0c5bf9bfe9249435d8731ac4539a5f4fb8f5d00a7281ae4861209d553fe20b2d

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
17/11/2023, 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.7eb940014f6e917517d13e9e4d7ed240.exe
Size

45KB
MD5

7eb940014f6e917517d13e9e4d7ed240
SHA1

0c72cd837a4dc651e486714ca8ec755165f893cd
SHA256

0c5bf9bfe9249435d8731ac4539a5f4fb8f5d00a7281ae4861209d553fe20b2d
SHA512

b8d167d9a87345fcc861edec968917f488f9f2bd5b12ae1f3710b42555c92e6da07ae239a575ed8ca7e167f92d79330c30d993a696a109d008c96d658ee9ab22
SSDEEP

768:Fg2620RQuPn1qjHEW/oGiZEXAK6a7DUdjaYoCMHosGOnNP0mPefoC6JrE8:FDde/Pn1eHEriwFdSCMdvGa

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation	NEAS.7eb940014f6e917517d13e9e4d7ed240.exe

Executes dropped EXE 1 IoCs

pid	Process
1860	hcbnaf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 1860	1904	NEAS.7eb940014f6e917517d13e9e4d7ed240.exe	86
PID 1904 wrote to memory of 1860	1904	NEAS.7eb940014f6e917517d13e9e4d7ed240.exe	86
PID 1904 wrote to memory of 1860	1904	NEAS.7eb940014f6e917517d13e9e4d7ed240.exe	86

C:\Users\Admin\AppData\Local\Temp\NEAS.7eb940014f6e917517d13e9e4d7ed240.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.7eb940014f6e917517d13e9e4d7ed240.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Users\Admin\AppData\Local\Temp\hcbnaf.exe
  "C:\Users\Admin\AppData\Local\Temp\hcbnaf.exe"
  2⤵
  - Executes dropped EXE
  PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hcbnaf.exe

Filesize
46KB

MD5
d850b34df7cd00c8cc750e531f6003bb

SHA1
51cb49d80f8f7a30ec135546d36c324a17569292

SHA256
366d3732ad9da4e1cb187ed1b82d47a11f359327f909dae0ce61e36ae42de016

SHA512
153948562eed1a11d570a0c00287f8f5ec9ddaed3514607e6dcb3583c165e7ecdb67b9bc9a98fd00c7051d44dd3b8998cba048dce0d7e6be62a918421643ce50

Download Submit
C:\Users\Admin\AppData\Local\Temp\hcbnaf.exe

Filesize
46KB

MD5
d850b34df7cd00c8cc750e531f6003bb

SHA1
51cb49d80f8f7a30ec135546d36c324a17569292

SHA256
366d3732ad9da4e1cb187ed1b82d47a11f359327f909dae0ce61e36ae42de016

SHA512
153948562eed1a11d570a0c00287f8f5ec9ddaed3514607e6dcb3583c165e7ecdb67b9bc9a98fd00c7051d44dd3b8998cba048dce0d7e6be62a918421643ce50

Download Submit
C:\Users\Admin\AppData\Local\Temp\hcbnaf.exe

Filesize
46KB

MD5
d850b34df7cd00c8cc750e531f6003bb

SHA1
51cb49d80f8f7a30ec135546d36c324a17569292

SHA256
366d3732ad9da4e1cb187ed1b82d47a11f359327f909dae0ce61e36ae42de016

SHA512
153948562eed1a11d570a0c00287f8f5ec9ddaed3514607e6dcb3583c165e7ecdb67b9bc9a98fd00c7051d44dd3b8998cba048dce0d7e6be62a918421643ce50

Download Submit
memory/1860-11-0x0000000000620000-0x0000000000624000-memory.dmp

Filesize
16KB

Download
memory/1860-12-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1904-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1904-2-0x0000000002320000-0x0000000002324000-memory.dmp

Filesize
16KB

Download
memory/1904-9-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download