Analysis
max time kernel: 151s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2023, 04:28
Static task: static1
Behavioral task: behavioral1
  Sample: NEAS.d76292ec99b5d78861bab2187c494c80.exe
  Resource: win7-20231025-en
Behavioral task: behavioral2
  Sample: NEAS.d76292ec99b5d78861bab2187c494c80.exe
  Resource: win10v2004-20231023-en
General
Target: NEAS.d76292ec99b5d78861bab2187c494c80.exe
Size: 78KB
MD5: d76292ec99b5d78861bab2187c494c80
SHA1: bc0c1af3ea0e1a80cc6751888f5c2228145fcb0f
SHA256: 33bfdf7cc9a7aeaae48dfd502ce3d7d9a4912b0968a985e9ecafd629a123138c
SHA512: c88fc1bf663cb9b669b1d7e2a8ad9e09b9cea5556dd7a8a51668501b25689a00ac0ffa6d2d2ab73ea6bfa15c94cbe477fb61e1fe92adaf69ee04479e7aff172c
SSDEEP: 1536:6CHF3638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtZ9/8R11A:6CHFq3Ln7N041QqhgZ9/9
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation (process: NEAS.d76292ec99b5d78861bab2187c494c80.exe)
Executes dropped EXE (1 IoC)
  PID 3436: tmp9AF.tmp.exe
Uses the VBS compiler for execution (1 TTP)
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" (process: tmp9AF.tmp.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 1328, NEAS.d76292ec99b5d78861bab2187c494c80.exe
  Token: SeDebugPrivilege, PID 3436, tmp9AF.tmp.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  PID 1328 (NEAS.d76292ec99b5d78861bab2187c494c80.exe) wrote to memory of PID 4200, procid_target 91
  PID 1328 (NEAS.d76292ec99b5d78861bab2187c494c80.exe) wrote to memory of PID 4200, procid_target 91
  PID 1328 (NEAS.d76292ec99b5d78861bab2187c494c80.exe) wrote to memory of PID 4200, procid_target 91
  PID 4200 (vbc.exe) wrote to memory of PID 3332, procid_target 93
  PID 4200 (vbc.exe) wrote to memory of PID 3332, procid_target 93
  PID 4200 (vbc.exe) wrote to memory of PID 3332, procid_target 93
  PID 1328 (NEAS.d76292ec99b5d78861bab2187c494c80.exe) wrote to memory of PID 3436, procid_target 96
  PID 1328 (NEAS.d76292ec99b5d78861bab2187c494c80.exe) wrote to memory of PID 3436, procid_target 96
  PID 1328 (NEAS.d76292ec99b5d78861bab2187c494c80.exe) wrote to memory of PID 3436, procid_target 96
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.d76292ec99b5d78861bab2187c494c80.exe (depth 1, PID 1328)
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.d76292ec99b5d78861bab2187c494c80.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 2, PID 4200)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r4bipa2g.cmdline"
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (depth 3, PID 3332)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDC6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD41EF506D6CF4D82925851FB89BDC0.TMP"
  C:\Users\Admin\AppData\Local\Temp\tmp9AF.tmp.exe (depth 2, PID 3436)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp9AF.tmp.exe" C:\Users\Admin\AppData\Local\Temp\NEAS.d76292ec99b5d78861bab2187c494c80.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads