648d448c21c568b2c47e94074faa94ba96ea969bca01683af676fb46e536e26c

General

Target

NEAS.a56ba5c6af0cb8bf872e208af0948cf0.exe
Size

80KB
MD5

a56ba5c6af0cb8bf872e208af0948cf0
SHA1

ac1d7b08d4e44e38c01b9e8b38a3f7aa080df541
SHA256

648d448c21c568b2c47e94074faa94ba96ea969bca01683af676fb46e536e26c
SHA512

38d1624b62bc7cfbf730550c66c4906186738ddbd0bede6a557446f24bd06c8680b81deb31b5caa1ecdf6eaeab0c75d95dcff3fd316941190f2656b1ff59b853
SSDEEP

1536:8PCHHM3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtK9/p1edp:8PCHs3xSyRxvY3md+dWWZyK9/Cp

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	NEAS.a56ba5c6af0cb8bf872e208af0948cf0.exe

Executes dropped EXE 1 IoCs

pid	Process
60	tmpD978.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpD978.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2392	NEAS.a56ba5c6af0cb8bf872e208af0948cf0.exe
Token: SeDebugPrivilege	60	tmpD978.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 4348	2392	NEAS.a56ba5c6af0cb8bf872e208af0948cf0.exe	87
PID 2392 wrote to memory of 4348	2392	NEAS.a56ba5c6af0cb8bf872e208af0948cf0.exe	87
PID 2392 wrote to memory of 4348	2392	NEAS.a56ba5c6af0cb8bf872e208af0948cf0.exe	87
PID 4348 wrote to memory of 1600	4348	vbc.exe	91
PID 4348 wrote to memory of 1600	4348	vbc.exe	91
PID 4348 wrote to memory of 1600	4348	vbc.exe	91
PID 2392 wrote to memory of 60	2392	NEAS.a56ba5c6af0cb8bf872e208af0948cf0.exe	93
PID 2392 wrote to memory of 60	2392	NEAS.a56ba5c6af0cb8bf872e208af0948cf0.exe	93
PID 2392 wrote to memory of 60	2392	NEAS.a56ba5c6af0cb8bf872e208af0948cf0.exe	93

C:\Users\Admin\AppData\Local\Temp\NEAS.a56ba5c6af0cb8bf872e208af0948cf0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.a56ba5c6af0cb8bf872e208af0948cf0.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lxq3vccj.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4348
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA9A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD190B31580A3464C9833FDBCC731414.TMP"
    3⤵
    PID:1600
- C:\Users\Admin\AppData\Local\Temp\tmpD978.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpD978.tmp.exe" C:\Users\Admin\AppData\Local\Temp\NEAS.a56ba5c6af0cb8bf872e208af0948cf0.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:60

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA9A.tmp

Filesize
1KB

MD5
fe239eb9890a13e0f7b923000e5f2f48

SHA1
3bcbb48c6260d0ffb5c9cdaac845362dfedddf61

SHA256
ee641ff87db8690f0985d7c8214a96bc039545930b129c2eaf55cfa3b739d75f

SHA512
98de03edcb2342504d34ebc1fb734f7e697624d51f6ce65b76fbce89442c6854fb9f5bdc87eec5e1d82c01011306c03c08dab1ee1eb70140cce74d1240332ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\lxq3vccj.0.vb

Filesize
15KB

MD5
07e548dd731fc5e83384d497102bae90

SHA1
3c3e1d7f76ab23bf5f89759de4bf993b7c997fb1

SHA256
68cb83b226f038de827faf1a8d8ce8054374b8e4a67c9b5485646a63ad47b2e2

SHA512
253dbb9ac07d41f86b0aa759bbe623a6a6e2f2c7a197815c62d0004dffd9e988b2d8b0436e98fbcbee7f2d11370362431215ac2bad3ac0702cbb3168f465c678

Download Submit
C:\Users\Admin\AppData\Local\Temp\lxq3vccj.cmdline

Filesize
266B

MD5
d9457f8caebe4852b7a7643ebed45072

SHA1
0e09b7e2d0fe6d1279d951fab39089dbde8f2204

SHA256
01f325bcf503b4134c8d1bea6d941146d8c087cca3b3369c9d3a5e47479882d4

SHA512
6aa854318294080261eb20c6bbaf8d5d46bc3de2e58e69ed3bbd827433aca27d34b85f186ea0c4bb0979562c6ae6ec8eeff90b5bd32295e70524c2f434ab3682

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD978.tmp.exe

Filesize
78KB

MD5
71ed459a1233391d1a4e8e9b1ab625aa

SHA1
c163324266445f4ac70b92bb0658d411b12b9b4b

SHA256
b8dae68e8ff934a8fb9cffffdadf3f97c6ef90b4ba971fee664db204ab118e3d

SHA512
84ffd627bb8aaddb0fbb7f675251f358ba3282b0b2f623bd524a9232653957ecc436c94e78d644c1b9ede349731d80e396578a5e96781f4cf5ed1112b9453ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD978.tmp.exe

Filesize
78KB

MD5
71ed459a1233391d1a4e8e9b1ab625aa

SHA1
c163324266445f4ac70b92bb0658d411b12b9b4b

SHA256
b8dae68e8ff934a8fb9cffffdadf3f97c6ef90b4ba971fee664db204ab118e3d

SHA512
84ffd627bb8aaddb0fbb7f675251f358ba3282b0b2f623bd524a9232653957ecc436c94e78d644c1b9ede349731d80e396578a5e96781f4cf5ed1112b9453ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD190B31580A3464C9833FDBCC731414.TMP

Filesize
660B

MD5
fba1c4161cf78eacf99a842ca477c0aa

SHA1
e6f06d36a6dfc0a0ba7d34cff0c65b51318a7633

SHA256
a68f95e7f8383d463101665509e940df77784f420f4c2a39e32748b8a7cc406f

SHA512
8979599da712c765f38a8ec63a5c4f4ada264fff4fb1633fa8f5d7f8032a4d8234a46856b2d821653098a538d8c13ec2d8fa59a4414c1539efb34abe77d2191a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/60-24-0x0000000074820000-0x0000000074DD1000-memory.dmp

Filesize
5.7MB

Download
memory/60-30-0x0000000000D20000-0x0000000000D30000-memory.dmp

Filesize
64KB

Download
memory/60-25-0x0000000000D20000-0x0000000000D30000-memory.dmp

Filesize
64KB

Download
memory/60-26-0x0000000074820000-0x0000000074DD1000-memory.dmp

Filesize
5.7MB

Download
memory/60-27-0x0000000074820000-0x0000000074DD1000-memory.dmp

Filesize
5.7MB

Download
memory/60-29-0x0000000000D20000-0x0000000000D30000-memory.dmp

Filesize
64KB

Download
memory/2392-14-0x0000000001640000-0x0000000001650000-memory.dmp

Filesize
64KB

Download
memory/2392-10-0x0000000074820000-0x0000000074DD1000-memory.dmp

Filesize
5.7MB

Download
memory/2392-0-0x0000000074820000-0x0000000074DD1000-memory.dmp

Filesize
5.7MB

Download
memory/2392-23-0x0000000074820000-0x0000000074DD1000-memory.dmp

Filesize
5.7MB

Download
memory/2392-2-0x0000000001640000-0x0000000001650000-memory.dmp

Filesize
64KB

Download
memory/2392-1-0x0000000074820000-0x0000000074DD1000-memory.dmp

Filesize
5.7MB

Download
memory/4348-8-0x0000000002600000-0x0000000002610000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads