Analysis

  • max time kernel
    192s
  • max time network
    200s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17-11-2023 03:49

General

  • Target

    NEAS.b16dd8d1356cb654917de8907981d2a0.exe

  • Size

    327KB

  • MD5

    b16dd8d1356cb654917de8907981d2a0

  • SHA1

    64e7f465a4fbcb437699f298b71ab0b479f67b9c

  • SHA256

    72a125500299f5213f2d1755174d2fa4753467fbaba04049c58df46b37a74701

  • SHA512

    57648b9b79b400cfd75211a6ef6926bb71dbfbfea98322f64fc62ae5f3e07268b562c303ae64ca74ee8cc7e204144cf3418648d217898be6214b5200f964d76f

  • SSDEEP

    6144:B2+JS2sFafI8U0obHCW/2a7XQcsPMjVWrG89gkPzDh1v:B2TFafJiHCWBWPMjVWrXf1v

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.b16dd8d1356cb654917de8907981d2a0.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.b16dd8d1356cb654917de8907981d2a0.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1112
    • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\SearchIndexerDB.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\SearchIndexerDB.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\SearchIndexerDB.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2348
      • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\SearchIndexerDB.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\SearchIndexerDB.exe"
        3⤵
        • Executes dropped EXE
        PID:3076

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\SearchIndexerDB.exe

    Filesize

    327KB

    MD5

    f22b06b7d1434240886aad606043b3c9

    SHA1

    884b5e9c30041b447c5abc0e75c19fc99f5fcc39

    SHA256

    cb0745ca2cf9df219718e5aab5f936711261c8d684e1d8cccfe8777bdc3b9e9f

    SHA512

    a4d826c7e0f23308400f6996005ee3fb0786f5b2e9921fca1431cdb086c516ef78ef85975553a2c61c58911fb1d8b915ef8332dd384425f7318f4d853c6de73d
