06f4bd294680c6d112ca8e41cf6b601b35f403f0a2dc543b2cca3ccc725927b8

Analysis

max time kernel
134s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
13/11/2023, 00:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.0edaa8b74416af7232ae03d4479fbfe0.exe
Size

68KB
MD5

0edaa8b74416af7232ae03d4479fbfe0
SHA1

30ad581685b6a024aa84e6095c598447e799b74d
SHA256

06f4bd294680c6d112ca8e41cf6b601b35f403f0a2dc543b2cca3ccc725927b8
SHA512

b4ece44c7cb1976d415bf75e67e8c167cf23a837586113eaee37081cccc291756c84eb99cea42de57f525b4b2153123c6ededdba24668690eb4daa862c4a2810
SSDEEP

384:MdPnITsHlTxk7ETVAyPyAtatgTkeI8rlHfc+EGPBoIt5r8gyOVTxpiB5njBn/i:MdAT05xk7HKQ8xog5r8BOVTKfE

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	NEAS.0edaa8b74416af7232ae03d4479fbfe0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	hfdfjdk.exe

Executes dropped EXE 1 IoCs

pid	Process
396	hfdfjdk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 396	5004	NEAS.0edaa8b74416af7232ae03d4479fbfe0.exe	91
PID 5004 wrote to memory of 396	5004	NEAS.0edaa8b74416af7232ae03d4479fbfe0.exe	91
PID 5004 wrote to memory of 396	5004	NEAS.0edaa8b74416af7232ae03d4479fbfe0.exe	91

C:\Users\Admin\AppData\Local\Temp\NEAS.0edaa8b74416af7232ae03d4479fbfe0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.0edaa8b74416af7232ae03d4479fbfe0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Users\Admin\AppData\Local\Temp\hfdfjdk.exe
  "C:\Users\Admin\AppData\Local\Temp\hfdfjdk.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hfdfjdk.exe

Filesize
68KB

MD5
9b530ea9d4931c5e7da23edfc417f72a

SHA1
5a21f42775ad1b20a861adbba31e9d259c8558b2

SHA256
02837dc3a71ad08e767469e61b0ea8c473ad8f1eec8067340c12a3c7ebd07580

SHA512
d0493f1abfe5166734d5dfa4355204501b5bb00af4a15ba2edac209f4de37a8bd71e8bf13715f0692bd7d420fd299088203c6fa4180f5e25d3b252e396494968

Download Submit
C:\Users\Admin\AppData\Local\Temp\hfdfjdk.exe

Filesize
68KB

MD5
9b530ea9d4931c5e7da23edfc417f72a

SHA1
5a21f42775ad1b20a861adbba31e9d259c8558b2

SHA256
02837dc3a71ad08e767469e61b0ea8c473ad8f1eec8067340c12a3c7ebd07580

SHA512
d0493f1abfe5166734d5dfa4355204501b5bb00af4a15ba2edac209f4de37a8bd71e8bf13715f0692bd7d420fd299088203c6fa4180f5e25d3b252e396494968

Download Submit
C:\Users\Admin\AppData\Local\Temp\hfdfjdk.exe

Filesize
68KB

MD5
9b530ea9d4931c5e7da23edfc417f72a

SHA1
5a21f42775ad1b20a861adbba31e9d259c8558b2

SHA256
02837dc3a71ad08e767469e61b0ea8c473ad8f1eec8067340c12a3c7ebd07580

SHA512
d0493f1abfe5166734d5dfa4355204501b5bb00af4a15ba2edac209f4de37a8bd71e8bf13715f0692bd7d420fd299088203c6fa4180f5e25d3b252e396494968

Download Submit