796	NEAS.cbe5eae9d5eaab0cce380174cae9ce90_JC.exe
4796	NEAS.cbe5eae9d5eaab0cce380174cae9ce90_JC.exe
4796	NEAS.cbe5eae9d5eaab0cce380174cae9ce90_JC.exe
4796	NEAS.cbe5eae9d5eaab0cce380174cae9ce90_JC.exe
4796	NEAS.cbe5eae9d5eaab0cce380174cae9ce90_JC.exe
4796	NEAS.cbe5eae9d5eaab0cce380174cae9ce90_JC.exe
4796	NEAS.cbe5eae9d5eaab0cce380174cae9ce90_JC.exe
4796	NEAS.cbe5eae9d5eaab0cce380174cae9ce90_JC.exe
4796	NEAS.cbe5eae9d5eaab0cce380174cae9ce90_JC.exe
4796	NEAS.cbe5eae9d5eaab0cce380174cae9ce90_JC.exe
4796	NEAS.cbe5eae9d5eaab0cce380174cae9ce90_JC.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe
4876	Systeamxiicx.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 4876	4796	NEAS.cbe5eae9d5eaab0cce380174cae9ce90_JC.exe	86
PID 4796 wrote to memory of 4876	4796	NEAS.cbe5eae9d5eaab0cce380174cae9ce90_JC.exe	86
PID 4796 wrote to memory of 4876	4796	NEAS.cbe5eae9d5eaab0cce380174cae9ce90_JC.exe	86

C:\Users\Admin\AppData\Local\Temp\NEAS.cbe5eae9d5eaab0cce380174cae9ce90_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.cbe5eae9d5eaab0cce380174cae9ce90_JC.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Users\Admin\AppData\Local\Temp\Systeamxiicx.exe
  "C:\Users\Admin\AppData\Local\Temp\Systeamxiicx.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Systeamxiicx.exe

Filesize
279KB

MD5
d88972e178f198f04efe410456abcc0c

SHA1
d5c073f4160669ed6c846a0b8fff2f48ceacd5a1

SHA256
c19a3d3994f96e2726908809613eeec0d5a2774d701fe1ebe1d8cdc373065525

SHA512
343c432226fadd40e6aa96adec26a544dcb9f6e29e43932d27b0f6b5986c7ee845a4b1dc9153ac13fc82e9b5fc0f5e4eac01de33fab3bba30296d45263d7f6c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Systeamxiicx.exe

Filesize
279KB

MD5
d88972e178f198f04efe410456abcc0c

SHA1
d5c073f4160669ed6c846a0b8fff2f48ceacd5a1

SHA256
c19a3d3994f96e2726908809613eeec0d5a2774d701fe1ebe1d8cdc373065525

SHA512
343c432226fadd40e6aa96adec26a544dcb9f6e29e43932d27b0f6b5986c7ee845a4b1dc9153ac13fc82e9b5fc0f5e4eac01de33fab3bba30296d45263d7f6c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Systeamxiicx.exe

Filesize
279KB

MD5
d88972e178f198f04efe410456abcc0c

SHA1
d5c073f4160669ed6c846a0b8fff2f48ceacd5a1

SHA256
c19a3d3994f96e2726908809613eeec0d5a2774d701fe1ebe1d8cdc373065525

SHA512
343c432226fadd40e6aa96adec26a544dcb9f6e29e43932d27b0f6b5986c7ee845a4b1dc9153ac13fc82e9b5fc0f5e4eac01de33fab3bba30296d45263d7f6c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpath.ini

Filesize
78B

MD5
594fc342607f4d0e7362c6b4ebb9f1cb

SHA1
d8d2d7babcaaac3bcd9fd0234c1ea83e498c43ff

SHA256
879ebb19288325a3045ba1be89e239e8e195ea1b2f5e72b910ea2d80c93792de

SHA512
0286ce235031f2e2ee9709729eeee1026a01585ce146214988c1112004281b4469b5ab7ab87d485903d0a7066de25311bd1da9843594a72beda2fd8a14191bca

Download Submit