Overview

overview

7

Static

static

3

NEAS.6d134...e0.exe

windows7-x64

6

NEAS.6d134...e0.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-11-2023 03:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.6d13441dbcc0eb39c8579143bf1b23e0.exe

  • Size

    168KB

  • MD5

    6d13441dbcc0eb39c8579143bf1b23e0

  • SHA1

    e33af0fa2a43383e80ef9f273456ed6877263151

  • SHA256

    d7a1ea2715823fc0b0e060d5d70d3452336ebd3cec732502c4751bc853acbeec

  • SHA512

    7c8f6d262506d44b3f5d292db116a8ad84f9745092a1a35e47c0a84487f0e8ecfbab4961ff5bb180227e2dd458bbfe1d4b5dddec29efac423c28db84d541ddf3

  • SSDEEP

    3072:4XTTASJKf2n5AxE2NpxOa2XdU2QF4s5XgIDFyHb8kHofL/09rG:4vASJKenie2xT2NU2OTFQb8Fb0I

Score
7/10
persistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks for any installed AV software in registry 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.6d13441dbcc0eb39c8579143bf1b23e0.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.6d13441dbcc0eb39c8579143bf1b23e0.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3120
    • C:\Windows\SysWOW64\svchost.exe
      C:\ProgramData\2j6fjh00jb.exe
      2⤵
      • Adds Run key to start application
      • Checks for any installed AV software in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:1856
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\oci68C9.tmp.bat" "C:\Users\Admin\AppData\Local\Temp\NEAS.6d13441dbcc0eb39c8579143bf1b23e0.exe""
      2⤵
        PID:1588

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\oci68C9.tmp.bat
      Filesize

      32B

      MD5

      29adefa9a0bac2ec84acc7745823b267

      SHA1

      f0510b05fb7591d64f9e919aed4e6ca087314b5f

      SHA256

      e5c0536c493f9595ecccd935d05dbabca79edc2cf0798080ad37390e8598d3ee

      SHA512

      5525965c6bf4ca9cd357947376c1e9bb9f6a803f9c62c1612a6fdbe1c8baa310bbce7341ec7820312329f145555d1eaf77586ac0149fef7963cac0b20f6c16ab

      Download Submit

    • memory/1856-292-0x0000000000C40000-0x0000000000CB6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/1856-337-0x0000000000A00000-0x0000000000C00000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1856-283-0x0000000000C40000-0x0000000000CB6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/1856-285-0x0000000000A00000-0x0000000000C00000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1856-286-0x0000000000C40000-0x0000000000CB6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/1856-284-0x0000000000A00000-0x0000000000C00000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1856-289-0x0000000000A00000-0x0000000000C00000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1856-294-0x0000000000C40000-0x0000000000CB6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/1856-339-0x0000000000A00000-0x0000000000C00000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1856-2-0x0000000000C40000-0x0000000000CB6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/1856-290-0x0000000000C40000-0x0000000000CB6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/1856-296-0x0000000000A00000-0x0000000000C00000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1856-297-0x0000000000C40000-0x0000000000CB6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/1856-299-0x0000000002B80000-0x0000000002B90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1856-309-0x0000000000C40000-0x0000000000CB6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/1856-315-0x0000000000C40000-0x0000000000CB6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/1856-336-0x0000000000A00000-0x0000000000C00000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1856-1-0x00000000003E0000-0x00000000003E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1856-338-0x0000000000A00000-0x0000000000C00000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1856-291-0x0000000000C40000-0x0000000000CB6000-memory.dmp

      Filesize

      472KB

      Download