6d3315f6774309f4463ca822d08e5d8870dabfd65fa39cc02d80fdce6682b297

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2023, 02:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.ae4d29521b8bd6e64c251763ddf67a90.exe
Size

22KB
MD5

ae4d29521b8bd6e64c251763ddf67a90
SHA1

5c7c275c0ff39ef484387d3bec9cc7baa61c0d19
SHA256

6d3315f6774309f4463ca822d08e5d8870dabfd65fa39cc02d80fdce6682b297
SHA512

a5bda1d4e7c38a065ef825b6b576a22edbded93ee6d81899413783a346a5fcb8649f51f9bcb6e36b0192ee95899b6ed8c0995ec496a2711e4da9e6f708851130
SSDEEP

384:Gk2Wz6pL3a2a999999996cNyoYkytbdH4THKSRX3G1:Z1z6pLxa999999996cgoYkytbdH4zKSw

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	NEAS.ae4d29521b8bd6e64c251763ddf67a90.exe

Executes dropped EXE 1 IoCs

pid	Process
1848	lsemc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4308 wrote to memory of 1848	4308	NEAS.ae4d29521b8bd6e64c251763ddf67a90.exe	74
PID 4308 wrote to memory of 1848	4308	NEAS.ae4d29521b8bd6e64c251763ddf67a90.exe	74
PID 4308 wrote to memory of 1848	4308	NEAS.ae4d29521b8bd6e64c251763ddf67a90.exe	74

C:\Users\Admin\AppData\Local\Temp\NEAS.ae4d29521b8bd6e64c251763ddf67a90.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.ae4d29521b8bd6e64c251763ddf67a90.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Users\Admin\AppData\Local\Temp\lsemc.exe
  "C:\Users\Admin\AppData\Local\Temp\lsemc.exe"
  2⤵
  - Executes dropped EXE
  PID:1848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lsemc.exe

Filesize
22KB

MD5
10cfbb8caa94b3946908d2fb24d63a98

SHA1
8d26b8973f5b3f9674e9f10ece29b114676aa78e

SHA256
60fc0d4afbd8b824d6bba1118d9d5ae6e4deeb326f5792082ed02b84ca3b188b

SHA512
f0037cdc356fcc0eb48ad4ec0e9961f87a09cf7d1dbcdaf9694f8f2c3f1056f9d909f90f941cb3c9a799d9e428b0750e0a1571a19f833b57fa63abcc4659f71b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsemc.exe

Filesize
22KB

MD5
10cfbb8caa94b3946908d2fb24d63a98

SHA1
8d26b8973f5b3f9674e9f10ece29b114676aa78e

SHA256
60fc0d4afbd8b824d6bba1118d9d5ae6e4deeb326f5792082ed02b84ca3b188b

SHA512
f0037cdc356fcc0eb48ad4ec0e9961f87a09cf7d1dbcdaf9694f8f2c3f1056f9d909f90f941cb3c9a799d9e428b0750e0a1571a19f833b57fa63abcc4659f71b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsemc.exe

Filesize
22KB

MD5
10cfbb8caa94b3946908d2fb24d63a98

SHA1
8d26b8973f5b3f9674e9f10ece29b114676aa78e

SHA256
60fc0d4afbd8b824d6bba1118d9d5ae6e4deeb326f5792082ed02b84ca3b188b

SHA512
f0037cdc356fcc0eb48ad4ec0e9961f87a09cf7d1dbcdaf9694f8f2c3f1056f9d909f90f941cb3c9a799d9e428b0750e0a1571a19f833b57fa63abcc4659f71b

Download Submit
memory/1848-9-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4308-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download