b2c46e11fb0f4072ed5c2cc532b514a561385eac26efebff707eab369f73a357

General

Target

e83e5501e9a9b444fb76debae366d530_NEAS.exe
Size

12KB
MD5

e83e5501e9a9b444fb76debae366d530
SHA1

fbaf45f9ff348727f3c28f402039112ca2985cd1
SHA256

b2c46e11fb0f4072ed5c2cc532b514a561385eac26efebff707eab369f73a357
SHA512

a34c1ae660d5a5b0bb6211b20c0b474ef6d867597d5ccacc25f5ba1071563be8b25e1f3b3aed7e2101d817292d51f32a0d241b3645889cbc8fce63e98bda3884
SSDEEP

384:jL7li/2zBq2DcEBvdfcJKLTp/NK9xaXZC:nxDZQ9cpC

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2340	tmp1C67.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2340	tmp1C67.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2052	e83e5501e9a9b444fb76debae366d530_NEAS.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2052	e83e5501e9a9b444fb76debae366d530_NEAS.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 1676	2052	e83e5501e9a9b444fb76debae366d530_NEAS.exe	28
PID 2052 wrote to memory of 1676	2052	e83e5501e9a9b444fb76debae366d530_NEAS.exe	28
PID 2052 wrote to memory of 1676	2052	e83e5501e9a9b444fb76debae366d530_NEAS.exe	28
PID 2052 wrote to memory of 1676	2052	e83e5501e9a9b444fb76debae366d530_NEAS.exe	28
PID 1676 wrote to memory of 2960	1676	vbc.exe	30
PID 1676 wrote to memory of 2960	1676	vbc.exe	30
PID 1676 wrote to memory of 2960	1676	vbc.exe	30
PID 1676 wrote to memory of 2960	1676	vbc.exe	30
PID 2052 wrote to memory of 2340	2052	e83e5501e9a9b444fb76debae366d530_NEAS.exe	31
PID 2052 wrote to memory of 2340	2052	e83e5501e9a9b444fb76debae366d530_NEAS.exe	31
PID 2052 wrote to memory of 2340	2052	e83e5501e9a9b444fb76debae366d530_NEAS.exe	31
PID 2052 wrote to memory of 2340	2052	e83e5501e9a9b444fb76debae366d530_NEAS.exe	31

C:\Users\Admin\AppData\Local\Temp\e83e5501e9a9b444fb76debae366d530_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\e83e5501e9a9b444fb76debae366d530_NEAS.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ld3znha5\ld3znha5.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1DEC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC137D76578774C228EA1FE647140BCF3.TMP"
    3⤵
    PID:2960
- C:\Users\Admin\AppData\Local\Temp\tmp1C67.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp1C67.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e83e5501e9a9b444fb76debae366d530_NEAS.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
729cf60c67cb2d3922a927067404a2f3

SHA1
7ab8d8235c613987053726f6cfefd8b2e1b5c166

SHA256
b95b09f7ddc7ac0d8dd320f504a9aeca902a09a8c06709c3688c8884ef76bcdc

SHA512
0e8321bbfbcf47cbf053fba33fa8d09067d0c9d91431ca2bc8a5547b50785ccd46972751b9ac32ae5b34ee681c0df775e1907092e83adba354745ca7baf134ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1DEC.tmp

Filesize
1KB

MD5
bf7db3f57e607e9e4fe6600354bbd95e

SHA1
8d91d3e4315054f9bd8b5573262421cfa50e5ee5

SHA256
6c9516801f55ac682efbac0407d3fa4c2b4f43d8656f57815d9a1552844bd5eb

SHA512
2d1bc0611c8dc951345a7c32091116c6946a0d414ff783a0a415af87ef2f73cf9f19423c2c80bff5f19129da8a8cb28a78742aa8d575cb9652f07a7ba2e4d829

Download Submit
C:\Users\Admin\AppData\Local\Temp\ld3znha5\ld3znha5.0.vb

Filesize
2KB

MD5
4e85ed66123d4683004980edcf1166ce

SHA1
9f268e751f5daf3cdfdce7f4ebc8f089b0ba8bbe

SHA256
425c9ffd5d0d07c49b8abc6fb144ec5f6cee7a23ea6e910f6c711de2625a192e

SHA512
3564c5eab1fa4a15f6240f61a2d47733513df8b70d9f37de84ef6d4636bfeefd8e8f5661301668f33b76a235f8407ba9e958306e402acdaf231d11a8326e2b7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ld3znha5\ld3znha5.cmdline

Filesize
273B

MD5
ee5b06bc34f19665b27fbe8bcbfb4dcf

SHA1
090ac4637a3992ad646ecca202f9c66b7a9ae05d

SHA256
39c1e0e5c906ba9a6012feef4dfc38ba6faa6f677980b2a480bc510f3d419233

SHA512
fbef01fb0bfdbb5da6f87ce32d509e82977164dbe57334928b96a8c5d0fb281af7829dff9d090e29f8330677c150cfc42438fce8c48e088e5b30c31eedc08b41

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1C67.tmp.exe

Filesize
12KB

MD5
5469326da67b71f1595f0966ce06b645

SHA1
9c38281e60f88d19d4b5ad589467b617a0b8b811

SHA256
a56408a4904bc444a2fe565643c4e5c149650e2c03bb09c0291caebdf82d6d39

SHA512
4ae1ac2857e3d11400045f266d069084af29b444671a746805d4bf90aaf2f14bc91c0cab3c4495e432b624e29c509b4c5006ca17008fb92f003ba4c9090c79d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC137D76578774C228EA1FE647140BCF3.TMP

Filesize
1KB

MD5
9a0c2c77376b8219cfae2304931c151c

SHA1
83b7c1f6dcaf8c9bfc6ce1b27ff8d6cfba11e514

SHA256
c21c00f66db8ae5a6e82186f9ff1df70630b1b826bd488cfec0b0aa0f21f7f26

SHA512
1a1c7569d8d41fc5eefbd724dbef21ec1375777bbc7d3582714e078b90358bec120de401837b10349177c1230328184dfada022eab19070711369d0b895ee4b8

Download Submit
memory/2052-0-0x000000007459E000-0x000000007459F000-memory.dmp

Filesize
4KB

Download
memory/2052-1-0x00000000011B0000-0x00000000011BA000-memory.dmp

Filesize
40KB

Download
memory/2052-7-0x0000000074590000-0x0000000074C7E000-memory.dmp

Filesize
6.9MB

Download
memory/2052-24-0x0000000074590000-0x0000000074C7E000-memory.dmp

Filesize
6.9MB

Download
memory/2340-23-0x0000000000D60000-0x0000000000D6A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing