de8a2abe9f3eab0e52cd7b96ecad91fa7950ae42779456f38b5b99fc0bfbb481

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
23-10-2023 21:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.dd0ad67e82126da35e13677f04fdd690_JC.exe
Size

76KB
MD5

dd0ad67e82126da35e13677f04fdd690
SHA1

c036864d81dd2694e268e25e53437c3a86779ec4
SHA256

de8a2abe9f3eab0e52cd7b96ecad91fa7950ae42779456f38b5b99fc0bfbb481
SHA512

76878f74fb1bd98bcf1b091162363d57ebf5e23edb195cf60a796a82b73b1b4801bb645763aa5ac62030ff8db39ae77f2fdf238262f470aaefd347e1b9197d49
SSDEEP

1536:MvP69lUyW1UwzJmWRaD1gXI7uMrpzrnacxfzZ1:G69lU2UmWVXI7uMlzTFz7

Score

7^/10

persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation	NEAS.dd0ad67e82126da35e13677f04fdd690_JC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 5 IoCs

pid	Process
4648	NEAS.dd0ad67e82126da35e13677f04fdd690_JC.exe
2568	svchost.exe
1968	svchost.exe
3316	svchost.exe
3460	svchost.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4648-7-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4648-10-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4648-12-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4648-38-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4648-62-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/1968-93-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Video Driver = "C:\\Users\\Admin\\AppData\\Roaming\\system\\svchost.exe"	reg.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3468 set thread context of 4648	3468	NEAS.dd0ad67e82126da35e13677f04fdd690_JC.exe	84
PID 2568 set thread context of 1968	2568	svchost.exe	90
PID 2568 set thread context of 3316	2568	svchost.exe	91
PID 3316 set thread context of 3460	3316	svchost.exe	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3468	NEAS.dd0ad67e82126da35e13677f04fdd690_JC.exe
4648	NEAS.dd0ad67e82126da35e13677f04fdd690_JC.exe
2568	svchost.exe
1968	svchost.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 3468 wrote to memory of 4648	3468	NEAS.dd0ad67e82126da35e13677f04fdd690_JC.exe	84
PID 3468 wrote to memory of 4648	3468	NEAS.dd0ad67e82126da35e13677f04fdd690_JC.exe	84
PID 3468 wrote to memory of 4648	3468	NEAS.dd0ad67e82126da35e13677f04fdd690_JC.exe	84
PID 3468 wrote to memory of 4648	3468	NEAS.dd0ad67e82126da35e13677f04fdd690_JC.exe	84
PID 3468 wrote to memory of 4648	3468	NEAS.dd0ad67e82126da35e13677f04fdd690_JC.exe	84
PID 3468 wrote to memory of 4648	3468	NEAS.dd0ad67e82126da35e13677f04fdd690_JC.exe	84
PID 3468 wrote to memory of 4648	3468	NEAS.dd0ad67e82126da35e13677f04fdd690_JC.exe	84
PID 3468 wrote to memory of 4648	3468	NEAS.dd0ad67e82126da35e13677f04fdd690_JC.exe	84
PID 4648 wrote to memory of 4436	4648	NEAS.dd0ad67e82126da35e13677f04fdd690_JC.exe	85
PID 4648 wrote to memory of 4436	4648	NEAS.dd0ad67e82126da35e13677f04fdd690_JC.exe	85
PID 4648 wrote to memory of 4436	4648	NEAS.dd0ad67e82126da35e13677f04fdd690_JC.exe	85
PID 4436 wrote to memory of 4376	4436	cmd.exe	88
PID 4436 wrote to memory of 4376	4436	cmd.exe	88
PID 4436 wrote to memory of 4376	4436	cmd.exe	88
PID 4648 wrote to memory of 2568	4648	NEAS.dd0ad67e82126da35e13677f04fdd690_JC.exe	89
PID 4648 wrote to memory of 2568	4648	NEAS.dd0ad67e82126da35e13677f04fdd690_JC.exe	89
PID 4648 wrote to memory of 2568	4648	NEAS.dd0ad67e82126da35e13677f04fdd690_JC.exe	89
PID 2568 wrote to memory of 1968	2568	svchost.exe	90
PID 2568 wrote to memory of 1968	2568	svchost.exe	90
PID 2568 wrote to memory of 1968	2568	svchost.exe	90
PID 2568 wrote to memory of 1968	2568	svchost.exe	90
PID 2568 wrote to memory of 1968	2568	svchost.exe	90
PID 2568 wrote to memory of 1968	2568	svchost.exe	90
PID 2568 wrote to memory of 1968	2568	svchost.exe	90
PID 2568 wrote to memory of 1968	2568	svchost.exe	90
PID 2568 wrote to memory of 3316	2568	svchost.exe	91
PID 2568 wrote to memory of 3316	2568	svchost.exe	91
PID 2568 wrote to memory of 3316	2568	svchost.exe	91
PID 2568 wrote to memory of 3316	2568	svchost.exe	91
PID 2568 wrote to memory of 3316	2568	svchost.exe	91
PID 2568 wrote to memory of 3316	2568	svchost.exe	91
PID 2568 wrote to memory of 3316	2568	svchost.exe	91
PID 3316 wrote to memory of 3460	3316	svchost.exe	92
PID 3316 wrote to memory of 3460	3316	svchost.exe	92
PID 3316 wrote to memory of 3460	3316	svchost.exe	92
PID 3316 wrote to memory of 3460	3316	svchost.exe	92
PID 3316 wrote to memory of 3460	3316	svchost.exe	92
PID 3316 wrote to memory of 3460	3316	svchost.exe	92
PID 3316 wrote to memory of 3460	3316	svchost.exe	92

C:\Users\Admin\AppData\Local\Temp\NEAS.dd0ad67e82126da35e13677f04fdd690_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.dd0ad67e82126da35e13677f04fdd690_JC.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3468
- C:\Users\Admin\AppData\Local\Temp\NEAS.dd0ad67e82126da35e13677f04fdd690_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.dd0ad67e82126da35e13677f04fdd690_JC.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\REBQY.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4436
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Video Driver" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\svchost.exe" /f
      4⤵
      Adds Run key to start application
      PID:4376
- - C:\Users\Admin\AppData\Roaming\system\svchost.exe
    "C:\Users\Admin\AppData\Roaming\system\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Users\Admin\AppData\Roaming\system\svchost.exe
      "C:\Users\Admin\AppData\Roaming\system\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1968
  - - C:\Users\Admin\AppData\Roaming\system\svchost.exe
      "C:\Users\Admin\AppData\Roaming\system\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:3316
    - - C:\Users\Admin\AppData\Roaming\system\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\system\svchost.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cxz.exe

Filesize
294B

MD5
6f12e0ce0a5af5e8850a61524a87c864

SHA1
2fa219733f62eb41331b3ed8412c7d6a2450c7a8

SHA256
8a871ff36cb9186223c7be054adf5a5865adc30573244f47b36c451db0367f5a

SHA512
3cb3e19c6830a370e21fea0c20d1997cadd34085ba0948227344513747785bce282f91f7b4cc479f71371fdb06a9ea2db22efe0607e4237859fadf25319b673a

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.dd0ad67e82126da35e13677f04fdd690_JC.exe

Filesize
76KB

MD5
dd0ad67e82126da35e13677f04fdd690

SHA1
c036864d81dd2694e268e25e53437c3a86779ec4

SHA256
de8a2abe9f3eab0e52cd7b96ecad91fa7950ae42779456f38b5b99fc0bfbb481

SHA512
76878f74fb1bd98bcf1b091162363d57ebf5e23edb195cf60a796a82b73b1b4801bb645763aa5ac62030ff8db39ae77f2fdf238262f470aaefd347e1b9197d49

Download Submit
C:\Users\Admin\AppData\Local\Temp\REBQY.bat

Filesize
148B

MD5
05d958f804a3cb770b18371699915faf

SHA1
82e91a19f4f23340db8bb5c7d271aa0b590ff723

SHA256
61ae6f17d637624fd66d1dfad93a1c6a863aa7caf67d3e267910f4b9212bdf52

SHA512
3ff7be267167f2c447e9aeef2f5e84785dd45d08a10738b1b4c1b01b21d3ea29e637ede50b1091211b97fd40ae5b2bea54e053200778228ffde852f8a19ce921

Download Submit
C:\Users\Admin\AppData\Local\Temp\REBQY.txt

Filesize
148B

MD5
05d958f804a3cb770b18371699915faf

SHA1
82e91a19f4f23340db8bb5c7d271aa0b590ff723

SHA256
61ae6f17d637624fd66d1dfad93a1c6a863aa7caf67d3e267910f4b9212bdf52

SHA512
3ff7be267167f2c447e9aeef2f5e84785dd45d08a10738b1b4c1b01b21d3ea29e637ede50b1091211b97fd40ae5b2bea54e053200778228ffde852f8a19ce921

Download Submit
C:\Users\Admin\AppData\Roaming\system\svchost.exe

Filesize
76KB

MD5
6dc37bc5e4099277ba10c4a175f59f7d

SHA1
e8e83891dfb409da9ff6045635b813b190369718

SHA256
01f7f2d53fced3a8f065e8b6176f31fbd32d3d79bf34c8df6db1e488a9123ce5

SHA512
6fdec8ee370849cb8ea4aeab8fe292a2c26c13ef1cc51901ec06ff9979c00e2b6247468a41419f933f75a974eceb5bd388813b71e8b4b9d2c9170df01c3640f4

Download Submit
C:\Users\Admin\AppData\Roaming\system\svchost.exe

Filesize
76KB

MD5
6dc37bc5e4099277ba10c4a175f59f7d

SHA1
e8e83891dfb409da9ff6045635b813b190369718

SHA256
01f7f2d53fced3a8f065e8b6176f31fbd32d3d79bf34c8df6db1e488a9123ce5

SHA512
6fdec8ee370849cb8ea4aeab8fe292a2c26c13ef1cc51901ec06ff9979c00e2b6247468a41419f933f75a974eceb5bd388813b71e8b4b9d2c9170df01c3640f4

Download Submit
C:\Users\Admin\AppData\Roaming\system\svchost.exe

Filesize
76KB

MD5
6dc37bc5e4099277ba10c4a175f59f7d

SHA1
e8e83891dfb409da9ff6045635b813b190369718

SHA256
01f7f2d53fced3a8f065e8b6176f31fbd32d3d79bf34c8df6db1e488a9123ce5

SHA512
6fdec8ee370849cb8ea4aeab8fe292a2c26c13ef1cc51901ec06ff9979c00e2b6247468a41419f933f75a974eceb5bd388813b71e8b4b9d2c9170df01c3640f4

Download Submit
C:\Users\Admin\AppData\Roaming\system\svchost.exe

Filesize
76KB

MD5
6dc37bc5e4099277ba10c4a175f59f7d

SHA1
e8e83891dfb409da9ff6045635b813b190369718

SHA256
01f7f2d53fced3a8f065e8b6176f31fbd32d3d79bf34c8df6db1e488a9123ce5

SHA512
6fdec8ee370849cb8ea4aeab8fe292a2c26c13ef1cc51901ec06ff9979c00e2b6247468a41419f933f75a974eceb5bd388813b71e8b4b9d2c9170df01c3640f4

Download Submit
C:\Users\Admin\AppData\Roaming\system\svchost.exe

Filesize
76KB

MD5
6dc37bc5e4099277ba10c4a175f59f7d

SHA1
e8e83891dfb409da9ff6045635b813b190369718

SHA256
01f7f2d53fced3a8f065e8b6176f31fbd32d3d79bf34c8df6db1e488a9123ce5

SHA512
6fdec8ee370849cb8ea4aeab8fe292a2c26c13ef1cc51901ec06ff9979c00e2b6247468a41419f933f75a974eceb5bd388813b71e8b4b9d2c9170df01c3640f4

Download Submit
C:\Users\Admin\AppData\Roaming\system\svchost.exe

Filesize
76KB

MD5
6dc37bc5e4099277ba10c4a175f59f7d

SHA1
e8e83891dfb409da9ff6045635b813b190369718

SHA256
01f7f2d53fced3a8f065e8b6176f31fbd32d3d79bf34c8df6db1e488a9123ce5

SHA512
6fdec8ee370849cb8ea4aeab8fe292a2c26c13ef1cc51901ec06ff9979c00e2b6247468a41419f933f75a974eceb5bd388813b71e8b4b9d2c9170df01c3640f4

Download Submit
memory/1968-93-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2568-44-0x0000000003010000-0x0000000003011000-memory.dmp

Filesize
4KB

Download
memory/2568-48-0x00000000030A0000-0x00000000030A1000-memory.dmp

Filesize
4KB

Download
memory/2568-55-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

Filesize
4KB

Download
memory/2568-59-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

Filesize
4KB

Download
memory/2568-41-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

Filesize
4KB

Download
memory/2568-42-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

Filesize
4KB

Download
memory/2568-43-0x0000000003000000-0x0000000003001000-memory.dmp

Filesize
4KB

Download
memory/2568-45-0x0000000003030000-0x0000000003031000-memory.dmp

Filesize
4KB

Download
memory/3316-65-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/3316-51-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/3316-61-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/3316-57-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/3460-64-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/3460-69-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/3460-91-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/3468-2-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/3468-6-0x0000000002B10000-0x0000000002B11000-memory.dmp

Filesize
4KB

Download
memory/3468-5-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/3468-4-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

Filesize
4KB

Download
memory/3468-3-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

Filesize
4KB

Download
memory/4648-62-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4648-7-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4648-12-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4648-38-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4648-10-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads