58416b176f97c07e7126d53c56c5b039f78adedbc6fb67094855548ee3b8f7ba

General

Target

NEAS.d846d479240efa3313bcce9534725190_JC.exe
Size

1.8MB
MD5

d846d479240efa3313bcce9534725190
SHA1

a6b3be5f81edf6e2823a19dac1b6eb882357a174
SHA256

58416b176f97c07e7126d53c56c5b039f78adedbc6fb67094855548ee3b8f7ba
SHA512

236e6e4df70c483a4147729df34efea387c0e810fbbe60c26f79d5900bb6091d1845d0cadb194f594e4214f96a85c59e56671354b0c702fd6d54ebba609be67d
SSDEEP

49152:wWhr59BfJXAE+UJDyWh2Rmwj++kA75EVdZod:wWhrPBfKEneWhumwq/Qq6

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	NEAS.d846d479240efa3313bcce9534725190_JC.exe

Loads dropped DLL 4 IoCs

pid	Process
4680	rundll32.exe
4680	rundll32.exe
1456	rundll32.exe
1456	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings	NEAS.d846d479240efa3313bcce9534725190_JC.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 4476	1164	NEAS.d846d479240efa3313bcce9534725190_JC.exe	89
PID 1164 wrote to memory of 4476	1164	NEAS.d846d479240efa3313bcce9534725190_JC.exe	89
PID 1164 wrote to memory of 4476	1164	NEAS.d846d479240efa3313bcce9534725190_JC.exe	89
PID 4476 wrote to memory of 4680	4476	control.exe	91
PID 4476 wrote to memory of 4680	4476	control.exe	91
PID 4476 wrote to memory of 4680	4476	control.exe	91
PID 4680 wrote to memory of 2708	4680	rundll32.exe	93
PID 4680 wrote to memory of 2708	4680	rundll32.exe	93
PID 2708 wrote to memory of 1456	2708	RunDll32.exe	95
PID 2708 wrote to memory of 1456	2708	RunDll32.exe	95
PID 2708 wrote to memory of 1456	2708	RunDll32.exe	95

C:\Users\Admin\AppData\Local\Temp\NEAS.d846d479240efa3313bcce9534725190_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.d846d479240efa3313bcce9534725190_JC.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\qB4Q22K0.CPL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4476
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\qB4Q22K0.CPL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4680
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\qB4Q22K0.CPL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\qB4Q22K0.CPL",
        5⤵
        Loads dropped DLL
        
        PID:1456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\qB4Q22K0.CPL

Filesize
1.4MB

MD5
60f22c16c679a8d488de57bd63b90962

SHA1
c066dd0969a5490ec30d2849abb8424cacc4ea6d

SHA256
fff463d5766db8cd0443b6fc0b0ae4b55e39727110ac40dc640cfcb35d5be4c0

SHA512
fecb2da87dda5730ce64b475b901f1d4b361f1c857b57792c02a53ad05b520cdd895d17bcc0ef2f7cd378774dde67cbf09bf1a70de6985c938e7135ddb262e4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qB4q22K0.cpl

Filesize
1.4MB

MD5
60f22c16c679a8d488de57bd63b90962

SHA1
c066dd0969a5490ec30d2849abb8424cacc4ea6d

SHA256
fff463d5766db8cd0443b6fc0b0ae4b55e39727110ac40dc640cfcb35d5be4c0

SHA512
fecb2da87dda5730ce64b475b901f1d4b361f1c857b57792c02a53ad05b520cdd895d17bcc0ef2f7cd378774dde67cbf09bf1a70de6985c938e7135ddb262e4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qB4q22K0.cpl

Filesize
1.4MB

MD5
60f22c16c679a8d488de57bd63b90962

SHA1
c066dd0969a5490ec30d2849abb8424cacc4ea6d

SHA256
fff463d5766db8cd0443b6fc0b0ae4b55e39727110ac40dc640cfcb35d5be4c0

SHA512
fecb2da87dda5730ce64b475b901f1d4b361f1c857b57792c02a53ad05b520cdd895d17bcc0ef2f7cd378774dde67cbf09bf1a70de6985c938e7135ddb262e4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qB4q22K0.cpl

Filesize
1.4MB

MD5
60f22c16c679a8d488de57bd63b90962

SHA1
c066dd0969a5490ec30d2849abb8424cacc4ea6d

SHA256
fff463d5766db8cd0443b6fc0b0ae4b55e39727110ac40dc640cfcb35d5be4c0

SHA512
fecb2da87dda5730ce64b475b901f1d4b361f1c857b57792c02a53ad05b520cdd895d17bcc0ef2f7cd378774dde67cbf09bf1a70de6985c938e7135ddb262e4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qB4q22K0.cpl

Filesize
1.4MB

MD5
60f22c16c679a8d488de57bd63b90962

SHA1
c066dd0969a5490ec30d2849abb8424cacc4ea6d

SHA256
fff463d5766db8cd0443b6fc0b0ae4b55e39727110ac40dc640cfcb35d5be4c0

SHA512
fecb2da87dda5730ce64b475b901f1d4b361f1c857b57792c02a53ad05b520cdd895d17bcc0ef2f7cd378774dde67cbf09bf1a70de6985c938e7135ddb262e4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qB4q22K0.cpl

Filesize
1.4MB

MD5
60f22c16c679a8d488de57bd63b90962

SHA1
c066dd0969a5490ec30d2849abb8424cacc4ea6d

SHA256
fff463d5766db8cd0443b6fc0b0ae4b55e39727110ac40dc640cfcb35d5be4c0

SHA512
fecb2da87dda5730ce64b475b901f1d4b361f1c857b57792c02a53ad05b520cdd895d17bcc0ef2f7cd378774dde67cbf09bf1a70de6985c938e7135ddb262e4b

Download Submit
memory/1456-32-0x0000000002D20000-0x0000000002E01000-memory.dmp

Filesize
900KB

Download
memory/1456-29-0x0000000002D20000-0x0000000002E01000-memory.dmp

Filesize
900KB

Download
memory/1456-28-0x0000000002C20000-0x0000000002D1A000-memory.dmp

Filesize
1000KB

Download
memory/1456-26-0x0000000002860000-0x00000000029BF000-memory.dmp

Filesize
1.4MB

Download
memory/1456-25-0x0000000000B30000-0x0000000000B36000-memory.dmp

Filesize
24KB

Download
memory/1456-33-0x0000000002D20000-0x0000000002E01000-memory.dmp

Filesize
900KB

Download
memory/1456-24-0x0000000002860000-0x00000000029BF000-memory.dmp

Filesize
1.4MB

Download
memory/4680-13-0x0000000002220000-0x0000000002226000-memory.dmp

Filesize
24KB

Download
memory/4680-21-0x0000000002BE0000-0x0000000002CC1000-memory.dmp

Filesize
900KB

Download
memory/4680-20-0x0000000002BE0000-0x0000000002CC1000-memory.dmp

Filesize
900KB

Download
memory/4680-17-0x0000000002BE0000-0x0000000002CC1000-memory.dmp

Filesize
900KB

Download
memory/4680-16-0x0000000002AE0000-0x0000000002BDA000-memory.dmp

Filesize
1000KB

Download
memory/4680-14-0x0000000002670000-0x00000000027CF000-memory.dmp

Filesize
1.4MB

Download
memory/4680-12-0x0000000002670000-0x00000000027CF000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing