Analysis
max time kernel: 195s
max time network: 212s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/11/2023, 19:47
Static task: static1
Behavioral task: behavioral1
  Sample: NEAS.070d3e7c2024c8d3a9a0c199b1dff460.exe
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: NEAS.070d3e7c2024c8d3a9a0c199b1dff460.exe
  Resource: win10v2004-20231023-en
General
Target: NEAS.070d3e7c2024c8d3a9a0c199b1dff460.exe
Size: 124KB
MD5: 070d3e7c2024c8d3a9a0c199b1dff460
SHA1: 5fbb4f8cc5b886552fbd22281cd2f06ca025667f
SHA256: 95d18273250967d6b0e3bddab377c8aac51b6c1094ea982add4af9317c9ef5d1
SHA512: c2f81c886fc11d29df7a3d3bddd650499b4614c34d80bf28af007f0c67237d28075633eb82cb83ceaff7123096b877725e53cba0bbe24d4cbfe0fec90d9bd681
SSDEEP: 3072:Eq8f/oic1i9uTAlPQSDwEyWefHEvGdxETCpPJZ:78f/U1iF/sUGdxETI
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation | NEAS.070d3e7c2024c8d3a9a0c199b1dff460.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeIncBasePriorityPrivilege | 2244 | NEAS.070d3e7c2024c8d3a9a0c199b1dff460.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 2244 wrote to memory of 3468 | 2244 | NEAS.070d3e7c2024c8d3a9a0c199b1dff460.exe | 92
  PID 2244 wrote to memory of 3468 | 2244 | NEAS.070d3e7c2024c8d3a9a0c199b1dff460.exe | 92
  PID 2244 wrote to memory of 3468 | 2244 | NEAS.070d3e7c2024c8d3a9a0c199b1dff460.exe | 92
  PID 3468 wrote to memory of 768 | 3468 | cmd.exe | 95
  PID 3468 wrote to memory of 768 | 3468 | cmd.exe | 95
  PID 3468 wrote to memory of 768 | 3468 | cmd.exe | 95

Views/modifies file attributes (1 TTP, 1 IoC)
  pid | Process
  768 | attrib.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\NEAS.070d3e7c2024c8d3a9a0c199b1dff460.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.070d3e7c2024c8d3a9a0c199b1dff460.exe"
   - Checks computer location settings
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 2244

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\dsy9E5.tmp.bat" "C:\Users\Admin\AppData\Local\Temp\NEAS.070d3e7c2024c8d3a9a0c199b1dff460.exe""
      - Suspicious use of WriteProcessMemory
      PID: 3468

      3. C:\Windows\SysWOW64\attrib.exe
         Command line: attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\NEAS.070d3e7c2024c8d3a9a0c199b1dff460.exe"
         - Views/modifies file attributes
         PID: 768
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 53B
MD5: 260a1dd0b56eddc180507f5e95fe38ba
SHA1: c9455ed5190512cdd645f831c92c7c1a073d8bbe
SHA256: db1e894699d15de74b0c8cf81871b5f15ceb83844dc8ef10cc0986c5912ca944
SHA512: 62813f8e3df54bec0d61a540a83f97de55b0e88f58c2941f3119f40d083eb576435c181538fb0776145e61037223d917d7cf52daaff11145d10a553bd7120f08