Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-11-2023 08:56

General

  • Target

    NEAS.e279f4db9a67da5a8a8236db2fd54aa0_JC.exe

  • Size

    396KB

  • MD5

    e279f4db9a67da5a8a8236db2fd54aa0

  • SHA1

    4ba2adddadf8534ec714feec6210f0f5449fcba2

  • SHA256

    3b591aee9fb7e8e089f69cc8fe198df85e4e544cca580ec1d8850719b4cdff59

  • SHA512

    bfc6411fda5f956bf54785ca97bfa98f19a5c7d73fdc08071155bb171478a089e4a79118bdae343305560703dd883039c445b1cc3a5e0b79f63b1d439dc7386b

  • SSDEEP

    6144:yXIp3oRtL6q0SNyRSFKYyNU9t0JT8vKArIydVuw3GX1pv7DaPe+1qOWGMcQ1fXRj:y4StL68NWYKYyNUmAv7b4aPb4OWHcQ2

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 51 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.e279f4db9a67da5a8a8236db2fd54aa0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.e279f4db9a67da5a8a8236db2fd54aa0_JC.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4104
    • C:\Users\Admin\guudeg.exe
      "C:\Users\Admin\guudeg.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1192

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\guudeg.exe

    Filesize

    396KB

    MD5

    44517a20ae8c6a7014fa63ad3297b549

    SHA1

    1bdcfeccb543bdff4fb62a1cee2b747523b96693

    SHA256

    056b6ba9a6c81022b829b448de5c86534e80ad5cca8181156662143bf7446216

    SHA512

    5434b5b1d66ee0d4dcf9442f7793ee7d16c849574279ee17b31f59329a0d039a075c4fd33eb0e0fe850aa8da82856ab2abcd64264970c238fdc634e63708cd55
