57ca6de5f323eaccc5a4464662dae9f2efd04edbc7374e1b19810e03d772ef61

Analysis

max time kernel
181s
max time network
187s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
11/11/2023, 05:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.284a18342040a19d358b9923721884a0.exe
Size

123KB
MD5

284a18342040a19d358b9923721884a0
SHA1

e5fe32c94011638218a7fff21684b2be5c37c85f
SHA256

57ca6de5f323eaccc5a4464662dae9f2efd04edbc7374e1b19810e03d772ef61
SHA512

f6c43351d8d0d64339f28ae73e46a8d3c9348ce09e34db51bc86ab103a45cc8a813778c1bab9eac9d0f86d5d19f3226169ed4d4c332a227119953cc23901a1eb
SSDEEP

384:tKX/YpauYp2Mq5S5GBpk/1S18EZUS0UxlSN72MJQlaNRCachf2l:IcWYr8k24N0UxuJQwrCaSf4

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	NEAS.284a18342040a19d358b9923721884a0.exe

Executes dropped EXE 1 IoCs

pid	Process
2096	hummy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 704 wrote to memory of 2096	704	NEAS.284a18342040a19d358b9923721884a0.exe	89
PID 704 wrote to memory of 2096	704	NEAS.284a18342040a19d358b9923721884a0.exe	89
PID 704 wrote to memory of 2096	704	NEAS.284a18342040a19d358b9923721884a0.exe	89

C:\Users\Admin\AppData\Local\Temp\NEAS.284a18342040a19d358b9923721884a0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.284a18342040a19d358b9923721884a0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:704
- C:\Users\Admin\AppData\Local\Temp\hummy.exe
  "C:\Users\Admin\AppData\Local\Temp\hummy.exe"
  2⤵
  - Executes dropped EXE
  PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hummy.exe

Filesize
123KB

MD5
01cb913e66685d1d08b587d7e27e008f

SHA1
200fda2047bccfc49e339407dd81c14f33e60297

SHA256
babb109e1e503b1da8d819f2576a90773bb2aca19536a9c1c8ab8e10db1716d4

SHA512
6a320eba7658a7cd6ebccf1098d3b095476f4d5b76dd11c58ac17212c4d7b4b8b0038c0ceecb07eb743b6d9c50d5d888cf45f4f86392d2af2bfd1497dd223d06

Download Submit
C:\Users\Admin\AppData\Local\Temp\hummy.exe

Filesize
123KB

MD5
01cb913e66685d1d08b587d7e27e008f

SHA1
200fda2047bccfc49e339407dd81c14f33e60297

SHA256
babb109e1e503b1da8d819f2576a90773bb2aca19536a9c1c8ab8e10db1716d4

SHA512
6a320eba7658a7cd6ebccf1098d3b095476f4d5b76dd11c58ac17212c4d7b4b8b0038c0ceecb07eb743b6d9c50d5d888cf45f4f86392d2af2bfd1497dd223d06

Download Submit
C:\Users\Admin\AppData\Local\Temp\hummy.exe

Filesize
123KB

MD5
01cb913e66685d1d08b587d7e27e008f

SHA1
200fda2047bccfc49e339407dd81c14f33e60297

SHA256
babb109e1e503b1da8d819f2576a90773bb2aca19536a9c1c8ab8e10db1716d4

SHA512
6a320eba7658a7cd6ebccf1098d3b095476f4d5b76dd11c58ac17212c4d7b4b8b0038c0ceecb07eb743b6d9c50d5d888cf45f4f86392d2af2bfd1497dd223d06

Download Submit
memory/704-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/704-9-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download