c77488deccb7e8483632196b2dcd6e6506b57465382c8bc4b1a67c097cbbc8f3

General

Target

NEAS.1e07f0ca5cc5f41a0e9506a19c0917d0_JC.exe
Size

545KB
MD5

1e07f0ca5cc5f41a0e9506a19c0917d0
SHA1

55083109b7ca6eb45ca0f83e60e0598d7ece5787
SHA256

c77488deccb7e8483632196b2dcd6e6506b57465382c8bc4b1a67c097cbbc8f3
SHA512

a49878a36c05877a4b1b37e23a774c102f901b29fe341ab655ed8ac8614ec670d12af4eee9c6895517c9bf4b20e8c1aa32c161bc70dfbeb773095cde02f4de64
SSDEEP

6144:/pW2bgbbV28okoS1oWMkdlZQ5iioct0IwdNOut1VP75iphJz9r:/pW2IoioS66gphJz9r

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Disables Task Manager via registry modification
evasion

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.1e07f0ca5cc5f41a0e9506a19c0917d0_JC.exe BATCF %1"	NEAS.1e07f0ca5cc5f41a0e9506a19c0917d0_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 13 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.1e07f0ca5cc5f41a0e9506a19c0917d0_JC.exe NTPAD %1"	NEAS.1e07f0ca5cc5f41a0e9506a19c0917d0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.1e07f0ca5cc5f41a0e9506a19c0917d0_JC.exe JPGIF %1"	NEAS.1e07f0ca5cc5f41a0e9506a19c0917d0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\giffile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.1e07f0ca5cc5f41a0e9506a19c0917d0_JC.exe JPGIF %1"	NEAS.1e07f0ca5cc5f41a0e9506a19c0917d0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\rtffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.1e07f0ca5cc5f41a0e9506a19c0917d0_JC.exe RTFDF %1"	NEAS.1e07f0ca5cc5f41a0e9506a19c0917d0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.1e07f0ca5cc5f41a0e9506a19c0917d0_JC.exe BATCF %1"	NEAS.1e07f0ca5cc5f41a0e9506a19c0917d0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.1e07f0ca5cc5f41a0e9506a19c0917d0_JC.exe CMDSF %1"	NEAS.1e07f0ca5cc5f41a0e9506a19c0917d0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.1e07f0ca5cc5f41a0e9506a19c0917d0_JC.exe JPGIF %1"	NEAS.1e07f0ca5cc5f41a0e9506a19c0917d0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.1e07f0ca5cc5f41a0e9506a19c0917d0_JC.exe NTPAD %1"	NEAS.1e07f0ca5cc5f41a0e9506a19c0917d0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.1e07f0ca5cc5f41a0e9506a19c0917d0_JC.exe VBSSF %1"	NEAS.1e07f0ca5cc5f41a0e9506a19c0917d0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.1e07f0ca5cc5f41a0e9506a19c0917d0_JC.exe NTPAD %1"	NEAS.1e07f0ca5cc5f41a0e9506a19c0917d0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.1e07f0ca5cc5f41a0e9506a19c0917d0_JC.exe HTMWF %1"	NEAS.1e07f0ca5cc5f41a0e9506a19c0917d0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.1e07f0ca5cc5f41a0e9506a19c0917d0_JC.exe NTPAD %1"	NEAS.1e07f0ca5cc5f41a0e9506a19c0917d0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\icofile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.1e07f0ca5cc5f41a0e9506a19c0917d0_JC.exe JPGIF %1"	NEAS.1e07f0ca5cc5f41a0e9506a19c0917d0_JC.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
1236	reg.exe
2604	reg.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2604	2096	NEAS.1e07f0ca5cc5f41a0e9506a19c0917d0_JC.exe	28
PID 2096 wrote to memory of 2604	2096	NEAS.1e07f0ca5cc5f41a0e9506a19c0917d0_JC.exe	28
PID 2096 wrote to memory of 2604	2096	NEAS.1e07f0ca5cc5f41a0e9506a19c0917d0_JC.exe	28
PID 2096 wrote to memory of 1236	2096	NEAS.1e07f0ca5cc5f41a0e9506a19c0917d0_JC.exe	29
PID 2096 wrote to memory of 1236	2096	NEAS.1e07f0ca5cc5f41a0e9506a19c0917d0_JC.exe	29
PID 2096 wrote to memory of 1236	2096	NEAS.1e07f0ca5cc5f41a0e9506a19c0917d0_JC.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.1e07f0ca5cc5f41a0e9506a19c0917d0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.1e07f0ca5cc5f41a0e9506a19c0917d0_JC.exe"
1⤵
- Modifies system executable filetype association
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:2604
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:1236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\dHVnoFoEYSh.exe

Filesize
545KB

MD5
99620014a9065e1ba7b057b1dbdd5fe4

SHA1
3fde7f96db6baf5d43cc1fcbe60dfa313d5d202b

SHA256
47189fbaa23d70f1da81454c3ed73147edb0a36b1523c56c1b45eee92d5287b5

SHA512
5b9ce38cc22b8b5101359e3f232ff341d646c689ed2b0465254651fb5212cecbbce34d15a01070bb78de8bdf89a072e4ddcd5f031acbcf1e38cf8a47048b626a

Download Submit
memory/2096-0-0x0000000000F40000-0x0000000000F68000-memory.dmp

Filesize
160KB

Download
memory/2096-1-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/2096-2-0x000000001B240000-0x000000001B2C0000-memory.dmp

Filesize
512KB

Download
memory/2096-713-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/2096-785-0x000000001B240000-0x000000001B2C0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads