2b503f1c2fa9bc1f20b5e033d1bce83512f8d061671effe506e995cb8fc155dd

Analysis

max time kernel
150s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2023, 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.10587f1e2a65083ec70c9a6ba5cbd720.exe
Size

27KB
MD5

10587f1e2a65083ec70c9a6ba5cbd720
SHA1

71b54d2d76a379b77b8c26b12905ebc5acb123b0
SHA256

2b503f1c2fa9bc1f20b5e033d1bce83512f8d061671effe506e995cb8fc155dd
SHA512

a68fa3a05cf6db2a5fbd7a35bebebad9fcaae258e16664fb514332c39216837dfb2921aafc558db5cd79a3f11bbeab2f7c2f5587807a94727e3d8e28f1ca51c6
SSDEEP

192:jn9FwXnwR2bsfunHMnHFb1emUAFoP7u1Y:zOnwR2tHMnHFAmhyqY

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	NEAS.10587f1e2a65083ec70c9a6ba5cbd720.exe

Executes dropped EXE 1 IoCs

pid	Process
3740	hcbnaf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 3740	2760	NEAS.10587f1e2a65083ec70c9a6ba5cbd720.exe	84
PID 2760 wrote to memory of 3740	2760	NEAS.10587f1e2a65083ec70c9a6ba5cbd720.exe	84
PID 2760 wrote to memory of 3740	2760	NEAS.10587f1e2a65083ec70c9a6ba5cbd720.exe	84

C:\Users\Admin\AppData\Local\Temp\NEAS.10587f1e2a65083ec70c9a6ba5cbd720.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.10587f1e2a65083ec70c9a6ba5cbd720.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Users\Admin\AppData\Local\Temp\hcbnaf.exe
  "C:\Users\Admin\AppData\Local\Temp\hcbnaf.exe"
  2⤵
  - Executes dropped EXE
  PID:3740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hcbnaf.exe

Filesize
27KB

MD5
8b66a690781e699f51055c3d4c3595ea

SHA1
700f37402c276ee3d217e2ec5a55233ce01444c3

SHA256
1fa42bf6dd0e3e0e373146d5c8bedb12f11493722343c729244ef03647743fa3

SHA512
c5735744efb0e4f2304323488d1aa32e53331657611b9cd6031993f55fbba64d92d7fc1b4bf7529a0f61a0177a1596a49ec8589494f6799e874162a9163c31b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hcbnaf.exe

Filesize
27KB

MD5
8b66a690781e699f51055c3d4c3595ea

SHA1
700f37402c276ee3d217e2ec5a55233ce01444c3

SHA256
1fa42bf6dd0e3e0e373146d5c8bedb12f11493722343c729244ef03647743fa3

SHA512
c5735744efb0e4f2304323488d1aa32e53331657611b9cd6031993f55fbba64d92d7fc1b4bf7529a0f61a0177a1596a49ec8589494f6799e874162a9163c31b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hcbnaf.exe

Filesize
27KB

MD5
8b66a690781e699f51055c3d4c3595ea

SHA1
700f37402c276ee3d217e2ec5a55233ce01444c3

SHA256
1fa42bf6dd0e3e0e373146d5c8bedb12f11493722343c729244ef03647743fa3

SHA512
c5735744efb0e4f2304323488d1aa32e53331657611b9cd6031993f55fbba64d92d7fc1b4bf7529a0f61a0177a1596a49ec8589494f6799e874162a9163c31b5

Download Submit