f57e9a56307b50adf39f37957ede4d13ef50ac92dae033dbabc5829f4de14560

Analysis

max time kernel
140s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
13/11/2023, 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.a96fff1caa1ee21afadeb6bbd67aeb40.exe
Size

288KB
MD5

a96fff1caa1ee21afadeb6bbd67aeb40
SHA1

4d1e75aeadd8371b661b1521c02e72c459208f67
SHA256

f57e9a56307b50adf39f37957ede4d13ef50ac92dae033dbabc5829f4de14560
SHA512

868a7567d6eec47b8b8ebac36b9732149194afa14a88e4d4a3b878d3b35dea695fb8bac4951f618579bdcdd5951ed3e79a1d79eb3b8b729c763ec9b7ee84f096
SSDEEP

6144:yQ+Tyfx4NF67Sbq2nW82X45gc3BaLZVS0mOoC8zbzDie:yQMyfmNFHfnWfhLZVHmOog

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	NEAS.a96fff1caa1ee21afadeb6bbd67aeb40.exe

Executes dropped EXE 2 IoCs

pid	Process
872	dwmsys.exe
4024	dwmsys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\systemui\DefaultIcon	NEAS.a96fff1caa1ee21afadeb6bbd67aeb40.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\.exe\ = "systemui"	NEAS.a96fff1caa1ee21afadeb6bbd67aeb40.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\.exe\shell\runas\command	NEAS.a96fff1caa1ee21afadeb6bbd67aeb40.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\systemui\shell\runas	NEAS.a96fff1caa1ee21afadeb6bbd67aeb40.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\.exe	NEAS.a96fff1caa1ee21afadeb6bbd67aeb40.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\.exe\shell	NEAS.a96fff1caa1ee21afadeb6bbd67aeb40.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	NEAS.a96fff1caa1ee21afadeb6bbd67aeb40.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*"	NEAS.a96fff1caa1ee21afadeb6bbd67aeb40.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\systemui	NEAS.a96fff1caa1ee21afadeb6bbd67aeb40.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\systemui\shell\open\command	NEAS.a96fff1caa1ee21afadeb6bbd67aeb40.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\systemui\shell\open	NEAS.a96fff1caa1ee21afadeb6bbd67aeb40.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\.exe\shell\open\command	NEAS.a96fff1caa1ee21afadeb6bbd67aeb40.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\systemui\Content-Type = "application/x-msdownload"	NEAS.a96fff1caa1ee21afadeb6bbd67aeb40.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\systemui\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_amd64\\dwmsys.exe\" /START \"%1\" %*"	NEAS.a96fff1caa1ee21afadeb6bbd67aeb40.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\.exe\DefaultIcon	NEAS.a96fff1caa1ee21afadeb6bbd67aeb40.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	NEAS.a96fff1caa1ee21afadeb6bbd67aeb40.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\.exe\shell\runas	NEAS.a96fff1caa1ee21afadeb6bbd67aeb40.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	NEAS.a96fff1caa1ee21afadeb6bbd67aeb40.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\systemui\DefaultIcon\ = "%1"	NEAS.a96fff1caa1ee21afadeb6bbd67aeb40.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\systemui\shell\open\command\IsolatedCommand = "\"%1\" %*"	NEAS.a96fff1caa1ee21afadeb6bbd67aeb40.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\systemui\shell\runas\command\ = "\"%1\" %*"	NEAS.a96fff1caa1ee21afadeb6bbd67aeb40.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_amd64\\dwmsys.exe\" /START \"%1\" %*"	NEAS.a96fff1caa1ee21afadeb6bbd67aeb40.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\.exe\shell\open	NEAS.a96fff1caa1ee21afadeb6bbd67aeb40.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\systemui\ = "Application"	NEAS.a96fff1caa1ee21afadeb6bbd67aeb40.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\systemui\shell\runas\command	NEAS.a96fff1caa1ee21afadeb6bbd67aeb40.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\systemui\shell\runas\command\IsolatedCommand = "\"%1\" %*"	NEAS.a96fff1caa1ee21afadeb6bbd67aeb40.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\.exe\DefaultIcon\ = "%1"	NEAS.a96fff1caa1ee21afadeb6bbd67aeb40.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\systemui\shell	NEAS.a96fff1caa1ee21afadeb6bbd67aeb40.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\.exe\Content-Type = "application/x-msdownload"	NEAS.a96fff1caa1ee21afadeb6bbd67aeb40.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	872	dwmsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3844 wrote to memory of 872	3844	Process not Found	92
PID 3844 wrote to memory of 872	3844	Process not Found	92
PID 3844 wrote to memory of 872	3844	Process not Found	92
PID 872 wrote to memory of 4024	872	dwmsys.exe	91
PID 872 wrote to memory of 4024	872	dwmsys.exe	91
PID 872 wrote to memory of 4024	872	dwmsys.exe	91

C:\Users\Admin\AppData\Local\Temp\NEAS.a96fff1caa1ee21afadeb6bbd67aeb40.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.a96fff1caa1ee21afadeb6bbd67aeb40.exe"
1⤵
- Checks computer location settings
- Modifies registry class
PID:3844
- C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\dwmsys.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\dwmsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\dwmsys.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:872

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\dwmsys.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\dwmsys.exe"
1⤵
- Executes dropped EXE
PID:4024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\dwmsys.exe

Filesize
288KB

MD5
298f97070c0d6bb8ac172c97405e0249

SHA1
51ee148f5a8cd3cbd7af62053583eb7090b2752a

SHA256
5bbbefd777da142438cd30b72b21e39168bc532484c3634bb2da4a1e90cb1c22

SHA512
00d1888a9fa727e2d0f26bf1297ddebf70e5174ceac2bc5bfc29082c3705e38f1c42efe056a7f4cae3053b9962f80481f0c49f6ca76d20079f193b23913408bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\dwmsys.exe

Filesize
288KB

MD5
298f97070c0d6bb8ac172c97405e0249

SHA1
51ee148f5a8cd3cbd7af62053583eb7090b2752a

SHA256
5bbbefd777da142438cd30b72b21e39168bc532484c3634bb2da4a1e90cb1c22

SHA512
00d1888a9fa727e2d0f26bf1297ddebf70e5174ceac2bc5bfc29082c3705e38f1c42efe056a7f4cae3053b9962f80481f0c49f6ca76d20079f193b23913408bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\dwmsys.exe

Filesize
288KB

MD5
298f97070c0d6bb8ac172c97405e0249

SHA1
51ee148f5a8cd3cbd7af62053583eb7090b2752a

SHA256
5bbbefd777da142438cd30b72b21e39168bc532484c3634bb2da4a1e90cb1c22

SHA512
00d1888a9fa727e2d0f26bf1297ddebf70e5174ceac2bc5bfc29082c3705e38f1c42efe056a7f4cae3053b9962f80481f0c49f6ca76d20079f193b23913408bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\dwmsys.exe

Filesize
288KB

MD5
298f97070c0d6bb8ac172c97405e0249

SHA1
51ee148f5a8cd3cbd7af62053583eb7090b2752a

SHA256
5bbbefd777da142438cd30b72b21e39168bc532484c3634bb2da4a1e90cb1c22

SHA512
00d1888a9fa727e2d0f26bf1297ddebf70e5174ceac2bc5bfc29082c3705e38f1c42efe056a7f4cae3053b9962f80481f0c49f6ca76d20079f193b23913408bf

Download Submit