029ddcded7006f27c62a28a3c6c534deae30c57702aadbe021d5c21a4435a259

General

Target

NEAS.5d1032af44bb9577d5fa9b9aa6ebe310.exe
Size

12KB
MD5

5d1032af44bb9577d5fa9b9aa6ebe310
SHA1

da14d69875cd52a09cc2b15e78c8573b7523d2d2
SHA256

029ddcded7006f27c62a28a3c6c534deae30c57702aadbe021d5c21a4435a259
SHA512

c7d0bed666a5609991b3926aa537180982db9f211f4e9bb1f1c1d96c127fb3271def99321621660b2fe621634c93e8fcf3993601bda9ab6847fde8f9d20eaf00
SSDEEP

384:TL7li/2zuq2DcEQvdhcJKLTp/NK9xaEg:3mM/Q9cEg

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2496	tmp2FB9.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2496	tmp2FB9.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2188	NEAS.5d1032af44bb9577d5fa9b9aa6ebe310.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2188	NEAS.5d1032af44bb9577d5fa9b9aa6ebe310.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2600	2188	NEAS.5d1032af44bb9577d5fa9b9aa6ebe310.exe	29
PID 2188 wrote to memory of 2600	2188	NEAS.5d1032af44bb9577d5fa9b9aa6ebe310.exe	29
PID 2188 wrote to memory of 2600	2188	NEAS.5d1032af44bb9577d5fa9b9aa6ebe310.exe	29
PID 2188 wrote to memory of 2600	2188	NEAS.5d1032af44bb9577d5fa9b9aa6ebe310.exe	29
PID 2600 wrote to memory of 2808	2600	vbc.exe	31
PID 2600 wrote to memory of 2808	2600	vbc.exe	31
PID 2600 wrote to memory of 2808	2600	vbc.exe	31
PID 2600 wrote to memory of 2808	2600	vbc.exe	31
PID 2188 wrote to memory of 2496	2188	NEAS.5d1032af44bb9577d5fa9b9aa6ebe310.exe	32
PID 2188 wrote to memory of 2496	2188	NEAS.5d1032af44bb9577d5fa9b9aa6ebe310.exe	32
PID 2188 wrote to memory of 2496	2188	NEAS.5d1032af44bb9577d5fa9b9aa6ebe310.exe	32
PID 2188 wrote to memory of 2496	2188	NEAS.5d1032af44bb9577d5fa9b9aa6ebe310.exe	32

C:\Users\Admin\AppData\Local\Temp\NEAS.5d1032af44bb9577d5fa9b9aa6ebe310.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.5d1032af44bb9577d5fa9b9aa6ebe310.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\smael10j\smael10j.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF42E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc18460320CC2E41D3803CBD16FE96BA26.TMP"
    3⤵
    PID:2808
- C:\Users\Admin\AppData\Local\Temp\tmp2FB9.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp2FB9.tmp.exe" C:\Users\Admin\AppData\Local\Temp\NEAS.5d1032af44bb9577d5fa9b9aa6ebe310.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
3f15cab10563f698b8e32afefb8456e2

SHA1
a9d0676eee5f54258306c7f94616b863777254fc

SHA256
d5342596ef3a6ac6e26a2d9c7fc7356d861a55876fbdd1065bfc2c4f9ac2a01f

SHA512
8ba6524b476f7e969edc1208f2687c365e00436d075000ac3af7e9ff2e518330e5c7975b666c5ad0b183362ff169f0b6d9f6856ce3c5dc7ef3cdca47183aa02f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF42E.tmp

Filesize
1KB

MD5
bb2a6ba89d2caed9e3677c1c9ac0df89

SHA1
4bc9eeef059101488545ee8b18743ba2ae6e5387

SHA256
d79c24b831636e782204bedae0cdddfd8f941c01e6de17bf406fc395d3892546

SHA512
077a4cda3cef9698c7ce365be83fb5de603e3b21166cecbce35f8814167c57f1c8aac18e3fbf34bf5695f61d34a70ec33624d495d9762e3c06cc949d82e23174

Download Submit
C:\Users\Admin\AppData\Local\Temp\smael10j\smael10j.0.vb

Filesize
2KB

MD5
c477f8adca4c08f10e2be0c9d81aeddb

SHA1
a6058bff93566c7e3bef7338b81aee3844c41158

SHA256
6b4dfe80f00b24eb0097ad671fe3a73e53172458008e724595ce51c73bc2814d

SHA512
817e8df5c0872bbdbc0e12c818def258ef955cfad15532a15e9d7ea2e8b0fcaad5e72dfba40114df016a300687bbf8cc669baed13a21960d12a4060089704f3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\smael10j\smael10j.cmdline

Filesize
273B

MD5
193f175b01f1b8c68efdbb4b2760a1f2

SHA1
32ee25541c786b24441231041697bfa1983f388b

SHA256
a97a51178d338e0008f8e2d52da1d49ecb3232f945af55e8c7dd8c4be158b3a6

SHA512
1d48ef9998bc59da7eb45ba9d76237070e0cc41346d9eec403e0348de72691de8fe15f1752ec65c7d6de97f605751bb653378250aa010e2d49a280b3dc2676e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2FB9.tmp.exe

Filesize
12KB

MD5
d0bd91195a81e04cfbaefd1b13e90cb1

SHA1
024a413ca5c24115c8f590efd8a7c50ecaba7378

SHA256
30ee686d53963c632c4522291f9fc635263c1835cfcfd0284d2f785e38e1c1e2

SHA512
758dd5133ecc08f3ff110903787849c5d74eb23de6a9bc9749b1bdf4db309ca582fb49cbdbd4574dcd70fff8de4fd77758a77b3a1727dd4d1c1ec0c17094ce28

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2FB9.tmp.exe

Filesize
12KB

MD5
d0bd91195a81e04cfbaefd1b13e90cb1

SHA1
024a413ca5c24115c8f590efd8a7c50ecaba7378

SHA256
30ee686d53963c632c4522291f9fc635263c1835cfcfd0284d2f785e38e1c1e2

SHA512
758dd5133ecc08f3ff110903787849c5d74eb23de6a9bc9749b1bdf4db309ca582fb49cbdbd4574dcd70fff8de4fd77758a77b3a1727dd4d1c1ec0c17094ce28

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc18460320CC2E41D3803CBD16FE96BA26.TMP

Filesize
1KB

MD5
c3970187b22b8474034a0c6031302e07

SHA1
46824587f40d271a51b605cdafc2387120586f9f

SHA256
4a65f24282c9cddd89de93a03be59aceac24d74a2d6cdf1b439a63b3fb9da92e

SHA512
ecedae86967f264ef5dbf3a1d56a4eea4508471dd4561840bbfa6e4bbf5d902a7ee380df52701bb4491689610f21ea21ef00b3cc479d35a2561af09b7c25bde5

Download Submit
\Users\Admin\AppData\Local\Temp\tmp2FB9.tmp.exe

Filesize
12KB

MD5
d0bd91195a81e04cfbaefd1b13e90cb1

SHA1
024a413ca5c24115c8f590efd8a7c50ecaba7378

SHA256
30ee686d53963c632c4522291f9fc635263c1835cfcfd0284d2f785e38e1c1e2

SHA512
758dd5133ecc08f3ff110903787849c5d74eb23de6a9bc9749b1bdf4db309ca582fb49cbdbd4574dcd70fff8de4fd77758a77b3a1727dd4d1c1ec0c17094ce28

Download Submit
memory/2188-9-0x0000000004DF0000-0x0000000004E30000-memory.dmp

Filesize
256KB

Download
memory/2188-5-0x0000000004DF0000-0x0000000004E30000-memory.dmp

Filesize
256KB

Download
memory/2188-2-0x0000000073FD0000-0x00000000746BE000-memory.dmp

Filesize
6.9MB

Download
memory/2188-1-0x0000000000D00000-0x0000000000D0A000-memory.dmp

Filesize
40KB

Download
memory/2188-0-0x0000000073FD0000-0x00000000746BE000-memory.dmp

Filesize
6.9MB

Download
memory/2188-27-0x0000000073FD0000-0x00000000746BE000-memory.dmp

Filesize
6.9MB

Download
memory/2496-25-0x0000000000250000-0x000000000025A000-memory.dmp

Filesize
40KB

Download
memory/2496-26-0x0000000073FD0000-0x00000000746BE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing