bcfb9abe343c0c3a93c86fd9923c79c95d97776f4733feba409c030908870071

General

Target

NEAS.20e3aa334802f806ed78c72f08d9d700.exe
Size

12KB
MD5

20e3aa334802f806ed78c72f08d9d700
SHA1

73256fdee8aca5ec85db0355dca6db869d63221e
SHA256

bcfb9abe343c0c3a93c86fd9923c79c95d97776f4733feba409c030908870071
SHA512

43235216e28828e919b3d0d4dcf6251171bddb5aff7c22fa2d4f5ab3a6bf33b3cc8c97d9c9af4bdd57af23c1f5e7de569b5c05aff59b2fb0d2716d71658521cc
SSDEEP

384:KL7li/2zDq2DcEQvdhcJKLTp/NK9xaPn:UHM/Q9cPn

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2680	tmp7F10.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2680	tmp7F10.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2872	NEAS.20e3aa334802f806ed78c72f08d9d700.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2872	NEAS.20e3aa334802f806ed78c72f08d9d700.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2876	2872	NEAS.20e3aa334802f806ed78c72f08d9d700.exe	28
PID 2872 wrote to memory of 2876	2872	NEAS.20e3aa334802f806ed78c72f08d9d700.exe	28
PID 2872 wrote to memory of 2876	2872	NEAS.20e3aa334802f806ed78c72f08d9d700.exe	28
PID 2872 wrote to memory of 2876	2872	NEAS.20e3aa334802f806ed78c72f08d9d700.exe	28
PID 2876 wrote to memory of 2776	2876	vbc.exe	30
PID 2876 wrote to memory of 2776	2876	vbc.exe	30
PID 2876 wrote to memory of 2776	2876	vbc.exe	30
PID 2876 wrote to memory of 2776	2876	vbc.exe	30
PID 2872 wrote to memory of 2680	2872	NEAS.20e3aa334802f806ed78c72f08d9d700.exe	31
PID 2872 wrote to memory of 2680	2872	NEAS.20e3aa334802f806ed78c72f08d9d700.exe	31
PID 2872 wrote to memory of 2680	2872	NEAS.20e3aa334802f806ed78c72f08d9d700.exe	31
PID 2872 wrote to memory of 2680	2872	NEAS.20e3aa334802f806ed78c72f08d9d700.exe	31

C:\Users\Admin\AppData\Local\Temp\NEAS.20e3aa334802f806ed78c72f08d9d700.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.20e3aa334802f806ed78c72f08d9d700.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lcc5whxl\lcc5whxl.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES87C6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6CF574B9927B4930A8D07598B286919.TMP"
    3⤵
    PID:2776
- C:\Users\Admin\AppData\Local\Temp\tmp7F10.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7F10.tmp.exe" C:\Users\Admin\AppData\Local\Temp\NEAS.20e3aa334802f806ed78c72f08d9d700.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
16ff3ef6ff9020e570f42b94ef6ef59c

SHA1
78e1667064c3ed8a785af24fd196f982b152d19a

SHA256
6cf02b097ed3365b52fcb21506872030f97f6091741a4b0aa639e6168c31c1b0

SHA512
d519f85d8b82dbedac27607777226a528de1a14de7f624eeddf95ae22424a5021a33fd3ca02f1edfcf53f4f7783f52e1a5e394bc855240b1da96fd8dafda817b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES87C6.tmp

Filesize
1KB

MD5
dc74e393cc08b4118dd2893910737bb0

SHA1
73c5e023b2a8e45685ff9ee30c470fcaac55a660

SHA256
829c7925da775e4dac5c1c12680b4d8d68fb0b13b001c7f311b3a9d66f6365f7

SHA512
51c2e6fdde85fc1e275deac065dbe49d88696af738ded4a68df552b3386f17f3056e6ef65aa1c92621cbf3e5c5f626dcf0d37acdde951f458bedd297c382b037

Download Submit
C:\Users\Admin\AppData\Local\Temp\lcc5whxl\lcc5whxl.0.vb

Filesize
2KB

MD5
18c89170270aacd60db1f787b316f45a

SHA1
5b98b6ce3cf6767285fc54c6dde61f1170946e5f

SHA256
71552cf5f196e9162833e78a6ef53ce86e947143acfc972090644e240846f88c

SHA512
cdc4a923d39e6cd24d831d22723ced222615dee308e2593497a8a1ccba1f4fa44660dcf09a3e112d589a38362e9f2b63c1408333e54df5c3d4f522994f72895a

Download Submit
C:\Users\Admin\AppData\Local\Temp\lcc5whxl\lcc5whxl.cmdline

Filesize
273B

MD5
29a9800089e2fa979c75ba8c2a3376a6

SHA1
0e83fd0aaa1dfd429b7f2e4a0b4db00474265f76

SHA256
68b7abffaafe74cd297c9e5b2dda903b47185f6dc8c68dcd33383d43a97eea76

SHA512
86ff599833b3efcaf55721b812349eb93b51f047cdfa33bc39a3d19395169124c8b71bd22f113e7c00b56308da07ae92d4e149e738e08f81b79a4e34eb05b4ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7F10.tmp.exe

Filesize
12KB

MD5
ff177f3e1b3c92a003e81aa4967c22a2

SHA1
2dbb144079175fdee86f04ee79640d695a2e8c9b

SHA256
d3597175cc375fc575f9cf4d2cb84dacc6172c59f7daa05f6e43bc33bde1b197

SHA512
f3410aa0bdb820b8b9bdf39ff16d0a7b2d459b7015d6aa2d9b26b5d98d9a0b6dc6e892abbfa7a6662b2962800469490f5f9c854b792806fd7ee955b5f1730fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7F10.tmp.exe

Filesize
12KB

MD5
ff177f3e1b3c92a003e81aa4967c22a2

SHA1
2dbb144079175fdee86f04ee79640d695a2e8c9b

SHA256
d3597175cc375fc575f9cf4d2cb84dacc6172c59f7daa05f6e43bc33bde1b197

SHA512
f3410aa0bdb820b8b9bdf39ff16d0a7b2d459b7015d6aa2d9b26b5d98d9a0b6dc6e892abbfa7a6662b2962800469490f5f9c854b792806fd7ee955b5f1730fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6CF574B9927B4930A8D07598B286919.TMP

Filesize
1KB

MD5
9f326af698cf394d22e71394229756b9

SHA1
691a445d4099c0fab10e52c160aa8a10d20c22b2

SHA256
ef35e29449d1f30249fd420d4360155c9ac1deed82d9a7a011ea1e0efa101b2f

SHA512
1a62febd9a10d035150e49a00b5495fd29dfdc3778fa2adceb4e55be1b0806524ff4367b612caef39365473d0bc8c5408ef970ae448921ec51fa5697d483588a

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7F10.tmp.exe

Filesize
12KB

MD5
ff177f3e1b3c92a003e81aa4967c22a2

SHA1
2dbb144079175fdee86f04ee79640d695a2e8c9b

SHA256
d3597175cc375fc575f9cf4d2cb84dacc6172c59f7daa05f6e43bc33bde1b197

SHA512
f3410aa0bdb820b8b9bdf39ff16d0a7b2d459b7015d6aa2d9b26b5d98d9a0b6dc6e892abbfa7a6662b2962800469490f5f9c854b792806fd7ee955b5f1730fa9

Download Submit
memory/2680-23-0x0000000000110000-0x000000000011A000-memory.dmp

Filesize
40KB

Download
memory/2680-24-0x0000000074720000-0x0000000074E0E000-memory.dmp

Filesize
6.9MB

Download
memory/2680-26-0x0000000074720000-0x0000000074E0E000-memory.dmp

Filesize
6.9MB

Download
memory/2872-0-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/2872-4-0x00000000020C0000-0x0000000002100000-memory.dmp

Filesize
256KB

Download
memory/2872-1-0x0000000074720000-0x0000000074E0E000-memory.dmp

Filesize
6.9MB

Download
memory/2872-25-0x0000000074720000-0x0000000074E0E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing