93c0525f6427a7e4b2819f684db160cffb3614baaa789b3a5125ce78c32d50cd

General

Target

NEAS.a66b328dcddbb8ae65367a3cf6d1f6c0.exe
Size

53KB
MD5

a66b328dcddbb8ae65367a3cf6d1f6c0
SHA1

f878e7225d87f4ef7b685f72fda430a433ad63d4
SHA256

93c0525f6427a7e4b2819f684db160cffb3614baaa789b3a5125ce78c32d50cd
SHA512

3b3e28ebc1713071540eb70600bb076591ca7a4b34adec8f6550cb08405a081dbf744ade9e2ffd98ae6beeaba9b2170b6c9eeb9a0ca6309007e1bf0aa3e857d6
SSDEEP

384:DnfN2qlzZUrCjtfSSvUl0rBL2etVlt6SR50S8Skhe9XLt6y7+zQiF5KDLls0JK/W:J2GCpwjZ8ve9Xh6W+zQimran

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	cfmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
1504	cfmon.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\taobao\cfmon.exe	NEAS.a66b328dcddbb8ae65367a3cf6d1f6c0.exe
File created	C:\Program Files\Common Files\taobao\cfmon.exe	NEAS.a66b328dcddbb8ae65367a3cf6d1f6c0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2488	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings	cfmon.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4020	NEAS.a66b328dcddbb8ae65367a3cf6d1f6c0.exe
Token: SeDebugPrivilege	2488	taskkill.exe
Token: SeDebugPrivilege	1504	cfmon.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4020 wrote to memory of 2428	4020	NEAS.a66b328dcddbb8ae65367a3cf6d1f6c0.exe	86
PID 4020 wrote to memory of 2428	4020	NEAS.a66b328dcddbb8ae65367a3cf6d1f6c0.exe	86
PID 4020 wrote to memory of 2428	4020	NEAS.a66b328dcddbb8ae65367a3cf6d1f6c0.exe	86
PID 2428 wrote to memory of 2488	2428	cmd.exe	88
PID 2428 wrote to memory of 2488	2428	cmd.exe	88
PID 2428 wrote to memory of 2488	2428	cmd.exe	88
PID 4020 wrote to memory of 1504	4020	NEAS.a66b328dcddbb8ae65367a3cf6d1f6c0.exe	101
PID 4020 wrote to memory of 1504	4020	NEAS.a66b328dcddbb8ae65367a3cf6d1f6c0.exe	101
PID 4020 wrote to memory of 1504	4020	NEAS.a66b328dcddbb8ae65367a3cf6d1f6c0.exe	101
PID 4020 wrote to memory of 748	4020	NEAS.a66b328dcddbb8ae65367a3cf6d1f6c0.exe	102
PID 4020 wrote to memory of 748	4020	NEAS.a66b328dcddbb8ae65367a3cf6d1f6c0.exe	102
PID 4020 wrote to memory of 748	4020	NEAS.a66b328dcddbb8ae65367a3cf6d1f6c0.exe	102
PID 1504 wrote to memory of 5020	1504	cfmon.exe	104
PID 1504 wrote to memory of 5020	1504	cfmon.exe	104
PID 1504 wrote to memory of 5020	1504	cfmon.exe	104
PID 5020 wrote to memory of 3420	5020	WScript.exe	106
PID 5020 wrote to memory of 3420	5020	WScript.exe	106
PID 5020 wrote to memory of 3420	5020	WScript.exe	106

C:\Users\Admin\AppData\Local\Temp\NEAS.a66b328dcddbb8ae65367a3cf6d1f6c0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.a66b328dcddbb8ae65367a3cf6d1f6c0.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /im cfmon.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im cfmon.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2488
- C:\Program Files\Common Files\taobao\cfmon.exe
  "C:\Program Files\Common Files\taobao\cfmon.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\340.vbe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:5020
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c del C:\Windows\system32\drivers\etc\hosts
      4⤵
      PID:3420
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\NEAS.a66b328dcddbb8ae65367a3cf6d1f6c0.exe"
  2⤵
  PID:748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\340.vbe

Filesize
711B

MD5
2b473891d2ef2a3ff216f9e896a2499f

SHA1
ce696dc77121b14f936eb1dd68547043a49e616b

SHA256
c1c7c737a5248a89db3d4b30542a49ef8e9663e2d647276feab28de1a541a868

SHA512
0b07b82e1ed8694526180de2e3c14c3a3529975017d03cac81b357b514ea02530d37102f25e09e0d8b3505217d92743df66bb4c57ea42a374a95faf4dace1f5d

Download Submit
C:\Program Files\Common Files\taobao\cfmon.exe

Filesize
54KB

MD5
9cb41351d02a273ba9576dc074345c6c

SHA1
a9880659f18bc0a88e5fbbdcbb39a20947453046

SHA256
13e31a014573fa0e8b15bbce42e06739253188602e22ef965c39487b8de1fd91

SHA512
de79829c0ce97342c076a0a5c27bc66a2ba02927ed8a792c33c7661931f91ec59e18b162c90c6dba3b4a9ec5ff2f9d4a61b4bcc75e4ff70ab63b68fc1b513384

Download Submit
C:\Program Files\Common Files\taobao\cfmon.exe

Filesize
54KB

MD5
9cb41351d02a273ba9576dc074345c6c

SHA1
a9880659f18bc0a88e5fbbdcbb39a20947453046

SHA256
13e31a014573fa0e8b15bbce42e06739253188602e22ef965c39487b8de1fd91

SHA512
de79829c0ce97342c076a0a5c27bc66a2ba02927ed8a792c33c7661931f91ec59e18b162c90c6dba3b4a9ec5ff2f9d4a61b4bcc75e4ff70ab63b68fc1b513384

Download Submit

Analysis

Sharing