81cff47887f6a46c2ebb25b2ff826a9a398ff1f64f0fe1d7b92a60b3883b58b3

General

Target

NEAS.9b26ff6418e56cff485a9ccc8c066f90.exe
Size

324KB
MD5

9b26ff6418e56cff485a9ccc8c066f90
SHA1

e1e722ffc64246de79ccd6df19decc1daba32feb
SHA256

81cff47887f6a46c2ebb25b2ff826a9a398ff1f64f0fe1d7b92a60b3883b58b3
SHA512

190244c1e754e92afc7de3915cdd3ad76c547e9234ee278fa5f383851fd003c627fddda4c80320b6840f51b38df3790baea0feee1b28cbdc821a98d14a72bf54
SSDEEP

6144:/pW2bgbbV28okoS1oWMkdlZQ5wQgid3vTv:/pW2IoioS6FL

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	NEAS.9b26ff6418e56cff485a9ccc8c066f90.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.9b26ff6418e56cff485a9ccc8c066f90.exe BATCF %1"	NEAS.9b26ff6418e56cff485a9ccc8c066f90.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.9b26ff6418e56cff485a9ccc8c066f90.exe BATCF %1"	NEAS.9b26ff6418e56cff485a9ccc8c066f90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\rtffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.9b26ff6418e56cff485a9ccc8c066f90.exe RTFDF %1"	NEAS.9b26ff6418e56cff485a9ccc8c066f90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.9b26ff6418e56cff485a9ccc8c066f90.exe NTPAD %1"	NEAS.9b26ff6418e56cff485a9ccc8c066f90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.9b26ff6418e56cff485a9ccc8c066f90.exe NTPAD %1"	NEAS.9b26ff6418e56cff485a9ccc8c066f90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.9b26ff6418e56cff485a9ccc8c066f90.exe NTPAD %1"	NEAS.9b26ff6418e56cff485a9ccc8c066f90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.9b26ff6418e56cff485a9ccc8c066f90.exe CMDSF %1"	NEAS.9b26ff6418e56cff485a9ccc8c066f90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\giffile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.9b26ff6418e56cff485a9ccc8c066f90.exe JPGIF %1"	NEAS.9b26ff6418e56cff485a9ccc8c066f90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.9b26ff6418e56cff485a9ccc8c066f90.exe VBSSF %1"	NEAS.9b26ff6418e56cff485a9ccc8c066f90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.9b26ff6418e56cff485a9ccc8c066f90.exe HTMWF %1"	NEAS.9b26ff6418e56cff485a9ccc8c066f90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.9b26ff6418e56cff485a9ccc8c066f90.exe NTPAD %1"	NEAS.9b26ff6418e56cff485a9ccc8c066f90.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
3980	reg.exe
3596	reg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 904 wrote to memory of 3980	904	NEAS.9b26ff6418e56cff485a9ccc8c066f90.exe	88
PID 904 wrote to memory of 3980	904	NEAS.9b26ff6418e56cff485a9ccc8c066f90.exe	88
PID 904 wrote to memory of 3596	904	NEAS.9b26ff6418e56cff485a9ccc8c066f90.exe	89
PID 904 wrote to memory of 3596	904	NEAS.9b26ff6418e56cff485a9ccc8c066f90.exe	89

C:\Users\Admin\AppData\Local\Temp\NEAS.9b26ff6418e56cff485a9ccc8c066f90.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.9b26ff6418e56cff485a9ccc8c066f90.exe"
1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:904
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:3980
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:3596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\54Ta229CACm.exe

Filesize
324KB

MD5
5407ada85fb9be2456c6d599e4a34cdd

SHA1
b17bcb0d9888d645e4a0b4a58d5339cbb2af38de

SHA256
ca73cbdacb3d5ee0b81a4b19a300a3f8b975f8afc0ad88001c32020dc1c9f980

SHA512
9f5eb7065b8289c8bdb10079a26fd85e5b753ac7de161d141cb7aa213066c09ed25f4964abf8798b6b4745a78a3bc8c777db5e66c7cfd9489bd3d061e959e491

Download Submit
memory/904-0-0x000002942DAF0000-0x000002942DB18000-memory.dmp

Filesize
160KB

Download
memory/904-1-0x00007FFE77440000-0x00007FFE77F01000-memory.dmp

Filesize
10.8MB

Download
memory/904-2-0x00000294482E0000-0x00000294482F0000-memory.dmp

Filesize
64KB

Download
memory/904-384-0x00007FFE77440000-0x00007FFE77F01000-memory.dmp

Filesize
10.8MB

Download
memory/904-585-0x00000294482F0000-0x0000029448499000-memory.dmp

Filesize
1.7MB

Download
memory/904-606-0x00000294482E0000-0x00000294482F0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads