4c2e85fab6ab216760118a3d4f088136f4f861b494b5ca1842da8546f6621ee0

General

Target

NEAS.121dda580ffd1ccd3394a9281a545c60.exe
Size

12KB
MD5

121dda580ffd1ccd3394a9281a545c60
SHA1

1c53598432e545d1ff0dd117911d5dfedbe4ec69
SHA256

4c2e85fab6ab216760118a3d4f088136f4f861b494b5ca1842da8546f6621ee0
SHA512

b9a19117b7fc19d9e73399ad5423ad2b7162431cb48af173145df112bb2396714dfd72982e87212bce939e5808fc58e50917d64ffbdfa94cadc9eb8fb07541d2
SSDEEP

384:gL7li/2zTq2DcEQvdhcJKLTp/NK9xaGC:+PM/Q9cGC

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	NEAS.121dda580ffd1ccd3394a9281a545c60.exe

Deletes itself 1 IoCs

pid	Process
2556	tmpF3A.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2556	tmpF3A.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1208	NEAS.121dda580ffd1ccd3394a9281a545c60.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 1080	1208	NEAS.121dda580ffd1ccd3394a9281a545c60.exe	102
PID 1208 wrote to memory of 1080	1208	NEAS.121dda580ffd1ccd3394a9281a545c60.exe	102
PID 1208 wrote to memory of 1080	1208	NEAS.121dda580ffd1ccd3394a9281a545c60.exe	102
PID 1080 wrote to memory of 1684	1080	vbc.exe	105
PID 1080 wrote to memory of 1684	1080	vbc.exe	105
PID 1080 wrote to memory of 1684	1080	vbc.exe	105
PID 1208 wrote to memory of 2556	1208	NEAS.121dda580ffd1ccd3394a9281a545c60.exe	110
PID 1208 wrote to memory of 2556	1208	NEAS.121dda580ffd1ccd3394a9281a545c60.exe	110
PID 1208 wrote to memory of 2556	1208	NEAS.121dda580ffd1ccd3394a9281a545c60.exe	110

C:\Users\Admin\AppData\Local\Temp\NEAS.121dda580ffd1ccd3394a9281a545c60.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.121dda580ffd1ccd3394a9281a545c60.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5zrormui\5zrormui.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES88DD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAB6CCAC8E0E4510A112E982AC46E248.TMP"
    3⤵
    PID:1684
- C:\Users\Admin\AppData\Local\Temp\tmpF3A.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpF3A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\NEAS.121dda580ffd1ccd3394a9281a545c60.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5zrormui\5zrormui.0.vb

Filesize
2KB

MD5
4b9ffd6785633ea0984c2efabef43286

SHA1
dbf863843f570d08fd329a33835e43b41ef46a47

SHA256
f851ba253e52fd2467158da9bf5b0188d6f5e8db616542a252b6ed8447a79f9b

SHA512
2fb82476edde1d0bf65fcef99660fc6c7cef227f1c9b2d8875805e4e0e351921a18fd600dc8e020a0337fd373429fa3ba3e21b37cf1bbcd7497edc5bd5f0c9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\5zrormui\5zrormui.cmdline

Filesize
272B

MD5
626c610a5156a76f8565f35376413a2a

SHA1
3714d1d76dd3b543a6b0591b37c30bac9fc7fd16

SHA256
bc7d1cb90b248c5d022373449085b38b3e422536cbb8f02939f44ca3f4788098

SHA512
3caab33336056a6d21cc57d9da56078bfeb8d02d8b941d2600dc4e503d0d7bf12e03d66bf1d297ba5c3222be0b3952f03b44aef79702760fb4c8397aaadebace

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
96fd06b9b6c7b11c6ecd7adf52a2fe01

SHA1
230d315e6213d2402fb9c4214c00a734944b8a3b

SHA256
eaac7b61f41c3e1fab0ba680b3a71f6ff4868cac226973421b1f5cad29a12435

SHA512
683a7ced27d5244ae221d03ec852465e0fef65cc4cb9445aaa0aacade24f2fe033ee07fd349d9a0c9151831bbe73c9b448826050845d1b505a2b757151965dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES88DD.tmp

Filesize
1KB

MD5
6d69d7cb4a1b5f6134466f92e1728268

SHA1
3a1231396cac74e37a34aa808e36bb552520e251

SHA256
b86de0218aea679665a5b7775f5ca8a5c05ca6a5a93696dd4ecbd477af73f0ba

SHA512
b57372deb77bf9b81a3448dbfcdb189a73a38acbf3be4bd66952d4621920c6130da0f0f570be2308a04d00b10b1007dca5b1f0065d29108c672b46a360d9a73f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF3A.tmp.exe

Filesize
12KB

MD5
0d70a2e961739ea4e1afc017f0d4eccb

SHA1
6902acddb12b0a0746df9c09caa40c554d2d2b70

SHA256
05ddd0304008f85bf8773a8af820a3463015565423a2fb4202e2e210e06d328a

SHA512
8bb702aac7d8e9147fa14c7e4f779c5b3e43cbb08957b1812812e2b69b7b897cc15aaa960aaa2522842c567830d888cefd601f5ac7b07005d450ef504a074ad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF3A.tmp.exe

Filesize
12KB

MD5
0d70a2e961739ea4e1afc017f0d4eccb

SHA1
6902acddb12b0a0746df9c09caa40c554d2d2b70

SHA256
05ddd0304008f85bf8773a8af820a3463015565423a2fb4202e2e210e06d328a

SHA512
8bb702aac7d8e9147fa14c7e4f779c5b3e43cbb08957b1812812e2b69b7b897cc15aaa960aaa2522842c567830d888cefd601f5ac7b07005d450ef504a074ad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAB6CCAC8E0E4510A112E982AC46E248.TMP

Filesize
1KB

MD5
276f17cbfcc0b6bb68804e4071186761

SHA1
e2f85084b88b8b3a6bbb49ee7ea8117263324d33

SHA256
6b4c8c709b40d3e0202c67cc7df74d00aba9874dc852a4b9c905eb70098b423f

SHA512
697bccf85121a4ea1a7e080354d82f02d29d33eb6b7e8aa06ec37c3a50660b96246f5b992468c7cf561ff6efc10dff4e02543e21104d34adfd4cf1053511d373

Download Submit
memory/1208-1-0x0000000000900000-0x000000000090A000-memory.dmp

Filesize
40KB

Download
memory/1208-6-0x0000000005550000-0x0000000005560000-memory.dmp

Filesize
64KB

Download
memory/1208-2-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/1208-0-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/1208-11-0x0000000005550000-0x0000000005560000-memory.dmp

Filesize
64KB

Download
memory/1208-3-0x00000000052C0000-0x000000000535C000-memory.dmp

Filesize
624KB

Download
memory/1208-28-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/2556-26-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/2556-25-0x0000000000B40000-0x0000000000B4A000-memory.dmp

Filesize
40KB

Download
memory/2556-29-0x0000000005AB0000-0x0000000006054000-memory.dmp

Filesize
5.6MB

Download
memory/2556-30-0x0000000005500000-0x0000000005592000-memory.dmp

Filesize
584KB

Download
memory/2556-31-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/2556-33-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing