cb5af2a03f9cbc70939e980c1a13615048606e4193161bcdd7e0d4bb4a8d6013

General

Target

NEAS.e10bb39fee51a367e005545842ddd7d0.exe
Size

2.1MB
MD5

e10bb39fee51a367e005545842ddd7d0
SHA1

5bbaf56c880f1da3f328d4866ba7f6ffc4e510bb
SHA256

cb5af2a03f9cbc70939e980c1a13615048606e4193161bcdd7e0d4bb4a8d6013
SHA512

5ca53b2601aee56b1bd47660a59a48b312f0cec081e374828abbac95150339e456faeaa380437b5ef4f1b43d2f315f394c0c7cc74a4da7db8cf3b09424b09115
SSDEEP

49152:ISuNRA57o33qeEeQyvK6NoKJjmPKSs9ksr9RCdsrxYAJbHCH:IS8Rb33qeL7v75jmPKSKr9zjTCH

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\Control Panel\International\Geo\Nation	NEAS.e10bb39fee51a367e005545842ddd7d0.exe

Loads dropped DLL 2 IoCs

pid	Process
2784	rundll32.exe
536	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4584 wrote to memory of 3416	4584	NEAS.e10bb39fee51a367e005545842ddd7d0.exe	86
PID 4584 wrote to memory of 3416	4584	NEAS.e10bb39fee51a367e005545842ddd7d0.exe	86
PID 4584 wrote to memory of 3416	4584	NEAS.e10bb39fee51a367e005545842ddd7d0.exe	86
PID 3416 wrote to memory of 1944	3416	cmd.exe	89
PID 3416 wrote to memory of 1944	3416	cmd.exe	89
PID 3416 wrote to memory of 1944	3416	cmd.exe	89
PID 1944 wrote to memory of 2784	1944	control.exe	92
PID 1944 wrote to memory of 2784	1944	control.exe	92
PID 1944 wrote to memory of 2784	1944	control.exe	92
PID 2784 wrote to memory of 3172	2784	rundll32.exe	94
PID 2784 wrote to memory of 3172	2784	rundll32.exe	94
PID 3172 wrote to memory of 536	3172	RunDll32.exe	95
PID 3172 wrote to memory of 536	3172	RunDll32.exe	95
PID 3172 wrote to memory of 536	3172	RunDll32.exe	95

C:\Users\Admin\AppData\Local\Temp\NEAS.e10bb39fee51a367e005545842ddd7d0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.e10bb39fee51a367e005545842ddd7d0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7z8D3281E8\Rz.cmd" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3416
- - C:\Windows\SysWOW64\control.exe
    CONTROL.ExE "C:\Users\Admin\AppData\Local\Temp\7z8D3281E8\R.G"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1944
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7z8D3281E8\R.G"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2784
    - - C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7z8D3281E8\R.G"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3172
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\7z8D3281E8\R.G"
        6⤵
        Loads dropped DLL
        
        PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7z8D3281E8\R.G

Filesize
2.2MB

MD5
6bc5644050b53bb579a2603c7d6c7cfe

SHA1
a64be1090c9f1ee16d2e12abab5c154bd637965e

SHA256
8d0a8cbce31f63eb9e4bc11cb2ec1352151cdf9d948ff5ba39b657b38fe2d74d

SHA512
8cfb4b75409a38f487712ff7f7f0a8df85dd47f0afb167cac797f021dc0d23276dddef00940e0e01e665ca0a050024091fd7cfa2a380a9d6b74756d51fcb90ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z8D3281E8\R.g

Filesize
2.2MB

MD5
6bc5644050b53bb579a2603c7d6c7cfe

SHA1
a64be1090c9f1ee16d2e12abab5c154bd637965e

SHA256
8d0a8cbce31f63eb9e4bc11cb2ec1352151cdf9d948ff5ba39b657b38fe2d74d

SHA512
8cfb4b75409a38f487712ff7f7f0a8df85dd47f0afb167cac797f021dc0d23276dddef00940e0e01e665ca0a050024091fd7cfa2a380a9d6b74756d51fcb90ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z8D3281E8\R.g

Filesize
2.2MB

MD5
6bc5644050b53bb579a2603c7d6c7cfe

SHA1
a64be1090c9f1ee16d2e12abab5c154bd637965e

SHA256
8d0a8cbce31f63eb9e4bc11cb2ec1352151cdf9d948ff5ba39b657b38fe2d74d

SHA512
8cfb4b75409a38f487712ff7f7f0a8df85dd47f0afb167cac797f021dc0d23276dddef00940e0e01e665ca0a050024091fd7cfa2a380a9d6b74756d51fcb90ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z8D3281E8\Rz.cmd

Filesize
28B

MD5
84867930a2a73441556601a6aa1370b8

SHA1
d87fc8d222c02ee4692287ebe71bad3a088c0236

SHA256
82c7fbffb1eaa2b036e283a0b68702be31703058f10772eb92c2dcb10fa4183f

SHA512
beb55d7d25574d73385139b1cb25fecc20205f6f3284215f30bad4a7ef7091f90bba4df6b921e8f6240fb0322eec6d07fe2988f64d701e2f0be5a00d1046bf20

Download Submit
memory/536-31-0x0000000002DC0000-0x0000000002EAF000-memory.dmp

Filesize
956KB

Download
memory/536-30-0x0000000002DC0000-0x0000000002EAF000-memory.dmp

Filesize
956KB

Download
memory/536-27-0x0000000002DC0000-0x0000000002EAF000-memory.dmp

Filesize
956KB

Download
memory/536-26-0x0000000002CB0000-0x0000000002DBA000-memory.dmp

Filesize
1.0MB

Download
memory/536-21-0x0000000000B90000-0x0000000000B96000-memory.dmp

Filesize
24KB

Download
memory/2784-10-0x0000000010000000-0x000000001022C000-memory.dmp

Filesize
2.2MB

Download
memory/2784-19-0x0000000003240000-0x000000000332F000-memory.dmp

Filesize
956KB

Download
memory/2784-18-0x0000000003240000-0x000000000332F000-memory.dmp

Filesize
956KB

Download
memory/2784-15-0x0000000003240000-0x000000000332F000-memory.dmp

Filesize
956KB

Download
memory/2784-14-0x0000000003130000-0x000000000323A000-memory.dmp

Filesize
1.0MB

Download
memory/2784-9-0x0000000000FC0000-0x0000000000FC6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing