8586d00273940e3a67b744a4a8280aa051ea7f4c1a52ecbf63a9c2e08e86f865

General

Target

NEAS.e819264d61ce63b4944dd9590f251490_JC.exe
Size

464KB
MD5

e819264d61ce63b4944dd9590f251490
SHA1

372e81a36cc9d4af8384781e897e77d60ac6f36c
SHA256

8586d00273940e3a67b744a4a8280aa051ea7f4c1a52ecbf63a9c2e08e86f865
SHA512

f9394c892b50d5b8c63e972c16da4c706625f46365bf54d3fea9c7dcc73f19aae09ce6f16ace8e13d648af1ff61349ecaf962d5259749731eaca2b76a3a1d8c1
SSDEEP

6144:/pW2bgbbV28okoS1oWMkdlZQ5iioc+npLspl8uXH:/pW2IoioS6KCX

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Disables Task Manager via registry modification
evasion

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.e819264d61ce63b4944dd9590f251490_JC.exe BATCF %1"	NEAS.e819264d61ce63b4944dd9590f251490_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 13 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.e819264d61ce63b4944dd9590f251490_JC.exe NTPAD %1"	NEAS.e819264d61ce63b4944dd9590f251490_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.e819264d61ce63b4944dd9590f251490_JC.exe JPGIF %1"	NEAS.e819264d61ce63b4944dd9590f251490_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\giffile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.e819264d61ce63b4944dd9590f251490_JC.exe JPGIF %1"	NEAS.e819264d61ce63b4944dd9590f251490_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\icofile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.e819264d61ce63b4944dd9590f251490_JC.exe JPGIF %1"	NEAS.e819264d61ce63b4944dd9590f251490_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.e819264d61ce63b4944dd9590f251490_JC.exe JPGIF %1"	NEAS.e819264d61ce63b4944dd9590f251490_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\rtffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.e819264d61ce63b4944dd9590f251490_JC.exe RTFDF %1"	NEAS.e819264d61ce63b4944dd9590f251490_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.e819264d61ce63b4944dd9590f251490_JC.exe NTPAD %1"	NEAS.e819264d61ce63b4944dd9590f251490_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.e819264d61ce63b4944dd9590f251490_JC.exe BATCF %1"	NEAS.e819264d61ce63b4944dd9590f251490_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.e819264d61ce63b4944dd9590f251490_JC.exe CMDSF %1"	NEAS.e819264d61ce63b4944dd9590f251490_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.e819264d61ce63b4944dd9590f251490_JC.exe HTMWF %1"	NEAS.e819264d61ce63b4944dd9590f251490_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.e819264d61ce63b4944dd9590f251490_JC.exe NTPAD %1"	NEAS.e819264d61ce63b4944dd9590f251490_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.e819264d61ce63b4944dd9590f251490_JC.exe NTPAD %1"	NEAS.e819264d61ce63b4944dd9590f251490_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.e819264d61ce63b4944dd9590f251490_JC.exe VBSSF %1"	NEAS.e819264d61ce63b4944dd9590f251490_JC.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2944	reg.exe
2964	reg.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 2944	2424	NEAS.e819264d61ce63b4944dd9590f251490_JC.exe	28
PID 2424 wrote to memory of 2944	2424	NEAS.e819264d61ce63b4944dd9590f251490_JC.exe	28
PID 2424 wrote to memory of 2944	2424	NEAS.e819264d61ce63b4944dd9590f251490_JC.exe	28
PID 2424 wrote to memory of 2964	2424	NEAS.e819264d61ce63b4944dd9590f251490_JC.exe	30
PID 2424 wrote to memory of 2964	2424	NEAS.e819264d61ce63b4944dd9590f251490_JC.exe	30
PID 2424 wrote to memory of 2964	2424	NEAS.e819264d61ce63b4944dd9590f251490_JC.exe	30

C:\Users\Admin\AppData\Local\Temp\NEAS.e819264d61ce63b4944dd9590f251490_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.e819264d61ce63b4944dd9590f251490_JC.exe"
1⤵
- Modifies system executable filetype association
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:2944
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ds6hx1wqxv.exe

Filesize
464KB

MD5
8bac7c6191005ad52871bbd08c98ab7b

SHA1
ba8ff2806a1b9d7a6ed70db7e9375f4c3785d4b6

SHA256
7bcfba7977a0932295be23180eab9dc8c51fdfffd79dab8d8f33b11ca3bbbee3

SHA512
63520ae449cb292ba4be5a2a729c3ea386db366b35777441b60616e5fcd184df69e56cfa0aaf80dc6430bc6c14db27a03177c333923da8d9fa4aea6a75a1d95b

Download Submit
memory/2424-0-0x0000000000FD0000-0x0000000000FF8000-memory.dmp

Filesize
160KB

Download
memory/2424-1-0x000007FEF6140000-0x000007FEF6B2C000-memory.dmp

Filesize
9.9MB

Download
memory/2424-2-0x000000001A910000-0x000000001A990000-memory.dmp

Filesize
512KB

Download
memory/2424-737-0x000007FEF6140000-0x000007FEF6B2C000-memory.dmp

Filesize
9.9MB

Download
memory/2424-814-0x000000001A910000-0x000000001A990000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads