f6618ecceed655db5c80d702fe9511dbe206f981c8df937dc0f5f88893808e3e

Analysis

max time kernel
144s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
31/10/2023, 09:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.e93e1dfb06e791938d6b2e090da85e60.exe
Size

34KB
MD5

e93e1dfb06e791938d6b2e090da85e60
SHA1

a4ec634d143d8a2a5c1bd1d2ec0f6269bab08b9f
SHA256

f6618ecceed655db5c80d702fe9511dbe206f981c8df937dc0f5f88893808e3e
SHA512

3fc8fe58e1f774cefe6b0ac13b3e658dad9e7df337bbf0625a98e1bbb55de6e62c663db505dba5aba53b1af380a22671cc5cb01b99566564493c9a0714f3931a
SSDEEP

384:btBYQg/WIEhUCSNyepEjYnDOAlzVol6U/zzo+tkq4l8tFFxE2B0qwmC:btB9g/WItCSsAGjX7r3BTwmC

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation	NEAS.e93e1dfb06e791938d6b2e090da85e60.exe

Executes dropped EXE 1 IoCs

pid	Process
4100	gewos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4080 wrote to memory of 4100	4080	NEAS.e93e1dfb06e791938d6b2e090da85e60.exe	89
PID 4080 wrote to memory of 4100	4080	NEAS.e93e1dfb06e791938d6b2e090da85e60.exe	89
PID 4080 wrote to memory of 4100	4080	NEAS.e93e1dfb06e791938d6b2e090da85e60.exe	89

C:\Users\Admin\AppData\Local\Temp\NEAS.e93e1dfb06e791938d6b2e090da85e60.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.e93e1dfb06e791938d6b2e090da85e60.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Users\Admin\AppData\Local\Temp\gewos.exe
  "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
  2⤵
  - Executes dropped EXE
  PID:4100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
34KB

MD5
da3494c3243b75033b2dd3b4007d4fbf

SHA1
121fd6e133d86414ce701c952de39295c51cd21d

SHA256
ef7b5ef2e87effe579689336406fba281eb5cbbaed822e371a3415025bb468c7

SHA512
8aa9dd23c58bd7cd9275bf9cbd6e0b5df06c754389775952f9d7e8a2e9fd7a2caa22782ab9a3f0ebedaca6e63b81bc3d465690b558062924a374fde7a232e113

Download Submit
C:\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
34KB

MD5
da3494c3243b75033b2dd3b4007d4fbf

SHA1
121fd6e133d86414ce701c952de39295c51cd21d

SHA256
ef7b5ef2e87effe579689336406fba281eb5cbbaed822e371a3415025bb468c7

SHA512
8aa9dd23c58bd7cd9275bf9cbd6e0b5df06c754389775952f9d7e8a2e9fd7a2caa22782ab9a3f0ebedaca6e63b81bc3d465690b558062924a374fde7a232e113

Download Submit
C:\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
34KB

MD5
da3494c3243b75033b2dd3b4007d4fbf

SHA1
121fd6e133d86414ce701c952de39295c51cd21d

SHA256
ef7b5ef2e87effe579689336406fba281eb5cbbaed822e371a3415025bb468c7

SHA512
8aa9dd23c58bd7cd9275bf9cbd6e0b5df06c754389775952f9d7e8a2e9fd7a2caa22782ab9a3f0ebedaca6e63b81bc3d465690b558062924a374fde7a232e113

Download Submit
memory/4080-0-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

Filesize
24KB

Download
memory/4080-1-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

Filesize
24KB

Download
memory/4080-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4100-20-0x0000000002D60000-0x0000000002D66000-memory.dmp

Filesize
24KB

Download