46275e49d9b75a9b62310855c4dd98b559ed57c60e5fcccdb0fd3144d6253577

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
23/10/2023, 21:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.f0306c82f45798e6ac34154b5071c990_JC.exe
Size

98KB
MD5

f0306c82f45798e6ac34154b5071c990
SHA1

b69094627b45247174f3c34a1a20bd76e5ef610e
SHA256

46275e49d9b75a9b62310855c4dd98b559ed57c60e5fcccdb0fd3144d6253577
SHA512

50321b92e700dc163c19ef68c64d9c03ff507cb17ef125a5ed176431a30d924e0aad50f3698b6ba4000d540db16528c8646dca4173a72c6438ee60446384f3bd
SSDEEP

3072:tA6unD6p9q+4dB1RPfZmE/eFKPD375lHzpa1P:4uwdRPwE/eYr75lHzpaF

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.f0306c82f45798e6ac34154b5071c990_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	NEAS.f0306c82f45798e6ac34154b5071c990_JC.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlcnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlcnda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncpcfkbg.exe

Executes dropped EXE 3 IoCs

pid	Process
840	Nlcnda32.exe
2704	Ncpcfkbg.exe
2632	Nlhgoqhh.exe

Loads dropped DLL 10 IoCs

pid	Process
2028	NEAS.f0306c82f45798e6ac34154b5071c990_JC.exe
2028	NEAS.f0306c82f45798e6ac34154b5071c990_JC.exe
840	Nlcnda32.exe
840	Nlcnda32.exe
2704	Ncpcfkbg.exe
2704	Ncpcfkbg.exe
2616	WerFault.exe
2616	WerFault.exe
2616	WerFault.exe
2616	WerFault.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lamajm32.dll	Ncpcfkbg.exe
File created	C:\Windows\SysWOW64\Nlcnda32.exe	NEAS.f0306c82f45798e6ac34154b5071c990_JC.exe
File created	C:\Windows\SysWOW64\Ogjgkqaa.dll	NEAS.f0306c82f45798e6ac34154b5071c990_JC.exe
File opened for modification	C:\Windows\SysWOW64\Ncpcfkbg.exe	Nlcnda32.exe
File created	C:\Windows\SysWOW64\Pfdmil32.dll	Nlcnda32.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Ncpcfkbg.exe
File opened for modification	C:\Windows\SysWOW64\Nlcnda32.exe	NEAS.f0306c82f45798e6ac34154b5071c990_JC.exe
File created	C:\Windows\SysWOW64\Ncpcfkbg.exe	Nlcnda32.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Ncpcfkbg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2616	2632	WerFault.exe	30

Modifies registry class 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	NEAS.f0306c82f45798e6ac34154b5071c990_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfdmil32.dll"	Nlcnda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncpcfkbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	NEAS.f0306c82f45798e6ac34154b5071c990_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	NEAS.f0306c82f45798e6ac34154b5071c990_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	NEAS.f0306c82f45798e6ac34154b5071c990_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nlcnda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	NEAS.f0306c82f45798e6ac34154b5071c990_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjgkqaa.dll"	NEAS.f0306c82f45798e6ac34154b5071c990_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nlcnda32.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 840	2028	NEAS.f0306c82f45798e6ac34154b5071c990_JC.exe	28
PID 2028 wrote to memory of 840	2028	NEAS.f0306c82f45798e6ac34154b5071c990_JC.exe	28
PID 2028 wrote to memory of 840	2028	NEAS.f0306c82f45798e6ac34154b5071c990_JC.exe	28
PID 2028 wrote to memory of 840	2028	NEAS.f0306c82f45798e6ac34154b5071c990_JC.exe	28
PID 840 wrote to memory of 2704	840	Nlcnda32.exe	29
PID 840 wrote to memory of 2704	840	Nlcnda32.exe	29
PID 840 wrote to memory of 2704	840	Nlcnda32.exe	29
PID 840 wrote to memory of 2704	840	Nlcnda32.exe	29
PID 2704 wrote to memory of 2632	2704	Ncpcfkbg.exe	30
PID 2704 wrote to memory of 2632	2704	Ncpcfkbg.exe	30
PID 2704 wrote to memory of 2632	2704	Ncpcfkbg.exe	30
PID 2704 wrote to memory of 2632	2704	Ncpcfkbg.exe	30
PID 2632 wrote to memory of 2616	2632	Nlhgoqhh.exe	31
PID 2632 wrote to memory of 2616	2632	Nlhgoqhh.exe	31
PID 2632 wrote to memory of 2616	2632	Nlhgoqhh.exe	31
PID 2632 wrote to memory of 2616	2632	Nlhgoqhh.exe	31

C:\Users\Admin\AppData\Local\Temp\NEAS.f0306c82f45798e6ac34154b5071c990_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.f0306c82f45798e6ac34154b5071c990_JC.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\SysWOW64\Nlcnda32.exe
  C:\Windows\system32\Nlcnda32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Windows\SysWOW64\Ncpcfkbg.exe
    C:\Windows\system32\Ncpcfkbg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\SysWOW64\Nlhgoqhh.exe
      C:\Windows\system32\Nlhgoqhh.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 140
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ncpcfkbg.exe

Filesize
98KB

MD5
d88ba2fa45a446b86c063a710e6fa6e2

SHA1
53ade38b45eaf8293049d480d2de5816af79281f

SHA256
7f2e2208121d4bc6304fa3105b9105b493b555541db330d5f60e857ddcb8691f

SHA512
55b0c77b49504cbc6005fffeb4b15d5ac076b8812522b0f39b49fe1b79b758de59dd48166fcaf7c3696a341b9fefede3f536465547a23a36fc7d960eab09b32c

Download Submit
C:\Windows\SysWOW64\Ncpcfkbg.exe

Filesize
98KB

MD5
d88ba2fa45a446b86c063a710e6fa6e2

SHA1
53ade38b45eaf8293049d480d2de5816af79281f

SHA256
7f2e2208121d4bc6304fa3105b9105b493b555541db330d5f60e857ddcb8691f

SHA512
55b0c77b49504cbc6005fffeb4b15d5ac076b8812522b0f39b49fe1b79b758de59dd48166fcaf7c3696a341b9fefede3f536465547a23a36fc7d960eab09b32c

Download Submit
C:\Windows\SysWOW64\Ncpcfkbg.exe

Filesize
98KB

MD5
d88ba2fa45a446b86c063a710e6fa6e2

SHA1
53ade38b45eaf8293049d480d2de5816af79281f

SHA256
7f2e2208121d4bc6304fa3105b9105b493b555541db330d5f60e857ddcb8691f

SHA512
55b0c77b49504cbc6005fffeb4b15d5ac076b8812522b0f39b49fe1b79b758de59dd48166fcaf7c3696a341b9fefede3f536465547a23a36fc7d960eab09b32c

Download Submit
C:\Windows\SysWOW64\Nlcnda32.exe

Filesize
98KB

MD5
a261502aa5e7a48e4b9b00f3c7e2f5fe

SHA1
b57ad02ffb27430ed34cef2ad2bd33efb8a67993

SHA256
13717e609daf3f9abb593b34f349ef5f5583e2cc9ab447550dad2fabb9ac98cb

SHA512
0b510a920cbee5dec05c27d58b1a19e3043912a26ada0ea4195fd043f41f6b66ac96faa503f25fdb47ec92fdd8e7c109ba6824962688cb0e815d7f2f4b9943db

Download Submit
C:\Windows\SysWOW64\Nlcnda32.exe

Filesize
98KB

MD5
a261502aa5e7a48e4b9b00f3c7e2f5fe

SHA1
b57ad02ffb27430ed34cef2ad2bd33efb8a67993

SHA256
13717e609daf3f9abb593b34f349ef5f5583e2cc9ab447550dad2fabb9ac98cb

SHA512
0b510a920cbee5dec05c27d58b1a19e3043912a26ada0ea4195fd043f41f6b66ac96faa503f25fdb47ec92fdd8e7c109ba6824962688cb0e815d7f2f4b9943db

Download Submit
C:\Windows\SysWOW64\Nlcnda32.exe

Filesize
98KB

MD5
a261502aa5e7a48e4b9b00f3c7e2f5fe

SHA1
b57ad02ffb27430ed34cef2ad2bd33efb8a67993

SHA256
13717e609daf3f9abb593b34f349ef5f5583e2cc9ab447550dad2fabb9ac98cb

SHA512
0b510a920cbee5dec05c27d58b1a19e3043912a26ada0ea4195fd043f41f6b66ac96faa503f25fdb47ec92fdd8e7c109ba6824962688cb0e815d7f2f4b9943db

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
98KB

MD5
4fa07b12381fdb73ef4dbf4c461fec56

SHA1
4035562c357733194e02a197e7079ff26270a35b

SHA256
36d6733204474ffab25a1dbcf8d650fb86994bf2577ef3797fd41d76f8d539a5

SHA512
16b3e5fe936e906eb49bbad603b22451623eca38dee6b2a4659a306e8d37af110de64ff4324c11aa2a0bd6eed129dc499ff5e2efb32680980b8a53f62258815c

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
98KB

MD5
4fa07b12381fdb73ef4dbf4c461fec56

SHA1
4035562c357733194e02a197e7079ff26270a35b

SHA256
36d6733204474ffab25a1dbcf8d650fb86994bf2577ef3797fd41d76f8d539a5

SHA512
16b3e5fe936e906eb49bbad603b22451623eca38dee6b2a4659a306e8d37af110de64ff4324c11aa2a0bd6eed129dc499ff5e2efb32680980b8a53f62258815c

Download Submit
\Windows\SysWOW64\Ncpcfkbg.exe

Filesize
98KB

MD5
d88ba2fa45a446b86c063a710e6fa6e2

SHA1
53ade38b45eaf8293049d480d2de5816af79281f

SHA256
7f2e2208121d4bc6304fa3105b9105b493b555541db330d5f60e857ddcb8691f

SHA512
55b0c77b49504cbc6005fffeb4b15d5ac076b8812522b0f39b49fe1b79b758de59dd48166fcaf7c3696a341b9fefede3f536465547a23a36fc7d960eab09b32c

Download Submit
\Windows\SysWOW64\Ncpcfkbg.exe

Filesize
98KB

MD5
d88ba2fa45a446b86c063a710e6fa6e2

SHA1
53ade38b45eaf8293049d480d2de5816af79281f

SHA256
7f2e2208121d4bc6304fa3105b9105b493b555541db330d5f60e857ddcb8691f

SHA512
55b0c77b49504cbc6005fffeb4b15d5ac076b8812522b0f39b49fe1b79b758de59dd48166fcaf7c3696a341b9fefede3f536465547a23a36fc7d960eab09b32c

Download Submit
\Windows\SysWOW64\Nlcnda32.exe

Filesize
98KB

MD5
a261502aa5e7a48e4b9b00f3c7e2f5fe

SHA1
b57ad02ffb27430ed34cef2ad2bd33efb8a67993

SHA256
13717e609daf3f9abb593b34f349ef5f5583e2cc9ab447550dad2fabb9ac98cb

SHA512
0b510a920cbee5dec05c27d58b1a19e3043912a26ada0ea4195fd043f41f6b66ac96faa503f25fdb47ec92fdd8e7c109ba6824962688cb0e815d7f2f4b9943db

Download Submit
\Windows\SysWOW64\Nlcnda32.exe

Filesize
98KB

MD5
a261502aa5e7a48e4b9b00f3c7e2f5fe

SHA1
b57ad02ffb27430ed34cef2ad2bd33efb8a67993

SHA256
13717e609daf3f9abb593b34f349ef5f5583e2cc9ab447550dad2fabb9ac98cb

SHA512
0b510a920cbee5dec05c27d58b1a19e3043912a26ada0ea4195fd043f41f6b66ac96faa503f25fdb47ec92fdd8e7c109ba6824962688cb0e815d7f2f4b9943db

Download Submit
\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
98KB

MD5
4fa07b12381fdb73ef4dbf4c461fec56

SHA1
4035562c357733194e02a197e7079ff26270a35b

SHA256
36d6733204474ffab25a1dbcf8d650fb86994bf2577ef3797fd41d76f8d539a5

SHA512
16b3e5fe936e906eb49bbad603b22451623eca38dee6b2a4659a306e8d37af110de64ff4324c11aa2a0bd6eed129dc499ff5e2efb32680980b8a53f62258815c

Download Submit
\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
98KB

MD5
4fa07b12381fdb73ef4dbf4c461fec56

SHA1
4035562c357733194e02a197e7079ff26270a35b

SHA256
36d6733204474ffab25a1dbcf8d650fb86994bf2577ef3797fd41d76f8d539a5

SHA512
16b3e5fe936e906eb49bbad603b22451623eca38dee6b2a4659a306e8d37af110de64ff4324c11aa2a0bd6eed129dc499ff5e2efb32680980b8a53f62258815c

Download Submit
\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
98KB

MD5
4fa07b12381fdb73ef4dbf4c461fec56

SHA1
4035562c357733194e02a197e7079ff26270a35b

SHA256
36d6733204474ffab25a1dbcf8d650fb86994bf2577ef3797fd41d76f8d539a5

SHA512
16b3e5fe936e906eb49bbad603b22451623eca38dee6b2a4659a306e8d37af110de64ff4324c11aa2a0bd6eed129dc499ff5e2efb32680980b8a53f62258815c

Download Submit
\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
98KB

MD5
4fa07b12381fdb73ef4dbf4c461fec56

SHA1
4035562c357733194e02a197e7079ff26270a35b

SHA256
36d6733204474ffab25a1dbcf8d650fb86994bf2577ef3797fd41d76f8d539a5

SHA512
16b3e5fe936e906eb49bbad603b22451623eca38dee6b2a4659a306e8d37af110de64ff4324c11aa2a0bd6eed129dc499ff5e2efb32680980b8a53f62258815c

Download Submit
\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
98KB

MD5
4fa07b12381fdb73ef4dbf4c461fec56

SHA1
4035562c357733194e02a197e7079ff26270a35b

SHA256
36d6733204474ffab25a1dbcf8d650fb86994bf2577ef3797fd41d76f8d539a5

SHA512
16b3e5fe936e906eb49bbad603b22451623eca38dee6b2a4659a306e8d37af110de64ff4324c11aa2a0bd6eed129dc499ff5e2efb32680980b8a53f62258815c

Download Submit
\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
98KB

MD5
4fa07b12381fdb73ef4dbf4c461fec56

SHA1
4035562c357733194e02a197e7079ff26270a35b

SHA256
36d6733204474ffab25a1dbcf8d650fb86994bf2577ef3797fd41d76f8d539a5

SHA512
16b3e5fe936e906eb49bbad603b22451623eca38dee6b2a4659a306e8d37af110de64ff4324c11aa2a0bd6eed129dc499ff5e2efb32680980b8a53f62258815c

Download Submit
memory/840-24-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/840-47-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/840-41-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2028-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2028-6-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/2028-46-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2632-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2704-39-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2704-26-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2704-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads