b2944e8b2f4846d14ed176f47d347834b5088bfc13eefb7fecb39453c0b85f42

General

Target

NEAS.d8e037ddea1a65078b360812e7967686_JC.exe
Size

275KB
MD5

d8e037ddea1a65078b360812e7967686
SHA1

511f301e7906f0898b4c7611d1ba84c04df845a5
SHA256

b2944e8b2f4846d14ed176f47d347834b5088bfc13eefb7fecb39453c0b85f42
SHA512

f199994e19e590d670126d92bc231e176c6e0690bb669761cd26f028fc1e79ba86560d79a1dab4cc59091a892f3b3ca5c08811e18b4229f83550055312e88787
SSDEEP

6144:6NDhthvYISLGS+sz/QoooooooooooooooooUvu:Qx0ssz/0vu

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kblpcndd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kblpcndd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ledoegkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ledoegkm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.d8e037ddea1a65078b360812e7967686_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	NEAS.d8e037ddea1a65078b360812e7967686_JC.exe

Executes dropped EXE 3 IoCs

pid	Process
1572	Kblpcndd.exe
1256	Ledoegkm.exe
532	Ldikgdpe.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lamgof32.dll	NEAS.d8e037ddea1a65078b360812e7967686_JC.exe
File created	C:\Windows\SysWOW64\Hopaik32.dll	Kblpcndd.exe
File created	C:\Windows\SysWOW64\Ldikgdpe.exe	Ledoegkm.exe
File created	C:\Windows\SysWOW64\Bekdaogi.dll	Ledoegkm.exe
File created	C:\Windows\SysWOW64\Kblpcndd.exe	NEAS.d8e037ddea1a65078b360812e7967686_JC.exe
File opened for modification	C:\Windows\SysWOW64\Kblpcndd.exe	NEAS.d8e037ddea1a65078b360812e7967686_JC.exe
File created	C:\Windows\SysWOW64\Ledoegkm.exe	Kblpcndd.exe
File opened for modification	C:\Windows\SysWOW64\Ledoegkm.exe	Kblpcndd.exe
File opened for modification	C:\Windows\SysWOW64\Ldikgdpe.exe	Ledoegkm.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1632	532	WerFault.exe	85
1316	532	WerFault.exe	85

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	NEAS.d8e037ddea1a65078b360812e7967686_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.d8e037ddea1a65078b360812e7967686_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamgof32.dll"	NEAS.d8e037ddea1a65078b360812e7967686_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	NEAS.d8e037ddea1a65078b360812e7967686_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kblpcndd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.d8e037ddea1a65078b360812e7967686_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	NEAS.d8e037ddea1a65078b360812e7967686_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kblpcndd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hopaik32.dll"	Kblpcndd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ledoegkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekdaogi.dll"	Ledoegkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ledoegkm.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4728 wrote to memory of 1572	4728	NEAS.d8e037ddea1a65078b360812e7967686_JC.exe	83
PID 4728 wrote to memory of 1572	4728	NEAS.d8e037ddea1a65078b360812e7967686_JC.exe	83
PID 4728 wrote to memory of 1572	4728	NEAS.d8e037ddea1a65078b360812e7967686_JC.exe	83
PID 1572 wrote to memory of 1256	1572	Kblpcndd.exe	84
PID 1572 wrote to memory of 1256	1572	Kblpcndd.exe	84
PID 1572 wrote to memory of 1256	1572	Kblpcndd.exe	84
PID 1256 wrote to memory of 532	1256	Ledoegkm.exe	85
PID 1256 wrote to memory of 532	1256	Ledoegkm.exe	85
PID 1256 wrote to memory of 532	1256	Ledoegkm.exe	85
PID 532 wrote to memory of 1632	532	Ldikgdpe.exe	90
PID 532 wrote to memory of 1632	532	Ldikgdpe.exe	90
PID 532 wrote to memory of 1632	532	Ldikgdpe.exe	90

C:\Users\Admin\AppData\Local\Temp\NEAS.d8e037ddea1a65078b360812e7967686_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.d8e037ddea1a65078b360812e7967686_JC.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4728
- C:\Windows\SysWOW64\Kblpcndd.exe
  C:\Windows\system32\Kblpcndd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Windows\SysWOW64\Ledoegkm.exe
    C:\Windows\system32\Ledoegkm.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1256
  - - C:\Windows\SysWOW64\Ldikgdpe.exe
      C:\Windows\system32\Ldikgdpe.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:532
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 532 -s 392
        5⤵
        Program crash
        
        PID:1632
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 532 -s 392
        5⤵
        Program crash
        
        PID:1316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 532 -ip 532
1⤵
PID:264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kblpcndd.exe

Filesize
275KB

MD5
157b4c570a0370f80f1035db8d1644e5

SHA1
90972367b0767cec435b91c7d274aca40c6094f0

SHA256
b6bf6ae244a760e7b46129950793b731c1bd32111a4a8918a9f96d28b9ec2652

SHA512
8e654738c373613c6518aa7a8ec2840ea6ed85978ff0506f1f67ee0aee76da7f986d04b68f5240cbc96a03949ec0b14e918931edf717bbc36813dc5d3fd44e49

Download Submit
C:\Windows\SysWOW64\Kblpcndd.exe

Filesize
275KB

MD5
157b4c570a0370f80f1035db8d1644e5

SHA1
90972367b0767cec435b91c7d274aca40c6094f0

SHA256
b6bf6ae244a760e7b46129950793b731c1bd32111a4a8918a9f96d28b9ec2652

SHA512
8e654738c373613c6518aa7a8ec2840ea6ed85978ff0506f1f67ee0aee76da7f986d04b68f5240cbc96a03949ec0b14e918931edf717bbc36813dc5d3fd44e49

Download Submit
C:\Windows\SysWOW64\Ldikgdpe.exe

Filesize
275KB

MD5
9bed2f6bb80eace151d7e6ae0ae53c9c

SHA1
b7d3bc805b2157f439bdce8678bf7a07eb09d02a

SHA256
3fbdaf26fe85fe2f63ef6bca84a0ec6040f458e654750c1118536a7fb97dc113

SHA512
45fa5af5c9e455ea00a876f2ad963d29974d4b66dbd120298bcebd1a54528c9a139f6adb9a6ce1d0329a7a186aca75b1bc5c9c21e3b9ff7a44eb0cfd80a824dc

Download Submit
C:\Windows\SysWOW64\Ldikgdpe.exe

Filesize
275KB

MD5
9bed2f6bb80eace151d7e6ae0ae53c9c

SHA1
b7d3bc805b2157f439bdce8678bf7a07eb09d02a

SHA256
3fbdaf26fe85fe2f63ef6bca84a0ec6040f458e654750c1118536a7fb97dc113

SHA512
45fa5af5c9e455ea00a876f2ad963d29974d4b66dbd120298bcebd1a54528c9a139f6adb9a6ce1d0329a7a186aca75b1bc5c9c21e3b9ff7a44eb0cfd80a824dc

Download Submit
C:\Windows\SysWOW64\Ledoegkm.exe

Filesize
275KB

MD5
42e185f28be5ef3e384672432166c12e

SHA1
8a490b4a49b7198d4d833ee988f4d3dd6a32ae19

SHA256
b1ae88381fdf9b529565204707d3e25235c7c6acfc4bb16c1e84291a921e3f40

SHA512
3caf57d807de758363af7ae161863729c9b65a7a58dac1f7482911b6a1f4edff89ab1ccf8ea91c0a275a645443f90dd6445230f33825c62fa2851facc90bcc3c

Download Submit
C:\Windows\SysWOW64\Ledoegkm.exe

Filesize
275KB

MD5
42e185f28be5ef3e384672432166c12e

SHA1
8a490b4a49b7198d4d833ee988f4d3dd6a32ae19

SHA256
b1ae88381fdf9b529565204707d3e25235c7c6acfc4bb16c1e84291a921e3f40

SHA512
3caf57d807de758363af7ae161863729c9b65a7a58dac1f7482911b6a1f4edff89ab1ccf8ea91c0a275a645443f90dd6445230f33825c62fa2851facc90bcc3c

Download Submit
memory/532-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/532-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1256-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1256-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1572-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1572-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4728-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4728-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4728-26-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads