69f2adfafcb8e0a93ca793ff28df7b49100113ff2d7f92c7a2af4073a8db33ff

General

Target

NEAS.23806a8e7334a1ffd8120fafb989b440.exe
Size

9.4MB
MD5

23806a8e7334a1ffd8120fafb989b440
SHA1

fa2e0fd59d4ec8cf63c9003aa60cbeb729884b86
SHA256

69f2adfafcb8e0a93ca793ff28df7b49100113ff2d7f92c7a2af4073a8db33ff
SHA512

f2f8588ef3af44a5d855f0f6d82c08fae2abe71c565c5009b69a74e77dd5571e1b650152f7281fc1da29a9191220f145f81f1dfbb60d21bf42e6ed1a01bcfdfa
SSDEEP

98304:yI9BsiUtk8XI8XxK8XI8XBUqk8XI8X+Utk8XI8XxJ8XfUqk8XI8X+Utk8XI8XC:yI9hU/h5hRUkhOU/h0vUkhOU/hy

Score

8^/10

persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\k.sys\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\k.sys"	NEAS.23806a8e7334a1ffd8120fafb989b440.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\cuius.sys\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\cuius.sys"	quusaf.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation	quusaf.exe

Executes dropped EXE 1 IoCs

pid	Process
4232	quusaf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
4700	NEAS.23806a8e7334a1ffd8120fafb989b440.exe
4232	quusaf.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4700	NEAS.23806a8e7334a1ffd8120fafb989b440.exe
Token: SeLoadDriverPrivilege	4700	NEAS.23806a8e7334a1ffd8120fafb989b440.exe
Token: SeDebugPrivilege	4232	quusaf.exe
Token: SeLoadDriverPrivilege	4232	quusaf.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4232	quusaf.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4232	quusaf.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4232	quusaf.exe
4232	quusaf.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4700 wrote to memory of 4232	4700	NEAS.23806a8e7334a1ffd8120fafb989b440.exe	87
PID 4700 wrote to memory of 4232	4700	NEAS.23806a8e7334a1ffd8120fafb989b440.exe	87
PID 4700 wrote to memory of 4232	4700	NEAS.23806a8e7334a1ffd8120fafb989b440.exe	87
PID 4232 wrote to memory of 1872	4232	quusaf.exe	91
PID 4232 wrote to memory of 1872	4232	quusaf.exe	91
PID 4232 wrote to memory of 1872	4232	quusaf.exe	91

C:\Users\Admin\AppData\Local\Temp\NEAS.23806a8e7334a1ffd8120fafb989b440.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.23806a8e7334a1ffd8120fafb989b440.exe"
1⤵
- Sets service image path in registry
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4700
- C:\Users\Admin\AppData\Local\Temp\quusaf.exe
  C:\Users\Admin\AppData\Local\Temp\quusaf.exe -run C:\Users\Admin\AppData\Local\Temp\NEAS.23806a8e7334a1ffd8120fafb989b440.exe
  2⤵
  - Sets service image path in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\quusaf.bat" "
    3⤵
    PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\quusaf.bat

Filesize
139B

MD5
b4ebf159bbdfff0e1b30392ff92fd561

SHA1
213b016877c84c92665570b614f2681dd949c010

SHA256
cba0acf50f8df513ac341d258d271357dc49cdcbc6e9a6287c3c2731a4089299

SHA512
c75cacae58da0cb595de761df509bf1fd233d993df7525e004d55213b18ee84d002d0c28c469f55c023e4371483b7dfc6d9a07f7a3d15f03e347313a145638df

Download Submit
C:\Users\Admin\AppData\Local\Temp\quusaf.exe

Filesize
10.0MB

MD5
b25222a9fb19e1bb047dbf15bdcb61dc

SHA1
9cfb5442d57aa2c06f1fe23c354c49c8276f8509

SHA256
3252e7b88b1c2fc6b8840e2afbb0e937725a3e24ac8213e9abcff644cf15ad93

SHA512
bce5f5aa3d4d0d44bc82916009920b1c2c517902d182e04bda63396e6761520eaa04dcded6b25eae56d35ee8825c1fba1e732495c192b74387a78eb06de32c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\quusaf.exe

Filesize
10.0MB

MD5
b25222a9fb19e1bb047dbf15bdcb61dc

SHA1
9cfb5442d57aa2c06f1fe23c354c49c8276f8509

SHA256
3252e7b88b1c2fc6b8840e2afbb0e937725a3e24ac8213e9abcff644cf15ad93

SHA512
bce5f5aa3d4d0d44bc82916009920b1c2c517902d182e04bda63396e6761520eaa04dcded6b25eae56d35ee8825c1fba1e732495c192b74387a78eb06de32c1d

Download Submit
memory/4232-9-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/4232-14-0x0000000000400000-0x0000000000527000-memory.dmp

Filesize
1.2MB

Download
memory/4232-16-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/4700-6-0x0000000000400000-0x0000000000527000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads