a6ad29a682fd6a7cf38df045f7a5ccd51e60e632405606ddf28498bc356dc9c7

Analysis

max time kernel
131s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
02-11-2023 16:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.d4dacc913c03a7ac17a9caf24910e4c0.exe
Size

30KB
MD5

d4dacc913c03a7ac17a9caf24910e4c0
SHA1

f3c1975ec76e3239a16ba4f56d5cc634e63bc098
SHA256

a6ad29a682fd6a7cf38df045f7a5ccd51e60e632405606ddf28498bc356dc9c7
SHA512

29a036ac8c71744762dedd74ac3d2d9ea02c978cf0767131065077dac3e3168b75784c57d868a70ba60120c94b5f49d89656f03ec59421034e701de4f045b957
SSDEEP

192:RBVfonwR21BA/WjOU8EdmXDDl3A5I/J+n:xfonwR21BFjF8amlbJe

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	NEAS.d4dacc913c03a7ac17a9caf24910e4c0.exe

Executes dropped EXE 1 IoCs

pid	Process
2704	samhe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2704	1720	NEAS.d4dacc913c03a7ac17a9caf24910e4c0.exe	93
PID 1720 wrote to memory of 2704	1720	NEAS.d4dacc913c03a7ac17a9caf24910e4c0.exe	93
PID 1720 wrote to memory of 2704	1720	NEAS.d4dacc913c03a7ac17a9caf24910e4c0.exe	93

C:\Users\Admin\AppData\Local\Temp\NEAS.d4dacc913c03a7ac17a9caf24910e4c0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.d4dacc913c03a7ac17a9caf24910e4c0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Local\Temp\samhe.exe
  "C:\Users\Admin\AppData\Local\Temp\samhe.exe"
  2⤵
  - Executes dropped EXE
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\samhe.exe

Filesize
30KB

MD5
04a0e34762ba9e30b63c4f9eae709b97

SHA1
5a3890724312ad0ae87a5fc6242af7ac597ea489

SHA256
c4339568b98726a262ad4de63f2678db20114e8898797eb2c5a3fcc13bf4f716

SHA512
e2e3e86abe256f074c5853b4b04b0a0fd4e9fec4fa71465e099347e4924ade0155c87e9be7062848209844a6954007f7a615d394a99faecfc46c39e2d7ef7888

Download Submit
C:\Users\Admin\AppData\Local\Temp\samhe.exe

Filesize
30KB

MD5
04a0e34762ba9e30b63c4f9eae709b97

SHA1
5a3890724312ad0ae87a5fc6242af7ac597ea489

SHA256
c4339568b98726a262ad4de63f2678db20114e8898797eb2c5a3fcc13bf4f716

SHA512
e2e3e86abe256f074c5853b4b04b0a0fd4e9fec4fa71465e099347e4924ade0155c87e9be7062848209844a6954007f7a615d394a99faecfc46c39e2d7ef7888

Download Submit
C:\Users\Admin\AppData\Local\Temp\samhe.exe

Filesize
30KB

MD5
04a0e34762ba9e30b63c4f9eae709b97

SHA1
5a3890724312ad0ae87a5fc6242af7ac597ea489

SHA256
c4339568b98726a262ad4de63f2678db20114e8898797eb2c5a3fcc13bf4f716

SHA512
e2e3e86abe256f074c5853b4b04b0a0fd4e9fec4fa71465e099347e4924ade0155c87e9be7062848209844a6954007f7a615d394a99faecfc46c39e2d7ef7888

Download Submit