63ac9747a66fc5a5832c46ba4e14560d11628b4622437c9a09aedbc480b08341

General

Target

NEAS.46f8f366ef12bd8c6c3e47c8a03d8610.exe
Size

12KB
MD5

46f8f366ef12bd8c6c3e47c8a03d8610
SHA1

e476251e083e7f43b5f73b6de25028d323de9f76
SHA256

63ac9747a66fc5a5832c46ba4e14560d11628b4622437c9a09aedbc480b08341
SHA512

9896588015163fcb916908dc8af76f2ae513dd820242930fcf9936d8ca50254ee20d7f24c84bf0b5bf4a9e84c4320a8c625cb0275380aa1d2fc44544baf1a311
SSDEEP

384:bL7li/2zBq2DcEQvdhcJKLTp/NK9xaPu:PJM/Q9cPu

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	NEAS.46f8f366ef12bd8c6c3e47c8a03d8610.exe

Deletes itself 1 IoCs

pid	Process
4588	tmp9674.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4588	tmp9674.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	864	NEAS.46f8f366ef12bd8c6c3e47c8a03d8610.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 1560	864	NEAS.46f8f366ef12bd8c6c3e47c8a03d8610.exe	83
PID 864 wrote to memory of 1560	864	NEAS.46f8f366ef12bd8c6c3e47c8a03d8610.exe	83
PID 864 wrote to memory of 1560	864	NEAS.46f8f366ef12bd8c6c3e47c8a03d8610.exe	83
PID 1560 wrote to memory of 1364	1560	vbc.exe	85
PID 1560 wrote to memory of 1364	1560	vbc.exe	85
PID 1560 wrote to memory of 1364	1560	vbc.exe	85
PID 864 wrote to memory of 4588	864	NEAS.46f8f366ef12bd8c6c3e47c8a03d8610.exe	86
PID 864 wrote to memory of 4588	864	NEAS.46f8f366ef12bd8c6c3e47c8a03d8610.exe	86
PID 864 wrote to memory of 4588	864	NEAS.46f8f366ef12bd8c6c3e47c8a03d8610.exe	86

C:\Users\Admin\AppData\Local\Temp\NEAS.46f8f366ef12bd8c6c3e47c8a03d8610.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.46f8f366ef12bd8c6c3e47c8a03d8610.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\43fo4lbg\43fo4lbg.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES98C5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc824342BAEC7649EC9CA98119962258A.TMP"
    3⤵
    PID:1364
- C:\Users\Admin\AppData\Local\Temp\tmp9674.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9674.tmp.exe" C:\Users\Admin\AppData\Local\Temp\NEAS.46f8f366ef12bd8c6c3e47c8a03d8610.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\43fo4lbg\43fo4lbg.0.vb

Filesize
2KB

MD5
f16e446d6a7a4d06b282922ed54f1adb

SHA1
0fa929ff85cc4798dcbae06d3ec04f4503069c92

SHA256
062d0286cd5391d1061a494d08d9201e7b8120572f3a014802cfe0a5fc9e0128

SHA512
a557fd06b3b78160272a9415b8dc6ebb4e4173c129478b4b9a66a66a490402a34bf6d381a07eb84a64fa2beec0e1e0cc938805ea588de3a827d61dc44121ed16

Download Submit
C:\Users\Admin\AppData\Local\Temp\43fo4lbg\43fo4lbg.cmdline

Filesize
273B

MD5
caa54a9ad1f2c30506db1e53ca6ea181

SHA1
1d4a8520d451750b0206a2a7b603f92397521346

SHA256
8f543f6cc36dad911d41eb6216b089010c758cc9b2722277a98a297f167db954

SHA512
a11965bbe1a38dac1203fda41b05a58697a3bb239746bbc9f80492db0f49df2e70adf0e897dbb270c3e32c422445564fe6024634a72bd10a1955f0f286cd9ab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
1da56c8b8046ab353de042420575f07a

SHA1
7dc00b110b96b0c4fb39c3086bacf15152eab5d2

SHA256
216ffd2688c03f2b1c3c8f5912c11b65796d9cf5ccf5d411f23cc48d72841e44

SHA512
a395fd690badf22ba660a8baf02c6612387115c24687ff65b2822765b1ff5b3711fd2bf0bd216c2893844489c40b553aaa7fa8aea7d543cc0b1201dd964457bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES98C5.tmp

Filesize
1KB

MD5
98bac1b6c7f27fc69fbe12215bd488b8

SHA1
bae4b0fe5cf5c43465cba6dbf4a7d20d77ba4ead

SHA256
ae94bf09ef4a239400b64bba0fcb97ad2277cc7a9a4b0f024e25f14f4eb9f0b1

SHA512
c36972c457d34ece8947c532443b8cb0c1ed644ff22509ad6e3f820b0a6e359acc995f0be2819b8cdcfa23e4858ee2f6da35f74d94781eb3f65f1feed6feca61

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9674.tmp.exe

Filesize
12KB

MD5
748df33a3facd66e4d38e1a482fadec4

SHA1
d7bf1c0c7670be0f7cfaba6e13cf8a71a1f414d4

SHA256
cb65a0355ed995aa1d43d7798faf9e35b76eb3f3639a996d054828ad632fd5ff

SHA512
1991687c3f322704b2b9a92d206532c9df37bc7c74082ed85caa21f7ef33c925c71ecbb7923654a4f19b26a2f9e83678e71b7ce7ed754fcc6f0004f03b119052

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9674.tmp.exe

Filesize
12KB

MD5
748df33a3facd66e4d38e1a482fadec4

SHA1
d7bf1c0c7670be0f7cfaba6e13cf8a71a1f414d4

SHA256
cb65a0355ed995aa1d43d7798faf9e35b76eb3f3639a996d054828ad632fd5ff

SHA512
1991687c3f322704b2b9a92d206532c9df37bc7c74082ed85caa21f7ef33c925c71ecbb7923654a4f19b26a2f9e83678e71b7ce7ed754fcc6f0004f03b119052

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc824342BAEC7649EC9CA98119962258A.TMP

Filesize
1KB

MD5
f42619c802437f6635629e4fe128660a

SHA1
a072bb4c577f1d28e41d616c89d3de874d4cc667

SHA256
1f9afdbdee907678cb9aeb145826468f5aa88abcd28993669021649148b8f8d2

SHA512
87584be31901501283959096fb9efd92c1a7488c0df6eb1f5c8c0852e509d3cad6fda60e7ed8b1581267c27d8ee0d4c71402096171d07c760d4b3661ef3b230a

Download Submit
memory/864-5-0x0000000005620000-0x0000000005630000-memory.dmp

Filesize
64KB

Download
memory/864-0-0x0000000000AB0000-0x0000000000ABA000-memory.dmp

Filesize
40KB

Download
memory/864-1-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/864-2-0x0000000005460000-0x00000000054FC000-memory.dmp

Filesize
624KB

Download
memory/864-25-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/4588-24-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/4588-26-0x00000000009A0000-0x00000000009AA000-memory.dmp

Filesize
40KB

Download
memory/4588-27-0x00000000058B0000-0x0000000005E54000-memory.dmp

Filesize
5.6MB

Download
memory/4588-28-0x00000000053A0000-0x0000000005432000-memory.dmp

Filesize
584KB

Download
memory/4588-30-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing