8d9a1d442be7d73b01146cf1a505b89831e79a6f1958765fd4baaef8b6dff9d0

Analysis

max time kernel
156s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2023, 14:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.d166f84c9465ea4da0c4461d8d217ea0.exe
Size

37KB
MD5

d166f84c9465ea4da0c4461d8d217ea0
SHA1

3e28919620e5961b5720d445fc66a5665f457913
SHA256

8d9a1d442be7d73b01146cf1a505b89831e79a6f1958765fd4baaef8b6dff9d0
SHA512

7a4eb1e92732bd8584bb04e9ff8f5e6e8842ff914aad94edd9ec1c2a836aa4cbcae8c64c97d03c51ed988c0a89ded021d519476c0cd9a92a831ec317f56b17ed
SSDEEP

768:sAI5y4MnESa8AELv4Y3xXJrv5KtWCwQgaV:skEuANY3BrqwQgaV

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	NEAS.d166f84c9465ea4da0c4461d8d217ea0.exe

Executes dropped EXE 1 IoCs

pid	Process
1644	ieupdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 1644	2132	NEAS.d166f84c9465ea4da0c4461d8d217ea0.exe	89
PID 2132 wrote to memory of 1644	2132	NEAS.d166f84c9465ea4da0c4461d8d217ea0.exe	89
PID 2132 wrote to memory of 1644	2132	NEAS.d166f84c9465ea4da0c4461d8d217ea0.exe	89

C:\Users\Admin\AppData\Local\Temp\NEAS.d166f84c9465ea4da0c4461d8d217ea0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.d166f84c9465ea4da0c4461d8d217ea0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Local\Temp\ieupdate.exe
  "C:\Users\Admin\AppData\Local\Temp\ieupdate.exe"
  2⤵
  - Executes dropped EXE
  PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ieupdate.exe

Filesize
37KB

MD5
df517eddebaac68c2ccea686dad61e8c

SHA1
75d3d069f86dc41b4ef6e37abe905b07a3d6c61c

SHA256
0f0f5fe739f88a36de06a83bcd11a366332b1c128e45bb2bc00fd10c7c3f39e5

SHA512
5dcd7c21fb1f78626dea253f6760cdd5f4bf92a2eea4d4e6c7468b7659ed9c5ef27bd9494fdb7e7b1affff47fb2e7ffa26dd44e1c80424d7df0198cf91a8e27c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ieupdate.exe

Filesize
37KB

MD5
df517eddebaac68c2ccea686dad61e8c

SHA1
75d3d069f86dc41b4ef6e37abe905b07a3d6c61c

SHA256
0f0f5fe739f88a36de06a83bcd11a366332b1c128e45bb2bc00fd10c7c3f39e5

SHA512
5dcd7c21fb1f78626dea253f6760cdd5f4bf92a2eea4d4e6c7468b7659ed9c5ef27bd9494fdb7e7b1affff47fb2e7ffa26dd44e1c80424d7df0198cf91a8e27c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ieupdate.exe

Filesize
37KB

MD5
df517eddebaac68c2ccea686dad61e8c

SHA1
75d3d069f86dc41b4ef6e37abe905b07a3d6c61c

SHA256
0f0f5fe739f88a36de06a83bcd11a366332b1c128e45bb2bc00fd10c7c3f39e5

SHA512
5dcd7c21fb1f78626dea253f6760cdd5f4bf92a2eea4d4e6c7468b7659ed9c5ef27bd9494fdb7e7b1affff47fb2e7ffa26dd44e1c80424d7df0198cf91a8e27c

Download Submit
memory/1644-9-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1644-16-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2132-0-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download