dc675548d26d4089a3a2e0eb8cfc3f3cded185dd7d2c11d5340cff6d18619689

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2023, 18:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2825e4a1b69997cea67a3a772de425c0.exe
Size

70KB
MD5

2825e4a1b69997cea67a3a772de425c0
SHA1

37122449bfd00aad0c4e0667517c17275fde76ca
SHA256

dc675548d26d4089a3a2e0eb8cfc3f3cded185dd7d2c11d5340cff6d18619689
SHA512

359706a55da9d64cf0c2cacfb58f2f2ef398cb8f3fbabacdec29c468e0893b30a9f21463a372c964aa456caed53c2afde64288eddb1b5e2916e9585a38382a69
SSDEEP

768:TrItKyw5WHXfQmjIiIk9ecAayMb96gyXPDLd+T:Tr3Z5IfQmv81a5DyXbZC

Score

8^/10

evasion

Malware Config

Signatures

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
3464	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation	NEAS.2825e4a1b69997cea67a3a772de425c0.exe

Executes dropped EXE 1 IoCs

pid	Process
1920	akmhost.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\akmhost.exe	NEAS.2825e4a1b69997cea67a3a772de425c0.exe
File opened for modification	C:\Windows\Debug\akmhost.exe	attrib.exe
File created	C:\Windows\Debug\akmhost.exe	NEAS.2825e4a1b69997cea67a3a772de425c0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4052	NEAS.2825e4a1b69997cea67a3a772de425c0.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 3464	4052	NEAS.2825e4a1b69997cea67a3a772de425c0.exe	90
PID 4052 wrote to memory of 3464	4052	NEAS.2825e4a1b69997cea67a3a772de425c0.exe	90
PID 4052 wrote to memory of 3464	4052	NEAS.2825e4a1b69997cea67a3a772de425c0.exe	90
PID 4052 wrote to memory of 776	4052	NEAS.2825e4a1b69997cea67a3a772de425c0.exe	93
PID 4052 wrote to memory of 776	4052	NEAS.2825e4a1b69997cea67a3a772de425c0.exe	93
PID 4052 wrote to memory of 776	4052	NEAS.2825e4a1b69997cea67a3a772de425c0.exe	93

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3464	attrib.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.2825e4a1b69997cea67a3a772de425c0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2825e4a1b69997cea67a3a772de425c0.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Windows\SysWOW64\attrib.exe
  attrib +a +s +h +r C:\Windows\Debug\akmhost.exe
  2⤵
  - Sets file to hidden
  - Drops file in Windows directory
  - Views/modifies file attributes
  PID:3464
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\NEAS28~1.EXE > nul
  2⤵
  PID:776

C:\Windows\Debug\akmhost.exe
C:\Windows\Debug\akmhost.exe
1⤵
- Executes dropped EXE
PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Debug\akmhost.exe

Filesize
70KB

MD5
855111f355b5fa197b7f3d28f8977c24

SHA1
853127532e753ed8865c9870aa8e4857f837db72

SHA256
202bdcebb72deb15344a408287c3db8ff5b0058c87a61423b9618abc1c20334d

SHA512
206ee160a8aa10b2025d5f904e7d9242bc6a5fa42edfc27e537516fa7cd979d148892a5a37f8d01ea8bbbaa0fb4ded74f8a9e0a18590bc240ec83b383729cb19

Download Submit
C:\Windows\debug\akmhost.exe

Filesize
70KB

MD5
855111f355b5fa197b7f3d28f8977c24

SHA1
853127532e753ed8865c9870aa8e4857f837db72

SHA256
202bdcebb72deb15344a408287c3db8ff5b0058c87a61423b9618abc1c20334d

SHA512
206ee160a8aa10b2025d5f904e7d9242bc6a5fa42edfc27e537516fa7cd979d148892a5a37f8d01ea8bbbaa0fb4ded74f8a9e0a18590bc240ec83b383729cb19

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads