ec4c9a142ae609e23da082dc5f3109e1b93b8f65ade6468007037cc4e0e92dea

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2023, 02:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.48139d3b860af7345483015903a31010.exe
Size

9KB
MD5

48139d3b860af7345483015903a31010
SHA1

68cb579d9e0f8e5ce2a7f3f59b4cad729a91eadd
SHA256

ec4c9a142ae609e23da082dc5f3109e1b93b8f65ade6468007037cc4e0e92dea
SHA512

13f48f36990d136eb583ab76dd22a4d549ee3a924a09f6af21f0c0415cdcad8f20e9796896727c9408865001c909a94459460d0c1176395e9390101607fa4d0f
SSDEEP

192:kKhDt6N6YTKQWRREHZ0RedJzJ8yx5OmDt4aIH:kK1MluQWRREHZlwCIH

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	NEAS.48139d3b860af7345483015903a31010.exe

Executes dropped EXE 1 IoCs

pid	Process
2600	srris.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 2600	2892	NEAS.48139d3b860af7345483015903a31010.exe	85
PID 2892 wrote to memory of 2600	2892	NEAS.48139d3b860af7345483015903a31010.exe	85
PID 2892 wrote to memory of 2600	2892	NEAS.48139d3b860af7345483015903a31010.exe	85

C:\Users\Admin\AppData\Local\Temp\NEAS.48139d3b860af7345483015903a31010.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.48139d3b860af7345483015903a31010.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Users\Admin\AppData\Local\Temp\srris.exe
  "C:\Users\Admin\AppData\Local\Temp\srris.exe"
  2⤵
  - Executes dropped EXE
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\srris.exe

Filesize
9KB

MD5
47579b61c45d9ee75a983a34974f8ab4

SHA1
19215cf20fdf216d272093aa37b5a584832c3bd0

SHA256
ddcb0ddf61156ac1025e57be1eb3e6f66e5b3ca1d034328d1a12d27a0efe2aa8

SHA512
fc2645fed36b59b6aa6640347bdf1143fdc74d7bf731a5699451d1c9e00fc694442ef0ed01e819651febbe46a96ce88306b40bd9ee16b4598cb973e1f534c00e

Download Submit
C:\Users\Admin\AppData\Local\Temp\srris.exe

Filesize
9KB

MD5
47579b61c45d9ee75a983a34974f8ab4

SHA1
19215cf20fdf216d272093aa37b5a584832c3bd0

SHA256
ddcb0ddf61156ac1025e57be1eb3e6f66e5b3ca1d034328d1a12d27a0efe2aa8

SHA512
fc2645fed36b59b6aa6640347bdf1143fdc74d7bf731a5699451d1c9e00fc694442ef0ed01e819651febbe46a96ce88306b40bd9ee16b4598cb973e1f534c00e

Download Submit
C:\Users\Admin\AppData\Local\Temp\srris.exe

Filesize
9KB

MD5
47579b61c45d9ee75a983a34974f8ab4

SHA1
19215cf20fdf216d272093aa37b5a584832c3bd0

SHA256
ddcb0ddf61156ac1025e57be1eb3e6f66e5b3ca1d034328d1a12d27a0efe2aa8

SHA512
fc2645fed36b59b6aa6640347bdf1143fdc74d7bf731a5699451d1c9e00fc694442ef0ed01e819651febbe46a96ce88306b40bd9ee16b4598cb973e1f534c00e

Download Submit