65441095e36617c054b491a76cd49d1a025df8960b3d196e85b465708c5e0805

General

Target

NEAS.6a15aae400c2e7fe8c0c5e81e489f4e0.exe
Size

12KB
MD5

6a15aae400c2e7fe8c0c5e81e489f4e0
SHA1

0431aefe469f6e2885e973315adfe1a9852d8a39
SHA256

65441095e36617c054b491a76cd49d1a025df8960b3d196e85b465708c5e0805
SHA512

68bd51656d98b77f6adee12c72ee73e8a62a7bfd99affcb13808e3b9888429d8b49278c3553ca1b839c9115ddb3b7f3e07dd5acd2bb1b0e8bf7a5fa094e93dd2
SSDEEP

384:3L7li/2zlq2DcEQvd2cJKLTp/NK9xaX9:7lM8Q9cX9

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	NEAS.6a15aae400c2e7fe8c0c5e81e489f4e0.exe

Executes dropped EXE 1 IoCs

pid	Process
4424	tmpADDB.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2808	NEAS.6a15aae400c2e7fe8c0c5e81e489f4e0.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 1240	2808	NEAS.6a15aae400c2e7fe8c0c5e81e489f4e0.exe	89
PID 2808 wrote to memory of 1240	2808	NEAS.6a15aae400c2e7fe8c0c5e81e489f4e0.exe	89
PID 2808 wrote to memory of 1240	2808	NEAS.6a15aae400c2e7fe8c0c5e81e489f4e0.exe	89
PID 1240 wrote to memory of 1452	1240	vbc.exe	91
PID 1240 wrote to memory of 1452	1240	vbc.exe	91
PID 1240 wrote to memory of 1452	1240	vbc.exe	91
PID 2808 wrote to memory of 4424	2808	NEAS.6a15aae400c2e7fe8c0c5e81e489f4e0.exe	96
PID 2808 wrote to memory of 4424	2808	NEAS.6a15aae400c2e7fe8c0c5e81e489f4e0.exe	96
PID 2808 wrote to memory of 4424	2808	NEAS.6a15aae400c2e7fe8c0c5e81e489f4e0.exe	96

C:\Users\Admin\AppData\Local\Temp\NEAS.6a15aae400c2e7fe8c0c5e81e489f4e0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.6a15aae400c2e7fe8c0c5e81e489f4e0.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r3knhtuc\r3knhtuc.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1240
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4B6410A1CD6F468EBBCADC6AC36E4A39.TMP"
    3⤵
    PID:1452
- C:\Users\Admin\AppData\Local\Temp\tmpADDB.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpADDB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\NEAS.6a15aae400c2e7fe8c0c5e81e489f4e0.exe
  2⤵
  - Executes dropped EXE
  PID:4424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
8d7262e6ab2d03bb9ea461dad3e1ce45

SHA1
9199ff1c1490cea41385bc77e386fce16855d89b

SHA256
8cd3fb162175de1eac3a03ba89ad530420bfb841860ab894418dfb05f481b1e0

SHA512
6534c5954a907e334c762fd8e3c66d3456f50993c6c04f5dac69096b67e17fe98bd0902e95fba08832ce6c0333f61f91abb09ff7f9e7e130425f1efca36d1fce

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1.tmp

Filesize
1KB

MD5
8517efd36b2dfd83e9a7da501a44b318

SHA1
f777f819a7900771a85188141f4dd4ea1898a428

SHA256
99acd4bdb96ea47db823ae98ae543b10858f8ea2fabcc60b2c5fd1b69dc70515

SHA512
b4bb5f82f66f0372502d8e724b51ff73478bff000459b10d5978dc4328a24e0e496c0293036140600f314b965e7f02f83eb2c7cd6383bc18193c53183f56f8a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\r3knhtuc\r3knhtuc.0.vb

Filesize
2KB

MD5
9049d2cf7f2c600057c740b14e64f8e8

SHA1
251ca01f41678afdb3deb4d177ea6064ad3584bf

SHA256
2bd26effdcb782cce2e48dbf6546a4c3da36d81bd477999f7ca4569fe5f2ef76

SHA512
72ccc18d8221bbab1f98d184c978b60bb917bc53bc003e5cf03615326b7bcfa13d9c210b2e17d755acaa7b7a8195565680da6d03f8c412407e776fd3a1247731

Download Submit
C:\Users\Admin\AppData\Local\Temp\r3knhtuc\r3knhtuc.cmdline

Filesize
273B

MD5
1c8150d547f8cf750e4089f8d5aaef0e

SHA1
2f9b9d0b4dd6d983f98ac129f173893d9df48f40

SHA256
a9cc0a5c4c3b592563572ffbe1e357941e41d69a8c9e9ba7ff78d072e4bb24e2

SHA512
0d526adacdc15cb19f5241bf1671557da6f1ee1fa6a7d2af4370a918039569e54bf6da9f0799ca0d308ff5b076fb391be3fe251a5377ae0187a2f9ef540dde6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpADDB.tmp.exe

Filesize
12KB

MD5
527c324aec678823a07740b165f192b5

SHA1
b87c0e7b13de3fb9ac03ea704bf020223a742f7e

SHA256
5ee5ff77f4d2ff57d66cdaa997afeeeb8b31553c2eefe133d855a3bc5e7abfc5

SHA512
12c094867935527e8f65b0a7c2767e2fce4a18bcb13b62df9b309a5b3084a48b0819a7e52fe5d282e20c47c582d1f363bca834b28b8a1f280a6ac28d1618ae88

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpADDB.tmp.exe

Filesize
12KB

MD5
527c324aec678823a07740b165f192b5

SHA1
b87c0e7b13de3fb9ac03ea704bf020223a742f7e

SHA256
5ee5ff77f4d2ff57d66cdaa997afeeeb8b31553c2eefe133d855a3bc5e7abfc5

SHA512
12c094867935527e8f65b0a7c2767e2fce4a18bcb13b62df9b309a5b3084a48b0819a7e52fe5d282e20c47c582d1f363bca834b28b8a1f280a6ac28d1618ae88

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4B6410A1CD6F468EBBCADC6AC36E4A39.TMP

Filesize
1KB

MD5
6e1c0d6a7ccfc33747c2c872beb02c30

SHA1
8d53b1c29c90767b44d0a57d2e6226adad087371

SHA256
821b428d0cbd2dfe9a911b2b1ab39798877cefc15b936ec6b85b6c04c7cc9765

SHA512
f76ba3ad1db9d15f1346e42aca71255de8e7a86de07d5106aa47fbc603ef88cf50e01a2dc2e136829e3ef06393e8ac9f1d69a4d47958a1df03b1733321f82802

Download Submit
memory/2808-0-0x0000000074FD0000-0x0000000075780000-memory.dmp

Filesize
7.7MB

Download
memory/2808-3-0x0000000074FD0000-0x0000000075780000-memory.dmp

Filesize
7.7MB

Download
memory/2808-12-0x0000000005BA0000-0x0000000005BB0000-memory.dmp

Filesize
64KB

Download
memory/2808-2-0x0000000005900000-0x000000000599C000-memory.dmp

Filesize
624KB

Download
memory/2808-1-0x0000000000F60000-0x0000000000F6A000-memory.dmp

Filesize
40KB

Download
memory/2808-6-0x0000000005BA0000-0x0000000005BB0000-memory.dmp

Filesize
64KB

Download
memory/2808-28-0x0000000074FD0000-0x0000000075780000-memory.dmp

Filesize
7.7MB

Download
memory/4424-25-0x0000000000AE0000-0x0000000000AEA000-memory.dmp

Filesize
40KB

Download
memory/4424-26-0x0000000074FD0000-0x0000000075780000-memory.dmp

Filesize
7.7MB

Download
memory/4424-29-0x0000000005980000-0x0000000005F24000-memory.dmp

Filesize
5.6MB

Download
memory/4424-30-0x0000000005470000-0x0000000005502000-memory.dmp

Filesize
584KB

Download
memory/4424-32-0x0000000074FD0000-0x0000000075780000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing