239530780b5162e0d62dcfc250a2b83c8ec763cfd494ee5ea59eb68b5d538a03

Analysis

max time kernel
139s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
12/11/2023, 23:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.7a280c2a62f9967a5edeb8f1877feef0.exe
Size

59KB
MD5

7a280c2a62f9967a5edeb8f1877feef0
SHA1

220844fc40f0f2353db3a53f2de64a3b393586d3
SHA256

239530780b5162e0d62dcfc250a2b83c8ec763cfd494ee5ea59eb68b5d538a03
SHA512

bcbcd372bcc51f468e6c49c40bb5a89a4e2e582d2e7d8e4b9790033102d81b3a6a6aa5c8db2a61cc7c2894460d5eab483adef31251dbf9ad6ad4ce445ec98e7b
SSDEEP

768:eSDqPU8Synp+3ajtkBOeafPntEU94dl0QcMLuyYZ/1H5rD5nf1fZMEBFELvkVgFa:eSAUfync3a7jPth6LKhtNCyVso

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgcihgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpkmal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cacckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cklhcfle.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgcihgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cklhcfle.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpkmal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.7a280c2a62f9967a5edeb8f1877feef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	NEAS.7a280c2a62f9967a5edeb8f1877feef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cacckp32.exe

Executes dropped EXE 5 IoCs

pid	Process
756	Cacckp32.exe
260	Cklhcfle.exe
2168	Dgcihgaj.exe
4276	Dpkmal32.exe
1352	Dkqaoe32.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dgcihgaj.exe	Cklhcfle.exe
File created	C:\Windows\SysWOW64\Dpkmal32.exe	Dgcihgaj.exe
File created	C:\Windows\SysWOW64\Omjbpn32.dll	Dgcihgaj.exe
File created	C:\Windows\SysWOW64\Biafno32.dll	Cacckp32.exe
File opened for modification	C:\Windows\SysWOW64\Dgcihgaj.exe	Cklhcfle.exe
File created	C:\Windows\SysWOW64\Gelfeh32.dll	Cklhcfle.exe
File opened for modification	C:\Windows\SysWOW64\Dpkmal32.exe	Dgcihgaj.exe
File opened for modification	C:\Windows\SysWOW64\Dkqaoe32.exe	Dpkmal32.exe
File created	C:\Windows\SysWOW64\Aamebb32.dll	NEAS.7a280c2a62f9967a5edeb8f1877feef0.exe
File created	C:\Windows\SysWOW64\Dkqaoe32.exe	Dpkmal32.exe
File created	C:\Windows\SysWOW64\Cacckp32.exe	NEAS.7a280c2a62f9967a5edeb8f1877feef0.exe
File created	C:\Windows\SysWOW64\Cklhcfle.exe	Cacckp32.exe
File opened for modification	C:\Windows\SysWOW64\Cklhcfle.exe	Cacckp32.exe
File created	C:\Windows\SysWOW64\Glfdiedd.dll	Dpkmal32.exe
File opened for modification	C:\Windows\SysWOW64\Cacckp32.exe	NEAS.7a280c2a62f9967a5edeb8f1877feef0.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5044	1352	WerFault.exe	88

Modifies registry class 18 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biafno32.dll"	Cacckp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cklhcfle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgcihgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpkmal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.7a280c2a62f9967a5edeb8f1877feef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aamebb32.dll"	NEAS.7a280c2a62f9967a5edeb8f1877feef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gelfeh32.dll"	Cklhcfle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgcihgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omjbpn32.dll"	Dgcihgaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cacckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cklhcfle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	NEAS.7a280c2a62f9967a5edeb8f1877feef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	NEAS.7a280c2a62f9967a5edeb8f1877feef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cacckp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpkmal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll"	Dpkmal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	NEAS.7a280c2a62f9967a5edeb8f1877feef0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.7a280c2a62f9967a5edeb8f1877feef0.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4624 wrote to memory of 756	4624	NEAS.7a280c2a62f9967a5edeb8f1877feef0.exe	84
PID 4624 wrote to memory of 756	4624	NEAS.7a280c2a62f9967a5edeb8f1877feef0.exe	84
PID 4624 wrote to memory of 756	4624	NEAS.7a280c2a62f9967a5edeb8f1877feef0.exe	84
PID 756 wrote to memory of 260	756	Cacckp32.exe	85
PID 756 wrote to memory of 260	756	Cacckp32.exe	85
PID 756 wrote to memory of 260	756	Cacckp32.exe	85
PID 260 wrote to memory of 2168	260	Cklhcfle.exe	86
PID 260 wrote to memory of 2168	260	Cklhcfle.exe	86
PID 260 wrote to memory of 2168	260	Cklhcfle.exe	86
PID 2168 wrote to memory of 4276	2168	Dgcihgaj.exe	87
PID 2168 wrote to memory of 4276	2168	Dgcihgaj.exe	87
PID 2168 wrote to memory of 4276	2168	Dgcihgaj.exe	87
PID 4276 wrote to memory of 1352	4276	Dpkmal32.exe	88
PID 4276 wrote to memory of 1352	4276	Dpkmal32.exe	88
PID 4276 wrote to memory of 1352	4276	Dpkmal32.exe	88

C:\Users\Admin\AppData\Local\Temp\NEAS.7a280c2a62f9967a5edeb8f1877feef0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.7a280c2a62f9967a5edeb8f1877feef0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4624
- C:\Windows\SysWOW64\Cacckp32.exe
  C:\Windows\system32\Cacckp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:756
- - C:\Windows\SysWOW64\Cklhcfle.exe
    C:\Windows\system32\Cklhcfle.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:260
  - - C:\Windows\SysWOW64\Dgcihgaj.exe
      C:\Windows\system32\Dgcihgaj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2168
    - - C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4276
      - C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        6⤵
        Executes dropped EXE
        
        PID:1352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 400
        7⤵
        Program crash
        
        PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1352 -ip 1352
1⤵
PID:4088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cacckp32.exe

Filesize
59KB

MD5
3f85f25f78fcbe275843589c4eb23070

SHA1
e120291c9566bad3bd2e075a188e11f8348c3331

SHA256
b251d21c825fe49bef9ee3ef5d0c2f673a64bb5a2778bbe333726011f1c9edf9

SHA512
55e4dfc07d71bd08693a0a2593ed902f6f4d961e3ad1e9522753f2b5a9147615f8ca26984de9dd17c4811f60a8356d027b0fe8546470b4bde1da673cfe2af94a

Download Submit
C:\Windows\SysWOW64\Cacckp32.exe

Filesize
59KB

MD5
3f85f25f78fcbe275843589c4eb23070

SHA1
e120291c9566bad3bd2e075a188e11f8348c3331

SHA256
b251d21c825fe49bef9ee3ef5d0c2f673a64bb5a2778bbe333726011f1c9edf9

SHA512
55e4dfc07d71bd08693a0a2593ed902f6f4d961e3ad1e9522753f2b5a9147615f8ca26984de9dd17c4811f60a8356d027b0fe8546470b4bde1da673cfe2af94a

Download Submit
C:\Windows\SysWOW64\Cklhcfle.exe

Filesize
59KB

MD5
a7df57050ba8c5baabb14d0b4fb922bf

SHA1
51a599b028d9692dc17cc99240ba64ed395fe9db

SHA256
99c09d8e391de81f6376693d816dd49265e4407b6349fc62f698934768aa64cb

SHA512
0cf84e65de74973e8f8dc4d767601fd6bff38b814207ef09462e42702c1f8c6405e0e47aee37dfc80c01f6f6becd7bb2bb61c516c9fd4aea1ac958a895039f84

Download Submit
C:\Windows\SysWOW64\Cklhcfle.exe

Filesize
59KB

MD5
a7df57050ba8c5baabb14d0b4fb922bf

SHA1
51a599b028d9692dc17cc99240ba64ed395fe9db

SHA256
99c09d8e391de81f6376693d816dd49265e4407b6349fc62f698934768aa64cb

SHA512
0cf84e65de74973e8f8dc4d767601fd6bff38b814207ef09462e42702c1f8c6405e0e47aee37dfc80c01f6f6becd7bb2bb61c516c9fd4aea1ac958a895039f84

Download Submit
C:\Windows\SysWOW64\Cklhcfle.exe

Filesize
59KB

MD5
a7df57050ba8c5baabb14d0b4fb922bf

SHA1
51a599b028d9692dc17cc99240ba64ed395fe9db

SHA256
99c09d8e391de81f6376693d816dd49265e4407b6349fc62f698934768aa64cb

SHA512
0cf84e65de74973e8f8dc4d767601fd6bff38b814207ef09462e42702c1f8c6405e0e47aee37dfc80c01f6f6becd7bb2bb61c516c9fd4aea1ac958a895039f84

Download Submit
C:\Windows\SysWOW64\Dgcihgaj.exe

Filesize
59KB

MD5
f8065e24eb54e207bcf4aadad0b1d055

SHA1
834b9d5973b72ee1adb23f5a40b266bb022a03d5

SHA256
784852032bbbcdfc8f45c01f063fc1aa1d18f818d74e54445d22a93537cc827e

SHA512
57866e07b220257f1f46faa2b075f0aa04a39cce0f0610159c36a0e42f63a949518142a576f977579898dce1bf951e0943d046e7dd8a8194c936bebaddb14d21

Download Submit
C:\Windows\SysWOW64\Dgcihgaj.exe

Filesize
59KB

MD5
f8065e24eb54e207bcf4aadad0b1d055

SHA1
834b9d5973b72ee1adb23f5a40b266bb022a03d5

SHA256
784852032bbbcdfc8f45c01f063fc1aa1d18f818d74e54445d22a93537cc827e

SHA512
57866e07b220257f1f46faa2b075f0aa04a39cce0f0610159c36a0e42f63a949518142a576f977579898dce1bf951e0943d046e7dd8a8194c936bebaddb14d21

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
59KB

MD5
c535cce198a43adbabd62cc809837a00

SHA1
6ecc72a7225311defd19d5459555eb23d13929a6

SHA256
dad8c2a9ce7e0472b54358bc2976cec7ce46b00239afebc9680cdfb4048751d8

SHA512
0c4ed0a95fc2d2012473d4045e38aca81b7739dc8a5fdb74f5fd8ba3da03f4827acf6a31da8c5078d0aeed03e4bcb0b4f63cb8ba042ec122c9827b5e24fb89c4

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
59KB

MD5
c535cce198a43adbabd62cc809837a00

SHA1
6ecc72a7225311defd19d5459555eb23d13929a6

SHA256
dad8c2a9ce7e0472b54358bc2976cec7ce46b00239afebc9680cdfb4048751d8

SHA512
0c4ed0a95fc2d2012473d4045e38aca81b7739dc8a5fdb74f5fd8ba3da03f4827acf6a31da8c5078d0aeed03e4bcb0b4f63cb8ba042ec122c9827b5e24fb89c4

Download Submit
C:\Windows\SysWOW64\Dpkmal32.exe

Filesize
59KB

MD5
5356c6444c0ea0a496bd14a4dc13aeb0

SHA1
1617a88a5402860afed00e5d6aa15d8ae89f0b9d

SHA256
f73d0896b82b1a3c824a01e3dba5c01401f295e0932fabc41998444a0c884f15

SHA512
5ef51dadb302b2f783cbc01da4e85e845b1588d5eca790ec1e864eebb1ca0731927804485a0bae6f7a0e24ed64dec0e71356d1cd7154eb7c54e2245be6731436

Download Submit
C:\Windows\SysWOW64\Dpkmal32.exe

Filesize
59KB

MD5
5356c6444c0ea0a496bd14a4dc13aeb0

SHA1
1617a88a5402860afed00e5d6aa15d8ae89f0b9d

SHA256
f73d0896b82b1a3c824a01e3dba5c01401f295e0932fabc41998444a0c884f15

SHA512
5ef51dadb302b2f783cbc01da4e85e845b1588d5eca790ec1e864eebb1ca0731927804485a0bae6f7a0e24ed64dec0e71356d1cd7154eb7c54e2245be6731436

Download Submit
C:\Windows\SysWOW64\Dpkmal32.exe

Filesize
59KB

MD5
5356c6444c0ea0a496bd14a4dc13aeb0

SHA1
1617a88a5402860afed00e5d6aa15d8ae89f0b9d

SHA256
f73d0896b82b1a3c824a01e3dba5c01401f295e0932fabc41998444a0c884f15

SHA512
5ef51dadb302b2f783cbc01da4e85e845b1588d5eca790ec1e864eebb1ca0731927804485a0bae6f7a0e24ed64dec0e71356d1cd7154eb7c54e2245be6731436

Download Submit
memory/260-15-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/260-44-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/756-7-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/756-45-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1352-40-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1352-41-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2168-23-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2168-43-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4276-32-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4276-42-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4624-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4624-46-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads