c237b777e95c36d948dc908f4176e0b36d43f5921bf707ee6aa799ebeac30d8c

General

Target

NEAS.a2d8d66b20110ee8e24ca7ce35d848f0.exe
Size

92KB
MD5

a2d8d66b20110ee8e24ca7ce35d848f0
SHA1

bebfcc64e890414b3af1482f44423f0ad8dc706b
SHA256

c237b777e95c36d948dc908f4176e0b36d43f5921bf707ee6aa799ebeac30d8c
SHA512

f50b33db685f2963115ef1646262ae8462edad8a7af5369e1eb7267a6f94ba63fff9cfdfda59c7b4a9149a19006a5f2a869bcf524174f0727765d8390f5b38d1
SSDEEP

1536:hTdbsA6zsp5dCwUKlwI/46xnuoYljXq+66DFUABABOVLefE3:/Z6GCwUKlV/42nuoYlj6+JB8M3

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.a2d8d66b20110ee8e24ca7ce35d848f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	NEAS.a2d8d66b20110ee8e24ca7ce35d848f0.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlfmbibo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlfmbibo.exe

Executes dropped EXE 1 IoCs

pid	Process
2184	Nlfmbibo.exe

Loads dropped DLL 2 IoCs

pid	Process
1224	NEAS.a2d8d66b20110ee8e24ca7ce35d848f0.exe
1224	NEAS.a2d8d66b20110ee8e24ca7ce35d848f0.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nlfmbibo.exe	NEAS.a2d8d66b20110ee8e24ca7ce35d848f0.exe
File opened for modification	C:\Windows\SysWOW64\Nlfmbibo.exe	NEAS.a2d8d66b20110ee8e24ca7ce35d848f0.exe
File created	C:\Windows\SysWOW64\Eemjkkbq.dll	NEAS.a2d8d66b20110ee8e24ca7ce35d848f0.exe
File created	C:\Windows\SysWOW64\Ffaaoh32.exe	Nlfmbibo.exe
File opened for modification	C:\Windows\SysWOW64\Ffaaoh32.exe	Nlfmbibo.exe
File created	C:\Windows\SysWOW64\Fdkehipd.dll	Nlfmbibo.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	NEAS.a2d8d66b20110ee8e24ca7ce35d848f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eemjkkbq.dll"	NEAS.a2d8d66b20110ee8e24ca7ce35d848f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	NEAS.a2d8d66b20110ee8e24ca7ce35d848f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	NEAS.a2d8d66b20110ee8e24ca7ce35d848f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	NEAS.a2d8d66b20110ee8e24ca7ce35d848f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlfmbibo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdkehipd.dll"	Nlfmbibo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlfmbibo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	NEAS.a2d8d66b20110ee8e24ca7ce35d848f0.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 2184	1224	NEAS.a2d8d66b20110ee8e24ca7ce35d848f0.exe	28
PID 1224 wrote to memory of 2184	1224	NEAS.a2d8d66b20110ee8e24ca7ce35d848f0.exe	28
PID 1224 wrote to memory of 2184	1224	NEAS.a2d8d66b20110ee8e24ca7ce35d848f0.exe	28
PID 1224 wrote to memory of 2184	1224	NEAS.a2d8d66b20110ee8e24ca7ce35d848f0.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.a2d8d66b20110ee8e24ca7ce35d848f0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.a2d8d66b20110ee8e24ca7ce35d848f0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Windows\SysWOW64\Nlfmbibo.exe
  C:\Windows\system32\Nlfmbibo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Nlfmbibo.exe

Filesize
92KB

MD5
f4b64ea9ad133989db1700be779db3bb

SHA1
c7e1c5091c600e4bc8b47891a4b56dc08dbee53e

SHA256
73c2b9860fca6179fa37eebb5f47ccf46fa1d5e1afbc18ce2c971e23d504b14d

SHA512
6521c797cc3771ff8d8b17e6fa0f86bc722cff4e78245865f3fc110b9fff9dfe07ceef861eb71a1ec42c188d1a630273996eafc11499f05ec57cd7db8ed1c4d8

Download Submit
C:\Windows\SysWOW64\Nlfmbibo.exe

Filesize
92KB

MD5
f4b64ea9ad133989db1700be779db3bb

SHA1
c7e1c5091c600e4bc8b47891a4b56dc08dbee53e

SHA256
73c2b9860fca6179fa37eebb5f47ccf46fa1d5e1afbc18ce2c971e23d504b14d

SHA512
6521c797cc3771ff8d8b17e6fa0f86bc722cff4e78245865f3fc110b9fff9dfe07ceef861eb71a1ec42c188d1a630273996eafc11499f05ec57cd7db8ed1c4d8

Download Submit
C:\Windows\SysWOW64\Nlfmbibo.exe

Filesize
92KB

MD5
f4b64ea9ad133989db1700be779db3bb

SHA1
c7e1c5091c600e4bc8b47891a4b56dc08dbee53e

SHA256
73c2b9860fca6179fa37eebb5f47ccf46fa1d5e1afbc18ce2c971e23d504b14d

SHA512
6521c797cc3771ff8d8b17e6fa0f86bc722cff4e78245865f3fc110b9fff9dfe07ceef861eb71a1ec42c188d1a630273996eafc11499f05ec57cd7db8ed1c4d8

Download Submit
\Windows\SysWOW64\Nlfmbibo.exe

Filesize
92KB

MD5
f4b64ea9ad133989db1700be779db3bb

SHA1
c7e1c5091c600e4bc8b47891a4b56dc08dbee53e

SHA256
73c2b9860fca6179fa37eebb5f47ccf46fa1d5e1afbc18ce2c971e23d504b14d

SHA512
6521c797cc3771ff8d8b17e6fa0f86bc722cff4e78245865f3fc110b9fff9dfe07ceef861eb71a1ec42c188d1a630273996eafc11499f05ec57cd7db8ed1c4d8

Download Submit
\Windows\SysWOW64\Nlfmbibo.exe

Filesize
92KB

MD5
f4b64ea9ad133989db1700be779db3bb

SHA1
c7e1c5091c600e4bc8b47891a4b56dc08dbee53e

SHA256
73c2b9860fca6179fa37eebb5f47ccf46fa1d5e1afbc18ce2c971e23d504b14d

SHA512
6521c797cc3771ff8d8b17e6fa0f86bc722cff4e78245865f3fc110b9fff9dfe07ceef861eb71a1ec42c188d1a630273996eafc11499f05ec57cd7db8ed1c4d8

Download Submit
memory/1224-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1224-6-0x00000000002C0000-0x0000000000303000-memory.dmp

Filesize
268KB

Download
memory/1224-12-0x00000000002C0000-0x0000000000303000-memory.dmp

Filesize
268KB

Download
memory/2184-19-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads