Analysis
-
max time kernel
150s -
max time network
101s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
07/05/2024, 12:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8b6b4dedc4785b68169ef666cc776020_NEAS.exe
Resource
win7-20240221-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
8b6b4dedc4785b68169ef666cc776020_NEAS.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
8b6b4dedc4785b68169ef666cc776020_NEAS.exe
-
Size
72KB
-
MD5
8b6b4dedc4785b68169ef666cc776020
-
SHA1
c82f006b7fb4206987f567b59c60271cdaac20cf
-
SHA256
955cdc49827962067a6d85ba9f56ddc1e0f7bb48cb4f470831d90b9eb147d4f8
-
SHA512
a8a2c1922d38f3756f12553c8fa63627a5eed0c4d5f98a27bcbd377d802cdeff345a256cff8beddeddadc68b07ed166b87ffcfbe0a0b6239aa4ab19453614c34
-
SSDEEP
768:j2Xw1owYOWJOaoUpd+WXfL4OznetSFB9Oty/N/X+YVhP5itZfP6v+XyQq:yXw1owchf3zegFLEmNfP8Sv+9q
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" piuoqi.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation 8b6b4dedc4785b68169ef666cc776020_NEAS.exe -
Executes dropped EXE 1 IoCs
pid Process 4628 piuoqi.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\piuoqi = "C:\\Users\\Admin\\piuoqi.exe" piuoqi.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe 4628 piuoqi.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 4372 8b6b4dedc4785b68169ef666cc776020_NEAS.exe 4628 piuoqi.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4372 wrote to memory of 4628 4372 8b6b4dedc4785b68169ef666cc776020_NEAS.exe 90 PID 4372 wrote to memory of 4628 4372 8b6b4dedc4785b68169ef666cc776020_NEAS.exe 90 PID 4372 wrote to memory of 4628 4372 8b6b4dedc4785b68169ef666cc776020_NEAS.exe 90 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83 PID 4628 wrote to memory of 4372 4628 piuoqi.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\8b6b4dedc4785b68169ef666cc776020_NEAS.exe"C:\Users\Admin\AppData\Local\Temp\8b6b4dedc4785b68169ef666cc776020_NEAS.exe"1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4372 -
C:\Users\Admin\piuoqi.exe"C:\Users\Admin\piuoqi.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4628
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
72KB
MD53796dc32dc01e62f3f05d22bf39ad81f
SHA1d8ec090c9f1a17400c24e2bdae71c5684d0e4902
SHA256edf1a663ee931d961dd2e163d0f263a29aab0bfd50d9b37f52fa1c5322e04108
SHA512c1a1f35a5fe5ad0bbeb7da5529b6762a345c1ea13cbb6f25e90facbb27f6981b92193f7e3811925dd9402d7bad081a6f1bb6c13b1130836396c9201524d3ac9a