b471e7ce97113007617763a33db2373103a929dd78b6c5e9ea0ca6ff99365995

General

Target

3ac16f92621f818815ad14b15e2cffd0_NEAS.exe
Size

12KB
MD5

3ac16f92621f818815ad14b15e2cffd0
SHA1

530e6e6d087ba618f85b4a10d34f971546dae60a
SHA256

b471e7ce97113007617763a33db2373103a929dd78b6c5e9ea0ca6ff99365995
SHA512

42324105b22c801e46745b4276897be6c3c8421f952d8ce13dfd4fa7eabd60a7acb48ce8df137121a5d979cab1ac95f603417e5dc0625ade90857cab3f4d6493
SSDEEP

384:2L7li/2zdq2DcEQvdhcJKLTp/NK9xabia:w9M/Q9cOa

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	3ac16f92621f818815ad14b15e2cffd0_NEAS.exe

Deletes itself 1 IoCs

pid	Process
2956	tmp4893.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2956	tmp4893.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3120	3ac16f92621f818815ad14b15e2cffd0_NEAS.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3120 wrote to memory of 3788	3120	3ac16f92621f818815ad14b15e2cffd0_NEAS.exe	89
PID 3120 wrote to memory of 3788	3120	3ac16f92621f818815ad14b15e2cffd0_NEAS.exe	89
PID 3120 wrote to memory of 3788	3120	3ac16f92621f818815ad14b15e2cffd0_NEAS.exe	89
PID 3788 wrote to memory of 396	3788	vbc.exe	91
PID 3788 wrote to memory of 396	3788	vbc.exe	91
PID 3788 wrote to memory of 396	3788	vbc.exe	91
PID 3120 wrote to memory of 2956	3120	3ac16f92621f818815ad14b15e2cffd0_NEAS.exe	93
PID 3120 wrote to memory of 2956	3120	3ac16f92621f818815ad14b15e2cffd0_NEAS.exe	93
PID 3120 wrote to memory of 2956	3120	3ac16f92621f818815ad14b15e2cffd0_NEAS.exe	93

C:\Users\Admin\AppData\Local\Temp\3ac16f92621f818815ad14b15e2cffd0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\3ac16f92621f818815ad14b15e2cffd0_NEAS.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3120
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xx51mxro\xx51mxro.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3788
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4A76.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE92410862EB446697CBFDBA7A61AF38.TMP"
    3⤵
    PID:396
- C:\Users\Admin\AppData\Local\Temp\tmp4893.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4893.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3ac16f92621f818815ad14b15e2cffd0_NEAS.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
b1a6baa2ab93f6182489c587ad5b85f7

SHA1
899fbe461073fdb623d45617725f20634646e766

SHA256
f905f03a51f2a4a8946f75f43dbae8d2035a28a18ba57bc029218f98e8d59edb

SHA512
1cc94bfb08959566aae168c1334beb2062b282c8418690569f3044e49b57901f27e2b0d2e4b9dc8162a04dd10dba32ae5c22a8268101345810c07cf833791829

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4A76.tmp

Filesize
1KB

MD5
e957110bf6957a2fdcc2808acf8664d9

SHA1
dcc20de02eb215652869b64810153d85afce8e62

SHA256
8a29eb3fbda7638d296f0105defa03a075da1373ce6cc33bcd43fd4f7808389c

SHA512
2443aaa568226d83c28e2db2cb6009c7435d9cd2c71d8ab70b6631f49c9f5c0e51db65663d67b4c2e6a70cbde2898707aa735ca16b2cc3482f3cd55b38935bac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4893.tmp.exe

Filesize
12KB

MD5
0b65ccf18d5a96df13545e68a26a363e

SHA1
bf067e4ff9fbcad6561b791ca4b7503337fbd595

SHA256
c11eed988dbef4fd056711da0094dded67ed0b4c7e12a04b9d2e3d246e4815a4

SHA512
442a5acff24bfb96570dd60a0e6ceb8936aedffb4555c1a0cb1ec21df21e629bdff59fbfa97bc0b5af7b2a8d2d9e359dd0fff8e520400c2c40a0417dfb878951

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE92410862EB446697CBFDBA7A61AF38.TMP

Filesize
1KB

MD5
0218e3d1ee11fd1240521ac00b210215

SHA1
35b993175cc870406062a22ede72908b83021c95

SHA256
3137eb01112c8f4dfb6dd32f4d5b1dc9aaec6b7c3c96de6e916ca28e78e265ca

SHA512
8bbd3941599020101c7990595a0c5d616d539837ff81a4bc177392343d6aea285c38cb9ad953d9de359803d3879a33dd4530dda950788317bcc5838a1ea93b61

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx51mxro\xx51mxro.0.vb

Filesize
2KB

MD5
9731b8d9e752d194f5353523287b36b5

SHA1
3a9615b7fe365d58acb7204726ec2255b1e57468

SHA256
9a70250c47675fc82ae38935e2b29932234e9ea3caf524d9917db7866587e6e8

SHA512
ff877b29d2dbffeea070fc40f6abc2946a8ca049d26d31b6c020aa48bc2c9477a918d56effce3be1920d664b6a1054e55784b4d56f462f5cafd6c4d9ff17b75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx51mxro\xx51mxro.cmdline

Filesize
273B

MD5
9003901f8dce2d1ec952d885a2b3ee4d

SHA1
bc560330e69e8e2344d35a8c6a185675460f3756

SHA256
f7024904fc198afeda545876124b941168393f58014ff516dd4553ac0d6a8ebb

SHA512
ecb02ff0d6f64b9aa225a6f8c6ddb70a8a6f842dc21b1890e63ffe51f0f3466b524adc06fcb6439ac5aa3e6f9dcee9d57d295c4afd7c190a5356ad6387f7af22

Download Submit
memory/2956-25-0x0000000074700000-0x0000000074EB0000-memory.dmp

Filesize
7.7MB

Download
memory/2956-26-0x0000000000D20000-0x0000000000D2A000-memory.dmp

Filesize
40KB

Download
memory/2956-27-0x0000000005C40000-0x00000000061E4000-memory.dmp

Filesize
5.6MB

Download
memory/2956-28-0x0000000005690000-0x0000000005722000-memory.dmp

Filesize
584KB

Download
memory/2956-30-0x0000000074700000-0x0000000074EB0000-memory.dmp

Filesize
7.7MB

Download
memory/3120-0-0x000000007470E000-0x000000007470F000-memory.dmp

Filesize
4KB

Download
memory/3120-8-0x0000000074700000-0x0000000074EB0000-memory.dmp

Filesize
7.7MB

Download
memory/3120-2-0x0000000005600000-0x000000000569C000-memory.dmp

Filesize
624KB

Download
memory/3120-1-0x0000000000BC0000-0x0000000000BCA000-memory.dmp

Filesize
40KB

Download
memory/3120-24-0x0000000074700000-0x0000000074EB0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing