4c2e85fab6ab216760118a3d4f088136f4f861b494b5ca1842da8546f6621ee0

General

Target

NEAS.121dda580ffd1ccd3394a9281a545c60.exe
Size

12KB
MD5

121dda580ffd1ccd3394a9281a545c60
SHA1

1c53598432e545d1ff0dd117911d5dfedbe4ec69
SHA256

4c2e85fab6ab216760118a3d4f088136f4f861b494b5ca1842da8546f6621ee0
SHA512

b9a19117b7fc19d9e73399ad5423ad2b7162431cb48af173145df112bb2396714dfd72982e87212bce939e5808fc58e50917d64ffbdfa94cadc9eb8fb07541d2
SSDEEP

384:gL7li/2zTq2DcEQvdhcJKLTp/NK9xaGC:+PM/Q9cGC

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2440	tmp8F36.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2440	tmp8F36.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2288	NEAS.121dda580ffd1ccd3394a9281a545c60.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2288	NEAS.121dda580ffd1ccd3394a9281a545c60.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 2304	2288	NEAS.121dda580ffd1ccd3394a9281a545c60.exe	28
PID 2288 wrote to memory of 2304	2288	NEAS.121dda580ffd1ccd3394a9281a545c60.exe	28
PID 2288 wrote to memory of 2304	2288	NEAS.121dda580ffd1ccd3394a9281a545c60.exe	28
PID 2288 wrote to memory of 2304	2288	NEAS.121dda580ffd1ccd3394a9281a545c60.exe	28
PID 2304 wrote to memory of 2652	2304	vbc.exe	30
PID 2304 wrote to memory of 2652	2304	vbc.exe	30
PID 2304 wrote to memory of 2652	2304	vbc.exe	30
PID 2304 wrote to memory of 2652	2304	vbc.exe	30
PID 2288 wrote to memory of 2440	2288	NEAS.121dda580ffd1ccd3394a9281a545c60.exe	31
PID 2288 wrote to memory of 2440	2288	NEAS.121dda580ffd1ccd3394a9281a545c60.exe	31
PID 2288 wrote to memory of 2440	2288	NEAS.121dda580ffd1ccd3394a9281a545c60.exe	31
PID 2288 wrote to memory of 2440	2288	NEAS.121dda580ffd1ccd3394a9281a545c60.exe	31

C:\Users\Admin\AppData\Local\Temp\NEAS.121dda580ffd1ccd3394a9281a545c60.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.121dda580ffd1ccd3394a9281a545c60.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zc1b0hqb\zc1b0hqb.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES928F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7104EF8981B64CD19BED36C0EE1FFD29.TMP"
    3⤵
    PID:2652
- C:\Users\Admin\AppData\Local\Temp\tmp8F36.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8F36.tmp.exe" C:\Users\Admin\AppData\Local\Temp\NEAS.121dda580ffd1ccd3394a9281a545c60.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
f6793bfc64d1bee5e91ee9a7c05ef77d

SHA1
b15e57baff96cd9fa187bd2138bb37f17e6c7907

SHA256
51cb5a06cce538d48202816d9b0ca987e119dcb052bde45630ae77e3d2cf19ae

SHA512
0eccd473143a6ecfe58493c5a8ce33dcb00b8b49c80610693b2431c94a76d2a19ba14c552bcbdd91e6081c9c5acb8e81567b960fc1608a64c018dacdcd9c33c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES928F.tmp

Filesize
1KB

MD5
44918d68dff70ce4ce65398967ed987c

SHA1
6873cc5da08326123a2e137ff943347933c10690

SHA256
3cdcdb4dd9a36ca257bcb10ac4ce88d7a5489d832b3354797c09813202a81236

SHA512
a91d8606667e0e72d32c65bd0ea1144043ee2fc2d1c8e59059d0280cd3924243ec7a4cc706619dbe366258d5f93f014b8c3a50fe6b0a654d3bc27e03daa4da2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8F36.tmp.exe

Filesize
12KB

MD5
fe1d705d463758a5ec1e757e91015f6d

SHA1
756e1e7a1f0ec1243dc93f4f5b0ad0e5f1f25667

SHA256
643e0612fdd853c0856462bfc8c66a889dc018f3cfb952bec32c3544a58ed527

SHA512
544373e4b349ab5d4178d0b7a11114851fce5d6e9f0a78d49c9d6e437358544748bf495b1bf3f73310e790e9f7b24475687f021ce3e3abb23d4b056b569cdbd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8F36.tmp.exe

Filesize
12KB

MD5
fe1d705d463758a5ec1e757e91015f6d

SHA1
756e1e7a1f0ec1243dc93f4f5b0ad0e5f1f25667

SHA256
643e0612fdd853c0856462bfc8c66a889dc018f3cfb952bec32c3544a58ed527

SHA512
544373e4b349ab5d4178d0b7a11114851fce5d6e9f0a78d49c9d6e437358544748bf495b1bf3f73310e790e9f7b24475687f021ce3e3abb23d4b056b569cdbd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7104EF8981B64CD19BED36C0EE1FFD29.TMP

Filesize
1KB

MD5
3786204ff01d4baf3f3b00c42338b0c0

SHA1
6b2767cf56e864aaa931eb4814d7c4c8fe49a111

SHA256
66a38587befe120788f547e18ebddea2d2f54ebd52c30580ecf9216ca0622225

SHA512
0788399c4d8fdb3f03c3e0a037808f61ffd85bd5b4c30d69ada8c00bb7cef3cfa893806b94b034c174f8509908a5926fa6319eccbd179698899ee28ac0a89ab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zc1b0hqb\zc1b0hqb.0.vb

Filesize
2KB

MD5
6d86f8d46eed341be89767d2c5eb470d

SHA1
ebbb87be6658e5dfadf6ef8f1dcbfa55d465846f

SHA256
c41d508918cc4935c74271d430a79556fd25fde891a572634091972653d9fc8f

SHA512
f31c933d7eacb3396da067a28fa0d45fffbd25972bbccf36a7fee68f60409f4896c13b2606f8514d9aaa3f17366257a0266d117a53b7da06c22872d886c0950e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zc1b0hqb\zc1b0hqb.cmdline

Filesize
273B

MD5
1ea530f21b59e4e58f306c570fe50d2f

SHA1
c7f49406a5c9b83dad7f6cd696d1e1b5a38885f2

SHA256
240f939658fe72e5ac54785c8754d4b551514ca3758ade7ecffef5b8fee77bcb

SHA512
e68eac335c1eb9824af93ace3f8186b104db1e374f7c6bdd495797a42ded6f350940a0c2079a350f0b007a8fc17eb860107befdfe4539d60369221e66b8ba96f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp8F36.tmp.exe

Filesize
12KB

MD5
fe1d705d463758a5ec1e757e91015f6d

SHA1
756e1e7a1f0ec1243dc93f4f5b0ad0e5f1f25667

SHA256
643e0612fdd853c0856462bfc8c66a889dc018f3cfb952bec32c3544a58ed527

SHA512
544373e4b349ab5d4178d0b7a11114851fce5d6e9f0a78d49c9d6e437358544748bf495b1bf3f73310e790e9f7b24475687f021ce3e3abb23d4b056b569cdbd2

Download Submit
memory/2288-0-0x0000000001080000-0x000000000108A000-memory.dmp

Filesize
40KB

Download
memory/2288-4-0x0000000004840000-0x0000000004880000-memory.dmp

Filesize
256KB

Download
memory/2288-1-0x0000000074A70000-0x000000007515E000-memory.dmp

Filesize
6.9MB

Download
memory/2288-24-0x0000000074A70000-0x000000007515E000-memory.dmp

Filesize
6.9MB

Download
memory/2440-23-0x0000000074A70000-0x000000007515E000-memory.dmp

Filesize
6.9MB

Download
memory/2440-25-0x0000000000AC0000-0x0000000000ACA000-memory.dmp

Filesize
40KB

Download
memory/2440-26-0x0000000074A70000-0x000000007515E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing