Analysis

  • max time kernel
    157s
  • max time network
    167s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-10-2023 19:55

General

  • Target

    NEAS.6f73aefca8eb7c05cb79f2de3d3e6f60.exe

  • Size

    2.1MB

  • MD5

    6f73aefca8eb7c05cb79f2de3d3e6f60

  • SHA1

    8ff2ce9b2425de429f50f5b22ac0993afb5bee51

  • SHA256

    0e6b9a4cedfdbdfbb57892f8fc8a0fbab0016aa23fee89aa3a397706a09ba15c

  • SHA512

    32ba78b881aaa2418e906d4d9fcd0efa26bc3d6765ddaa071e2d747072104fe4fede21998accc9a0e4e60b4b2943613a45cde1fac3fc188f9a4064b3ffdec2c9

  • SSDEEP

    6144:LcFvrd1rWkNYiclkBw1x42dy8r1YAbycKqH86JQPDHDdx/QtqV:w1dCicWy1xFc8r1NbZKQPJQPDHvd

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
  • UAC bypass 3 TTPs 12 IoCs
  • Adds policy Run key to start application 2 TTPs 30 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • System policy modification 1 TTPs 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.6f73aefca8eb7c05cb79f2de3d3e6f60.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.6f73aefca8eb7c05cb79f2de3d3e6f60.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Adds policy Run key to start application
    • Disables RegEdit via registry modification
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4840
    • C:\Users\Admin\AppData\Local\Temp\yailv.exe
      "C:\Users\Admin\AppData\Local\Temp\yailv.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • System policy modification
      PID:3552
    • C:\Users\Admin\AppData\Local\Temp\yailv.exe
      "C:\Users\Admin\AppData\Local\Temp\yailv.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Modifies registry class
      • System policy modification
      PID:4568
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1900
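The signatures above all resolve to a handful of well-known registry locations (Winlogon Shell/Userinit, the Run and Policies\Explorer\Run autostart keys, DisableRegistryTools, EnableLUA). The following PowerShell script is an added triage example, not part of the sandbox report: it reads those locations on a host you suspect ran this sample and returns anything that departs from a stock Windows 10 baseline. The baseline values for Shell and Userinit are assumptions for a default install; run it from an elevated session.

```powershell
# Added example (not part of the sandbox report): audit the registry locations behind the
# report's persistence/policy signatures. Baseline values are assumptions for a stock
# Windows 10 install; a deviation is a finding to review, not proof of infection.

$ErrorActionPreference = 'SilentlyContinue'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-PersistenceFindings {
    $findings = New-Object System.Collections.Generic.List[object]

    # "Modifies WinLogon for persistence": Shell/Userinit hijack under HKLM, or a per-user
    # override under HKCU (no such values exist there by default).
    $winlogon = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $baseline = @{ Shell = 'explorer.exe'; Userinit = 'C:\Windows\system32\userinit.exe,' }
    foreach ($name in $baseline.Keys) {
        $hklm = Get-RegValue "HKLM:\$winlogon" $name
        if ($hklm -and $hklm -ne $baseline[$name]) {
            $findings.Add([pscustomobject]@{ Check = "Winlogon\$name (HKLM)"; Value = $hklm; Suspicious = $true })
        }
        $hkcu = Get-RegValue "HKCU:\$winlogon" $name
        if ($hkcu) {
            $findings.Add([pscustomobject]@{ Check = "Winlogon\$name (HKCU override)"; Value = $hkcu; Suspicious = $true })
        }
    }

    # "Adds Run key" / "Adds policy Run key": list every autostart value and flag those that
    # launch from user-writable locations, as the dropped yailv.exe in %TEMP% would.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    )
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key
        if ($null -eq $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... provider metadata
            $value = [string]$p.Value
            $suspicious = $value -match '(?i)\\AppData\\|\\Temp\\|\\Users\\Public\\'
            $findings.Add([pscustomobject]@{ Check = "Autostart $key\$($p.Name)"; Value = $value; Suspicious = $suspicious })
        }
    }

    # "Disables RegEdit via registry modification" and "Checks whether UAC is enabled".
    $drt = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' 'DisableRegistryTools'
    if ($drt) {
        $findings.Add([pscustomobject]@{ Check = 'DisableRegistryTools (HKCU)'; Value = $drt; Suspicious = $true })
    }
    $lua = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLUA'
    if ($lua -ne 1) {
        # Missing or 0 both mean UAC prompts are off, which is what a UAC bypass leaves behind.
        $findings.Add([pscustomobject]@{ Check = 'EnableLUA (HKLM)'; Value = $lua; Suspicious = $true })
    }

    return $findings
}

Get-PersistenceFindings | Format-Table -AutoSize
```

Every autostart value is listed, not only the flagged ones, because a legitimate-looking name under Policies\Explorer\Run is still worth a look: that key is normally empty on a workstation that is not domain-managed.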

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Program Files (x86)\zwzxcbbcwzvvpmghrszwzx.bbc

      Filesize

      260B

      MD5

      055c5f3aa728d4f38620af235bae117b

      SHA1

      dfa6cce14ad7711ee59d1f6b741c7c27a44b9def

      SHA256

      3d8e5c9947e1996cafde5f4e594d3adaf1428f6d476cc0107293a2f9a0351d7d

      SHA512

      5cf2497e4cdb8cdae2a4e6705fefca675fa246129b9f92000bc1b18922ed0346a21c58ca05a758eb139417ce49cc3a2a474d204e1d8cc21e24d99c3aa8f13d2b

    • C:\Program Files (x86)\zwzxcbbcwzvvpmghrszwzx.bbc

      Filesize

      260B

      MD5

      e2779805c69d2b0a4ad1e7d92946fde0

      SHA1

      62e050718d4c7e29b26bf2d58e6bee59fe4e1082

      SHA256

      42d9768a8bd50bd7bb7814d1afba521008703c5b38fbe81c1677d3bf8293aede

      SHA512

      88d20da1b511c103829f2a865822c32e2cbddb37e10e72863353bc1cf43f16bdcd09a79eb3b09da65feb471d59f59f84f08aa8862642b100eb80bdbd2c3f7e0c

    • C:\Program Files (x86)\zwzxcbbcwzvvpmghrszwzx.bbc

      Filesize

      260B

      MD5

      39816b6ff2432988346f11b8ea6604f2

      SHA1

      a2adc9bb860e61aa2fcbd69dd282681ca6c9eafc

      SHA256

      6cec205568e3bed5f05983306e3a454ea5bb0ed497b4748e51e599b75dee7818

      SHA512

      a5404636f8ad89cb53c4e7ec90cdb13500a827132ff3075fe376afe6933d6c53f8c3a7e76a6b666673343e0279c34bb63886ac7ea817a7b38949cf876826289b

    • C:\Program Files (x86)\zwzxcbbcwzvvpmghrszwzx.bbc

      Filesize

      260B

      MD5

      3de8a0f0ae9d9417806bb8d155c3bd9d

      SHA1

      a2780529700179ea17b4a3d46f59135fe1bdfa85

      SHA256

      73dd3860063df37144e81148bbc1106ed07907fb6ad935c56ae0e4d825998a2c

      SHA512

      677963d2b7f6f630336a43d84a1ddfbdec4efced50e6b284974e1274e7fbb69e2a3106ffd1c964e41c749bad03e01b4527046e3f6ba60edf94a667f6e483d236

    • C:\Program Files (x86)\zwzxcbbcwzvvpmghrszwzx.bbc

      Filesize

      260B

      MD5

      0b6912690f3b98c0bd9ceb323d63064d

      SHA1

      ee3af52089ddfe4cc86a9ee150f8a63a9b1fcbdd

      SHA256

      bfcaf88a9ab7da6498c101fd9b6cc37edec6b723360dd701ada565f927303e41

      SHA512

      11127bc551249960b72d7cf7f053ac30f9d99da730d50bacd1cfa940b0630ab1bcc41f4cb76c956006a35e611aee4ebe40e37a2b77f6e7a91e99be2a71c3d270

    • C:\Users\Admin\AppData\Local\Temp\yailv.exe

      Filesize

      3.1MB

      MD5

      5c9d8cbb327a1c6d5aeb6ae5057c2c8e

      SHA1

      1724e1658247ee984135f42b82156c3841197b88

      SHA256

      ba4979d3b8d4273ee87363d48012a61fe8c5fdac9085db6714a45c2a01845da8

      SHA512

      b0d6bca6063f24dbf471f2a2d7a6270b800813fde1c2dd851ac04a199a129e44d0fe77f3a07fa316ce6f7a5704c2ef4e9cf064a118b544bcbabc084f7fbfbc8d

    • C:\Users\Admin\AppData\Local\qymvlvgsxlsdiqvhcogoclblwinbitygl.sew

      Filesize

      3KB

      MD5

      5a84dd7243dc5fc91122eec20363c943

      SHA1

      0b60419aca5f26e4002bd81014093b2933f6c3b7

      SHA256

      6ed8c914080b9fadf54ae5ee76d3d2bf0a3b5de9293a20c58a2a204f0394733f

      SHA512

      fa619ad96152fb5109e866d73bf4de03e027757c2bced994069ed127b1ccaef22dabd8893f563200e91fe829910241dbd4553866bc044e0760bb3ef5b26f59bf

    • C:\Users\Admin\AppData\Local\zwzxcbbcwzvvpmghrszwzx.bbc

      Filesize

      260B

      MD5

      005f7fe3b39d72489713ddd1f78cb8b7

      SHA1

      79865979e149bbc41470f58a604b0a614ca4e7d1

      SHA256

      8fc73dcd5782cba408982439cc83c8881b17f50721601fbec81cc85d0195072d

      SHA512

      1810eabb92f2c1df3acc46a9a8c134f773e4152f3d347350d6f9f5c5dfd6ce2ed1519e772c9506296c3e4dccb6d73ca52a023f2a2abce1ae72823bb73a71c802
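The Downloads list gives file paths and hashes that can be swept for on a host. Note what the hashes support: yailv.exe is one fixed 3.1MB payload with a single SHA256, while the 260-byte .bbc file was written several times with a different hash each time, so it is most likely runtime state rather than a static artifact and is only useful as a path indicator. The following PowerShell script is an added example, not part of the sandbox report; it uses a wildcard for the profile directory because "Admin" is the sandbox user, not necessarily the user on the host being checked.

```powershell
# Added example (not part of the sandbox report): look for the files this run dropped, using
# the paths and the yailv.exe SHA256 from the Downloads section. The .bbc/.sew artifacts are
# matched by path only, since their content differed between writes in the sandbox.

$droppedExe = @{
    Path   = 'C:\Users\*\AppData\Local\Temp\yailv.exe'
    Sha256 = 'ba4979d3b8d4273ee87363d48012a61fe8c5fdac9085db6714a45c2a01845da8'
}
$droppedArtifacts = @(
    'C:\Program Files (x86)\zwzxcbbcwzvvpmghrszwzx.bbc',
    'C:\Users\*\AppData\Local\zwzxcbbcwzvvpmghrszwzx.bbc',
    'C:\Users\*\AppData\Local\qymvlvgsxlsdiqvhcogoclblwinbitygl.sew'
)

function Find-DroppedFiles {
    $hits = New-Object System.Collections.Generic.List[object]

    # The payload: present-and-matching vs present-with-a-different-hash are different findings.
    foreach ($f in Get-ChildItem -Path $droppedExe.Path -File -Force -ErrorAction SilentlyContinue) {
        $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash.ToLower()
        if ($hash -eq $droppedExe.Sha256) {
            $match = 'SHA256 matches report'
        } else {
            $match = "present, different SHA256: $hash"
        }
        $hits.Add([pscustomobject]@{ Path = $f.FullName; Size = $f.Length; Match = $match })
    }

    # The state files: path match only, content is not stable across runs.
    foreach ($pattern in $droppedArtifacts) {
        foreach ($f in Get-ChildItem -Path $pattern -File -Force -ErrorAction SilentlyContinue) {
            $hits.Add([pscustomobject]@{ Path = $f.FullName; Size = $f.Length; Match = 'path matches report (content varies per run)' })
        }
    }
    return $hits
}

Find-DroppedFiles | Format-Table -AutoSize
```

A yailv.exe that is present with a different hash is still worth collecting: the dropper name is fixed by the sample, so a hash mismatch usually means a repacked build rather than an unrelated file.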