9c7dbcd40be9ee537b1b65886404d78a1d07cc5d047e24966c609e4ef3f2f772

General

Target

NEAS.6201df8d5fa568784957a7093dc2c1e0_JC.exe
Size

12KB
MD5

6201df8d5fa568784957a7093dc2c1e0
SHA1

24291330e4ec3a21299ba0e45636a296581e2834
SHA256

9c7dbcd40be9ee537b1b65886404d78a1d07cc5d047e24966c609e4ef3f2f772
SHA512

fa95898bddd8756743b681b6917e991c72ffa83a39d0df34fc25c13cfd251f1213062e048fb1b9626e352c5a2af71a262b3893561811315f30ee96d905559518
SSDEEP

384:uL7li/2z8q2DcEQvdhcJKLTp/NK9xaCp:4IM/Q9cCp

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	NEAS.6201df8d5fa568784957a7093dc2c1e0_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
564	tmpE9EF.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4100	NEAS.6201df8d5fa568784957a7093dc2c1e0_JC.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4100 wrote to memory of 648	4100	NEAS.6201df8d5fa568784957a7093dc2c1e0_JC.exe	96
PID 4100 wrote to memory of 648	4100	NEAS.6201df8d5fa568784957a7093dc2c1e0_JC.exe	96
PID 4100 wrote to memory of 648	4100	NEAS.6201df8d5fa568784957a7093dc2c1e0_JC.exe	96
PID 648 wrote to memory of 2660	648	vbc.exe	101
PID 648 wrote to memory of 2660	648	vbc.exe	101
PID 648 wrote to memory of 2660	648	vbc.exe	101
PID 4100 wrote to memory of 564	4100	NEAS.6201df8d5fa568784957a7093dc2c1e0_JC.exe	111
PID 4100 wrote to memory of 564	4100	NEAS.6201df8d5fa568784957a7093dc2c1e0_JC.exe	111
PID 4100 wrote to memory of 564	4100	NEAS.6201df8d5fa568784957a7093dc2c1e0_JC.exe	111

C:\Users\Admin\AppData\Local\Temp\NEAS.6201df8d5fa568784957a7093dc2c1e0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.6201df8d5fa568784957a7093dc2c1e0_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lwqhcgbo\lwqhcgbo.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:648
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4944.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6A0E0841C1B443F38A18E9E99B2D55A9.TMP"
    3⤵
    PID:2660
- C:\Users\Admin\AppData\Local\Temp\tmpE9EF.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpE9EF.tmp.exe" C:\Users\Admin\AppData\Local\Temp\NEAS.6201df8d5fa568784957a7093dc2c1e0_JC.exe
  2⤵
  - Executes dropped EXE
  PID:564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
1b6736e61cd284bd9ed369317ddf2816

SHA1
c5d90259f796ef5f5273d8bc2e33e56b75718a44

SHA256
c1c4d1cad7150ae8e4cc8673387428e5ea02656e1ac169225d717be1d17e9eca

SHA512
b4a6b37e4e8bd630bc93bd77b5b8c9c43e76d41e4aa61d61062e34fc7bf60ca38e86ec55d7d8777df958da28d52040fa5be656323ebb412837863506d8e72e18

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4944.tmp

Filesize
1KB

MD5
f406956ac7016df1a88d13f0d1a97c40

SHA1
604ef0bd6f4dfea1a777a9377445a33a66151fa8

SHA256
9fcace5a7067991492184f21cac8ee1de78d1c4ac811b57043f8b15829a5843f

SHA512
32bf5516765eb22b9529f7dbf61c4de8fd914961ed18933f5c0103b69f124ec1aca0d245c01a2d0a90462772c43208a1735400323e56d14f6736b89af4492332

Download Submit
C:\Users\Admin\AppData\Local\Temp\lwqhcgbo\lwqhcgbo.0.vb

Filesize
2KB

MD5
f821b7ca619fee37cbc116055abcebcb

SHA1
8448e4196effb57a6fa810bcb419c6583fd0b104

SHA256
f10a7e38e43e6e8b572428e42208ddb552489ac1bdcac1c74ed22ffa406b142b

SHA512
1ff90c3d515031b6670e2d00373065fbd086bf040358b6a633846ff2cac28670c5d17a2cc6fab3fe39d1e85ef82b3d6c48903964841fa32f5db3e19aeffa40a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\lwqhcgbo\lwqhcgbo.cmdline

Filesize
273B

MD5
9c5f4dc1322641141ad12816e5f2b462

SHA1
e2b6d1ec729dda855a0c11e23443570ffa8e7679

SHA256
ce24f329a86b791ef9e1ad4d4a849861a523729ef09f734040a1f3abc8546705

SHA512
68b77ab2b9d2f9fa60d596904fcd8e5964457e827c07906380d47cbd86e8b489d44a8f2231e2173dd6f442e855c98e348ba12d485db931ef3fd089ff6c1b5cc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE9EF.tmp.exe

Filesize
12KB

MD5
cd0fa5e5c373a9a502f62b50e514cd83

SHA1
2bb25ef5deb5d025da0f02c28d417e4324ba02b3

SHA256
3ec7514d9bb7f024abf7c935b2018e10c614625eec64a83beefa117ffb156582

SHA512
cb2cb5f474cbb02ced4900263834590a0b203c0a1de2a96cf6b09cf01de18cbf7928812deb3030e3492fb4f45b2c738a864f1092f196f50e3d17b3862e58e479

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE9EF.tmp.exe

Filesize
12KB

MD5
cd0fa5e5c373a9a502f62b50e514cd83

SHA1
2bb25ef5deb5d025da0f02c28d417e4324ba02b3

SHA256
3ec7514d9bb7f024abf7c935b2018e10c614625eec64a83beefa117ffb156582

SHA512
cb2cb5f474cbb02ced4900263834590a0b203c0a1de2a96cf6b09cf01de18cbf7928812deb3030e3492fb4f45b2c738a864f1092f196f50e3d17b3862e58e479

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6A0E0841C1B443F38A18E9E99B2D55A9.TMP

Filesize
1KB

MD5
3016ea43be5199021a2fb37fab957998

SHA1
d8aa945a3d275e23100e2ed224dad427a0a06ef5

SHA256
608325a652208634aa316205e65230d567b654b1d08da18154f2e0f15868df1b

SHA512
50de5b0b2f0f97cc005145a15f3c781c866f6a5ddf803675fcb531fa20e60050612c4a52e2007fe4dd9c13e8ca5150799d1aa908a12531979e219cb8c6149ec2

Download Submit
memory/564-29-0x0000000005C00000-0x00000000061A4000-memory.dmp

Filesize
5.6MB

Download
memory/564-25-0x0000000000B70000-0x0000000000B7A000-memory.dmp

Filesize
40KB

Download
memory/564-26-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/564-30-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/564-31-0x0000000005500000-0x0000000005592000-memory.dmp

Filesize
584KB

Download
memory/564-33-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/4100-2-0x0000000000C60000-0x0000000000C6A000-memory.dmp

Filesize
40KB

Download
memory/4100-3-0x0000000005630000-0x00000000056CC000-memory.dmp

Filesize
624KB

Download
memory/4100-1-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/4100-11-0x00000000057A0000-0x00000000057B0000-memory.dmp

Filesize
64KB

Download
memory/4100-0-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/4100-28-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/4100-6-0x00000000057A0000-0x00000000057B0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing