8186eef16b08ab5e7f4b64fe8963d3789e2dac0ee3b87a0307074f82e7022f78

General

Target

NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe
Size

352KB
MD5

39cbdd80113c3daeec9bd0aa8f09cf90
SHA1

4c84998aa5b6f0511d3427c369cb53dc84a14be8
SHA256

8186eef16b08ab5e7f4b64fe8963d3789e2dac0ee3b87a0307074f82e7022f78
SHA512

11c1b829ab8af7e3586d6106e94613530276740106f7b1d1f7cbb9a1d18fda8c7f01d1784df8e10fbcc824edea3f5fbf2df837fcdbf6c23345e647e277a68cd8
SSDEEP

6144:/pW2bgbbV28okoS1oWMkdlZQ5iinNrv2SxhIP4i:/pW2IoioS65xTi

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe BATCF %1"	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe BATCF %1"	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe HTMWF %1"	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe NTPAD %1"	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe NTPAD %1"	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe NTPAD %1"	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe NTPAD %1"	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe CMDSF %1"	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\giffile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe JPGIF %1"	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe VBSSF %1"	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\rtffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe RTFDF %1"	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
4792	reg.exe
2108	reg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3812 wrote to memory of 4792	3812	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	87
PID 3812 wrote to memory of 4792	3812	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	87
PID 3812 wrote to memory of 2108	3812	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	89
PID 3812 wrote to memory of 2108	3812	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	89

C:\Users\Admin\AppData\Local\Temp\NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe"
1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3812
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:4792
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\GvCSkOYnvD.exe

Filesize
352KB

MD5
4f2114b864c0c7a93581bd84e5c167d0

SHA1
c34358bb7f76a6aa0947afaa61b210963a23ea80

SHA256
90dd323e08327d83d22798a708acdb39f4d88282c3c800c2c904fb88f0d6a79b

SHA512
25756966bb5315da9aa824a534211f09ff320fe74cce6a3573a4fdbc585b727057e65bd65faf8ae68f83aa1c499e6dc9f818d5574ff1c49dd609f635dd9baefc

Download Submit
memory/3812-0-0x000001CE77040000-0x000001CE77068000-memory.dmp

Filesize
160KB

Download
memory/3812-1-0x00007FFD39320000-0x00007FFD39DE1000-memory.dmp

Filesize
10.8MB

Download
memory/3812-2-0x000001CE79680000-0x000001CE79690000-memory.dmp

Filesize
64KB

Download
memory/3812-3-0x00007FFD39320000-0x00007FFD39DE1000-memory.dmp

Filesize
10.8MB

Download
memory/3812-4-0x000001CE79680000-0x000001CE79690000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads