58f84d1b9ee39f628c3852b136c62e9a64c0b4f56a40b9c84ce61266687f0594

Analysis

max time kernel
265s
max time network
319s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
01/11/2023, 08:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.f3c94d5d5f1ebda5b15713e7e56960e8.exe
Size

386KB
MD5

f3c94d5d5f1ebda5b15713e7e56960e8
SHA1

f622e8dd591d84301d8039691433dcb5479e0d0a
SHA256

58f84d1b9ee39f628c3852b136c62e9a64c0b4f56a40b9c84ce61266687f0594
SHA512

5c592759de02bcca141fb119eb8a68dd4f5e84ac7c3cffd1112b9dc26c2a4090ffb8b8a70280056902a33dbb534d6d0fecf8a047c3fd96cced1d5c9a311b9ec6
SSDEEP

12288:qwCcJ0X4i0wQZ7287xmPFRkfJg9qwQZ7287xmP:qvk0X0ZZ/aFKm9qZZ/a

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	NEAS.f3c94d5d5f1ebda5b15713e7e56960e8.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blkgdmbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Blkgdmbp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipnigl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipnigl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.f3c94d5d5f1ebda5b15713e7e56960e8.exe

Executes dropped EXE 3 IoCs

pid	Process
2564	Blkgdmbp.exe
2476	Ipnigl32.exe
2840	Iifnpagn.exe

Loads dropped DLL 10 IoCs

pid	Process
2548	NEAS.f3c94d5d5f1ebda5b15713e7e56960e8.exe
2548	NEAS.f3c94d5d5f1ebda5b15713e7e56960e8.exe
2564	Blkgdmbp.exe
2564	Blkgdmbp.exe
2476	Ipnigl32.exe
2476	Ipnigl32.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Blkgdmbp.exe	NEAS.f3c94d5d5f1ebda5b15713e7e56960e8.exe
File created	C:\Windows\SysWOW64\Ipnigl32.exe	Blkgdmbp.exe
File opened for modification	C:\Windows\SysWOW64\Ipnigl32.exe	Blkgdmbp.exe
File opened for modification	C:\Windows\SysWOW64\Blkgdmbp.exe	NEAS.f3c94d5d5f1ebda5b15713e7e56960e8.exe
File created	C:\Windows\SysWOW64\Aojbhk32.dll	NEAS.f3c94d5d5f1ebda5b15713e7e56960e8.exe
File created	C:\Windows\SysWOW64\Nnmeaaiq.dll	Blkgdmbp.exe
File created	C:\Windows\SysWOW64\Iifnpagn.exe	Ipnigl32.exe
File opened for modification	C:\Windows\SysWOW64\Iifnpagn.exe	Ipnigl32.exe
File created	C:\Windows\SysWOW64\Kbebkmci.dll	Ipnigl32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2828	2840	WerFault.exe	29

Modifies registry class 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	NEAS.f3c94d5d5f1ebda5b15713e7e56960e8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Blkgdmbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnmeaaiq.dll"	Blkgdmbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ipnigl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbebkmci.dll"	Ipnigl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ipnigl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	NEAS.f3c94d5d5f1ebda5b15713e7e56960e8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	NEAS.f3c94d5d5f1ebda5b15713e7e56960e8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aojbhk32.dll"	NEAS.f3c94d5d5f1ebda5b15713e7e56960e8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Blkgdmbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	NEAS.f3c94d5d5f1ebda5b15713e7e56960e8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	NEAS.f3c94d5d5f1ebda5b15713e7e56960e8.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2564	2548	NEAS.f3c94d5d5f1ebda5b15713e7e56960e8.exe	27
PID 2548 wrote to memory of 2564	2548	NEAS.f3c94d5d5f1ebda5b15713e7e56960e8.exe	27
PID 2548 wrote to memory of 2564	2548	NEAS.f3c94d5d5f1ebda5b15713e7e56960e8.exe	27
PID 2548 wrote to memory of 2564	2548	NEAS.f3c94d5d5f1ebda5b15713e7e56960e8.exe	27
PID 2564 wrote to memory of 2476	2564	Blkgdmbp.exe	28
PID 2564 wrote to memory of 2476	2564	Blkgdmbp.exe	28
PID 2564 wrote to memory of 2476	2564	Blkgdmbp.exe	28
PID 2564 wrote to memory of 2476	2564	Blkgdmbp.exe	28
PID 2476 wrote to memory of 2840	2476	Ipnigl32.exe	29
PID 2476 wrote to memory of 2840	2476	Ipnigl32.exe	29
PID 2476 wrote to memory of 2840	2476	Ipnigl32.exe	29
PID 2476 wrote to memory of 2840	2476	Ipnigl32.exe	29
PID 2840 wrote to memory of 2828	2840	Iifnpagn.exe	30
PID 2840 wrote to memory of 2828	2840	Iifnpagn.exe	30
PID 2840 wrote to memory of 2828	2840	Iifnpagn.exe	30
PID 2840 wrote to memory of 2828	2840	Iifnpagn.exe	30

C:\Users\Admin\AppData\Local\Temp\NEAS.f3c94d5d5f1ebda5b15713e7e56960e8.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.f3c94d5d5f1ebda5b15713e7e56960e8.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\SysWOW64\Blkgdmbp.exe
  C:\Windows\system32\Blkgdmbp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\SysWOW64\Ipnigl32.exe
    C:\Windows\system32\Ipnigl32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Windows\SysWOW64\Iifnpagn.exe
      C:\Windows\system32\Iifnpagn.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 140
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Blkgdmbp.exe

Filesize
386KB

MD5
cc7ef4a32d5a91fb76649ccbadb0a58c

SHA1
58cd81c5809076494df4697e93aa873644ac9231

SHA256
c2a1fd2b30902607c55d74e7d1d8891bf3a332f541b432ef5f0b8c5add19d131

SHA512
5deb1c35e9c3e0e02c4c6a87724064f8d9be0d34052621512ca3559442d89133b25010c0bc5ae0aec0ae3886aa065e001284f4679044111d7d3187f6dd33d286

Download Submit
C:\Windows\SysWOW64\Blkgdmbp.exe

Filesize
386KB

MD5
cc7ef4a32d5a91fb76649ccbadb0a58c

SHA1
58cd81c5809076494df4697e93aa873644ac9231

SHA256
c2a1fd2b30902607c55d74e7d1d8891bf3a332f541b432ef5f0b8c5add19d131

SHA512
5deb1c35e9c3e0e02c4c6a87724064f8d9be0d34052621512ca3559442d89133b25010c0bc5ae0aec0ae3886aa065e001284f4679044111d7d3187f6dd33d286

Download Submit
C:\Windows\SysWOW64\Blkgdmbp.exe

Filesize
386KB

MD5
cc7ef4a32d5a91fb76649ccbadb0a58c

SHA1
58cd81c5809076494df4697e93aa873644ac9231

SHA256
c2a1fd2b30902607c55d74e7d1d8891bf3a332f541b432ef5f0b8c5add19d131

SHA512
5deb1c35e9c3e0e02c4c6a87724064f8d9be0d34052621512ca3559442d89133b25010c0bc5ae0aec0ae3886aa065e001284f4679044111d7d3187f6dd33d286

Download Submit
C:\Windows\SysWOW64\Iifnpagn.exe

Filesize
386KB

MD5
0ce8c2d82e092f94983dc4e1d3be2a93

SHA1
488747b45b236c3a7c92f3515cba5641a49963f3

SHA256
86b367c730fcdafbebd0d3937c80a44a32d2fcbf5cf3510b1b9881213040e8db

SHA512
c6c7c35663c2212dbc40a6b776a58704dff301e8973750770648cc6c66013c4f11ac8a5bcf824c8244108f743d27946b09d54eeba55c46085640628298e8636f

Download Submit
C:\Windows\SysWOW64\Iifnpagn.exe

Filesize
386KB

MD5
0ce8c2d82e092f94983dc4e1d3be2a93

SHA1
488747b45b236c3a7c92f3515cba5641a49963f3

SHA256
86b367c730fcdafbebd0d3937c80a44a32d2fcbf5cf3510b1b9881213040e8db

SHA512
c6c7c35663c2212dbc40a6b776a58704dff301e8973750770648cc6c66013c4f11ac8a5bcf824c8244108f743d27946b09d54eeba55c46085640628298e8636f

Download Submit
C:\Windows\SysWOW64\Ipnigl32.exe

Filesize
386KB

MD5
15c528f85b1772a8461b0179f1ac0375

SHA1
0d3198b0e0c38a15812fe8a54af536931bf7122a

SHA256
27930d95f28115e5c10e48029ebac9f6b88fb99de5a11f7b0a837d615e94a21d

SHA512
90834f66f767ed3eafb8535a16298439ab7ea4013f58eccba89df0cf54800ca73e6cd0c0a9be7a41c4ee23eb458c89e6aad34a499fa1ad9a59db045a09e05435

Download Submit
C:\Windows\SysWOW64\Ipnigl32.exe

Filesize
386KB

MD5
15c528f85b1772a8461b0179f1ac0375

SHA1
0d3198b0e0c38a15812fe8a54af536931bf7122a

SHA256
27930d95f28115e5c10e48029ebac9f6b88fb99de5a11f7b0a837d615e94a21d

SHA512
90834f66f767ed3eafb8535a16298439ab7ea4013f58eccba89df0cf54800ca73e6cd0c0a9be7a41c4ee23eb458c89e6aad34a499fa1ad9a59db045a09e05435

Download Submit
C:\Windows\SysWOW64\Ipnigl32.exe

Filesize
386KB

MD5
15c528f85b1772a8461b0179f1ac0375

SHA1
0d3198b0e0c38a15812fe8a54af536931bf7122a

SHA256
27930d95f28115e5c10e48029ebac9f6b88fb99de5a11f7b0a837d615e94a21d

SHA512
90834f66f767ed3eafb8535a16298439ab7ea4013f58eccba89df0cf54800ca73e6cd0c0a9be7a41c4ee23eb458c89e6aad34a499fa1ad9a59db045a09e05435

Download Submit
\Windows\SysWOW64\Blkgdmbp.exe

Filesize
386KB

MD5
cc7ef4a32d5a91fb76649ccbadb0a58c

SHA1
58cd81c5809076494df4697e93aa873644ac9231

SHA256
c2a1fd2b30902607c55d74e7d1d8891bf3a332f541b432ef5f0b8c5add19d131

SHA512
5deb1c35e9c3e0e02c4c6a87724064f8d9be0d34052621512ca3559442d89133b25010c0bc5ae0aec0ae3886aa065e001284f4679044111d7d3187f6dd33d286

Download Submit
\Windows\SysWOW64\Blkgdmbp.exe

Filesize
386KB

MD5
cc7ef4a32d5a91fb76649ccbadb0a58c

SHA1
58cd81c5809076494df4697e93aa873644ac9231

SHA256
c2a1fd2b30902607c55d74e7d1d8891bf3a332f541b432ef5f0b8c5add19d131

SHA512
5deb1c35e9c3e0e02c4c6a87724064f8d9be0d34052621512ca3559442d89133b25010c0bc5ae0aec0ae3886aa065e001284f4679044111d7d3187f6dd33d286

Download Submit
\Windows\SysWOW64\Iifnpagn.exe

Filesize
386KB

MD5
0ce8c2d82e092f94983dc4e1d3be2a93

SHA1
488747b45b236c3a7c92f3515cba5641a49963f3

SHA256
86b367c730fcdafbebd0d3937c80a44a32d2fcbf5cf3510b1b9881213040e8db

SHA512
c6c7c35663c2212dbc40a6b776a58704dff301e8973750770648cc6c66013c4f11ac8a5bcf824c8244108f743d27946b09d54eeba55c46085640628298e8636f

Download Submit
\Windows\SysWOW64\Iifnpagn.exe

Filesize
386KB

MD5
0ce8c2d82e092f94983dc4e1d3be2a93

SHA1
488747b45b236c3a7c92f3515cba5641a49963f3

SHA256
86b367c730fcdafbebd0d3937c80a44a32d2fcbf5cf3510b1b9881213040e8db

SHA512
c6c7c35663c2212dbc40a6b776a58704dff301e8973750770648cc6c66013c4f11ac8a5bcf824c8244108f743d27946b09d54eeba55c46085640628298e8636f

Download Submit
\Windows\SysWOW64\Iifnpagn.exe

Filesize
386KB

MD5
0ce8c2d82e092f94983dc4e1d3be2a93

SHA1
488747b45b236c3a7c92f3515cba5641a49963f3

SHA256
86b367c730fcdafbebd0d3937c80a44a32d2fcbf5cf3510b1b9881213040e8db

SHA512
c6c7c35663c2212dbc40a6b776a58704dff301e8973750770648cc6c66013c4f11ac8a5bcf824c8244108f743d27946b09d54eeba55c46085640628298e8636f

Download Submit
\Windows\SysWOW64\Iifnpagn.exe

Filesize
386KB

MD5
0ce8c2d82e092f94983dc4e1d3be2a93

SHA1
488747b45b236c3a7c92f3515cba5641a49963f3

SHA256
86b367c730fcdafbebd0d3937c80a44a32d2fcbf5cf3510b1b9881213040e8db

SHA512
c6c7c35663c2212dbc40a6b776a58704dff301e8973750770648cc6c66013c4f11ac8a5bcf824c8244108f743d27946b09d54eeba55c46085640628298e8636f

Download Submit
\Windows\SysWOW64\Iifnpagn.exe

Filesize
386KB

MD5
0ce8c2d82e092f94983dc4e1d3be2a93

SHA1
488747b45b236c3a7c92f3515cba5641a49963f3

SHA256
86b367c730fcdafbebd0d3937c80a44a32d2fcbf5cf3510b1b9881213040e8db

SHA512
c6c7c35663c2212dbc40a6b776a58704dff301e8973750770648cc6c66013c4f11ac8a5bcf824c8244108f743d27946b09d54eeba55c46085640628298e8636f

Download Submit
\Windows\SysWOW64\Iifnpagn.exe

Filesize
386KB

MD5
0ce8c2d82e092f94983dc4e1d3be2a93

SHA1
488747b45b236c3a7c92f3515cba5641a49963f3

SHA256
86b367c730fcdafbebd0d3937c80a44a32d2fcbf5cf3510b1b9881213040e8db

SHA512
c6c7c35663c2212dbc40a6b776a58704dff301e8973750770648cc6c66013c4f11ac8a5bcf824c8244108f743d27946b09d54eeba55c46085640628298e8636f

Download Submit
\Windows\SysWOW64\Ipnigl32.exe

Filesize
386KB

MD5
15c528f85b1772a8461b0179f1ac0375

SHA1
0d3198b0e0c38a15812fe8a54af536931bf7122a

SHA256
27930d95f28115e5c10e48029ebac9f6b88fb99de5a11f7b0a837d615e94a21d

SHA512
90834f66f767ed3eafb8535a16298439ab7ea4013f58eccba89df0cf54800ca73e6cd0c0a9be7a41c4ee23eb458c89e6aad34a499fa1ad9a59db045a09e05435

Download Submit
\Windows\SysWOW64\Ipnigl32.exe

Filesize
386KB

MD5
15c528f85b1772a8461b0179f1ac0375

SHA1
0d3198b0e0c38a15812fe8a54af536931bf7122a

SHA256
27930d95f28115e5c10e48029ebac9f6b88fb99de5a11f7b0a837d615e94a21d

SHA512
90834f66f767ed3eafb8535a16298439ab7ea4013f58eccba89df0cf54800ca73e6cd0c0a9be7a41c4ee23eb458c89e6aad34a499fa1ad9a59db045a09e05435

Download Submit
memory/2476-35-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2476-64-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2548-14-0x0000000000220000-0x00000000002A7000-memory.dmp

Filesize
540KB

Download
memory/2548-0-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2548-60-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2548-6-0x0000000000220000-0x00000000002A7000-memory.dmp

Filesize
540KB

Download
memory/2564-21-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2564-34-0x0000000000220000-0x00000000002A7000-memory.dmp

Filesize
540KB

Download
memory/2564-62-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2840-43-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads