df70b0babe81fc5f1dc1af99780b65f03b37a5f741d2e95bc4ad1bb5237bbf14

General

Target

NEAS.b13de33f04ab0411cb7f63398181167f.exe
Size

64KB
MD5

b13de33f04ab0411cb7f63398181167f
SHA1

b90414d9c0b81ffa6daab9708e36f2550b570ac7
SHA256

df70b0babe81fc5f1dc1af99780b65f03b37a5f741d2e95bc4ad1bb5237bbf14
SHA512

1ee93ff8dbf34dd25c629dc43b97dd5b96343d80a40277b4ec430a98b5c12f15b9ab9ad7b0c8136e0a76877b605e8d0ea3dd55cc327c8fa979d1c8db9d393bd8
SSDEEP

768:0YFe8gpEJDsYEXTNA2uY/cOO8rC5iJkhIgUJNKlTBZUdYg2p/1H54Xdnh0Usb0DV:NLg6JDshXx7ezokkOvUdYg2LwrDWBi

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.b13de33f04ab0411cb7f63398181167f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	NEAS.b13de33f04ab0411cb7f63398181167f.exe

Executes dropped EXE 1 IoCs

pid	Process
1728	Cacacg32.exe

Loads dropped DLL 6 IoCs

pid	Process
1212	NEAS.b13de33f04ab0411cb7f63398181167f.exe
1212	NEAS.b13de33f04ab0411cb7f63398181167f.exe
2672	WerFault.exe
2672	WerFault.exe
2672	WerFault.exe
2672	WerFault.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	NEAS.b13de33f04ab0411cb7f63398181167f.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	NEAS.b13de33f04ab0411cb7f63398181167f.exe
File created	C:\Windows\SysWOW64\Cacacg32.exe	NEAS.b13de33f04ab0411cb7f63398181167f.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2672	1728	WerFault.exe	28

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	NEAS.b13de33f04ab0411cb7f63398181167f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	NEAS.b13de33f04ab0411cb7f63398181167f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	NEAS.b13de33f04ab0411cb7f63398181167f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	NEAS.b13de33f04ab0411cb7f63398181167f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	NEAS.b13de33f04ab0411cb7f63398181167f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	NEAS.b13de33f04ab0411cb7f63398181167f.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 1728	1212	NEAS.b13de33f04ab0411cb7f63398181167f.exe	28
PID 1212 wrote to memory of 1728	1212	NEAS.b13de33f04ab0411cb7f63398181167f.exe	28
PID 1212 wrote to memory of 1728	1212	NEAS.b13de33f04ab0411cb7f63398181167f.exe	28
PID 1212 wrote to memory of 1728	1212	NEAS.b13de33f04ab0411cb7f63398181167f.exe	28
PID 1728 wrote to memory of 2672	1728	Cacacg32.exe	29
PID 1728 wrote to memory of 2672	1728	Cacacg32.exe	29
PID 1728 wrote to memory of 2672	1728	Cacacg32.exe	29
PID 1728 wrote to memory of 2672	1728	Cacacg32.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.b13de33f04ab0411cb7f63398181167f.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.b13de33f04ab0411cb7f63398181167f.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Windows\SysWOW64\Cacacg32.exe
  C:\Windows\system32\Cacacg32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 140
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cacacg32.exe

Filesize
64KB

MD5
499da2e5b72387e558ee794ceb7c09c0

SHA1
480b89877bb6cd6d7428aef67db5f016ea899f50

SHA256
f1426cbad8a9d1d440ca1b2cbd993744116c7ffc638af40f8a36383a0827de2d

SHA512
93bdecc1c0d7fb49ab6f65eff1a656006eb5868133e87818c7cc124f5083b0071c2a7299677142bd055bd83f7928aa5a238f4c0047b5e1f9bfcc8f369b195963

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
64KB

MD5
499da2e5b72387e558ee794ceb7c09c0

SHA1
480b89877bb6cd6d7428aef67db5f016ea899f50

SHA256
f1426cbad8a9d1d440ca1b2cbd993744116c7ffc638af40f8a36383a0827de2d

SHA512
93bdecc1c0d7fb49ab6f65eff1a656006eb5868133e87818c7cc124f5083b0071c2a7299677142bd055bd83f7928aa5a238f4c0047b5e1f9bfcc8f369b195963

Download Submit
\Windows\SysWOW64\Cacacg32.exe

Filesize
64KB

MD5
499da2e5b72387e558ee794ceb7c09c0

SHA1
480b89877bb6cd6d7428aef67db5f016ea899f50

SHA256
f1426cbad8a9d1d440ca1b2cbd993744116c7ffc638af40f8a36383a0827de2d

SHA512
93bdecc1c0d7fb49ab6f65eff1a656006eb5868133e87818c7cc124f5083b0071c2a7299677142bd055bd83f7928aa5a238f4c0047b5e1f9bfcc8f369b195963

Download Submit
\Windows\SysWOW64\Cacacg32.exe

Filesize
64KB

MD5
499da2e5b72387e558ee794ceb7c09c0

SHA1
480b89877bb6cd6d7428aef67db5f016ea899f50

SHA256
f1426cbad8a9d1d440ca1b2cbd993744116c7ffc638af40f8a36383a0827de2d

SHA512
93bdecc1c0d7fb49ab6f65eff1a656006eb5868133e87818c7cc124f5083b0071c2a7299677142bd055bd83f7928aa5a238f4c0047b5e1f9bfcc8f369b195963

Download Submit
\Windows\SysWOW64\Cacacg32.exe

Filesize
64KB

MD5
499da2e5b72387e558ee794ceb7c09c0

SHA1
480b89877bb6cd6d7428aef67db5f016ea899f50

SHA256
f1426cbad8a9d1d440ca1b2cbd993744116c7ffc638af40f8a36383a0827de2d

SHA512
93bdecc1c0d7fb49ab6f65eff1a656006eb5868133e87818c7cc124f5083b0071c2a7299677142bd055bd83f7928aa5a238f4c0047b5e1f9bfcc8f369b195963

Download Submit
\Windows\SysWOW64\Cacacg32.exe

Filesize
64KB

MD5
499da2e5b72387e558ee794ceb7c09c0

SHA1
480b89877bb6cd6d7428aef67db5f016ea899f50

SHA256
f1426cbad8a9d1d440ca1b2cbd993744116c7ffc638af40f8a36383a0827de2d

SHA512
93bdecc1c0d7fb49ab6f65eff1a656006eb5868133e87818c7cc124f5083b0071c2a7299677142bd055bd83f7928aa5a238f4c0047b5e1f9bfcc8f369b195963

Download Submit
\Windows\SysWOW64\Cacacg32.exe

Filesize
64KB

MD5
499da2e5b72387e558ee794ceb7c09c0

SHA1
480b89877bb6cd6d7428aef67db5f016ea899f50

SHA256
f1426cbad8a9d1d440ca1b2cbd993744116c7ffc638af40f8a36383a0827de2d

SHA512
93bdecc1c0d7fb49ab6f65eff1a656006eb5868133e87818c7cc124f5083b0071c2a7299677142bd055bd83f7928aa5a238f4c0047b5e1f9bfcc8f369b195963

Download Submit
\Windows\SysWOW64\Cacacg32.exe

Filesize
64KB

MD5
499da2e5b72387e558ee794ceb7c09c0

SHA1
480b89877bb6cd6d7428aef67db5f016ea899f50

SHA256
f1426cbad8a9d1d440ca1b2cbd993744116c7ffc638af40f8a36383a0827de2d

SHA512
93bdecc1c0d7fb49ab6f65eff1a656006eb5868133e87818c7cc124f5083b0071c2a7299677142bd055bd83f7928aa5a238f4c0047b5e1f9bfcc8f369b195963

Download Submit
memory/1212-6-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1212-14-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1212-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1212-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1212-20-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1728-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1728-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads