1283c61b174951f3655ec866f4f388c7ac11fd19500eaa112f53e99508e350e9

General

Target

315468cf07fb79ffb6250ce2f8ebc090_NEAS.exe
Size

12KB
MD5

315468cf07fb79ffb6250ce2f8ebc090
SHA1

cad11ed597eb5d61e13c58c1f65ccf8b15e4aff4
SHA256

1283c61b174951f3655ec866f4f388c7ac11fd19500eaa112f53e99508e350e9
SHA512

7d8e9c4b692090f185653854c93306dfb475fa8c19e7c4a57ff504c41ae265d4b94879166d9dc4bac9a5b6ef45e27cc2a253e46a1b4669bc0a4969b8cbb8cbd0
SSDEEP

384:bL7li/2zUq2DcEQvdhcJKLTp/NK9xa9v:PAM/Q9c9v

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	315468cf07fb79ffb6250ce2f8ebc090_NEAS.exe

Deletes itself 1 IoCs

pid	Process
4072	tmp7408.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4072	tmp7408.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1572	315468cf07fb79ffb6250ce2f8ebc090_NEAS.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 1852	1572	315468cf07fb79ffb6250ce2f8ebc090_NEAS.exe	89
PID 1572 wrote to memory of 1852	1572	315468cf07fb79ffb6250ce2f8ebc090_NEAS.exe	89
PID 1572 wrote to memory of 1852	1572	315468cf07fb79ffb6250ce2f8ebc090_NEAS.exe	89
PID 1852 wrote to memory of 3524	1852	vbc.exe	91
PID 1852 wrote to memory of 3524	1852	vbc.exe	91
PID 1852 wrote to memory of 3524	1852	vbc.exe	91
PID 1572 wrote to memory of 4072	1572	315468cf07fb79ffb6250ce2f8ebc090_NEAS.exe	94
PID 1572 wrote to memory of 4072	1572	315468cf07fb79ffb6250ce2f8ebc090_NEAS.exe	94
PID 1572 wrote to memory of 4072	1572	315468cf07fb79ffb6250ce2f8ebc090_NEAS.exe	94

C:\Users\Admin\AppData\Local\Temp\315468cf07fb79ffb6250ce2f8ebc090_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\315468cf07fb79ffb6250ce2f8ebc090_NEAS.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rzyrn05n\rzyrn05n.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES756E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB12886AF119D4F31BA42AE54F1036DF.TMP"
    3⤵
    PID:3524
- C:\Users\Admin\AppData\Local\Temp\tmp7408.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7408.tmp.exe" C:\Users\Admin\AppData\Local\Temp\315468cf07fb79ffb6250ce2f8ebc090_NEAS.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
279dfe372bf97b0f16f26c01b38df0ae

SHA1
3dcb28c0373847b008e52daadbf4fb595605aa32

SHA256
51753483b41ad909290855b0c693da6b5182a46371ba71c757e03b3719254e97

SHA512
08359c1af8e54944a15d225003195b1587211c930bfedcfb080aa4e96fb7f0f4752c21432ae6c37826c68fa67cfeb9d5a47a0627c364d1134ac7b39985d65a90

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES756E.tmp

Filesize
1KB

MD5
38a5948dc0adbdd6812db4c62abe4dac

SHA1
c037197f0c5dac802e44de95c35405696e86e2e1

SHA256
a83d1a398794dc4b9cf4da5be7cb1f9488cba4118d67c6e7c1684f58042a6417

SHA512
350b6070dfad77186a0f4e232e07a1ce82002a7cb9320a09f239ea6f2cdb8d791d4b2f977e87690a4ab5ba07a25b29cc2fc0383ad174b679fce9927f6e204fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rzyrn05n\rzyrn05n.0.vb

Filesize
2KB

MD5
27078adc3da0872741177fc825e6c4e2

SHA1
cc13e2ec1e440b360a1855768e601a71ae7a06d7

SHA256
7002e5e1555d2b3bcca3acbdc976ff445a757699e0d44c2d0f5efb5a9794cf1f

SHA512
7311e926c41ec6c69c3bd13d062b8f5bb8e63052cee9226ba13ffec6cce45928dd3fc6f31fd890b87b63149dae4b731722bcf0f973332ea858a623a9aa1700ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\rzyrn05n\rzyrn05n.cmdline

Filesize
273B

MD5
6426873c74a51cc86d0e71e306b331d5

SHA1
5d501733b6455feaed46836bafa4fafb9e82cf13

SHA256
dbeb2091c9840c936fd23c387ba1235a972a7c315ce526dd909b7881b6364dc1

SHA512
14edf774a8fd02a38c56265fed2e3faad115d182780e0fbc44ea6d73886a8897fb0b47c7c7603702b17a989e9e2e10e92f9346445fb1b810245555c3b2fdd6c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7408.tmp.exe

Filesize
12KB

MD5
f39acb5311667618df30802af9f0dc0f

SHA1
35503b816e760c38a74093763f09e5249c88c9d1

SHA256
9e0c20e2d776927dc18c99e9dde38b1008b990472fe08dc1e803f6880d6ac297

SHA512
6c15ba760fef07251142bfca01a769cf9df9d747975be64afef7d93740f371d7548463ed0c962fa8b3684ba62cbbd0d84b33db5854235cbb0d9d83c22662a2c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB12886AF119D4F31BA42AE54F1036DF.TMP

Filesize
1KB

MD5
a2d18d26ef375b9b25f22e7c3e79a305

SHA1
57d4277da4b6fba86ba90d0d4b678d0b185e7fb4

SHA256
ef29a46d6b9c0a776b685e753057df059870819996b9887037c9d8578f6e4046

SHA512
e84ff817f0d9ae40de4179c93a63a8fe6fb298036b7e3730f489615b5a32a06024f41f34832647a5dcc9db0ad60079f2d7827722108c42ef499664760d4b459e

Download Submit
memory/1572-0-0x000000007536E000-0x000000007536F000-memory.dmp

Filesize
4KB

Download
memory/1572-8-0x0000000075360000-0x0000000075B10000-memory.dmp

Filesize
7.7MB

Download
memory/1572-2-0x00000000055D0000-0x000000000566C000-memory.dmp

Filesize
624KB

Download
memory/1572-1-0x0000000000C20000-0x0000000000C2A000-memory.dmp

Filesize
40KB

Download
memory/1572-24-0x0000000075360000-0x0000000075B10000-memory.dmp

Filesize
7.7MB

Download
memory/4072-25-0x0000000075360000-0x0000000075B10000-memory.dmp

Filesize
7.7MB

Download
memory/4072-26-0x0000000000900000-0x000000000090A000-memory.dmp

Filesize
40KB

Download
memory/4072-27-0x0000000005820000-0x0000000005DC4000-memory.dmp

Filesize
5.6MB

Download
memory/4072-28-0x0000000005270000-0x0000000005302000-memory.dmp

Filesize
584KB

Download
memory/4072-30-0x0000000075360000-0x0000000075B10000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing