bcfb9abe343c0c3a93c86fd9923c79c95d97776f4733feba409c030908870071

General

Target

NEAS.20e3aa334802f806ed78c72f08d9d700.exe
Size

12KB
MD5

20e3aa334802f806ed78c72f08d9d700
SHA1

73256fdee8aca5ec85db0355dca6db869d63221e
SHA256

bcfb9abe343c0c3a93c86fd9923c79c95d97776f4733feba409c030908870071
SHA512

43235216e28828e919b3d0d4dcf6251171bddb5aff7c22fa2d4f5ab3a6bf33b3cc8c97d9c9af4bdd57af23c1f5e7de569b5c05aff59b2fb0d2716d71658521cc
SSDEEP

384:KL7li/2zDq2DcEQvdhcJKLTp/NK9xaPn:UHM/Q9cPn

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	NEAS.20e3aa334802f806ed78c72f08d9d700.exe

Deletes itself 1 IoCs

pid	Process
2288	tmpEBF7.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2288	tmpEBF7.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2180	NEAS.20e3aa334802f806ed78c72f08d9d700.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 4976	2180	NEAS.20e3aa334802f806ed78c72f08d9d700.exe	87
PID 2180 wrote to memory of 4976	2180	NEAS.20e3aa334802f806ed78c72f08d9d700.exe	87
PID 2180 wrote to memory of 4976	2180	NEAS.20e3aa334802f806ed78c72f08d9d700.exe	87
PID 4976 wrote to memory of 2248	4976	vbc.exe	89
PID 4976 wrote to memory of 2248	4976	vbc.exe	89
PID 4976 wrote to memory of 2248	4976	vbc.exe	89
PID 2180 wrote to memory of 2288	2180	NEAS.20e3aa334802f806ed78c72f08d9d700.exe	90
PID 2180 wrote to memory of 2288	2180	NEAS.20e3aa334802f806ed78c72f08d9d700.exe	90
PID 2180 wrote to memory of 2288	2180	NEAS.20e3aa334802f806ed78c72f08d9d700.exe	90

C:\Users\Admin\AppData\Local\Temp\NEAS.20e3aa334802f806ed78c72f08d9d700.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.20e3aa334802f806ed78c72f08d9d700.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jtbcgf51\jtbcgf51.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4976
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEE48.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3C0C021FFE524C0BA6FAB750EF3C38B.TMP"
    3⤵
    PID:2248
- C:\Users\Admin\AppData\Local\Temp\tmpEBF7.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpEBF7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\NEAS.20e3aa334802f806ed78c72f08d9d700.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
a3eacc7b0731ad65b5166c942d5b1ca2

SHA1
ff7efeebdb6d0e3e9c0076e9ab1dbf3121068767

SHA256
8a913daad27129c510d8e7da6bb2c73711dab036972496f915cf9996bbf4468f

SHA512
a196aaa8d651c676a22f6d22842bd4e9a0239416f9454916dcdb4ab3cb6589f7bb745ed494df202fb9e2dd96969b76be02929c23d47506340d59f77a45c2f0a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEE48.tmp

Filesize
1KB

MD5
6499cd8819d8ebb28063d5c381aa06cc

SHA1
e528b4ebb0eef22daf7418471bceb652cccc8ddc

SHA256
80898a3a1c55078a172d033ede4c1f635e904234a9de7ba92dbe52a2a04a0a5a

SHA512
ee194271ddb7fb9a7d6b806d5ebc8f8b8313343a717e5c7c38cad771ca0fd86a222384573c64a62e81fedf3ea3669b50582c72d88c93cd50e63f65f244d95683

Download Submit
C:\Users\Admin\AppData\Local\Temp\jtbcgf51\jtbcgf51.0.vb

Filesize
2KB

MD5
fd34ab7ea14dd17f2df76b30ab76fa60

SHA1
844e71092b4c0c8a5e850214479fd036d3248867

SHA256
fd14ff4935df8c393e264be7ab71948acae34dfac60a7eaeffa80090174ae8ce

SHA512
7f9f5ffaeeab935d98c83b7479da8091033b16664793e86bde0ecddb1fd5dcabc2f902faa5b7c9d2f55c17ea9809c1cf21b34649ef4629b2a69a49c6f0a3be30

Download Submit
C:\Users\Admin\AppData\Local\Temp\jtbcgf51\jtbcgf51.cmdline

Filesize
273B

MD5
a6f8f8ba47e431326d8ab89fdc2ba4ea

SHA1
34ac66e726893cc9a1e60ced2860fab09b0d2e81

SHA256
33042857e9287841d0fefe8ab1a134f5ee6385688ee458ca32e5704b3fa59787

SHA512
ecf397f2ed086f311e94d745edbb732b02f7c2a27943c4db1d0ae1069f74762397179b6e7bc85702abf6e6b5b0b0847622525b37632b859a3ff1f39dfee2bcde

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEBF7.tmp.exe

Filesize
12KB

MD5
5fe2bb937155c63fe4556a25dc99f4ed

SHA1
801d0ba9456f22e1242125d850b48797ec4a4648

SHA256
581029a6f705855e151bbe24ecfb2d0e7b73b09c10f83c8d4de314dcc2a887c6

SHA512
26906cbfbca5104961939049634c0a99c6cad7af021f884dd506487d3dc9e7d7a77ff5dc6481cefc34ad6064087e20bf6828b6ff91ee443f1a0188376f90d90c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEBF7.tmp.exe

Filesize
12KB

MD5
5fe2bb937155c63fe4556a25dc99f4ed

SHA1
801d0ba9456f22e1242125d850b48797ec4a4648

SHA256
581029a6f705855e151bbe24ecfb2d0e7b73b09c10f83c8d4de314dcc2a887c6

SHA512
26906cbfbca5104961939049634c0a99c6cad7af021f884dd506487d3dc9e7d7a77ff5dc6481cefc34ad6064087e20bf6828b6ff91ee443f1a0188376f90d90c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3C0C021FFE524C0BA6FAB750EF3C38B.TMP

Filesize
1KB

MD5
f7602a5907be4a9c9984f3a5bb5f2a68

SHA1
96f837eed09b5d429db0083bb35e32dffb3b4c89

SHA256
d2f0bd489f422ecc90a6f8dcf077880280ceeb676a0930768f6142118b6a5d10

SHA512
68ef6877daa3a13bc5f23fe06ec70d280bfef7f60466a7722c35f16d5ecdb7ec82e600ce228b9a34341d182dacd2fd34b8a57427ccd89633f4c8059ddf57bb20

Download Submit
memory/2180-0-0x0000000000850000-0x000000000085A000-memory.dmp

Filesize
40KB

Download
memory/2180-1-0x00000000746B0000-0x0000000074E60000-memory.dmp

Filesize
7.7MB

Download
memory/2180-2-0x0000000005280000-0x000000000531C000-memory.dmp

Filesize
624KB

Download
memory/2180-6-0x0000000005250000-0x0000000005260000-memory.dmp

Filesize
64KB

Download
memory/2180-24-0x00000000746B0000-0x0000000074E60000-memory.dmp

Filesize
7.7MB

Download
memory/2288-25-0x00000000746B0000-0x0000000074E60000-memory.dmp

Filesize
7.7MB

Download
memory/2288-26-0x0000000000350000-0x000000000035A000-memory.dmp

Filesize
40KB

Download
memory/2288-27-0x0000000005200000-0x00000000057A4000-memory.dmp

Filesize
5.6MB

Download
memory/2288-28-0x0000000004CF0000-0x0000000004D82000-memory.dmp

Filesize
584KB

Download
memory/2288-30-0x00000000746B0000-0x0000000074E60000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing