cb84523e45e67322ac227f31fc1d448d26e3e6af773fd7553650aebf3be70077

General

Target

NEAS.5bc9aa72270594d342e44614969a30e0.exe
Size

12KB
MD5

5bc9aa72270594d342e44614969a30e0
SHA1

93563bcc7a91ad8d6b4548ab0b091ddfb2a54876
SHA256

cb84523e45e67322ac227f31fc1d448d26e3e6af773fd7553650aebf3be70077
SHA512

95dc84f519766f886159f8720a76d5fa0b100b04f8863b16f17c4547cdb8c50f8600336c43ef3e66a088861b6f15027e52c920a0010094498a3664ef5d8b4cf0
SSDEEP

384:2L7li/2z2q2DcEQvdhcJKLTp/NK9xaTq:w+M/Q9cTq

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2300	tmpE207.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2300	tmpE207.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
1192	NEAS.5bc9aa72270594d342e44614969a30e0.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1192	NEAS.5bc9aa72270594d342e44614969a30e0.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 2524	1192	NEAS.5bc9aa72270594d342e44614969a30e0.exe	30
PID 1192 wrote to memory of 2524	1192	NEAS.5bc9aa72270594d342e44614969a30e0.exe	30
PID 1192 wrote to memory of 2524	1192	NEAS.5bc9aa72270594d342e44614969a30e0.exe	30
PID 1192 wrote to memory of 2524	1192	NEAS.5bc9aa72270594d342e44614969a30e0.exe	30
PID 2524 wrote to memory of 2564	2524	vbc.exe	32
PID 2524 wrote to memory of 2564	2524	vbc.exe	32
PID 2524 wrote to memory of 2564	2524	vbc.exe	32
PID 2524 wrote to memory of 2564	2524	vbc.exe	32
PID 1192 wrote to memory of 2300	1192	NEAS.5bc9aa72270594d342e44614969a30e0.exe	33
PID 1192 wrote to memory of 2300	1192	NEAS.5bc9aa72270594d342e44614969a30e0.exe	33
PID 1192 wrote to memory of 2300	1192	NEAS.5bc9aa72270594d342e44614969a30e0.exe	33
PID 1192 wrote to memory of 2300	1192	NEAS.5bc9aa72270594d342e44614969a30e0.exe	33

C:\Users\Admin\AppData\Local\Temp\NEAS.5bc9aa72270594d342e44614969a30e0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.5bc9aa72270594d342e44614969a30e0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r00cronk\r00cronk.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESED9A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc63D32EA0575C463BA36581574D6DE2C3.TMP"
    3⤵
    PID:2564
- C:\Users\Admin\AppData\Local\Temp\tmpE207.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpE207.tmp.exe" C:\Users\Admin\AppData\Local\Temp\NEAS.5bc9aa72270594d342e44614969a30e0.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
9934e7de12d46a6bcb4139fd5e5c25e7

SHA1
1df23524dc56fb91ff25439ed04cf354520d7fb5

SHA256
e2673c6731244ffbc9847b726cf39c9455190b2b0a6dd85041079320657a8365

SHA512
b1f7c530524815cfecd948eb116a98b66b176becac2e5822496d01e3bab9f71c41b429c087089366f8e1ffc78dab8d998f032450d19a3b3527c3c7e778265cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESED9A.tmp

Filesize
1KB

MD5
ae6296d891dbc617cd3f406ab51cac35

SHA1
2bf57c2cd30d0833b7083646a017201869caf165

SHA256
a71f9b632cf1e6b8b8f5af59582dd35f13b6020a8bafc26dec98fd738a7e9b9b

SHA512
89fd0de12ad2e6608da0400e1d7ea007b27c76a4254f6f1021eb8828795348c2e0ff04c40e1fd11a32075a3af091f604c235a484fddec3f2a7321869068d7bfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\r00cronk\r00cronk.0.vb

Filesize
2KB

MD5
426f9d00b3a5b2d842ea0d3603fc9437

SHA1
6c75365ee11a3dbc357d312ccedc3753cc517975

SHA256
a10c0a5661741b23104680e230e62023ce323ea2a9f9eeb5fa921422c6dc1bbd

SHA512
6ba5443656d1f096327caa8e3cb9215ac07bd28ed26475d041480664984613b8e59837c7c0c8efe557c1f569fba97ae7435f6dbf2db7b65ca3bfecd189c4e5db

Download Submit
C:\Users\Admin\AppData\Local\Temp\r00cronk\r00cronk.cmdline

Filesize
273B

MD5
03a317d1c6fdac3025dea329fe83c3ea

SHA1
e13a5a0803ee6015a074700f44e4fdf06d374ac9

SHA256
7c5196ed0349be9b9c178e43d8bbf3c39269955219c038b61a8fe955f71dee47

SHA512
6b2f226f80216961f3340a065addea0470fbb151228ebdd4cc191ce5e2b4b971f1edfa116baa87d0f0d2dfb628ad6c9baf7eb10af10e9f527cdcb1f9293257b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE207.tmp.exe

Filesize
12KB

MD5
2a63347749bb33ae655a6f783e0f74f1

SHA1
ee8345c0fde0dd5becfc768c12b40f63835223b1

SHA256
2f26fb15ddecc2b37fde0d37bc2238d3112b9f8940bb2f0992aaf9720f89e97e

SHA512
add4f7e20f4a7948fb6a9938a85d6a8c7fee2164e227c99deb8d6c1f2c4e97cdbd3309fadb2b38cd75e326f4cf009870824e75d269795e20aaca67d7ce688a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE207.tmp.exe

Filesize
12KB

MD5
2a63347749bb33ae655a6f783e0f74f1

SHA1
ee8345c0fde0dd5becfc768c12b40f63835223b1

SHA256
2f26fb15ddecc2b37fde0d37bc2238d3112b9f8940bb2f0992aaf9720f89e97e

SHA512
add4f7e20f4a7948fb6a9938a85d6a8c7fee2164e227c99deb8d6c1f2c4e97cdbd3309fadb2b38cd75e326f4cf009870824e75d269795e20aaca67d7ce688a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc63D32EA0575C463BA36581574D6DE2C3.TMP

Filesize
1KB

MD5
30ec69b96c16a3c189c211ea4b4208a3

SHA1
d369815405e9d517bf0b63e22b7b90175f2999c1

SHA256
66cd45413caa74cf5ecef78347fe98a17ec76658e20e667b1ec17cad904729b4

SHA512
6c7ee5120798469783518cae7500ae5e8efe568347fe71df1b2a816fb5092ddb737ba0308fba7b1ec9c95b40f2fdcd0ea9bc60f934a46cd8fd69ef79f079b90b

Download Submit
\Users\Admin\AppData\Local\Temp\tmpE207.tmp.exe

Filesize
12KB

MD5
2a63347749bb33ae655a6f783e0f74f1

SHA1
ee8345c0fde0dd5becfc768c12b40f63835223b1

SHA256
2f26fb15ddecc2b37fde0d37bc2238d3112b9f8940bb2f0992aaf9720f89e97e

SHA512
add4f7e20f4a7948fb6a9938a85d6a8c7fee2164e227c99deb8d6c1f2c4e97cdbd3309fadb2b38cd75e326f4cf009870824e75d269795e20aaca67d7ce688a0f

Download Submit
memory/1192-8-0x0000000004FA0000-0x0000000004FE0000-memory.dmp

Filesize
256KB

Download
memory/1192-5-0x0000000004FA0000-0x0000000004FE0000-memory.dmp

Filesize
256KB

Download
memory/1192-2-0x0000000074270000-0x000000007495E000-memory.dmp

Filesize
6.9MB

Download
memory/1192-1-0x00000000003A0000-0x00000000003AA000-memory.dmp

Filesize
40KB

Download
memory/1192-0-0x0000000074270000-0x000000007495E000-memory.dmp

Filesize
6.9MB

Download
memory/1192-27-0x0000000074270000-0x000000007495E000-memory.dmp

Filesize
6.9MB

Download
memory/2300-25-0x0000000000C10000-0x0000000000C1A000-memory.dmp

Filesize
40KB

Download
memory/2300-26-0x0000000074270000-0x000000007495E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing