bf47a9013b280af8b576de1276c15f0f25f82c5af0076d6ff758ec3c7690cb5d

General

Target

NEAS.aa2353c29dd63a1f7b873929baff9690.exe
Size

441KB
MD5

aa2353c29dd63a1f7b873929baff9690
SHA1

28e69e15df7f0a03cc91222f0377449d50131a72
SHA256

bf47a9013b280af8b576de1276c15f0f25f82c5af0076d6ff758ec3c7690cb5d
SHA512

c9997c5428e4938611740a72d2343f9398f89976297c9fcc4e506c76a429d35064b9a8feab3fdc188547caac84e17bad55df86755019e1df1253be41feda057b
SSDEEP

6144:/pW2bgbbV28okoS1oWMkdlZQ5iioc+nBkl7x87t6Qq3AClQZy:/pW2IoioS6D/OZy

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	NEAS.aa2353c29dd63a1f7b873929baff9690.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.aa2353c29dd63a1f7b873929baff9690.exe BATCF %1"	NEAS.aa2353c29dd63a1f7b873929baff9690.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.aa2353c29dd63a1f7b873929baff9690.exe NTPAD %1"	NEAS.aa2353c29dd63a1f7b873929baff9690.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\rtffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.aa2353c29dd63a1f7b873929baff9690.exe RTFDF %1"	NEAS.aa2353c29dd63a1f7b873929baff9690.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.aa2353c29dd63a1f7b873929baff9690.exe NTPAD %1"	NEAS.aa2353c29dd63a1f7b873929baff9690.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.aa2353c29dd63a1f7b873929baff9690.exe NTPAD %1"	NEAS.aa2353c29dd63a1f7b873929baff9690.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\giffile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.aa2353c29dd63a1f7b873929baff9690.exe JPGIF %1"	NEAS.aa2353c29dd63a1f7b873929baff9690.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.aa2353c29dd63a1f7b873929baff9690.exe VBSSF %1"	NEAS.aa2353c29dd63a1f7b873929baff9690.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.aa2353c29dd63a1f7b873929baff9690.exe HTMWF %1"	NEAS.aa2353c29dd63a1f7b873929baff9690.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.aa2353c29dd63a1f7b873929baff9690.exe NTPAD %1"	NEAS.aa2353c29dd63a1f7b873929baff9690.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.aa2353c29dd63a1f7b873929baff9690.exe BATCF %1"	NEAS.aa2353c29dd63a1f7b873929baff9690.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.aa2353c29dd63a1f7b873929baff9690.exe CMDSF %1"	NEAS.aa2353c29dd63a1f7b873929baff9690.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
4216	reg.exe
464	reg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3416 wrote to memory of 4216	3416	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	86
PID 3416 wrote to memory of 4216	3416	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	86
PID 3416 wrote to memory of 464	3416	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	88
PID 3416 wrote to memory of 464	3416	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	88

C:\Users\Admin\AppData\Local\Temp\NEAS.aa2353c29dd63a1f7b873929baff9690.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.aa2353c29dd63a1f7b873929baff9690.exe"
1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3416
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:4216
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\r3wpegLh.exe

Filesize
441KB

MD5
20c52e71c04ca69670a90356045f2415

SHA1
86469b97b3eed568af814a4c7cbfb925ceb07a99

SHA256
d5afa3e9ffb24616927c8790509d70d71672e996c6053ac9021b4ec16e43e265

SHA512
86abc3cb1dcea5abd5a62225d8f7ed66d219e61dee64516ae9fbb3b44fdd74ea505c13a87db60dc5a013ea5d26dc626ed8ab36f37a5ba4ebc43b74fe2786d7ca

Download Submit
memory/3416-0-0x00000162DE3D0000-0x00000162DE3F8000-memory.dmp

Filesize
160KB

Download
memory/3416-1-0x00007FF9B4130000-0x00007FF9B4BF1000-memory.dmp

Filesize
10.8MB

Download
memory/3416-2-0x00000162F8A40000-0x00000162F8A50000-memory.dmp

Filesize
64KB

Download
memory/3416-224-0x00007FF9B4130000-0x00007FF9B4BF1000-memory.dmp

Filesize
10.8MB

Download
memory/3416-311-0x00000162F8A40000-0x00000162F8A50000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads