b74b87aa3f8b412be9f97fef55758b1351a0f3c30cb32075f6f036e7277fa31d

Analysis

max time kernel
180s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2ab60557e45962b4867ca99d040b3fc0.exe
Size

724KB
MD5

2ab60557e45962b4867ca99d040b3fc0
SHA1

ccb8569f756fc5e4a23194ef93b3101e0b65e770
SHA256

b74b87aa3f8b412be9f97fef55758b1351a0f3c30cb32075f6f036e7277fa31d
SHA512

2ee0945d042131af417f801cd8e06258f918c9879ca4db53b8673a0aa30ed4c094e4b62ea170a2833d9425d73d362154aed422fa1af52fd989f0dc11bc82bdf2
SSDEEP

12288:M4YOCY5f4X3seAxyv7g7NKE26omHfCJfxFyjga7FaULdohqP45RgC6:M4Ju7gh2EHfCZxF+FXLZkgC

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	NEAS.2ab60557e45962b4867ca99d040b3fc0.exe

Executes dropped EXE 1 IoCs

pid	Process
3960	197E.tmp

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msmdlocal.dll	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ONBttnIELinkedNotes.dll	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\PPSLAX.DLL	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\SystemX86\mfc140.dll	197E.tmp
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ADALPREVIOUS.DLL	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\msvcr120.dll	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ONNXRuntime-0.5.X.dll	197E.tmp
File opened for modification	C:\Program Files\7-Zip\7z.sfx	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSO.DLL	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ADAL.DLL	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso20win32client.dll	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\NAMEEXT.DLL	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OCHelper.dll	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\URLREDIR.DLL	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\SystemX86\concrt140.dll	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Csi.dll	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\BIN\FPWEC.DLL	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MeetingJoinAxOC.dll	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\STSCOPY.DLL	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso40UIwin32client.dll	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\msoshext.dll	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msolui.dll	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe	197E.tmp
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	197E.tmp
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	197E.tmp
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\GROOVEEX.DLL	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\PortalConnectCore.dll	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSOXMLMF.DLL	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\Interceptor.dll	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\mfc140u.dll	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSOIDCLIL.DLL	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\NPSPWRAP.DLL	197E.tmp
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\concrt140.dll	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\mfc140u.dll	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\VVIEWER.DLL	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\NAME.DLL	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ONLNTCOMLIB.DLL	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso30win32client.dll	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHEV.DLL	197E.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Backup	AdobeARM.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\concrt140.dll	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\adal.dll	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msolap.dll	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\xmsrv.dll	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ONBttnIE.dll	197E.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Temp	AdobeARM.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso98win32client.dll	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OLKFSTUB.DLL	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OWSCLT.DLL	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\VVIEWDWG.DLL	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\MSVCR110.DLL	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\msvcr120.dll	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\BIN\FPSRVUTL.DLL	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\concrt140.dll	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\IEAWSDC.DLL	197E.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OWSSUPP.DLL	197E.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2960	NEAS.2ab60557e45962b4867ca99d040b3fc0.exe
2960	NEAS.2ab60557e45962b4867ca99d040b3fc0.exe
2960	NEAS.2ab60557e45962b4867ca99d040b3fc0.exe
2960	NEAS.2ab60557e45962b4867ca99d040b3fc0.exe
2960	NEAS.2ab60557e45962b4867ca99d040b3fc0.exe
2960	NEAS.2ab60557e45962b4867ca99d040b3fc0.exe
2960	NEAS.2ab60557e45962b4867ca99d040b3fc0.exe
2960	NEAS.2ab60557e45962b4867ca99d040b3fc0.exe
2960	NEAS.2ab60557e45962b4867ca99d040b3fc0.exe
2960	NEAS.2ab60557e45962b4867ca99d040b3fc0.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
624	AdobeARM.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 3960	2960	NEAS.2ab60557e45962b4867ca99d040b3fc0.exe	88
PID 2960 wrote to memory of 3960	2960	NEAS.2ab60557e45962b4867ca99d040b3fc0.exe	88
PID 2960 wrote to memory of 3960	2960	NEAS.2ab60557e45962b4867ca99d040b3fc0.exe	88
PID 2960 wrote to memory of 624	2960	NEAS.2ab60557e45962b4867ca99d040b3fc0.exe	89
PID 2960 wrote to memory of 624	2960	NEAS.2ab60557e45962b4867ca99d040b3fc0.exe	89
PID 2960 wrote to memory of 624	2960	NEAS.2ab60557e45962b4867ca99d040b3fc0.exe	89
PID 624 wrote to memory of 1512	624	AdobeARM.exe	101
PID 624 wrote to memory of 1512	624	AdobeARM.exe	101
PID 624 wrote to memory of 1512	624	AdobeARM.exe	101

C:\Users\Admin\AppData\Local\Temp\NEAS.2ab60557e45962b4867ca99d040b3fc0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2ab60557e45962b4867ca99d040b3fc0.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Users\Admin\AppData\Local\Temp\197E.tmp
  C:\Users\Admin\AppData\Local\Temp\197E.tmp
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:3960
- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
  "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:624
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
    3⤵
    PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\ARM\ArmReport.ini

Filesize
634B

MD5
4600ea83e72c40d5b6d25248895c4d66

SHA1
666d119fa0398adce7093f434fc15437ca6913c5

SHA256
4f9b2f699943dc7a42321fde879d884202e9b3bd8391519cc69bd83d8d485aae

SHA512
08c1e1315bd3be50f47cce09a7b9c36aa38572495cdcbaa1053f6cc14af921437f3972c25d2d5c8df70a5b2e239a62d4cec6b3039de5b99e43b173eab4cb0bc9

Download Submit
C:\ProgramData\Adobe\ARM\ArmReport.ini

Filesize
746B

MD5
5757246b0746f04f7c6c7685c433d80f

SHA1
910a75876285c35fe0fa03c11f36257aeba8a2b3

SHA256
d33f7174ff6e717d72bfb38cf92e25135823d3d02273bf3f575f95d2afdc12dc

SHA512
8f2f3642154d4f016f7679567cc5879e8d4a794a07b62b9663905406a77aebb111b04032353588719a631d9e5223acf543499ef7f7b36e0e15ec966c638219f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\197E.tmp

Filesize
145KB

MD5
c610e7ccd6859872c585b2a85d7dc992

SHA1
362b3d4b72e3add687c209c79b500b7c6a246d46

SHA256
14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041

SHA512
8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666

Download Submit
C:\Users\Admin\AppData\Local\Temp\197E.tmp

Filesize
145KB

MD5
c610e7ccd6859872c585b2a85d7dc992

SHA1
362b3d4b72e3add687c209c79b500b7c6a246d46

SHA256
14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041

SHA512
8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdobeARM.log

Filesize
178B

MD5
18e40e58b976cd6e3e0e447a3d50d2d7

SHA1
5f9c1ca8045ad0688db08c3c515f54b1ce9ac6f2

SHA256
09b4cbc52df653e266f3f7a6a10a07ac1f4cb6204f4c4c959c2a6078e46354f7

SHA512
79ba9e58cedea63c74d8897ccaa2abe9e4e201246964ec9aefc0fb8b01f7db4271a748a8da1d882a5350661b885dd8dd7946255e927efb109f51df6d44106054

Download Submit
C:\Users\Admin\AppData\Local\Temp\ArmUI.ini

Filesize
251KB

MD5
864c22fb9a1c0670edf01c6ed3e4fbe4

SHA1
bf636f8baed998a1eb4531af9e833e6d3d8df129

SHA256
b4d4dcd9594d372d7c0c975d80ef5802c88502895ed4b8a26ca62e225f2f18b0

SHA512
ff23616ee67d51daa2640ae638f59a8d331930a29b98c2d1bd3b236d2f651f243f9bae38d58515714886cfbb13b9be721d490aad4f2d10cbba74d7701ab34e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp8FE7.tmp

Filesize
3KB

MD5
bbb796dd2b53f7fb7ce855bb39535e2f

SHA1
dfb022a179775c82893fe8c4f59df8f6d19bd2fd

SHA256
ff9b4cf04e3202f150f19c1711767361343935da7841c98b876c42fd2cabce9b

SHA512
0d122f454fcbf4524c2756692f0f33dc98f5bd2426839c6f03cd5c5f4fd507a8a15cf489d7a7ceadd1b95cf31b506c04bf03d613a9ba7d76add92766b1dc5c2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpB2A3.tmp

Filesize
3KB

MD5
ec946860cff4f4a6d325a8de7d6254d2

SHA1
7c909f646d9b2d23c58f73ec2bb603cd59dc11fd

SHA256
19fe53c801ad7edc635f61e9e28d07da31780c2480e6f37ecfc63fffe1b250fe

SHA512
38a98b18dbae063bc533a1ff25a3467a7de197651e07e77a1b22cf8ce251282ab31f61dcff5c51ef186cfd115dc506181d480eabffbe92af01dee6282cbee13e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpBA17.tmp

Filesize
3KB

MD5
fc2430057cb1be74c788f10c2d4540c8

SHA1
cab67ee8d5191fbf9f25545825e06c1a822af2f2

SHA256
dcc9d2695125406282ba990fec39403c44b12964acf51b5e0dc7f2080d714398

SHA512
4e2b9709a9e3ca5173abb35816e5a0aebbf2a7aaf971d7f75f3ae66e4a812cbade103baa5016525f5ab83a60c18f8d3c278c90ff83e4afdae419f81673cb5aee

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpDDDC.tmp

Filesize
3KB

MD5
a58599260c64cb41ed7d156db8ac13ef

SHA1
fb9396eb1270e9331456a646ebf1419fc283dc06

SHA256
aabf92089e16fdb28706356dbc4efb5a81f5277946f2e67695b31676616ed2d2

SHA512
6970cbc42e7ec64ccdb8e5633b7017b1e9ec0d4ad094869e221e9275b814b1442b84827996190159543bdb5e86df6885c45197c533d657db4660fca8ad761a71

Download Submit
memory/2960-0-0x0000000000AB0000-0x0000000000B00000-memory.dmp

Filesize
320KB

Download
memory/2960-1-0x0000000000AB0000-0x0000000000B00000-memory.dmp

Filesize
320KB

Download