ef2c970a5722d121a2ab6cab00b8d60d68a5ff8428c6d73a1de5a85fb42bf6b5

General

Target

NEAS.736d6df31b1cfc42580f818558d9cbc0.exe
Size

227KB
MD5

736d6df31b1cfc42580f818558d9cbc0
SHA1

2886bcf715aabb4ec5111e6b55571c400a127fb4
SHA256

ef2c970a5722d121a2ab6cab00b8d60d68a5ff8428c6d73a1de5a85fb42bf6b5
SHA512

0af9e0d7f14a3a161ce59a8f9db29039ef550de9831f10040f11d4393a417917f08199c90850d8a047c245f4a56ee380f46e40c6b472e92ad69cdd110b48dffa
SSDEEP

3072:YsXRmUIMitiMQose27vc+Eld+xZp2vPRL1tT06zJoxAWBcKpSP//dwRmIBk:ZR5IuMQoseGk7RZBGxAycKpSPX2i

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	NEAS.736d6df31b1cfc42580f818558d9cbc0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	browser_broker32.exe

Executes dropped EXE 2 IoCs

pid	Process
4884	browser_broker32.exe
4416	browser_broker32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*browser_broker32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.736d6df31b1cfc42580f818558d9cbc0.exe"	NEAS.736d6df31b1cfc42580f818558d9cbc0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\browser_broker32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.736d6df31b1cfc42580f818558d9cbc0.exe"	NEAS.736d6df31b1cfc42580f818558d9cbc0.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4420	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4064	timeout.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
4884	browser_broker32.exe
4884	browser_broker32.exe
4884	browser_broker32.exe
4884	browser_broker32.exe
4884	browser_broker32.exe
4884	browser_broker32.exe
4884	browser_broker32.exe
4884	browser_broker32.exe
4884	browser_broker32.exe
4884	browser_broker32.exe
4884	browser_broker32.exe
4884	browser_broker32.exe
4884	browser_broker32.exe
4884	browser_broker32.exe
4884	browser_broker32.exe
4884	browser_broker32.exe
4884	browser_broker32.exe
4884	browser_broker32.exe
4884	browser_broker32.exe
4884	browser_broker32.exe
4884	browser_broker32.exe
4884	browser_broker32.exe
4884	browser_broker32.exe
4884	browser_broker32.exe
4884	browser_broker32.exe
4884	browser_broker32.exe
4884	browser_broker32.exe
4884	browser_broker32.exe
4884	browser_broker32.exe
4884	browser_broker32.exe
4884	browser_broker32.exe
4884	browser_broker32.exe
4884	browser_broker32.exe
4884	browser_broker32.exe
4884	browser_broker32.exe
4884	browser_broker32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4884	browser_broker32.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1828 wrote to memory of 4884	1828	NEAS.736d6df31b1cfc42580f818558d9cbc0.exe	93
PID 1828 wrote to memory of 4884	1828	NEAS.736d6df31b1cfc42580f818558d9cbc0.exe	93
PID 1828 wrote to memory of 4260	1828	NEAS.736d6df31b1cfc42580f818558d9cbc0.exe	95
PID 1828 wrote to memory of 4260	1828	NEAS.736d6df31b1cfc42580f818558d9cbc0.exe	95
PID 1828 wrote to memory of 3516	1828	NEAS.736d6df31b1cfc42580f818558d9cbc0.exe	96
PID 1828 wrote to memory of 3516	1828	NEAS.736d6df31b1cfc42580f818558d9cbc0.exe	96
PID 3516 wrote to memory of 4064	3516	cmd.exe	100
PID 3516 wrote to memory of 4064	3516	cmd.exe	100
PID 4884 wrote to memory of 4420	4884	browser_broker32.exe	105
PID 4884 wrote to memory of 4420	4884	browser_broker32.exe	105

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NEAS.736d6df31b1cfc42580f818558d9cbc0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.736d6df31b1cfc42580f818558d9cbc0.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\browser_broker32.exe
  "C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\browser_broker32.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4884
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /tn Admin /tr "\"C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\browser_broker32.exe\" arguments" /sc MINUTE /mo 1
    3⤵
    - Creates scheduled task(s)
    PID:4420
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:4260
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 5 && del "C:\Users\Admin\AppData\Local\Temp\NEAS.736d6df31b1cfc42580f818558d9cbc0.exe" && del "C:\Users\Admin\AppData\Local\Temp\NEAS.736d6df31b1cfc42580f818558d9cbc0.exe.config"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3516
- - C:\Windows\system32\timeout.exe
    timeout /t 5
    3⤵
    - Delays execution with timeout.exe
    PID:4064

C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\browser_broker32.exe
C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\browser_broker32.exe arguments
1⤵
- Executes dropped EXE
PID:4416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\browser_broker32.exe

Filesize
227KB

MD5
695aa8fd538dc7bd76c8f3fc0b60ea54

SHA1
201e1e4cbcf76fe205bca0243d43fef4135e0770

SHA256
98b73b7bdc9b7d16e9b6537dcd1899599971a4b99e462e4ac1441cf5392aa469

SHA512
223f42049bdcd49de102befced7c368d7644e3782529ba4e24a8eeacb49065f63f507b9dcf84587496b167498428ec206134894e86b100eeccaa44ae961fdaaf

Download Submit
C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\browser_broker32.exe

Filesize
227KB

MD5
695aa8fd538dc7bd76c8f3fc0b60ea54

SHA1
201e1e4cbcf76fe205bca0243d43fef4135e0770

SHA256
98b73b7bdc9b7d16e9b6537dcd1899599971a4b99e462e4ac1441cf5392aa469

SHA512
223f42049bdcd49de102befced7c368d7644e3782529ba4e24a8eeacb49065f63f507b9dcf84587496b167498428ec206134894e86b100eeccaa44ae961fdaaf

Download Submit
C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\browser_broker32.exe

Filesize
227KB

MD5
695aa8fd538dc7bd76c8f3fc0b60ea54

SHA1
201e1e4cbcf76fe205bca0243d43fef4135e0770

SHA256
98b73b7bdc9b7d16e9b6537dcd1899599971a4b99e462e4ac1441cf5392aa469

SHA512
223f42049bdcd49de102befced7c368d7644e3782529ba4e24a8eeacb49065f63f507b9dcf84587496b167498428ec206134894e86b100eeccaa44ae961fdaaf

Download Submit
C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\browser_broker32.exe

Filesize
227KB

MD5
695aa8fd538dc7bd76c8f3fc0b60ea54

SHA1
201e1e4cbcf76fe205bca0243d43fef4135e0770

SHA256
98b73b7bdc9b7d16e9b6537dcd1899599971a4b99e462e4ac1441cf5392aa469

SHA512
223f42049bdcd49de102befced7c368d7644e3782529ba4e24a8eeacb49065f63f507b9dcf84587496b167498428ec206134894e86b100eeccaa44ae961fdaaf

Download Submit
C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\browser_broker32.exe.config

Filesize
1KB

MD5
dd3d04c365984b4ec57a80503f81fddf

SHA1
c55fbcb61818e47dac9aae465faff91f0805bd7c

SHA256
40a59ca9744dc3d4647f246b2dc553f37f8095418c1b48a9bd94cdb5c03dbc5c

SHA512
0dd459def2abe9e3f0d1251049a0755c63f7dd3d85e91dba272c3f479f2578e3f3f2379e1cd6913190f7f596af721201eb5d9423ab28aed72bde5cd3cac7f785

Download Submit
memory/1828-6-0x000000001C030000-0x000000001C096000-memory.dmp

Filesize
408KB

Download
memory/1828-0-0x00007FF846470000-0x00007FF846E11000-memory.dmp

Filesize
9.6MB

Download
memory/1828-7-0x0000000001010000-0x0000000001020000-memory.dmp

Filesize
64KB

Download
memory/1828-8-0x0000000001010000-0x0000000001020000-memory.dmp

Filesize
64KB

Download
memory/1828-9-0x000000001C2B0000-0x000000001C2D2000-memory.dmp

Filesize
136KB

Download
memory/1828-10-0x000000001F280000-0x000000001F326000-memory.dmp

Filesize
664KB

Download
memory/1828-5-0x000000001B500000-0x000000001B508000-memory.dmp

Filesize
32KB

Download
memory/1828-4-0x0000000001010000-0x0000000001020000-memory.dmp

Filesize
64KB

Download
memory/1828-3-0x00007FF846470000-0x00007FF846E11000-memory.dmp

Filesize
9.6MB

Download
memory/1828-2-0x000000001B460000-0x000000001B4FC000-memory.dmp

Filesize
624KB

Download
memory/1828-1-0x000000001BA00000-0x000000001BECE000-memory.dmp

Filesize
4.8MB

Download
memory/1828-28-0x00007FF846470000-0x00007FF846E11000-memory.dmp

Filesize
9.6MB

Download
memory/4416-37-0x00007FF845890000-0x00007FF846231000-memory.dmp

Filesize
9.6MB

Download
memory/4884-27-0x00000000015F0000-0x0000000001600000-memory.dmp

Filesize
64KB

Download
memory/4884-30-0x00000000015F0000-0x0000000001600000-memory.dmp

Filesize
64KB

Download
memory/4884-31-0x00000000015F0000-0x0000000001600000-memory.dmp

Filesize
64KB

Download
memory/4884-32-0x000000001D650000-0x000000001D672000-memory.dmp

Filesize
136KB

Download
memory/4884-33-0x00000000015F0000-0x0000000001600000-memory.dmp

Filesize
64KB

Download
memory/4884-34-0x00000000015F0000-0x0000000001600000-memory.dmp

Filesize
64KB

Download
memory/4884-35-0x00007FF846470000-0x00007FF846E11000-memory.dmp

Filesize
9.6MB

Download
memory/4884-29-0x00007FF846470000-0x00007FF846E11000-memory.dmp

Filesize
9.6MB

Download
memory/4884-26-0x00007FF846470000-0x00007FF846E11000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads