Analysis

max time kernel: 141s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/11/2023, 16:45

Static task: static1
Behavioral task: behavioral1
Sample: NEAS.872a8871f090ce817f079b1fd6eba5d0.exe
Resource: win7-20231023-en
General

Target: NEAS.872a8871f090ce817f079b1fd6eba5d0.exe
Size: 83KB
MD5: 872a8871f090ce817f079b1fd6eba5d0
SHA1: be39c7abeabc7c37ddbfce5e1d4c7222946fd122
SHA256: 6fc67be59975392c35d59cf8316d3788d311a79045dd8b1fc63cc2b879f74502
SHA512: 7cc288ae47d59b393a2f6cbeceb1b6e1636b1a6a4d1c437bde8f02fed888a19a1c48cc14963e0cfb1eacb2fc5f1f274ab8c9acb7a10e2d754c7e89810bcdb5d3
SSDEEP: 1536:71PWJsDkhsc5lw2tPZ1QF30BqIHr6jIfvx:i5l3m3aqI2Ifvx
Malware Config

Extracted
Family: urelas
C2: 218.54.28.139
C2: 121.88.5.183
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Queries the country code configured in the registry (the current user's Control Panel\International\Geo\Nation value). Malware commonly reads this value to refuse to run in particular countries, so this is most likely a geofence check.
Description       | IoC                                                                                               | Process
Key value queried | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation | NEAS.872a8871f090ce817f079b1fd6eba5d0.exe

Executes dropped EXE (1 IoC)
PID  | Process
3140 | poldge.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). No IoC is recorded for this signature.

Suspicious use of WriteProcessMemory (6 IoCs)
Description                      | PID  | Process                                   | procid_target
PID 4816 wrote to memory of 3140 | 4816 | NEAS.872a8871f090ce817f079b1fd6eba5d0.exe | 89
PID 4816 wrote to memory of 3140 | 4816 | NEAS.872a8871f090ce817f079b1fd6eba5d0.exe | 89
PID 4816 wrote to memory of 3140 | 4816 | NEAS.872a8871f090ce817f079b1fd6eba5d0.exe | 89
PID 4816 wrote to memory of 2036 | 4816 | NEAS.872a8871f090ce817f079b1fd6eba5d0.exe | 90
PID 4816 wrote to memory of 2036 | 4816 | NEAS.872a8871f090ce817f079b1fd6eba5d0.exe | 90
PID 4816 wrote to memory of 2036 | 4816 | NEAS.872a8871f090ce817f079b1fd6eba5d0.exe | 90
Caveat: every write here goes from the sample to a child it has just created (3140 and 2036 are its direct children in the process tree below), three writes per child. That is the pattern ordinary process creation produces; absent writes into an unrelated, pre-existing process, this signature on its own is not evidence of code injection.
Processes

1. C:\Users\Admin\AppData\Local\Temp\NEAS.872a8871f090ce817f079b1fd6eba5d0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.872a8871f090ce817f079b1fd6eba5d0.exe"
   PID: 4816
   Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\poldge.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\poldge.exe"
      PID: 3140
      Signatures: Executes dropped EXE

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      PID: 2036

Note: the cmd.exe image path is SysWOW64 although the command line names system32. That is WOW64 file-system redirection: the sample is a 32-bit process (resource tag arch:x86) running on 64-bit Windows, so its request for system32\cmd.exe is served by the 32-bit copy in SysWOW64.
-
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 512B
MD5: 3f372385bf24b44385f4b1251d3aca4d
SHA1: 83546de6ba8f20bd08a15896d34f6242ed64352f
SHA256: b5edef052667b8380ff98c9ff2029faaaa0b1931818a5ef011ce766193ceda27
SHA512: d2f888908ca52c1a99c3d45e83512e2eafd2cc3ae3b782ef0cc80165c4adaf7e488d1aba2028d83fc39e4b8c96c65f82436a10a94e319b9b8aec1f69cd76e5b7

File 2 (this entry is listed three times in the report; same size as the submitted sample, different hashes)
Filesize: 83KB
MD5: 46257d0ec691b44c3df7a912d7ec7dc1
SHA1: 80a5ab8bfc029e462a5ebaedb53042555bf7cb7f
SHA256: 5f9bfc6ec50da112a1bbfc75c21f4b791da96d2a9426a2df7ec1846179a45b7b
SHA512: 61b5859e4d7f4450b9fbf26def47d3478207b125f34bf6408a6b748822e959d5d80bebd63b973cb2d901a6b61ec8db33706ad9b4eb9ec49630baf899a82a93b5

File 3
Filesize: 284B
MD5: b0fe2c4db1a504925687059a864773db
SHA1: b76ad7a1d91869061efa18cb3ed212810c56dbe2
SHA256: 9414174ccd3c914de75aa98301d5606de5e5e7a59bbfe6b6e6632c848c77231e
SHA512: caa8a756e9e604153daab26934e0c7c3c14df4eda495ed0d6abe5e385c679dfab5997d2239bdf74cb67d3d70f5c5904ef8e0cc86d8f6dba1bd404c5734f90e1a