b15079a7c820f6dbd06bab844043ae9030cdaca13901666a85705a4cbc4d61f3

Analysis

max time kernel
158s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
03/11/2023, 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.f4f0428f5d1c49b75c7c3456c6b7db60_JC.exe
Size

145KB
MD5

f4f0428f5d1c49b75c7c3456c6b7db60
SHA1

585cac14ab56ccbecd25dba698f91ff937ee8bec
SHA256

b15079a7c820f6dbd06bab844043ae9030cdaca13901666a85705a4cbc4d61f3
SHA512

d2a6a0dfcd9930084273c495b13a7ff48bafccfe230b31f839ab0792f3e5375d00a90036e20a0bcb0e01bb8fc1643ec553249b6bc85b8e1c342d0de158da7874
SSDEEP

3072:06G5HOoWBx3xrBx41z8QcMrgD56G5H26G5HOoWBx3xrBx4OFggF6G5HOoWB:FGpV1z8QXjGp/GpVOKGp

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	NEAS.f4f0428f5d1c49b75c7c3456c6b7db60_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
1716	rekeywiz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\Microsoft\v2.0_2.0.0.0__c0ea44958341cea\rekeywiz.exe:Zone.Identifier	NEAS.f4f0428f5d1c49b75c7c3456c6b7db60_JC.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1336	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe
1716	rekeywiz.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4188 wrote to memory of 1468	4188	NEAS.f4f0428f5d1c49b75c7c3456c6b7db60_JC.exe	101
PID 4188 wrote to memory of 1468	4188	NEAS.f4f0428f5d1c49b75c7c3456c6b7db60_JC.exe	101
PID 4188 wrote to memory of 1468	4188	NEAS.f4f0428f5d1c49b75c7c3456c6b7db60_JC.exe	101
PID 1468 wrote to memory of 1336	1468	cmd.exe	103
PID 1468 wrote to memory of 1336	1468	cmd.exe	103
PID 1468 wrote to memory of 1336	1468	cmd.exe	103
PID 1468 wrote to memory of 4388	1468	cmd.exe	108
PID 1468 wrote to memory of 4388	1468	cmd.exe	108
PID 1468 wrote to memory of 4388	1468	cmd.exe	108

C:\Users\Admin\AppData\Local\Temp\NEAS.f4f0428f5d1c49b75c7c3456c6b7db60_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.f4f0428f5d1c49b75c7c3456c6b7db60_JC.exe"
1⤵
- Checks computer location settings
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:4188
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /d /c ping -n 2 127.0.0.1 > NUL & fsutil file setzerodata offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\NEAS.f4f0428f5d1c49b75c7c3456c6b7db60_JC.exe" & del "C:\Users\Admin\AppData\Local\Temp\NEAS.f4f0428f5d1c49b75c7c3456c6b7db60_JC.exe" > NUL & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 2 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1336
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil file setzerodata offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\NEAS.f4f0428f5d1c49b75c7c3456c6b7db60_JC.exe"
    3⤵
    PID:4388

C:\ProgramData\Microsoft\v2.0_2.0.0.0__c0ea44958341cea\rekeywiz.exe
C:\ProgramData\Microsoft\v2.0_2.0.0.0__c0ea44958341cea\rekeywiz.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\v2.0_2.0.0.0__c0ea44958341cea\rekeywiz.exe

Filesize
145KB

MD5
f4f0428f5d1c49b75c7c3456c6b7db60

SHA1
585cac14ab56ccbecd25dba698f91ff937ee8bec

SHA256
b15079a7c820f6dbd06bab844043ae9030cdaca13901666a85705a4cbc4d61f3

SHA512
d2a6a0dfcd9930084273c495b13a7ff48bafccfe230b31f839ab0792f3e5375d00a90036e20a0bcb0e01bb8fc1643ec553249b6bc85b8e1c342d0de158da7874

Download Submit
C:\ProgramData\Microsoft\v2.0_2.0.0.0__c0ea44958341cea\rekeywiz.exe

Filesize
145KB

MD5
f4f0428f5d1c49b75c7c3456c6b7db60

SHA1
585cac14ab56ccbecd25dba698f91ff937ee8bec

SHA256
b15079a7c820f6dbd06bab844043ae9030cdaca13901666a85705a4cbc4d61f3

SHA512
d2a6a0dfcd9930084273c495b13a7ff48bafccfe230b31f839ab0792f3e5375d00a90036e20a0bcb0e01bb8fc1643ec553249b6bc85b8e1c342d0de158da7874

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8EDD.tmp

Filesize
145KB

MD5
f4f0428f5d1c49b75c7c3456c6b7db60

SHA1
585cac14ab56ccbecd25dba698f91ff937ee8bec

SHA256
b15079a7c820f6dbd06bab844043ae9030cdaca13901666a85705a4cbc4d61f3

SHA512
d2a6a0dfcd9930084273c495b13a7ff48bafccfe230b31f839ab0792f3e5375d00a90036e20a0bcb0e01bb8fc1643ec553249b6bc85b8e1c342d0de158da7874

Download Submit