4b747f699cdab219152094dd541ebcb6da7e47bbcc8fb33b226b0013d4c7d7f2

Analysis

max time kernel
162s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2023, 14:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be62854618491cb4fe30b2299102bb1b.exe
Size

1.7MB
MD5

be62854618491cb4fe30b2299102bb1b
SHA1

9eefa9228fef11bd0ee3d064f06ab3a91667edcd
SHA256

4b747f699cdab219152094dd541ebcb6da7e47bbcc8fb33b226b0013d4c7d7f2
SHA512

6088d33d9871ee8c1e8d01f18466ca86a21cf89d892dc6f5d07a5dc0eea2dafc570a86352c0b151fd22e471d2f38ccfacca832e40228f2d1f7d3b9e5afb67cb7
SSDEEP

24576:uf1H2XHc6gL75XqyHlXv0L5U+u2C8ZfVLgBdJbREOzdwIgcy9ldmLdGxnPKLnMxp:ufkclLdfKZfByRdsirDc

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	nvneoqg.exe

Executes dropped EXE 4 IoCs

pid	Process
1784	nvneoqg.exe
3796	nvneoqg.exe
4892	nvneoqg.exe
3968	nvneoqg.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	be62854618491cb4fe30b2299102bb1b.exe
File created	C:\Windows\assembly\Desktop.ini	be62854618491cb4fe30b2299102bb1b.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4108 set thread context of 4584	4108	be62854618491cb4fe30b2299102bb1b.exe	93
PID 1784 set thread context of 3968	1784	nvneoqg.exe	96

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	be62854618491cb4fe30b2299102bb1b.exe
File created	C:\Windows\assembly\Desktop.ini	be62854618491cb4fe30b2299102bb1b.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	be62854618491cb4fe30b2299102bb1b.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2398549320-3657759451-817663969-1000\{E4A11CE1-C7A4-4AAA-A6E3-539328DBAACC}	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4584	be62854618491cb4fe30b2299102bb1b.exe
4584	be62854618491cb4fe30b2299102bb1b.exe
1784	nvneoqg.exe
1784	nvneoqg.exe
1784	nvneoqg.exe
1784	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe
3968	nvneoqg.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	1784	nvneoqg.exe
Token: SeDebugPrivilege	3968	nvneoqg.exe
Token: SeDebugPrivilege	3968	nvneoqg.exe
Token: SeShutdownPrivilege	3380	Explorer.EXE
Token: SeCreatePagefilePrivilege	3380	Explorer.EXE
Token: SeDebugPrivilege	3968	nvneoqg.exe
Token: SeShutdownPrivilege	4484	explorer.exe
Token: SeCreatePagefilePrivilege	4484	explorer.exe
Token: SeShutdownPrivilege	4484	explorer.exe
Token: SeCreatePagefilePrivilege	4484	explorer.exe
Token: SeShutdownPrivilege	4484	explorer.exe
Token: SeCreatePagefilePrivilege	4484	explorer.exe
Token: SeShutdownPrivilege	4484	explorer.exe
Token: SeCreatePagefilePrivilege	4484	explorer.exe
Token: SeDebugPrivilege	3968	nvneoqg.exe
Token: SeShutdownPrivilege	4484	explorer.exe
Token: SeCreatePagefilePrivilege	4484	explorer.exe
Token: SeShutdownPrivilege	4484	explorer.exe
Token: SeCreatePagefilePrivilege	4484	explorer.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
4484	explorer.exe
4484	explorer.exe
4484	explorer.exe
4484	explorer.exe
4484	explorer.exe
4484	explorer.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
4484	explorer.exe
4484	explorer.exe
4484	explorer.exe
4484	explorer.exe
4484	explorer.exe
4484	explorer.exe
4484	explorer.exe
4484	explorer.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4108 wrote to memory of 4584	4108	be62854618491cb4fe30b2299102bb1b.exe	93
PID 4108 wrote to memory of 4584	4108	be62854618491cb4fe30b2299102bb1b.exe	93
PID 4108 wrote to memory of 4584	4108	be62854618491cb4fe30b2299102bb1b.exe	93
PID 4108 wrote to memory of 4584	4108	be62854618491cb4fe30b2299102bb1b.exe	93
PID 4108 wrote to memory of 4584	4108	be62854618491cb4fe30b2299102bb1b.exe	93
PID 4108 wrote to memory of 4584	4108	be62854618491cb4fe30b2299102bb1b.exe	93
PID 1784 wrote to memory of 3796	1784	nvneoqg.exe	95
PID 1784 wrote to memory of 3796	1784	nvneoqg.exe	95
PID 1784 wrote to memory of 3796	1784	nvneoqg.exe	95
PID 1784 wrote to memory of 4892	1784	nvneoqg.exe	97
PID 1784 wrote to memory of 4892	1784	nvneoqg.exe	97
PID 1784 wrote to memory of 4892	1784	nvneoqg.exe	97
PID 1784 wrote to memory of 3968	1784	nvneoqg.exe	96
PID 1784 wrote to memory of 3968	1784	nvneoqg.exe	96
PID 1784 wrote to memory of 3968	1784	nvneoqg.exe	96
PID 1784 wrote to memory of 3968	1784	nvneoqg.exe	96
PID 1784 wrote to memory of 3968	1784	nvneoqg.exe	96
PID 1784 wrote to memory of 3968	1784	nvneoqg.exe	96
PID 3968 wrote to memory of 3380	3968	nvneoqg.exe	42
PID 3968 wrote to memory of 2948	3968	nvneoqg.exe
PID 3968 wrote to memory of 4484	3968	nvneoqg.exe	108
PID 3968 wrote to memory of 4244	3968	nvneoqg.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3380
- C:\Users\Admin\AppData\Local\Temp\be62854618491cb4fe30b2299102bb1b.exe
  "C:\Users\Admin\AppData\Local\Temp\be62854618491cb4fe30b2299102bb1b.exe"
  2⤵
  - Drops desktop.ini file(s)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4108
- - C:\Users\Admin\AppData\Local\Temp\be62854618491cb4fe30b2299102bb1b.exe
    "C:\Users\Admin\AppData\Local\Temp\be62854618491cb4fe30b2299102bb1b.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4584

C:\Users\Admin\AppData\Local\Temp\nvneoqg.exe
C:\Users\Admin\AppData\Local\Temp\nvneoqg.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Users\Admin\AppData\Local\Temp\nvneoqg.exe
  "C:\Users\Admin\AppData\Local\Temp\nvneoqg.exe"
  2⤵
  - Executes dropped EXE
  PID:3796
- C:\Users\Admin\AppData\Local\Temp\nvneoqg.exe
  "C:\Users\Admin\AppData\Local\Temp\nvneoqg.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3968
- C:\Users\Admin\AppData\Local\Temp\nvneoqg.exe
  "C:\Users\Admin\AppData\Local\Temp\nvneoqg.exe"
  2⤵
  - Executes dropped EXE
  PID:4892

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Caches\{B4B53900-6E49-4AFF-BE92-5EAFC79984B2}.2.ver0x0000000000000001.db.dercozg

Filesize
1KB

MD5
a2d63af2bf310ce63f6d422d650f3b6b

SHA1
76afaf6038639588745342e0090966fe13478ea1

SHA256
72858ef9838cfb65df0057763e04b24a962b19853d4c6918708aee511b300c99

SHA512
9f30426d133f6456ee83e2676b18a55c580d0c934535535eda6f1b3e182c5c7b02e242f1344e19dd4b2790f6b8b0fb9fc854faa50918a731fb6e26ab349f34ea

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.dercozg

Filesize
622KB

MD5
4aea907f85fcd40a60a2886fbae0aab0

SHA1
a2a9cb08e067c4e68a32738ef25738a3922bde82

SHA256
77d7c41f1ff1ac0e261cc28e01a07bc8186cb36e348d99bdda011884e133b212

SHA512
54fe90ed98542145030f72663abaa3e10e46b4c722b92baa51576cdce6c19a26449b4079b5a45f2b3aea78e994a6a33c17d0ad5a6408bb08fb69780ab860354f

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\efxilme

Filesize
654B

MD5
0c66cf4a69b9bac0d0b25c109ee2c176

SHA1
3c35971ca898736453107688f0a1b6e2dafa278c

SHA256
1c9a418ec0a4ac0788ddeb2ffb10f3455c73b61c46beac452e701d8a2d4fbd56

SHA512
a9e0387ae72115e0639781838df1f927a4daa02fc51d8cb628e7b3ead3b0f0887ff6919b10e864632507f8b6c0388e53219bad735b20e3e6e649a810788466a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nvneoqg.exe

Filesize
624KB

MD5
6d09aa2907d7d1cc8a6b613a3e02d381

SHA1
ee05e49b45769edd964a83c986931ad7b6091e07

SHA256
6c069c62f575079e093162076563681e3132b1541149b3592a9492d59296df51

SHA512
32463f8d21ff6bfe860bb423d5c37d5d66cccd9a54419b074bd302e9136ee9f353652bb7f946972e1aebb2faea76a376604f240d30f7d7743c3941822f712983

Download Submit
C:\Users\Admin\AppData\Local\Temp\nvneoqg.exe

Filesize
274KB

MD5
e3b91c0cb13791fb3c00a47f96e74f66

SHA1
0052fec315620048b436920e3a06246a9fbe05b9

SHA256
deb6a0854b978f06666eaf255a1e9335a4502d7ea1f531e920c4fed121214c02

SHA512
ee34f614c3da4c135525a63e30a38538125d761b7dd5242a9f095ac67c8eab500e91de78c4c040a935940af83b440665fb9a4cd036edf32ccb9e4f2a12e0d41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nvneoqg.exe

Filesize
578KB

MD5
57109e9ca2f78c9337492ed01e6f7652

SHA1
17438f40e715359e4d166d4cf32a0372fbc20469

SHA256
fe9da9acf88ee340eb6ed01543d8aaf18e877dda43fee7cd9cd1a83d99960d10

SHA512
0bb600ed0122cb62e80839cdf9d4fd962088b7ad2adefdea2bd3740663def8b466d063e09cd0bffa4e60374fc72ba7807f1aaad07a83d4193522d56ee7ed010f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nvneoqg.exe

Filesize
480KB

MD5
0c078e6de3199f4fdab50e9f356801fc

SHA1
14ab198d6c205078702461251a1d1c86a995a261

SHA256
26341cf8ee6e25ad7dc18f533eb3a8bfc93ff70d035846cb660a40697765b96d

SHA512
82915c27ce8f9f9f626d2270789dcea0eafe0366c5272cd1866a4f54c61e1ab34956e018119c1aa44ed0e3be6a2fb006a49d0cbde042e90e760b0d2de7be8c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\nvneoqg.exe

Filesize
474KB

MD5
3e9fb6cf6e468b9040954e4c5fcf63c7

SHA1
160ea3188824253c3b45ab0937244be5a26fc7aa

SHA256
85bb03f4f67127727a5092aba12ab68637af5a4d83ceedcc2f31442a3440e884

SHA512
574f092706b13b22dfe7092040e01a9781779cbdf084c004d2ded3e76e31fac474c77e3e23dd476666392e9d5171aa3d7f3c2d3f8510d2f6c21ea59cce7d65f3

Download Submit
memory/1784-770-0x0000000074E10000-0x00000000753C1000-memory.dmp

Filesize
5.7MB

Download
memory/1784-771-0x0000000001650000-0x0000000001660000-memory.dmp

Filesize
64KB

Download
memory/1784-13-0x0000000074E10000-0x00000000753C1000-memory.dmp

Filesize
5.7MB

Download
memory/1784-15-0x0000000074E10000-0x00000000753C1000-memory.dmp

Filesize
5.7MB

Download
memory/1784-16-0x0000000001650000-0x0000000001660000-memory.dmp

Filesize
64KB

Download
memory/1784-14-0x0000000001650000-0x0000000001660000-memory.dmp

Filesize
64KB

Download
memory/1784-772-0x0000000001650000-0x0000000001660000-memory.dmp

Filesize
64KB

Download
memory/3380-3462-0x0000000002F00000-0x0000000002F01000-memory.dmp

Filesize
4KB

Download
memory/3380-650-0x0000000001290000-0x00000000012F5000-memory.dmp

Filesize
404KB

Download
memory/3380-31-0x0000000001290000-0x00000000012F5000-memory.dmp

Filesize
404KB

Download
memory/3380-35-0x0000000001290000-0x00000000012F5000-memory.dmp

Filesize
404KB

Download
memory/3380-33-0x0000000001290000-0x00000000012F5000-memory.dmp

Filesize
404KB

Download
memory/3380-3463-0x0000000001290000-0x00000000012F5000-memory.dmp

Filesize
404KB

Download
memory/3380-28-0x0000000001290000-0x00000000012F5000-memory.dmp

Filesize
404KB

Download
memory/3380-37-0x0000000001290000-0x00000000012F5000-memory.dmp

Filesize
404KB

Download
memory/3968-27-0x0000000001910000-0x0000000001B90000-memory.dmp

Filesize
2.5MB

Download
memory/3968-24-0x0000000001910000-0x0000000001B90000-memory.dmp

Filesize
2.5MB

Download
memory/4108-769-0x0000000001EB0000-0x0000000001EC0000-memory.dmp

Filesize
64KB

Download
memory/4108-129-0x0000000074E10000-0x00000000753C1000-memory.dmp

Filesize
5.7MB

Download
memory/4108-0-0x0000000074E10000-0x00000000753C1000-memory.dmp

Filesize
5.7MB

Download
memory/4108-1-0x0000000074E10000-0x00000000753C1000-memory.dmp

Filesize
5.7MB

Download
memory/4108-2-0x0000000001EB0000-0x0000000001EC0000-memory.dmp

Filesize
64KB

Download
memory/4484-3467-0x00000000020C0000-0x0000000002125000-memory.dmp

Filesize
404KB

Download
memory/4484-3469-0x00000000020C0000-0x0000000002125000-memory.dmp

Filesize
404KB

Download
memory/4484-3473-0x00000000020C0000-0x0000000002125000-memory.dmp

Filesize
404KB

Download
memory/4484-3475-0x00000000020C0000-0x0000000002125000-memory.dmp

Filesize
404KB

Download
memory/4584-7-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4584-5-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4584-9-0x00000000016B0000-0x0000000001930000-memory.dmp

Filesize
2.5MB

Download
memory/4584-8-0x0000000001460000-0x00000000016AF000-memory.dmp

Filesize
2.3MB

Download