8f54df4085929128e6be50d0d9d113f62ba829518f10d0cca968aedcbd89adb3

General

Target

NEAS.1cea2b2f2e4071177f19f5f6d8e3e3f0.exe
Size

2.0MB
MD5

1cea2b2f2e4071177f19f5f6d8e3e3f0
SHA1

7fa064a7a55c7f672adae329757f665d23d2c580
SHA256

8f54df4085929128e6be50d0d9d113f62ba829518f10d0cca968aedcbd89adb3
SHA512

26b900be1b0dcf1f325b24dab653aecab70c06eec833f7ba6f92df79c114a9b7041e4af749151e43dcb3aca605a76ae41b9fc06fdd49088a4dd05ca94149cf8e
SSDEEP

49152:B884CWL0/fRZ12+zI9gQ2irbu9qhGjojqcs1LPhsUR:B8VjWJn69hF2RomcoLJ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
5104	rundll32.exe
1536	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 2836	2024	NEAS.1cea2b2f2e4071177f19f5f6d8e3e3f0.exe	88
PID 2024 wrote to memory of 2836	2024	NEAS.1cea2b2f2e4071177f19f5f6d8e3e3f0.exe	88
PID 2024 wrote to memory of 2836	2024	NEAS.1cea2b2f2e4071177f19f5f6d8e3e3f0.exe	88
PID 2836 wrote to memory of 4796	2836	cmd.exe	91
PID 2836 wrote to memory of 4796	2836	cmd.exe	91
PID 2836 wrote to memory of 4796	2836	cmd.exe	91
PID 4796 wrote to memory of 5104	4796	control.exe	94
PID 4796 wrote to memory of 5104	4796	control.exe	94
PID 4796 wrote to memory of 5104	4796	control.exe	94
PID 5104 wrote to memory of 2892	5104	rundll32.exe	95
PID 5104 wrote to memory of 2892	5104	rundll32.exe	95
PID 2892 wrote to memory of 1536	2892	RunDll32.exe	96
PID 2892 wrote to memory of 1536	2892	RunDll32.exe	96
PID 2892 wrote to memory of 1536	2892	RunDll32.exe	96

C:\Users\Admin\AppData\Local\Temp\NEAS.1cea2b2f2e4071177f19f5f6d8e3e3f0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.1cea2b2f2e4071177f19f5f6d8e3e3f0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c .\B.cmD
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\SysWOW64\control.exe
    "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\7zS8E7089E7\mbf.cpL",
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4796
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7zS8E7089E7\mbf.cpL",
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:5104
    - - C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7zS8E7089E7\mbf.cpL",
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2892
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\7zS8E7089E7\mbf.cpL",
        6⤵
        Loads dropped DLL
        
        PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS8E7089E7\B.CmD

Filesize
56B

MD5
02d0caaa980d5deb736e6e609230847c

SHA1
445ba31b1613a0cff52cc8324c610206f73318fd

SHA256
d8fa9cde9a46cdfb3422855c05fc0be8131bd98f8ba1eac8f62041ca6b1f2bf6

SHA512
5555ad4cc7b27ce47602798fca7b7f40fea2cfd4ff32f7ed59f04e3294dc6b43109d3c93c7bad5f2ad1851e9d8b48c0594b48c4704e2ad7dc7d202e48d8636c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E7089E7\mbf.cpL

Filesize
2.0MB

MD5
6c85abc6bd8a06c4d072e0b509ccc8b4

SHA1
fb78e5a18fc7a50b7e84d774c9624a351b5b6c31

SHA256
953a5b0d5a57eb4aa25d9acca6facf01960685f2dccfed545bc73a1b48faece4

SHA512
843f56d83d7648329408da9bdaf3e29c03b109bb2ca4f79cbd12f30dd586fd006f827b0f9362fec927331c5131fdaefde4c6d4b6feddefd4e09093f4a57aa86d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E7089E7\mbf.cpL

Filesize
2.0MB

MD5
6c85abc6bd8a06c4d072e0b509ccc8b4

SHA1
fb78e5a18fc7a50b7e84d774c9624a351b5b6c31

SHA256
953a5b0d5a57eb4aa25d9acca6facf01960685f2dccfed545bc73a1b48faece4

SHA512
843f56d83d7648329408da9bdaf3e29c03b109bb2ca4f79cbd12f30dd586fd006f827b0f9362fec927331c5131fdaefde4c6d4b6feddefd4e09093f4a57aa86d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E7089E7\mbf.cpL

Filesize
2.0MB

MD5
6c85abc6bd8a06c4d072e0b509ccc8b4

SHA1
fb78e5a18fc7a50b7e84d774c9624a351b5b6c31

SHA256
953a5b0d5a57eb4aa25d9acca6facf01960685f2dccfed545bc73a1b48faece4

SHA512
843f56d83d7648329408da9bdaf3e29c03b109bb2ca4f79cbd12f30dd586fd006f827b0f9362fec927331c5131fdaefde4c6d4b6feddefd4e09093f4a57aa86d

Download Submit
memory/1536-26-0x00000000033B0000-0x00000000034B7000-memory.dmp

Filesize
1.0MB

Download
memory/1536-25-0x00000000033B0000-0x00000000034B7000-memory.dmp

Filesize
1.0MB

Download
memory/1536-22-0x00000000033B0000-0x00000000034B7000-memory.dmp

Filesize
1.0MB

Download
memory/1536-21-0x0000000003280000-0x00000000033A2000-memory.dmp

Filesize
1.1MB

Download
memory/1536-18-0x00000000013F0000-0x00000000013F6000-memory.dmp

Filesize
24KB

Download
memory/5104-8-0x0000000002E40000-0x0000000002E46000-memory.dmp

Filesize
24KB

Download
memory/5104-16-0x00000000030D0000-0x00000000031D7000-memory.dmp

Filesize
1.0MB

Download
memory/5104-15-0x00000000030D0000-0x00000000031D7000-memory.dmp

Filesize
1.0MB

Download
memory/5104-12-0x00000000030D0000-0x00000000031D7000-memory.dmp

Filesize
1.0MB

Download
memory/5104-11-0x0000000002F90000-0x00000000030B2000-memory.dmp

Filesize
1.1MB

Download
memory/5104-9-0x0000000010000000-0x000000001020B000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing