48601587bc1c17eec6406176e308311e62d26660f96930c74ef6406919c69800

General

Target

NEAS.8fa39d7820f763186954d16fbc985030.exe
Size

436KB
MD5

8fa39d7820f763186954d16fbc985030
SHA1

41469d3e79dd266b3223d28a255176ec1822c16b
SHA256

48601587bc1c17eec6406176e308311e62d26660f96930c74ef6406919c69800
SHA512

614e02aef34f3e80760ecdd3ef08d4f1c198234f4f1837df77075d85c43df4b8b9d50233a1d10349ce11f52a93e6a5d8376f4e3d4076d2a98cf224f1c0c17b03
SSDEEP

6144:/pW2bgbbV28okoS1oWMkdlZQ5iioct0IwdNOut1V2lgVk:/pW2IoioS6J

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Disables Task Manager via registry modification
evasion

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.8fa39d7820f763186954d16fbc985030.exe BATCF %1"	NEAS.8fa39d7820f763186954d16fbc985030.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 13 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.8fa39d7820f763186954d16fbc985030.exe HTMWF %1"	NEAS.8fa39d7820f763186954d16fbc985030.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\rtffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.8fa39d7820f763186954d16fbc985030.exe RTFDF %1"	NEAS.8fa39d7820f763186954d16fbc985030.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.8fa39d7820f763186954d16fbc985030.exe NTPAD %1"	NEAS.8fa39d7820f763186954d16fbc985030.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.8fa39d7820f763186954d16fbc985030.exe JPGIF %1"	NEAS.8fa39d7820f763186954d16fbc985030.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.8fa39d7820f763186954d16fbc985030.exe JPGIF %1"	NEAS.8fa39d7820f763186954d16fbc985030.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.8fa39d7820f763186954d16fbc985030.exe NTPAD %1"	NEAS.8fa39d7820f763186954d16fbc985030.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.8fa39d7820f763186954d16fbc985030.exe NTPAD %1"	NEAS.8fa39d7820f763186954d16fbc985030.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.8fa39d7820f763186954d16fbc985030.exe NTPAD %1"	NEAS.8fa39d7820f763186954d16fbc985030.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\icofile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.8fa39d7820f763186954d16fbc985030.exe JPGIF %1"	NEAS.8fa39d7820f763186954d16fbc985030.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.8fa39d7820f763186954d16fbc985030.exe CMDSF %1"	NEAS.8fa39d7820f763186954d16fbc985030.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\giffile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.8fa39d7820f763186954d16fbc985030.exe JPGIF %1"	NEAS.8fa39d7820f763186954d16fbc985030.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.8fa39d7820f763186954d16fbc985030.exe VBSSF %1"	NEAS.8fa39d7820f763186954d16fbc985030.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.8fa39d7820f763186954d16fbc985030.exe BATCF %1"	NEAS.8fa39d7820f763186954d16fbc985030.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2324	reg.exe
2988	reg.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2988	2256	NEAS.8fa39d7820f763186954d16fbc985030.exe	28
PID 2256 wrote to memory of 2988	2256	NEAS.8fa39d7820f763186954d16fbc985030.exe	28
PID 2256 wrote to memory of 2988	2256	NEAS.8fa39d7820f763186954d16fbc985030.exe	28
PID 2256 wrote to memory of 2324	2256	NEAS.8fa39d7820f763186954d16fbc985030.exe	29
PID 2256 wrote to memory of 2324	2256	NEAS.8fa39d7820f763186954d16fbc985030.exe	29
PID 2256 wrote to memory of 2324	2256	NEAS.8fa39d7820f763186954d16fbc985030.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.8fa39d7820f763186954d16fbc985030.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.8fa39d7820f763186954d16fbc985030.exe"
1⤵
- Modifies system executable filetype association
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:2988
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ZVfDqSGxwhG.exe

Filesize
436KB

MD5
d1dae2d0376c9b6ebdee837b3c8a87d5

SHA1
1eea1db34797aad1fcea553eb92092207df39af6

SHA256
cc67119c2fb10109f2691f21edd16f66c951a86ac9c804b1b95a2c0dd56bc931

SHA512
7442100fbb38c6c4a4cc7077d52710cf358a7ff8354d8310fdcf14c985efbc8e430f4526e9dff63cebdc3d1da6fd003353e96db4a93071d106e5687532cba054

Download Submit
memory/2256-0-0x00000000013C0000-0x00000000013E8000-memory.dmp

Filesize
160KB

Download
memory/2256-1-0x000007FEF6060000-0x000007FEF6A4C000-memory.dmp

Filesize
9.9MB

Download
memory/2256-2-0x000000001B1D0000-0x000000001B250000-memory.dmp

Filesize
512KB

Download
memory/2256-725-0x000007FEF6060000-0x000007FEF6A4C000-memory.dmp

Filesize
9.9MB

Download
memory/2256-786-0x000000001B1D0000-0x000000001B250000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads