f419c66e18c1a6177cb130a36babaa194c803a29e961bc943a2639095ef0744b

Analysis

max time kernel
156s
max time network
162s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14/10/2023, 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.b63d98724a0b3b2e5796ec36f3751a10.exe
Size

80KB
MD5

b63d98724a0b3b2e5796ec36f3751a10
SHA1

0d7d72976071481d246f417677015b06c81aad76
SHA256

f419c66e18c1a6177cb130a36babaa194c803a29e961bc943a2639095ef0744b
SHA512

dd1e430b1a9e9c1b25e91e44542a1d873622ba415d9507ce9fdb1178bd187d4c669717a59ee599c4a6245a639a71a039910adefa73a820d0f3301087b615d015
SSDEEP

1536:/6P9iAJ9Y2KkbNOKhI1+GO72Lt8wfi+TjRC/6i:iP9iAJ9Y2KkBOKhI1+/YKwf1TjYL

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.b63d98724a0b3b2e5796ec36f3751a10.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	NEAS.b63d98724a0b3b2e5796ec36f3751a10.exe

Executes dropped EXE 1 IoCs

pid	Process
2476	Gmmgobfd.exe

Loads dropped DLL 7 IoCs

pid	Process
2732	NEAS.b63d98724a0b3b2e5796ec36f3751a10.exe
2732	NEAS.b63d98724a0b3b2e5796ec36f3751a10.exe
2504	WerFault.exe
2504	WerFault.exe
2504	WerFault.exe
2504	WerFault.exe
2504	WerFault.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Idlfno32.dll	NEAS.b63d98724a0b3b2e5796ec36f3751a10.exe
File created	C:\Windows\SysWOW64\Gmmgobfd.exe	NEAS.b63d98724a0b3b2e5796ec36f3751a10.exe
File opened for modification	C:\Windows\SysWOW64\Gmmgobfd.exe	NEAS.b63d98724a0b3b2e5796ec36f3751a10.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2504	2476	WerFault.exe	27

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	NEAS.b63d98724a0b3b2e5796ec36f3751a10.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	NEAS.b63d98724a0b3b2e5796ec36f3751a10.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	NEAS.b63d98724a0b3b2e5796ec36f3751a10.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	NEAS.b63d98724a0b3b2e5796ec36f3751a10.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	NEAS.b63d98724a0b3b2e5796ec36f3751a10.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idlfno32.dll"	NEAS.b63d98724a0b3b2e5796ec36f3751a10.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2476	2732	NEAS.b63d98724a0b3b2e5796ec36f3751a10.exe	27
PID 2732 wrote to memory of 2476	2732	NEAS.b63d98724a0b3b2e5796ec36f3751a10.exe	27
PID 2732 wrote to memory of 2476	2732	NEAS.b63d98724a0b3b2e5796ec36f3751a10.exe	27
PID 2732 wrote to memory of 2476	2732	NEAS.b63d98724a0b3b2e5796ec36f3751a10.exe	27
PID 2476 wrote to memory of 2504	2476	Gmmgobfd.exe	28
PID 2476 wrote to memory of 2504	2476	Gmmgobfd.exe	28
PID 2476 wrote to memory of 2504	2476	Gmmgobfd.exe	28
PID 2476 wrote to memory of 2504	2476	Gmmgobfd.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.b63d98724a0b3b2e5796ec36f3751a10.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.b63d98724a0b3b2e5796ec36f3751a10.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\SysWOW64\Gmmgobfd.exe
  C:\Windows\system32\Gmmgobfd.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 140
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gmmgobfd.exe

Filesize
80KB

MD5
864ea9b0d8ab0b64baf347cacd5f12b2

SHA1
960c662622f5a730b05466bf175ef099cf710d5b

SHA256
aafa21d5bb22b99d4328cb92fd3f409c6b8b1e52f30a184e0efa6533513f94cd

SHA512
50c527ea1a90baec8b3faa72c10618961c526e2430bef839cd3d7b89fcf649789eb47b34831b1dda950e906c859f1318e0fc50946c53bcd92c71dbf530677dea

Download Submit
C:\Windows\SysWOW64\Gmmgobfd.exe

Filesize
80KB

MD5
864ea9b0d8ab0b64baf347cacd5f12b2

SHA1
960c662622f5a730b05466bf175ef099cf710d5b

SHA256
aafa21d5bb22b99d4328cb92fd3f409c6b8b1e52f30a184e0efa6533513f94cd

SHA512
50c527ea1a90baec8b3faa72c10618961c526e2430bef839cd3d7b89fcf649789eb47b34831b1dda950e906c859f1318e0fc50946c53bcd92c71dbf530677dea

Download Submit
\Windows\SysWOW64\Gmmgobfd.exe

Filesize
80KB

MD5
864ea9b0d8ab0b64baf347cacd5f12b2

SHA1
960c662622f5a730b05466bf175ef099cf710d5b

SHA256
aafa21d5bb22b99d4328cb92fd3f409c6b8b1e52f30a184e0efa6533513f94cd

SHA512
50c527ea1a90baec8b3faa72c10618961c526e2430bef839cd3d7b89fcf649789eb47b34831b1dda950e906c859f1318e0fc50946c53bcd92c71dbf530677dea

Download Submit
\Windows\SysWOW64\Gmmgobfd.exe

Filesize
80KB

MD5
864ea9b0d8ab0b64baf347cacd5f12b2

SHA1
960c662622f5a730b05466bf175ef099cf710d5b

SHA256
aafa21d5bb22b99d4328cb92fd3f409c6b8b1e52f30a184e0efa6533513f94cd

SHA512
50c527ea1a90baec8b3faa72c10618961c526e2430bef839cd3d7b89fcf649789eb47b34831b1dda950e906c859f1318e0fc50946c53bcd92c71dbf530677dea

Download Submit
\Windows\SysWOW64\Gmmgobfd.exe

Filesize
80KB

MD5
864ea9b0d8ab0b64baf347cacd5f12b2

SHA1
960c662622f5a730b05466bf175ef099cf710d5b

SHA256
aafa21d5bb22b99d4328cb92fd3f409c6b8b1e52f30a184e0efa6533513f94cd

SHA512
50c527ea1a90baec8b3faa72c10618961c526e2430bef839cd3d7b89fcf649789eb47b34831b1dda950e906c859f1318e0fc50946c53bcd92c71dbf530677dea

Download Submit
\Windows\SysWOW64\Gmmgobfd.exe

Filesize
80KB

MD5
864ea9b0d8ab0b64baf347cacd5f12b2

SHA1
960c662622f5a730b05466bf175ef099cf710d5b

SHA256
aafa21d5bb22b99d4328cb92fd3f409c6b8b1e52f30a184e0efa6533513f94cd

SHA512
50c527ea1a90baec8b3faa72c10618961c526e2430bef839cd3d7b89fcf649789eb47b34831b1dda950e906c859f1318e0fc50946c53bcd92c71dbf530677dea

Download Submit
\Windows\SysWOW64\Gmmgobfd.exe

Filesize
80KB

MD5
864ea9b0d8ab0b64baf347cacd5f12b2

SHA1
960c662622f5a730b05466bf175ef099cf710d5b

SHA256
aafa21d5bb22b99d4328cb92fd3f409c6b8b1e52f30a184e0efa6533513f94cd

SHA512
50c527ea1a90baec8b3faa72c10618961c526e2430bef839cd3d7b89fcf649789eb47b34831b1dda950e906c859f1318e0fc50946c53bcd92c71dbf530677dea

Download Submit
\Windows\SysWOW64\Gmmgobfd.exe

Filesize
80KB

MD5
864ea9b0d8ab0b64baf347cacd5f12b2

SHA1
960c662622f5a730b05466bf175ef099cf710d5b

SHA256
aafa21d5bb22b99d4328cb92fd3f409c6b8b1e52f30a184e0efa6533513f94cd

SHA512
50c527ea1a90baec8b3faa72c10618961c526e2430bef839cd3d7b89fcf649789eb47b34831b1dda950e906c859f1318e0fc50946c53bcd92c71dbf530677dea

Download Submit
\Windows\SysWOW64\Gmmgobfd.exe

Filesize
80KB

MD5
864ea9b0d8ab0b64baf347cacd5f12b2

SHA1
960c662622f5a730b05466bf175ef099cf710d5b

SHA256
aafa21d5bb22b99d4328cb92fd3f409c6b8b1e52f30a184e0efa6533513f94cd

SHA512
50c527ea1a90baec8b3faa72c10618961c526e2430bef839cd3d7b89fcf649789eb47b34831b1dda950e906c859f1318e0fc50946c53bcd92c71dbf530677dea

Download Submit
memory/2476-14-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2732-12-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2732-6-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2732-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2732-20-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads