Overview

overview

7

Static

static

3

056e10de60...AS.exe

windows7-x64

7

056e10de60...AS.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    148s
  • max time network
    105s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-05-2024 08:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    056e10de60fd9634f6168e46e9ddf0d0_NEAS.exe

  • Size

    84KB

  • MD5

    056e10de60fd9634f6168e46e9ddf0d0

  • SHA1

    aaa39151ba0a28c482e69de129e1ba10b860f753

  • SHA256

    2aeb033a6e4dbad95e50a7eb444ab1cc0599135265065678eef7c9f281082471

  • SHA512

    f7b9677a24d47a3ec11cf4e99fb7aab8db68be03da368dd07accb302d2551b8a57da40f01d1e19577d2c4538b05a815ad6cd424b3961fc1bc02fd91ff459e1af

  • SSDEEP

    1536:1clIGFNMi+hJUneHoGTvvv4V9hqdhbtgS:+RMi+fUnCTvvv4V9hEhbCS

Score
7/10
persistenceupx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\056e10de60fd9634f6168e46e9ddf0d0_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\056e10de60fd9634f6168e46e9ddf0d0_NEAS.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3516
    • C:\Users\Admin\AppData\Local\Temp\056e10de60fd9634f6168e46e9ddf0d0_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\056e10de60fd9634f6168e46e9ddf0d0_NEAS.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4880
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GFSIW.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3676
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Audio Driver" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\lsass.exe" /f
          4⤵
          • Adds Run key to start application
          PID:888
      • C:\Users\Admin\AppData\Roaming\system\lsass.exe
        "C:\Users\Admin\AppData\Roaming\system\lsass.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4036
        • C:\Users\Admin\AppData\Roaming\system\lsass.exe
          "C:\Users\Admin\AppData\Roaming\system\lsass.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:3704
        • C:\Users\Admin\AppData\Roaming\system\lsass.exe
          "C:\Users\Admin\AppData\Roaming\system\lsass.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:2596
          • C:\Users\Admin\AppData\Roaming\system\lsass.exe
            "C:\Users\Admin\AppData\Roaming\system\lsass.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            PID:1900

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\cxz.exe
    Filesize

    294B

    MD5

    38b7711dd6b85cff6716c2bc79f78772

    SHA1

    9fce8b2afa1dec94ced06b0938f60723fb563602

    SHA256

    f447f1bc877099214493fcb61f36142cdc2e0efb93c2387c640cb0c10d457939

    SHA512

    991b281fd6fc99c293849353c2ee3748a7ebf25767e94cf83eeea85fe5c6f09f731bdc5388ade091a994fc7e24f7415835fabffd4e0c8995129c131f73da3150

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\GFSIW.txt
    Filesize

    146B

    MD5

    c8cba0a9d4d5600b5f53c4c0681d1115

    SHA1

    0e5348e210ca70b2b0ffdc3ff7e6f611716df80c

    SHA256

    ca2b63f6d7bf17480415ae93e115bf9f9699335e84e62719eefdbcc5a78bd2e1

    SHA512

    a2ad6eb5ae2f6d57ca15363ac2f0c57ca3580474e94b9c010750948814cf4d5ffa0c3e7ef44634a3593da23f56011703ff220a3d7780f6f01785bf3b6676ced0

    Download Submit

  • C:\Users\Admin\AppData\Roaming\system\lsass.exe
    Filesize

    84KB

    MD5

    cb57a8ff86182759b4b7e9ea8a2facd8

    SHA1

    88faede81a6a5d0448abf9a5a3098e03ee29f8c5

    SHA256

    7afdeaa3d67156240c2436cd8e2d260bb3cd41057dbd2073424f601232915a2a

    SHA512

    47373c3ad1be37b6d50bda6a759b0ac578de6c84c527ba31570b5cf7b773f8087fce15bb27f2dd1662396a8f69b1c63e4642551e9cc4c116348815d28beb598a

    Download Submit

  • memory/1900-93-0x0000000000400000-0x0000000000404000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1900-71-0x0000000000400000-0x0000000000404000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1900-66-0x0000000000400000-0x0000000000404000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2596-67-0x0000000000400000-0x0000000000403000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2596-58-0x0000000000400000-0x0000000000403000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2596-62-0x0000000000400000-0x0000000000403000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2596-63-0x0000000000400000-0x0000000000403000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2596-54-0x0000000000400000-0x0000000000403000-memory.dmp

    Filesize

    12KB

    Download

  • memory/3516-7-0x0000000002100000-0x0000000002101000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3516-15-0x00000000021B0000-0x00000000021B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3516-10-0x0000000002130000-0x0000000002131000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3516-9-0x0000000002120000-0x0000000002121000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3516-8-0x0000000002110000-0x0000000002111000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3516-20-0x0000000002200000-0x0000000002201000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3516-6-0x00000000020F0000-0x00000000020F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3516-12-0x0000000002180000-0x0000000002181000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3516-13-0x0000000002190000-0x0000000002191000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3516-19-0x00000000021F0000-0x00000000021F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3516-14-0x00000000021A0000-0x00000000021A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3516-11-0x0000000002160000-0x0000000002161000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3516-16-0x00000000021C0000-0x00000000021C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3516-18-0x00000000021E0000-0x00000000021E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3516-17-0x00000000021D0000-0x00000000021D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3704-61-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/3704-95-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/4036-60-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

    Download

  • memory/4880-64-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/4880-47-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/4880-4-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/4880-21-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/4880-2-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download