f34130c746de2b8406c7a8923d5e5e3dd7e11d354778d1376e725af467a5171f

Analysis

max time kernel
179s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
01-11-2023 14:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.ad2f3fd2674e227cfeb9ea3a373795f0.exe
Size

34KB
MD5

ad2f3fd2674e227cfeb9ea3a373795f0
SHA1

d7dbed428e67666ed11768a9f400fdff4c7f3cdb
SHA256

f34130c746de2b8406c7a8923d5e5e3dd7e11d354778d1376e725af467a5171f
SHA512

ab084b3669f9975e8437abc0d63a78f05edca9c25ad56afd23c7880f4fa45978ff964a1f05c863ef6a205c17deb66ccada6bc6bd7af7e64d9f2c4ed7414bb55e
SSDEEP

768:dYGtdtFR6M13vfdHldhwyEr+OGa0aEYS15:GIUM13vfdHldhwt+OGa017

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	NEAS.ad2f3fd2674e227cfeb9ea3a373795f0.exe

Executes dropped EXE 1 IoCs

pid	Process
3460	updGA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4164 wrote to memory of 3460	4164	NEAS.ad2f3fd2674e227cfeb9ea3a373795f0.exe	90
PID 4164 wrote to memory of 3460	4164	NEAS.ad2f3fd2674e227cfeb9ea3a373795f0.exe	90
PID 4164 wrote to memory of 3460	4164	NEAS.ad2f3fd2674e227cfeb9ea3a373795f0.exe	90

C:\Users\Admin\AppData\Local\Temp\NEAS.ad2f3fd2674e227cfeb9ea3a373795f0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.ad2f3fd2674e227cfeb9ea3a373795f0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4164
- C:\Users\Admin\AppData\Local\Temp\updGA.exe
  "C:\Users\Admin\AppData\Local\Temp\updGA.exe"
  2⤵
  - Executes dropped EXE
  PID:3460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\updGA.exe

Filesize
34KB

MD5
4ca4115c68676477e7cb54d1c8535309

SHA1
e781be59549f0bb3bd4d108f5d91fb641e302569

SHA256
6c06e24f460846aa4963de382f5633170ba02c0bb8243433f5981112bee78556

SHA512
beff8fd25f20bc62ce86661c04b86275cb7e87bcfdf0a463c4b4ddbf2c596a2745284d32623fcb1dfd1e049318fb087d43dae75b74958d76ab5da259c1d2ce2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\updGA.exe

Filesize
34KB

MD5
4ca4115c68676477e7cb54d1c8535309

SHA1
e781be59549f0bb3bd4d108f5d91fb641e302569

SHA256
6c06e24f460846aa4963de382f5633170ba02c0bb8243433f5981112bee78556

SHA512
beff8fd25f20bc62ce86661c04b86275cb7e87bcfdf0a463c4b4ddbf2c596a2745284d32623fcb1dfd1e049318fb087d43dae75b74958d76ab5da259c1d2ce2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\updGA.exe

Filesize
34KB

MD5
4ca4115c68676477e7cb54d1c8535309

SHA1
e781be59549f0bb3bd4d108f5d91fb641e302569

SHA256
6c06e24f460846aa4963de382f5633170ba02c0bb8243433f5981112bee78556

SHA512
beff8fd25f20bc62ce86661c04b86275cb7e87bcfdf0a463c4b4ddbf2c596a2745284d32623fcb1dfd1e049318fb087d43dae75b74958d76ab5da259c1d2ce2a

Download Submit
memory/3460-18-0x0000000000490000-0x000000000049A000-memory.dmp

Filesize
40KB

Download
memory/4164-1-0x0000000002150000-0x000000000215A000-memory.dmp

Filesize
40KB

Download
memory/4164-0-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4164-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download