fb831d94d666313dcffac0a6416ac1f1598eb667b625245691147aa6fdf29266

General

Target

NEAS.a1b2a35a2d944efb563b012271dfc8f0_JC.exe
Size

413KB
MD5

a1b2a35a2d944efb563b012271dfc8f0
SHA1

45944b7f44c7ef9ffd9d8c63725de5b5a39c7c3f
SHA256

fb831d94d666313dcffac0a6416ac1f1598eb667b625245691147aa6fdf29266
SHA512

28c547ac5be946e447860041a898ba8f5d68bb7ae597ddfc6a80d2c82b73c6db5595b287519293b084d377d8c21fc266c7ba900836df3fc86d391029b7cecfc9
SSDEEP

6144:9e34PFeyuUoUCWNTi6VYcYssPokwcaKE6tNZPbwhvF7eyHFLpq0rKU/T+Ru782oW:DFeDWNe6lH/V36tNxkLyylM0Ok+Ruox

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2800	DomaIQ.exe

Loads dropped DLL 2 IoCs

pid	Process
2024	NEAS.a1b2a35a2d944efb563b012271dfc8f0_JC.exe
2024	NEAS.a1b2a35a2d944efb563b012271dfc8f0_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2800	DomaIQ.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2800	DomaIQ.exe
2800	DomaIQ.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 2800	2024	NEAS.a1b2a35a2d944efb563b012271dfc8f0_JC.exe	28
PID 2024 wrote to memory of 2800	2024	NEAS.a1b2a35a2d944efb563b012271dfc8f0_JC.exe	28
PID 2024 wrote to memory of 2800	2024	NEAS.a1b2a35a2d944efb563b012271dfc8f0_JC.exe	28
PID 2024 wrote to memory of 2800	2024	NEAS.a1b2a35a2d944efb563b012271dfc8f0_JC.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.a1b2a35a2d944efb563b012271dfc8f0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.a1b2a35a2d944efb563b012271dfc8f0_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\AppData\Local\Temp\DM\flashplayer_151\DomaIQ.exe
  C:\Users\Admin\AppData\Local\Temp\DM\flashplayer_151\DomaIQ.exe /path="C:\Users\Admin\AppData\Local\Temp\NEAS.a1b2a35a2d944efb563b012271dfc8f0_JC.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DM\flashplayer_151\DomaIQ.exe

Filesize
213KB

MD5
7845abad750348bed4aaf8906c80e31c

SHA1
340f244f59a0a08f9895cf240a48079ae7b9b915

SHA256
e135c53b07e1f08727f17139161b8ccaca05ab4532b57a9a0922cf0cc507b84d

SHA512
1e25ca873b4ae9e5c72d1424653162d6d641f6c97ac636bf067bcc8b151be0bb7825b3e72437376d5f3c60afb92760755d99de34e21d02ac4b3365e76603c969

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\flashplayer_151\DomaIQ.exe

Filesize
213KB

MD5
7845abad750348bed4aaf8906c80e31c

SHA1
340f244f59a0a08f9895cf240a48079ae7b9b915

SHA256
e135c53b07e1f08727f17139161b8ccaca05ab4532b57a9a0922cf0cc507b84d

SHA512
1e25ca873b4ae9e5c72d1424653162d6d641f6c97ac636bf067bcc8b151be0bb7825b3e72437376d5f3c60afb92760755d99de34e21d02ac4b3365e76603c969

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\flashplayer_151\config.dll

Filesize
36B

MD5
02f6e45f4408f64951806d585e6e9c4a

SHA1
864ac959cfbcae1513fbf399c151cacfd83daeb3

SHA256
8bc898ba04219478b52197de2cb44de8fd26fda76f838531eaea44d24257126d

SHA512
31e4017a9b5e7fce76d650c7916926e8319a2bc55e2c00af8685234943c734b7a5765185dd959f69cf4c4b53186a522dc4e434dc22a7b1001738493954ea60cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\flashplayer_151\routes.dll

Filesize
259B

MD5
c637c118ce88b24aea014a27076801c9

SHA1
9364f7a34c4d9a3944e1d71392baa34468bd2a69

SHA256
d7d6e3b6b20a6508178efe58f7762a3c4e557340a864522d8084073b51475ce6

SHA512
743e40e1933efabb68fb87c49d0a5c1a80b95a39ca0717f73cc80a55e6a15a751bc5ebb15a84f6a7236791dd3ed188dde6e5b93ade29fc8948c30a71ec102218

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi58BB.tmp\LangDLL.dll

Filesize
5KB

MD5
9384f4007c492d4fa040924f31c00166

SHA1
aba37faef30d7c445584c688a0b5638f5db31c7b

SHA256
60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5

SHA512
68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf

Download Submit
\Users\Admin\AppData\Local\Temp\DM\flashplayer_151\DomaIQ.exe

Filesize
213KB

MD5
7845abad750348bed4aaf8906c80e31c

SHA1
340f244f59a0a08f9895cf240a48079ae7b9b915

SHA256
e135c53b07e1f08727f17139161b8ccaca05ab4532b57a9a0922cf0cc507b84d

SHA512
1e25ca873b4ae9e5c72d1424653162d6d641f6c97ac636bf067bcc8b151be0bb7825b3e72437376d5f3c60afb92760755d99de34e21d02ac4b3365e76603c969

Download Submit
\Users\Admin\AppData\Local\Temp\nsi58BB.tmp\LangDLL.dll

Filesize
5KB

MD5
9384f4007c492d4fa040924f31c00166

SHA1
aba37faef30d7c445584c688a0b5638f5db31c7b

SHA256
60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5

SHA512
68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf

Download Submit
memory/2800-19-0x000000001B000000-0x000000001B080000-memory.dmp

Filesize
512KB

Download
memory/2800-18-0x000007FEF62A0000-0x000007FEF6C8C000-memory.dmp

Filesize
9.9MB

Download
memory/2800-20-0x000000001B000000-0x000000001B080000-memory.dmp

Filesize
512KB

Download
memory/2800-17-0x000007FEF62A0000-0x000007FEF6C8C000-memory.dmp

Filesize
9.9MB

Download
memory/2800-16-0x0000000000B80000-0x0000000000BBC000-memory.dmp

Filesize
240KB

Download
memory/2800-23-0x000000001B000000-0x000000001B080000-memory.dmp

Filesize
512KB

Download
memory/2800-24-0x000000001B000000-0x000000001B080000-memory.dmp

Filesize
512KB

Download
memory/2800-25-0x000000001B000000-0x000000001B080000-memory.dmp

Filesize
512KB

Download
memory/2800-26-0x000000001B000000-0x000000001B080000-memory.dmp

Filesize
512KB

Download
memory/2800-28-0x000007FEF62A0000-0x000007FEF6C8C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing