6b14abacc1be8da6819bde0614d5b8fc06cddd3e01b4516c7ccbd39529514446

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
13/11/2023, 00:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.c01f9529cf645b1c81ed845a6fa3d8a0.exe
Size

3KB
MD5

c01f9529cf645b1c81ed845a6fa3d8a0
SHA1

7dff85f3dc3c9e2e4dbedc2b60bfa8ca05de4beb
SHA256

6b14abacc1be8da6819bde0614d5b8fc06cddd3e01b4516c7ccbd39529514446
SHA512

58fc96d050c0b31f66cd2c2cbcb1f8fc8a422d077aae60045e40fd470225bfd9f0ad738d11d0a7a57bd83d677664c626bdd604c07465dfa78811c961b2f11d2a

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation	NEAS.c01f9529cf645b1c81ed845a6fa3d8a0.exe

Executes dropped EXE 1 IoCs

pid	Process
3656	yxazj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4556 wrote to memory of 3656	4556	NEAS.c01f9529cf645b1c81ed845a6fa3d8a0.exe	88
PID 4556 wrote to memory of 3656	4556	NEAS.c01f9529cf645b1c81ed845a6fa3d8a0.exe	88
PID 4556 wrote to memory of 3656	4556	NEAS.c01f9529cf645b1c81ed845a6fa3d8a0.exe	88

C:\Users\Admin\AppData\Local\Temp\NEAS.c01f9529cf645b1c81ed845a6fa3d8a0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.c01f9529cf645b1c81ed845a6fa3d8a0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4556
- C:\Users\Admin\AppData\Local\Temp\yxazj.exe
  "C:\Users\Admin\AppData\Local\Temp\yxazj.exe"
  2⤵
  - Executes dropped EXE
  PID:3656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yxazj.exe

Filesize
4KB

MD5
bd6e32e09e2315da3d3b770bd6a4d170

SHA1
0ff51a9fe93a1d5649854986bc101f1d1e34be3f

SHA256
6a424a83579a73bad34b42863f597f2c885325cf1d68129772d5d4909cec7282

SHA512
d0bc2e4345b1106b4ff43d6cfbd1254ec2e4f033fe30e24a04d251c2c28794f342a595b568498a7f35c5a2199c4c8490884ded984efccf47947e920b07e26fe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\yxazj.exe

Filesize
4KB

MD5
bd6e32e09e2315da3d3b770bd6a4d170

SHA1
0ff51a9fe93a1d5649854986bc101f1d1e34be3f

SHA256
6a424a83579a73bad34b42863f597f2c885325cf1d68129772d5d4909cec7282

SHA512
d0bc2e4345b1106b4ff43d6cfbd1254ec2e4f033fe30e24a04d251c2c28794f342a595b568498a7f35c5a2199c4c8490884ded984efccf47947e920b07e26fe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\yxazj.exe

Filesize
4KB

MD5
bd6e32e09e2315da3d3b770bd6a4d170

SHA1
0ff51a9fe93a1d5649854986bc101f1d1e34be3f

SHA256
6a424a83579a73bad34b42863f597f2c885325cf1d68129772d5d4909cec7282

SHA512
d0bc2e4345b1106b4ff43d6cfbd1254ec2e4f033fe30e24a04d251c2c28794f342a595b568498a7f35c5a2199c4c8490884ded984efccf47947e920b07e26fe1

Download Submit