36c64a5ffd905b6a98075115618b6ae51e9a221a7ea7d63ee2002ab502ba7ffa

General

Target

NEAS.e4cb082f052b38ce6886f048d84d0e20_JC.exe
Size

97KB
MD5

e4cb082f052b38ce6886f048d84d0e20
SHA1

b2ee91f4df3d9db81137b5a8cc8f0f55e6d80a09
SHA256

36c64a5ffd905b6a98075115618b6ae51e9a221a7ea7d63ee2002ab502ba7ffa
SHA512

fefa67a05daadbc04c9870826b093a6473cecd97b81892c2ea2fbd410303decfa2575d14ab4f910928cf7135391962d4e20379b1b710ebed3d303786733d7fe3
SSDEEP

1536:32GB8tvyj9t4VDU2hryQO7E8uZBVdKv2I+vJXeYZ6:N8puCDFOQO7MZBVd02IWJXeK6

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.e4cb082f052b38ce6886f048d84d0e20_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	NEAS.e4cb082f052b38ce6886f048d84d0e20_JC.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe

Executes dropped EXE 4 IoCs

pid	Process
4876	Dfpgffpm.exe
2600	Daekdooc.exe
3540	Dhocqigp.exe
4504	Dmllipeg.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	NEAS.e4cb082f052b38ce6886f048d84d0e20_JC.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	NEAS.e4cb082f052b38ce6886f048d84d0e20_JC.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	NEAS.e4cb082f052b38ce6886f048d84d0e20_JC.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3132	4504	WerFault.exe	90

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	NEAS.e4cb082f052b38ce6886f048d84d0e20_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.e4cb082f052b38ce6886f048d84d0e20_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.e4cb082f052b38ce6886f048d84d0e20_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	NEAS.e4cb082f052b38ce6886f048d84d0e20_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	NEAS.e4cb082f052b38ce6886f048d84d0e20_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	NEAS.e4cb082f052b38ce6886f048d84d0e20_JC.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4840 wrote to memory of 4876	4840	NEAS.e4cb082f052b38ce6886f048d84d0e20_JC.exe	87
PID 4840 wrote to memory of 4876	4840	NEAS.e4cb082f052b38ce6886f048d84d0e20_JC.exe	87
PID 4840 wrote to memory of 4876	4840	NEAS.e4cb082f052b38ce6886f048d84d0e20_JC.exe	87
PID 4876 wrote to memory of 2600	4876	Dfpgffpm.exe	88
PID 4876 wrote to memory of 2600	4876	Dfpgffpm.exe	88
PID 4876 wrote to memory of 2600	4876	Dfpgffpm.exe	88
PID 2600 wrote to memory of 3540	2600	Daekdooc.exe	89
PID 2600 wrote to memory of 3540	2600	Daekdooc.exe	89
PID 2600 wrote to memory of 3540	2600	Daekdooc.exe	89
PID 3540 wrote to memory of 4504	3540	Dhocqigp.exe	90
PID 3540 wrote to memory of 4504	3540	Dhocqigp.exe	90
PID 3540 wrote to memory of 4504	3540	Dhocqigp.exe	90

C:\Users\Admin\AppData\Local\Temp\NEAS.e4cb082f052b38ce6886f048d84d0e20_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.e4cb082f052b38ce6886f048d84d0e20_JC.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Windows\SysWOW64\Dfpgffpm.exe
  C:\Windows\system32\Dfpgffpm.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4876
- - C:\Windows\SysWOW64\Daekdooc.exe
    C:\Windows\system32\Daekdooc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\SysWOW64\Dhocqigp.exe
      C:\Windows\system32\Dhocqigp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3540
    - - C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        5⤵
        Executes dropped EXE
        
        PID:4504
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 408
        6⤵
        Program crash
        
        PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4504 -ip 4504
1⤵
PID:4484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daekdooc.exe

Filesize
97KB

MD5
3b2d7f7abb5f893ce24cbfb6006b7057

SHA1
e3d2d42e82638987083f2a86a21f1913b07aa970

SHA256
96c25fe9f6c7951426c5b42d449d2e48c81113f2deef6e4a7deb73a8a18cbda7

SHA512
422b618d3aa0bb21825127c09356b3dac7ab33c6abfd63ded8d89ba041dcf1a0875f26f6cedc2cbe0e53a49943e66a1e36397d1625b13932b619b9355700fc26

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
97KB

MD5
3b2d7f7abb5f893ce24cbfb6006b7057

SHA1
e3d2d42e82638987083f2a86a21f1913b07aa970

SHA256
96c25fe9f6c7951426c5b42d449d2e48c81113f2deef6e4a7deb73a8a18cbda7

SHA512
422b618d3aa0bb21825127c09356b3dac7ab33c6abfd63ded8d89ba041dcf1a0875f26f6cedc2cbe0e53a49943e66a1e36397d1625b13932b619b9355700fc26

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
97KB

MD5
8cd5d635b891fb089cb03e7d6eda790f

SHA1
cb0c03202ab0346dde9453cbf1a0ef907e9c17ce

SHA256
442bfd3aa81d9ee5f298db7a74715a7d1d5a1e8eb1dfd326b7fa962592cd8748

SHA512
f27842ab29fd8a4818bd5a7426dcfc20b8b57ca8e2855d0768d43f1b6417b046d9398dfc4dc8988c8c612f8daf4fd9d198aa3ce0ad07d09cc7b00ca10bf4040b

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
97KB

MD5
8cd5d635b891fb089cb03e7d6eda790f

SHA1
cb0c03202ab0346dde9453cbf1a0ef907e9c17ce

SHA256
442bfd3aa81d9ee5f298db7a74715a7d1d5a1e8eb1dfd326b7fa962592cd8748

SHA512
f27842ab29fd8a4818bd5a7426dcfc20b8b57ca8e2855d0768d43f1b6417b046d9398dfc4dc8988c8c612f8daf4fd9d198aa3ce0ad07d09cc7b00ca10bf4040b

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
97KB

MD5
0e44917273b776fb186d1343f5ff6987

SHA1
544618a3e3fa7387f389018c038550f776641571

SHA256
81c2afb17c903e97443a71efc9ae57959759b1411206750f264874b1c7ed7cd2

SHA512
3140645928e94ae3a4c9cccbe8c840cb3784f2406b6e6fed73e58ef4c0d89e5ac55ee3d721ef2222ad6402167c08e6b9310670394410093ad70f18e1819e0fc6

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
97KB

MD5
0e44917273b776fb186d1343f5ff6987

SHA1
544618a3e3fa7387f389018c038550f776641571

SHA256
81c2afb17c903e97443a71efc9ae57959759b1411206750f264874b1c7ed7cd2

SHA512
3140645928e94ae3a4c9cccbe8c840cb3784f2406b6e6fed73e58ef4c0d89e5ac55ee3d721ef2222ad6402167c08e6b9310670394410093ad70f18e1819e0fc6

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
97KB

MD5
abcbff19b20c3b058ea8f0195d1605b3

SHA1
4abb6ff6dccc5a54d9c6b52d3ee3e5b394cd6974

SHA256
96a08a4745bfcb373cf282f669b67a60f916f1c16f3b82efe541838387be46b3

SHA512
4126b355f94c6a6a54dd2c0bbe44950ee8a78b9cc26bb6834daf6a06d2cad536f6818ad1aff780383dffc3589996d974c872fe30c699210e900c11e0d79ef13a

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
97KB

MD5
abcbff19b20c3b058ea8f0195d1605b3

SHA1
4abb6ff6dccc5a54d9c6b52d3ee3e5b394cd6974

SHA256
96a08a4745bfcb373cf282f669b67a60f916f1c16f3b82efe541838387be46b3

SHA512
4126b355f94c6a6a54dd2c0bbe44950ee8a78b9cc26bb6834daf6a06d2cad536f6818ad1aff780383dffc3589996d974c872fe30c699210e900c11e0d79ef13a

Download Submit
memory/2600-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2600-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3540-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3540-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4504-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4504-37-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4840-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4840-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4876-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4876-34-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads