46701a34497e64fea4b9893a548d935caaf497f2b9a7810b6191837bd86cdcce

Analysis

max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
28-10-2023 18:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.09c2f322d75465e808f44f6071ea0440.exe
Size

38KB
MD5

09c2f322d75465e808f44f6071ea0440
SHA1

fdbb234a0d538cf81d65b2f4c69ac2ebaa95aaf8
SHA256

46701a34497e64fea4b9893a548d935caaf497f2b9a7810b6191837bd86cdcce
SHA512

185d26216f0343416c816aab222cccbd0ced255b8f012aaf6a7add7f428b27c1c87a212a64ce03902856e466c5629f04d5c264c0ed3812640b3959bd54eb1bff
SSDEEP

384:oOY2HsF6QkSxbRxlFYs3xMR5WYKZseH59Vzrvb0BBM+YCro15BWT:oOY2HJSxb3HXBQFKV9V/vbwayro15A

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	NEAS.09c2f322d75465e808f44f6071ea0440.exe
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	hfdfjdk.exe

Executes dropped EXE 1 IoCs

pid	Process
3896	hfdfjdk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3136 wrote to memory of 3896	3136	NEAS.09c2f322d75465e808f44f6071ea0440.exe	88
PID 3136 wrote to memory of 3896	3136	NEAS.09c2f322d75465e808f44f6071ea0440.exe	88
PID 3136 wrote to memory of 3896	3136	NEAS.09c2f322d75465e808f44f6071ea0440.exe	88

C:\Users\Admin\AppData\Local\Temp\NEAS.09c2f322d75465e808f44f6071ea0440.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.09c2f322d75465e808f44f6071ea0440.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3136
- C:\Users\Admin\AppData\Local\Temp\hfdfjdk.exe
  "C:\Users\Admin\AppData\Local\Temp\hfdfjdk.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hfdfjdk.exe

Filesize
38KB

MD5
a111d6f15f4e0b19e7a3445dce2740ad

SHA1
57eaecd0240fb96a97f92e1e10f1f22af9e2d08f

SHA256
de1637c80132f8693e2a56e779783b84a80ecf4a1e63966029fda2b6cb02f146

SHA512
44961de5f39f27f6cc42dd3945f5786b395d0249db913ca92d3a0b7bf8285c605218e671c79154cead58e5952bf4ac49b9b80eed83a1dbc051585294cba956aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hfdfjdk.exe

Filesize
38KB

MD5
a111d6f15f4e0b19e7a3445dce2740ad

SHA1
57eaecd0240fb96a97f92e1e10f1f22af9e2d08f

SHA256
de1637c80132f8693e2a56e779783b84a80ecf4a1e63966029fda2b6cb02f146

SHA512
44961de5f39f27f6cc42dd3945f5786b395d0249db913ca92d3a0b7bf8285c605218e671c79154cead58e5952bf4ac49b9b80eed83a1dbc051585294cba956aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hfdfjdk.exe

Filesize
38KB

MD5
a111d6f15f4e0b19e7a3445dce2740ad

SHA1
57eaecd0240fb96a97f92e1e10f1f22af9e2d08f

SHA256
de1637c80132f8693e2a56e779783b84a80ecf4a1e63966029fda2b6cb02f146

SHA512
44961de5f39f27f6cc42dd3945f5786b395d0249db913ca92d3a0b7bf8285c605218e671c79154cead58e5952bf4ac49b9b80eed83a1dbc051585294cba956aa

Download Submit
memory/3136-0-0x00000000011D0000-0x00000000011D4000-memory.dmp

Filesize
16KB

Download
memory/3896-9-0x0000000000E30000-0x0000000000E34000-memory.dmp

Filesize
16KB

Download