6acb3b43d98f272ef65bd7499ebd99cc2e55b5e361cde052d0c2f49ce78d4bc4

General

Target

NEAS.6acb3b43d98f272ef65bd7499ebd99cc2e55b5e361cde052d0c2f49ce78d4bc4.exe
Size

395KB
MD5

27f3ee84cf6c103db746602bd309b4ae
SHA1

e7e88cff99c7fec0e8661f1066f6503a967e424d
SHA256

6acb3b43d98f272ef65bd7499ebd99cc2e55b5e361cde052d0c2f49ce78d4bc4
SHA512

bd67b9e9424c6c817c7ff0790139276155b611944243dc57bc526b1577cd195885fc87d792a455fb7a75a755e0c05e29e80739d23834b760b9f40c5db27f3745
SSDEEP

6144:fLhat7FJYk9idwSOr0TLlDtIY6wR+fjSTyHeZ:fts7FJnqZhDtr6wofjSTy

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	NEAS.6acb3b43d98f272ef65bd7499ebd99cc2e55b5e361cde052d0c2f49ce78d4bc4.exe

Executes dropped EXE 1 IoCs

pid	Process
3052	Utsysc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 10 IoCs

pid	pid_target	Process	procid_target
924	2112	WerFault.exe	72
3416	2112	WerFault.exe	72
4460	2112	WerFault.exe	72
5112	2112	WerFault.exe	72
2804	2112	WerFault.exe	72
4732	2112	WerFault.exe	72
1420	2112	WerFault.exe	72
800	2112	WerFault.exe	72
4448	2112	WerFault.exe	72
4216	2112	WerFault.exe	72

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2112	NEAS.6acb3b43d98f272ef65bd7499ebd99cc2e55b5e361cde052d0c2f49ce78d4bc4.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 3052	2112	NEAS.6acb3b43d98f272ef65bd7499ebd99cc2e55b5e361cde052d0c2f49ce78d4bc4.exe	122
PID 2112 wrote to memory of 3052	2112	NEAS.6acb3b43d98f272ef65bd7499ebd99cc2e55b5e361cde052d0c2f49ce78d4bc4.exe	122
PID 2112 wrote to memory of 3052	2112	NEAS.6acb3b43d98f272ef65bd7499ebd99cc2e55b5e361cde052d0c2f49ce78d4bc4.exe	122

C:\Users\Admin\AppData\Local\Temp\NEAS.6acb3b43d98f272ef65bd7499ebd99cc2e55b5e361cde052d0c2f49ce78d4bc4.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.6acb3b43d98f272ef65bd7499ebd99cc2e55b5e361cde052d0c2f49ce78d4bc4.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 584
  2⤵
  - Program crash
  PID:924
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 668
  2⤵
  - Program crash
  PID:3416
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 736
  2⤵
  - Program crash
  PID:4460
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 856
  2⤵
  - Program crash
  PID:5112
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 844
  2⤵
  - Program crash
  PID:2804
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 844
  2⤵
  - Program crash
  PID:4732
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 1008
  2⤵
  - Program crash
  PID:1420
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 1072
  2⤵
  - Program crash
  PID:800
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 1124
  2⤵
  - Program crash
  PID:4448
- C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
  "C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe"
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 1328
  2⤵
  - Program crash
  PID:4216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2112 -ip 2112
1⤵
PID:2924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2112 -ip 2112
1⤵
PID:2380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2112 -ip 2112
1⤵
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2112 -ip 2112
1⤵
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2112 -ip 2112
1⤵
PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2112 -ip 2112
1⤵
PID:1604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2112 -ip 2112
1⤵
PID:988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2112 -ip 2112
1⤵
PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2112 -ip 2112
1⤵
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2112 -ip 2112
1⤵
PID:4392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe

Filesize
395KB

MD5
27f3ee84cf6c103db746602bd309b4ae

SHA1
e7e88cff99c7fec0e8661f1066f6503a967e424d

SHA256
6acb3b43d98f272ef65bd7499ebd99cc2e55b5e361cde052d0c2f49ce78d4bc4

SHA512
bd67b9e9424c6c817c7ff0790139276155b611944243dc57bc526b1577cd195885fc87d792a455fb7a75a755e0c05e29e80739d23834b760b9f40c5db27f3745

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe

Filesize
395KB

MD5
27f3ee84cf6c103db746602bd309b4ae

SHA1
e7e88cff99c7fec0e8661f1066f6503a967e424d

SHA256
6acb3b43d98f272ef65bd7499ebd99cc2e55b5e361cde052d0c2f49ce78d4bc4

SHA512
bd67b9e9424c6c817c7ff0790139276155b611944243dc57bc526b1577cd195885fc87d792a455fb7a75a755e0c05e29e80739d23834b760b9f40c5db27f3745

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe

Filesize
395KB

MD5
27f3ee84cf6c103db746602bd309b4ae

SHA1
e7e88cff99c7fec0e8661f1066f6503a967e424d

SHA256
6acb3b43d98f272ef65bd7499ebd99cc2e55b5e361cde052d0c2f49ce78d4bc4

SHA512
bd67b9e9424c6c817c7ff0790139276155b611944243dc57bc526b1577cd195885fc87d792a455fb7a75a755e0c05e29e80739d23834b760b9f40c5db27f3745

Download Submit
memory/2112-1-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2112-2-0x0000000000650000-0x0000000000750000-memory.dmp

Filesize
1024KB

Download
memory/2112-3-0x0000000000750000-0x00000000007BC000-memory.dmp

Filesize
432KB

Download
memory/2112-4-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2112-15-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2112-16-0x0000000000750000-0x00000000007BC000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing