b7daf73d00e7f1f9dc8a9693c6923ac7758e1bbc49eb2505c8039f61b906f6e0

General

Target

NEAS.04c6213298de319e2161728651593ef0.exe
Size

194KB
MD5

04c6213298de319e2161728651593ef0
SHA1

0cb893bf4cf0feaf04d1add2baa67b526cb97406
SHA256

b7daf73d00e7f1f9dc8a9693c6923ac7758e1bbc49eb2505c8039f61b906f6e0
SHA512

4b5397977473b54413806ba3726de66ab94e9044e1baafe5562f6f5871b39efb60186235e05b28048e2db6fce67819d1eda1a477cd87e7ec6af3f86fef0efe7c
SSDEEP

1536:nXGltGuSLhcr0R1uUOgeHgWm0JZatMIM/5/KEatMIGuatMIc/zT4a5GV:uYTXrexm0PmMIM/kEmMIGumMIc/1GV

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkjfakng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkjfakng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkalbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkalbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gclafmej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gclafmej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.04c6213298de319e2161728651593ef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	NEAS.04c6213298de319e2161728651593ef0.exe

Executes dropped EXE 4 IoCs

pid	Process
4120	Fkjfakng.exe
4684	Gkalbj32.exe
4884	Gclafmej.exe
5092	Gbmadd32.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fofobm32.dll	NEAS.04c6213298de319e2161728651593ef0.exe
File created	C:\Windows\SysWOW64\Gkalbj32.exe	Fkjfakng.exe
File created	C:\Windows\SysWOW64\Gclafmej.exe	Gkalbj32.exe
File opened for modification	C:\Windows\SysWOW64\Gclafmej.exe	Gkalbj32.exe
File created	C:\Windows\SysWOW64\Gbmadd32.exe	Gclafmej.exe
File created	C:\Windows\SysWOW64\Fkjfakng.exe	NEAS.04c6213298de319e2161728651593ef0.exe
File opened for modification	C:\Windows\SysWOW64\Gkalbj32.exe	Fkjfakng.exe
File created	C:\Windows\SysWOW64\Apocmn32.dll	Fkjfakng.exe
File created	C:\Windows\SysWOW64\Eocmgd32.dll	Gkalbj32.exe
File opened for modification	C:\Windows\SysWOW64\Gbmadd32.exe	Gclafmej.exe
File created	C:\Windows\SysWOW64\Hjmgbm32.dll	Gclafmej.exe
File opened for modification	C:\Windows\SysWOW64\Fkjfakng.exe	NEAS.04c6213298de319e2161728651593ef0.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3780	5092	WerFault.exe	95

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkalbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gclafmej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	NEAS.04c6213298de319e2161728651593ef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	NEAS.04c6213298de319e2161728651593ef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eocmgd32.dll"	Gkalbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fofobm32.dll"	NEAS.04c6213298de319e2161728651593ef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fkjfakng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gclafmej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.04c6213298de319e2161728651593ef0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.04c6213298de319e2161728651593ef0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	NEAS.04c6213298de319e2161728651593ef0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fkjfakng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apocmn32.dll"	Fkjfakng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gkalbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjmgbm32.dll"	Gclafmej.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1084 wrote to memory of 4120	1084	NEAS.04c6213298de319e2161728651593ef0.exe	92
PID 1084 wrote to memory of 4120	1084	NEAS.04c6213298de319e2161728651593ef0.exe	92
PID 1084 wrote to memory of 4120	1084	NEAS.04c6213298de319e2161728651593ef0.exe	92
PID 4120 wrote to memory of 4684	4120	Fkjfakng.exe	93
PID 4120 wrote to memory of 4684	4120	Fkjfakng.exe	93
PID 4120 wrote to memory of 4684	4120	Fkjfakng.exe	93
PID 4684 wrote to memory of 4884	4684	Gkalbj32.exe	94
PID 4684 wrote to memory of 4884	4684	Gkalbj32.exe	94
PID 4684 wrote to memory of 4884	4684	Gkalbj32.exe	94
PID 4884 wrote to memory of 5092	4884	Gclafmej.exe	95
PID 4884 wrote to memory of 5092	4884	Gclafmej.exe	95
PID 4884 wrote to memory of 5092	4884	Gclafmej.exe	95

C:\Users\Admin\AppData\Local\Temp\NEAS.04c6213298de319e2161728651593ef0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.04c6213298de319e2161728651593ef0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Windows\SysWOW64\Fkjfakng.exe
  C:\Windows\system32\Fkjfakng.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4120
- - C:\Windows\SysWOW64\Gkalbj32.exe
    C:\Windows\system32\Gkalbj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4684
  - - C:\Windows\SysWOW64\Gclafmej.exe
      C:\Windows\system32\Gclafmej.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4884
    - - C:\Windows\SysWOW64\Gbmadd32.exe
        
        C:\Windows\system32\Gbmadd32.exe
        5⤵
        Executes dropped EXE
        
        PID:5092
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 400
        6⤵
        Program crash
        
        PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5092 -ip 5092
1⤵
PID:1840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fkjfakng.exe

Filesize
194KB

MD5
60b25a440959b59e4d00301594852df1

SHA1
61c7ea9d208a6c773c3a65819ac595f1b4f328f2

SHA256
04bb02731ebd8ad888a1483b093c8e013448cbf32de410e131dec97ffb13aae6

SHA512
89863362aa35c2f16c920a471a805502a5849b5f478f4841e29f18a8da5d42e87cd5eddb3988992a765dd0cad9feb0a92c4bb6dbd4d06b8b927728b9d6c590ce

Download Submit
C:\Windows\SysWOW64\Fkjfakng.exe

Filesize
194KB

MD5
60b25a440959b59e4d00301594852df1

SHA1
61c7ea9d208a6c773c3a65819ac595f1b4f328f2

SHA256
04bb02731ebd8ad888a1483b093c8e013448cbf32de410e131dec97ffb13aae6

SHA512
89863362aa35c2f16c920a471a805502a5849b5f478f4841e29f18a8da5d42e87cd5eddb3988992a765dd0cad9feb0a92c4bb6dbd4d06b8b927728b9d6c590ce

Download Submit
C:\Windows\SysWOW64\Gbmadd32.exe

Filesize
194KB

MD5
790236ca24a91937812239217486b570

SHA1
dde11a8c6972f5b5f7d25192fa32088f78ab4527

SHA256
6ba826f0ecc983b09e20acb2f5c0b3c3436972706fa712877ed9ebb2215f5edb

SHA512
af1867f110cd06ed8aad5a4203bfe5d420090f0a722990317aa884bc74cc2558fc6cf3abe811b0fc3d58f33e7aa4fae0dea22997d098bf035aab0fcf5734f52a

Download Submit
C:\Windows\SysWOW64\Gbmadd32.exe

Filesize
194KB

MD5
790236ca24a91937812239217486b570

SHA1
dde11a8c6972f5b5f7d25192fa32088f78ab4527

SHA256
6ba826f0ecc983b09e20acb2f5c0b3c3436972706fa712877ed9ebb2215f5edb

SHA512
af1867f110cd06ed8aad5a4203bfe5d420090f0a722990317aa884bc74cc2558fc6cf3abe811b0fc3d58f33e7aa4fae0dea22997d098bf035aab0fcf5734f52a

Download Submit
C:\Windows\SysWOW64\Gclafmej.exe

Filesize
194KB

MD5
a06b132310bad46b994171d22fb6f885

SHA1
262033482d3e00b714d4c5271855b0c611fe2b79

SHA256
017ef43b3161e124669856ec7c496877fcdc5fdc85844c9fcf45fbf751a720ae

SHA512
6261142c445d494ece5ba08d914bb2deb96258c3bb9d50a0479d499f156e09a7abc1bb86bb2886d03a12faf9b8bb04612132ed821599d75e1a9769f573d88d0f

Download Submit
C:\Windows\SysWOW64\Gclafmej.exe

Filesize
194KB

MD5
a06b132310bad46b994171d22fb6f885

SHA1
262033482d3e00b714d4c5271855b0c611fe2b79

SHA256
017ef43b3161e124669856ec7c496877fcdc5fdc85844c9fcf45fbf751a720ae

SHA512
6261142c445d494ece5ba08d914bb2deb96258c3bb9d50a0479d499f156e09a7abc1bb86bb2886d03a12faf9b8bb04612132ed821599d75e1a9769f573d88d0f

Download Submit
C:\Windows\SysWOW64\Gkalbj32.exe

Filesize
194KB

MD5
9e0add0708178390993521f8ea659405

SHA1
4641da70412ab5313a5215cfbbf637f79bfb4021

SHA256
72bfb7a89255842ae8c454eb85c9bc7c68a94e83aa63e909a0cb485f115bab7a

SHA512
5a326a797b1da881f51da2302db6b177a860b1d10bea976639907b6e2ff6b8a401295e83a29da3036ea52a1b2e199d0d8dc5bfc6af93f1fdf2b2bcef7cf71c1e

Download Submit
C:\Windows\SysWOW64\Gkalbj32.exe

Filesize
194KB

MD5
9e0add0708178390993521f8ea659405

SHA1
4641da70412ab5313a5215cfbbf637f79bfb4021

SHA256
72bfb7a89255842ae8c454eb85c9bc7c68a94e83aa63e909a0cb485f115bab7a

SHA512
5a326a797b1da881f51da2302db6b177a860b1d10bea976639907b6e2ff6b8a401295e83a29da3036ea52a1b2e199d0d8dc5bfc6af93f1fdf2b2bcef7cf71c1e

Download Submit
memory/1084-0-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1084-43-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4120-7-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4120-42-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4684-16-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4684-40-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4884-23-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4884-37-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5092-38-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5092-32-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads