33bfdf7cc9a7aeaae48dfd502ce3d7d9a4912b0968a985e9ecafd629a123138c

General

Target

NEAS.d76292ec99b5d78861bab2187c494c80.exe
Size

78KB
MD5

d76292ec99b5d78861bab2187c494c80
SHA1

bc0c1af3ea0e1a80cc6751888f5c2228145fcb0f
SHA256

33bfdf7cc9a7aeaae48dfd502ce3d7d9a4912b0968a985e9ecafd629a123138c
SHA512

c88fc1bf663cb9b669b1d7e2a8ad9e09b9cea5556dd7a8a51668501b25689a00ac0ffa6d2d2ab73ea6bfa15c94cbe477fb61e1fe92adaf69ee04479e7aff172c
SSDEEP

1536:6CHF3638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtZ9/8R11A:6CHFq3Ln7N041QqhgZ9/9

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation	NEAS.d76292ec99b5d78861bab2187c494c80.exe

Executes dropped EXE 1 IoCs

pid	Process
3436	tmp9AF.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp9AF.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1328	NEAS.d76292ec99b5d78861bab2187c494c80.exe
Token: SeDebugPrivilege	3436	tmp9AF.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1328 wrote to memory of 4200	1328	NEAS.d76292ec99b5d78861bab2187c494c80.exe	91
PID 1328 wrote to memory of 4200	1328	NEAS.d76292ec99b5d78861bab2187c494c80.exe	91
PID 1328 wrote to memory of 4200	1328	NEAS.d76292ec99b5d78861bab2187c494c80.exe	91
PID 4200 wrote to memory of 3332	4200	vbc.exe	93
PID 4200 wrote to memory of 3332	4200	vbc.exe	93
PID 4200 wrote to memory of 3332	4200	vbc.exe	93
PID 1328 wrote to memory of 3436	1328	NEAS.d76292ec99b5d78861bab2187c494c80.exe	96
PID 1328 wrote to memory of 3436	1328	NEAS.d76292ec99b5d78861bab2187c494c80.exe	96
PID 1328 wrote to memory of 3436	1328	NEAS.d76292ec99b5d78861bab2187c494c80.exe	96

C:\Users\Admin\AppData\Local\Temp\NEAS.d76292ec99b5d78861bab2187c494c80.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.d76292ec99b5d78861bab2187c494c80.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r4bipa2g.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4200
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDC6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD41EF506D6CF4D82925851FB89BDC0.TMP"
    3⤵
    PID:3332
- C:\Users\Admin\AppData\Local\Temp\tmp9AF.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9AF.tmp.exe" C:\Users\Admin\AppData\Local\Temp\NEAS.d76292ec99b5d78861bab2187c494c80.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:3436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESDC6.tmp

Filesize
1KB

MD5
002a4693e43e28140ce60e41ff8ac694

SHA1
2c2400ffd3532fc3ab79536c527c8d21e22719f2

SHA256
5713491de9f0c00c394c131152f08985087a87b8c4eff4e49ed7cf0e246fa13e

SHA512
d2accd4845ef20883fd3abd3b28586beec4f74b59dfa91cefa9041b2da9df9553473410de644c6182a9606ab34b0910b86dbdfb769b76f54731465cefe50ff6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\r4bipa2g.0.vb

Filesize
15KB

MD5
4d7099cd632075357a287f4b0da236d1

SHA1
89cfe022fe76f638daaadee478b351b872e2baa4

SHA256
eb28ff9d13d245e1aafd4fd943f5e31271bd2a3d027f140907c9d726485983d7

SHA512
cb46ab68650cc5334ad7f339cea7389b5de5bd4db07185258597ce0901011b169e6a96b4dd67cb272b6cb686a9590034ad30a1ed30130ed9bec175e471e2df05

Download Submit
C:\Users\Admin\AppData\Local\Temp\r4bipa2g.cmdline

Filesize
265B

MD5
fa10649a11640b7b71ff80847d58c297

SHA1
29b3e6f0f6686269c566eaf1c1ef7e4298fb3282

SHA256
95836a0e80143b085c7afefe29290015138eea80a40f618230c4dd8171d9ed97

SHA512
53c88d3f86643acb052798f5bd452aad6c4ca5c5acce866993b8a8539f0314c71a46212871bc00ddc63d72b484bf7f1c136e43fa392955301182b98f6eae0f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9AF.tmp.exe

Filesize
78KB

MD5
ccb464fb5564b87d6fe56dace12c9d09

SHA1
e506e7ebf88071c6f214f84c80da72f65a423fff

SHA256
329628400cdf705ec57395db2a094bcc7cdcd65cf993f73218046deab4ad60e5

SHA512
45c883ec6f3d250af25f950aebc3dd8d45dc3ea85c89a12737181541735550838a8e472ed8601923ca298bceaaf785e9da37cd0f219bdc50c8e449bfff90cf62

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9AF.tmp.exe

Filesize
78KB

MD5
ccb464fb5564b87d6fe56dace12c9d09

SHA1
e506e7ebf88071c6f214f84c80da72f65a423fff

SHA256
329628400cdf705ec57395db2a094bcc7cdcd65cf993f73218046deab4ad60e5

SHA512
45c883ec6f3d250af25f950aebc3dd8d45dc3ea85c89a12737181541735550838a8e472ed8601923ca298bceaaf785e9da37cd0f219bdc50c8e449bfff90cf62

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD41EF506D6CF4D82925851FB89BDC0.TMP

Filesize
660B

MD5
513851d871c615d9fba298c29832447a

SHA1
afd15e760d60679a61da1caf7c10b70f7d2da0c7

SHA256
314da1c65278c7738350af8e0c1d40d2bfcb6b41efd9510eab9e5e32d528d0db

SHA512
650d000cf3d1e845599577f8b38117a510f29c98abe7cbc72cb4263e1e7db553d06facc070a9c6e745509437ab31444183d8f8b7b0fd6ae8fbf02d005a172828

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/1328-2-0x0000000000BA0000-0x0000000000BB0000-memory.dmp

Filesize
64KB

Download
memory/1328-4-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download
memory/1328-10-0x0000000000BA0000-0x0000000000BB0000-memory.dmp

Filesize
64KB

Download
memory/1328-0-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download
memory/1328-3-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download
memory/1328-25-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download
memory/1328-1-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download
memory/3436-24-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download
memory/3436-26-0x0000000000E50000-0x0000000000E60000-memory.dmp

Filesize
64KB

Download
memory/3436-27-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download
memory/3436-29-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download
memory/3436-30-0x0000000000E50000-0x0000000000E60000-memory.dmp

Filesize
64KB

Download
memory/3436-31-0x0000000000E50000-0x0000000000E60000-memory.dmp

Filesize
64KB

Download
memory/4200-11-0x00000000023E0000-0x00000000023F0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads