d8ca377f34daa9fd48a260ecad57eeb2b45dbd537a499bcd2a0b03daf368dfb4

General

Target

NEAS.1f572f5c8188fc04a09ab88a46def380.exe
Size

480KB
MD5

1f572f5c8188fc04a09ab88a46def380
SHA1

9cd70e5870ffdcb24b74b198aa54de7e493ccc8c
SHA256

d8ca377f34daa9fd48a260ecad57eeb2b45dbd537a499bcd2a0b03daf368dfb4
SHA512

75cf455995e654ef02c9951fc5c361abb4ecbc767bd9b1a849b7fd8446ea327c74b0dac0232d5f3ff2c7568c29a4d0838642a711e892686753b5c2bcefe9024e
SSDEEP

12288:Zt7GvxI8aKSPh2kkkkK4kXkkkkkkkkl888888888888888888n6:sxI8gPh2kkkkK4kXkkkkkkkko

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.1f572f5c8188fc04a09ab88a46def380.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	NEAS.1f572f5c8188fc04a09ab88a46def380.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe

Executes dropped EXE 2 IoCs

pid	Process
4696	Deagdn32.exe
3840	Dmllipeg.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	NEAS.1f572f5c8188fc04a09ab88a46def380.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	NEAS.1f572f5c8188fc04a09ab88a46def380.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	NEAS.1f572f5c8188fc04a09ab88a46def380.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3116	3840	WerFault.exe	89

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	NEAS.1f572f5c8188fc04a09ab88a46def380.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.1f572f5c8188fc04a09ab88a46def380.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	NEAS.1f572f5c8188fc04a09ab88a46def380.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	NEAS.1f572f5c8188fc04a09ab88a46def380.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.1f572f5c8188fc04a09ab88a46def380.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	NEAS.1f572f5c8188fc04a09ab88a46def380.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 4696	2360	NEAS.1f572f5c8188fc04a09ab88a46def380.exe	88
PID 2360 wrote to memory of 4696	2360	NEAS.1f572f5c8188fc04a09ab88a46def380.exe	88
PID 2360 wrote to memory of 4696	2360	NEAS.1f572f5c8188fc04a09ab88a46def380.exe	88
PID 4696 wrote to memory of 3840	4696	Deagdn32.exe	89
PID 4696 wrote to memory of 3840	4696	Deagdn32.exe	89
PID 4696 wrote to memory of 3840	4696	Deagdn32.exe	89

C:\Users\Admin\AppData\Local\Temp\NEAS.1f572f5c8188fc04a09ab88a46def380.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.1f572f5c8188fc04a09ab88a46def380.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\SysWOW64\Deagdn32.exe
  C:\Windows\system32\Deagdn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4696
- - C:\Windows\SysWOW64\Dmllipeg.exe
    C:\Windows\system32\Dmllipeg.exe
    3⤵
    - Executes dropped EXE
    PID:3840
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 396
      4⤵
      Program crash
      PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3840 -ip 3840
1⤵
PID:3416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Deagdn32.exe

Filesize
480KB

MD5
6436070a7570333c753a2f59cebaf7f7

SHA1
b6d508cbce1285793ddd9488ac053cec42e38647

SHA256
227518f23ac177c4d3ce5a3955f1441d4785a2c0a52bff5e8dd4cc1772ee9f06

SHA512
4dddff7e7894601628cb1d520500e057a68be4b9bb7b6d99e855f33b83b2553efdb82da93461f2fdaf3de8deb9d779dcbbcedd005fd56722aa6ce4aef180019f

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
480KB

MD5
6436070a7570333c753a2f59cebaf7f7

SHA1
b6d508cbce1285793ddd9488ac053cec42e38647

SHA256
227518f23ac177c4d3ce5a3955f1441d4785a2c0a52bff5e8dd4cc1772ee9f06

SHA512
4dddff7e7894601628cb1d520500e057a68be4b9bb7b6d99e855f33b83b2553efdb82da93461f2fdaf3de8deb9d779dcbbcedd005fd56722aa6ce4aef180019f

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
480KB

MD5
1cfc70ef5303a0cfcf34c88545d7620c

SHA1
d2eada095076417f935fe7db8e7a2cdf4c4b480f

SHA256
f414a3bcf5155cc17d74bfd49ca721ad45b847d87c8a9b59b2ab27d018c58e98

SHA512
bd4c40c0fd6e9d80acb8d7eb13bdb5a56f29a5b0bb11ffd6f4d294388ede7d4179513afb56ab769ec8173ea7c57a7d9a89418195d6895c55c3112f5fb2d2380c

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
480KB

MD5
1cfc70ef5303a0cfcf34c88545d7620c

SHA1
d2eada095076417f935fe7db8e7a2cdf4c4b480f

SHA256
f414a3bcf5155cc17d74bfd49ca721ad45b847d87c8a9b59b2ab27d018c58e98

SHA512
bd4c40c0fd6e9d80acb8d7eb13bdb5a56f29a5b0bb11ffd6f4d294388ede7d4179513afb56ab769ec8173ea7c57a7d9a89418195d6895c55c3112f5fb2d2380c

Download Submit
memory/2360-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2360-5-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2360-20-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3840-17-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3840-18-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4696-8-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4696-19-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads