85f5c275af63378eff5f06a5d4e6a6425d4982b21e2e07ff9c60c1f12aba2ec3

Analysis

max time kernel
190s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
02/11/2023, 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.1a242f3b52a1b560d26406ccdca8cbf0.exe
Size

28KB
MD5

1a242f3b52a1b560d26406ccdca8cbf0
SHA1

54aea37c812ac79e093835ed664647da6e66662d
SHA256

85f5c275af63378eff5f06a5d4e6a6425d4982b21e2e07ff9c60c1f12aba2ec3
SHA512

db59b0688e314a2079e3ee41cfed7401d40d58b19620f806be34c5c1d393835d660e87be30a82175d0f920c4ee752e9b715782f246928a9f0a15d8ac2c8d8857
SSDEEP

384:Lzz3qWcd5DUVQQZM+JKcCNwU1Mf9Yl4ynIs3HuOXhjoh97pQmHlS6y:nz3qWc7RY1JgNwmZlj3OOVor7pxTy

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	NEAS.1a242f3b52a1b560d26406ccdca8cbf0.exe

Executes dropped EXE 1 IoCs

pid	Process
4808	ztdvl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4396 wrote to memory of 4808	4396	NEAS.1a242f3b52a1b560d26406ccdca8cbf0.exe	91
PID 4396 wrote to memory of 4808	4396	NEAS.1a242f3b52a1b560d26406ccdca8cbf0.exe	91
PID 4396 wrote to memory of 4808	4396	NEAS.1a242f3b52a1b560d26406ccdca8cbf0.exe	91

C:\Users\Admin\AppData\Local\Temp\NEAS.1a242f3b52a1b560d26406ccdca8cbf0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.1a242f3b52a1b560d26406ccdca8cbf0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Users\Admin\AppData\Local\Temp\ztdvl.exe
  "C:\Users\Admin\AppData\Local\Temp\ztdvl.exe"
  2⤵
  - Executes dropped EXE
  PID:4808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ztdvl.exe

Filesize
28KB

MD5
a96b4fc673e753f08b566cf74e99176c

SHA1
c522a944ba7ebdafed17eda8d137bd1b40587e8b

SHA256
f7be4af6b726702bef54bde785b415b3090fbb31fe009a363880c43ce15c3e17

SHA512
b9261d9ee3bebd4741c69798d6035fc710f3f010d49a6414d811fc9d8c5bdc5e094d0c1a413a62e5a29315badd8afd3b737f7472b3b32009a34933a80b4323f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ztdvl.exe

Filesize
28KB

MD5
a96b4fc673e753f08b566cf74e99176c

SHA1
c522a944ba7ebdafed17eda8d137bd1b40587e8b

SHA256
f7be4af6b726702bef54bde785b415b3090fbb31fe009a363880c43ce15c3e17

SHA512
b9261d9ee3bebd4741c69798d6035fc710f3f010d49a6414d811fc9d8c5bdc5e094d0c1a413a62e5a29315badd8afd3b737f7472b3b32009a34933a80b4323f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ztdvl.exe

Filesize
28KB

MD5
a96b4fc673e753f08b566cf74e99176c

SHA1
c522a944ba7ebdafed17eda8d137bd1b40587e8b

SHA256
f7be4af6b726702bef54bde785b415b3090fbb31fe009a363880c43ce15c3e17

SHA512
b9261d9ee3bebd4741c69798d6035fc710f3f010d49a6414d811fc9d8c5bdc5e094d0c1a413a62e5a29315badd8afd3b737f7472b3b32009a34933a80b4323f6

Download Submit
memory/4396-0-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4808-9-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download