b02972f02b18b57fb6b48292b34cc24a20e5bcccfb832c387de6f8f7a0cb9e63

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 06:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7bf1e9aca849b615940fc8e49ad75ed0_NEAS.exe
Size

54KB
MD5

7bf1e9aca849b615940fc8e49ad75ed0
SHA1

36b8d2efab9e246a983f50c890b6fea897c713e9
SHA256

b02972f02b18b57fb6b48292b34cc24a20e5bcccfb832c387de6f8f7a0cb9e63
SHA512

eacda265bc6e44fdaba4ca49671a336ba90b8be3d071e70cb26965b4663ba171c4f28674cf425649e04bc1db602b1e7bc3cd157672f6c49976b2db6f46772e5f
SSDEEP

768:MApQr0fvdFJI341GxusOy9Rp1pLeAxoeC48PqK1OtaP6cCFzENREMZ7ZbM:MAaMJlBsh7pWezEPJB+OlbM

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	7bf1e9aca849b615940fc8e49ad75ed0_NEAS.exe

Executes dropped EXE 1 IoCs

pid	Process
4324	sal.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\sal.exe	7bf1e9aca849b615940fc8e49ad75ed0_NEAS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3260 wrote to memory of 4324	3260	7bf1e9aca849b615940fc8e49ad75ed0_NEAS.exe	83
PID 3260 wrote to memory of 4324	3260	7bf1e9aca849b615940fc8e49ad75ed0_NEAS.exe	83
PID 3260 wrote to memory of 4324	3260	7bf1e9aca849b615940fc8e49ad75ed0_NEAS.exe	83

C:\Users\Admin\AppData\Local\Temp\7bf1e9aca849b615940fc8e49ad75ed0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\7bf1e9aca849b615940fc8e49ad75ed0_NEAS.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3260
- C:\windows\SysWOW64\sal.exe
  "C:\windows\system32\sal.exe"
  2⤵
  - Executes dropped EXE
  PID:4324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\sal.exe

Filesize
54KB

MD5
e42c1ac158df81ad88fdaedb734e5ad7

SHA1
bf7b8fca91f8d112fefa39dbf6f2967f78ef8204

SHA256
4337d80ecd61a01e303924cb9f2b0b1d812d5de92c1d051a2ee93d6c58dafd0f

SHA512
b2a846692bd181fb170e7553d2dde201b70bea6bba1570d5125219fae5da18b7ba13b36d6691342d6d5bc162ed9ed5906af9cbe55afd11280f6a6d8d9d1cefcd

Download Submit
memory/3260-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3260-9-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4324-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download