30b93799284c6914c27db508d9eea60561779ed558f80026d9ac3c7c663bc83c

Analysis

max time kernel
142s
max time network
134s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
12/11/2023, 22:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.f8d59df3e109e9acfbb3c923ab6aeeb0.exe
Size

416KB
MD5

f8d59df3e109e9acfbb3c923ab6aeeb0
SHA1

07646e3c9146e82d316ab514b8054227abd95bfd
SHA256

30b93799284c6914c27db508d9eea60561779ed558f80026d9ac3c7c663bc83c
SHA512

97109bc59bce27d6b4e06b36a3cf1dce1f0aa2ec83e791cf120cd694a10300bcd271d98756b04a52f4ad705bb95feef72875705adbe6b9a00b5eaaf0c7f7c35a
SSDEEP

3072:UnG/BBlk8KvBvVAURfE+HAokWmvEie0RFz3yE2ZwVh16Mz7GFD0AlWP:5/BB8BvRs+HLlD0rN2ZwVht740PP

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.f8d59df3e109e9acfbb3c923ab6aeeb0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	NEAS.f8d59df3e109e9acfbb3c923ab6aeeb0.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emkaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emkaol32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Echfaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Echfaf32.exe

Executes dropped EXE 3 IoCs

pid	Process
632	Emkaol32.exe
1564	Echfaf32.exe
2796	Fkckeh32.exe

Loads dropped DLL 10 IoCs

pid	Process
2092	NEAS.f8d59df3e109e9acfbb3c923ab6aeeb0.exe
2092	NEAS.f8d59df3e109e9acfbb3c923ab6aeeb0.exe
632	Emkaol32.exe
632	Emkaol32.exe
1564	Echfaf32.exe
1564	Echfaf32.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Emkaol32.exe	NEAS.f8d59df3e109e9acfbb3c923ab6aeeb0.exe
File created	C:\Windows\SysWOW64\Cgllco32.dll	NEAS.f8d59df3e109e9acfbb3c923ab6aeeb0.exe
File created	C:\Windows\SysWOW64\Echfaf32.exe	Emkaol32.exe
File opened for modification	C:\Windows\SysWOW64\Echfaf32.exe	Emkaol32.exe
File created	C:\Windows\SysWOW64\Najgne32.dll	Emkaol32.exe
File created	C:\Windows\SysWOW64\Fkckeh32.exe	Echfaf32.exe
File opened for modification	C:\Windows\SysWOW64\Emkaol32.exe	NEAS.f8d59df3e109e9acfbb3c923ab6aeeb0.exe
File opened for modification	C:\Windows\SysWOW64\Fkckeh32.exe	Echfaf32.exe
File created	C:\Windows\SysWOW64\Clkmne32.dll	Echfaf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2748	2796	WerFault.exe	30

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Emkaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najgne32.dll"	Emkaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Emkaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	NEAS.f8d59df3e109e9acfbb3c923ab6aeeb0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	NEAS.f8d59df3e109e9acfbb3c923ab6aeeb0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	NEAS.f8d59df3e109e9acfbb3c923ab6aeeb0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgllco32.dll"	NEAS.f8d59df3e109e9acfbb3c923ab6aeeb0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Echfaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	NEAS.f8d59df3e109e9acfbb3c923ab6aeeb0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	NEAS.f8d59df3e109e9acfbb3c923ab6aeeb0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Echfaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkmne32.dll"	Echfaf32.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 632	2092	NEAS.f8d59df3e109e9acfbb3c923ab6aeeb0.exe	28
PID 2092 wrote to memory of 632	2092	NEAS.f8d59df3e109e9acfbb3c923ab6aeeb0.exe	28
PID 2092 wrote to memory of 632	2092	NEAS.f8d59df3e109e9acfbb3c923ab6aeeb0.exe	28
PID 2092 wrote to memory of 632	2092	NEAS.f8d59df3e109e9acfbb3c923ab6aeeb0.exe	28
PID 632 wrote to memory of 1564	632	Emkaol32.exe	29
PID 632 wrote to memory of 1564	632	Emkaol32.exe	29
PID 632 wrote to memory of 1564	632	Emkaol32.exe	29
PID 632 wrote to memory of 1564	632	Emkaol32.exe	29
PID 1564 wrote to memory of 2796	1564	Echfaf32.exe	30
PID 1564 wrote to memory of 2796	1564	Echfaf32.exe	30
PID 1564 wrote to memory of 2796	1564	Echfaf32.exe	30
PID 1564 wrote to memory of 2796	1564	Echfaf32.exe	30
PID 2796 wrote to memory of 2748	2796	Fkckeh32.exe	31
PID 2796 wrote to memory of 2748	2796	Fkckeh32.exe	31
PID 2796 wrote to memory of 2748	2796	Fkckeh32.exe	31
PID 2796 wrote to memory of 2748	2796	Fkckeh32.exe	31

C:\Users\Admin\AppData\Local\Temp\NEAS.f8d59df3e109e9acfbb3c923ab6aeeb0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.f8d59df3e109e9acfbb3c923ab6aeeb0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\SysWOW64\Emkaol32.exe
  C:\Windows\system32\Emkaol32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:632
- - C:\Windows\SysWOW64\Echfaf32.exe
    C:\Windows\system32\Echfaf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1564
  - - C:\Windows\SysWOW64\Fkckeh32.exe
      C:\Windows\system32\Fkckeh32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 140
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Echfaf32.exe

Filesize
416KB

MD5
ed745643a9ba1ee99d1d729c6eaf9c5c

SHA1
ca048754f13c1f33300506fe592d742a806e7435

SHA256
dd777976e8f8abe01d6810b163b957adfb9103447697b1de60e4b2553c6bb1d5

SHA512
d96b2f20edc569c62669e39318329aeac1a7692222173555934dada18eefdf814cb1f82432c34a25d6bc836d91cc3b61b1dc43c0fa8c3d1015a06e05dd3693b6

Download Submit
C:\Windows\SysWOW64\Echfaf32.exe

Filesize
416KB

MD5
ed745643a9ba1ee99d1d729c6eaf9c5c

SHA1
ca048754f13c1f33300506fe592d742a806e7435

SHA256
dd777976e8f8abe01d6810b163b957adfb9103447697b1de60e4b2553c6bb1d5

SHA512
d96b2f20edc569c62669e39318329aeac1a7692222173555934dada18eefdf814cb1f82432c34a25d6bc836d91cc3b61b1dc43c0fa8c3d1015a06e05dd3693b6

Download Submit
C:\Windows\SysWOW64\Echfaf32.exe

Filesize
416KB

MD5
ed745643a9ba1ee99d1d729c6eaf9c5c

SHA1
ca048754f13c1f33300506fe592d742a806e7435

SHA256
dd777976e8f8abe01d6810b163b957adfb9103447697b1de60e4b2553c6bb1d5

SHA512
d96b2f20edc569c62669e39318329aeac1a7692222173555934dada18eefdf814cb1f82432c34a25d6bc836d91cc3b61b1dc43c0fa8c3d1015a06e05dd3693b6

Download Submit
C:\Windows\SysWOW64\Emkaol32.exe

Filesize
416KB

MD5
f6e4bb29ca7e6110ee6cb69b3542f0e8

SHA1
413e280bad0a699d23160e74c9f00c937bb8471a

SHA256
3a4ae9e517fcecb236af05703fb07c5785ef01bd6ed55444dc85e526a8b1b2a2

SHA512
906b1ba7b3a1dd5ed97fe6b1b4531821143a28eb0ddb19bee37211e8ae9e9094ef49deefe4d12001a229341432726ee5292ada5cd0f11d921e24ca913572e8a8

Download Submit
C:\Windows\SysWOW64\Emkaol32.exe

Filesize
416KB

MD5
f6e4bb29ca7e6110ee6cb69b3542f0e8

SHA1
413e280bad0a699d23160e74c9f00c937bb8471a

SHA256
3a4ae9e517fcecb236af05703fb07c5785ef01bd6ed55444dc85e526a8b1b2a2

SHA512
906b1ba7b3a1dd5ed97fe6b1b4531821143a28eb0ddb19bee37211e8ae9e9094ef49deefe4d12001a229341432726ee5292ada5cd0f11d921e24ca913572e8a8

Download Submit
C:\Windows\SysWOW64\Emkaol32.exe

Filesize
416KB

MD5
f6e4bb29ca7e6110ee6cb69b3542f0e8

SHA1
413e280bad0a699d23160e74c9f00c937bb8471a

SHA256
3a4ae9e517fcecb236af05703fb07c5785ef01bd6ed55444dc85e526a8b1b2a2

SHA512
906b1ba7b3a1dd5ed97fe6b1b4531821143a28eb0ddb19bee37211e8ae9e9094ef49deefe4d12001a229341432726ee5292ada5cd0f11d921e24ca913572e8a8

Download Submit
C:\Windows\SysWOW64\Fkckeh32.exe

Filesize
416KB

MD5
ac60fc8b719141c6807402976003d9c3

SHA1
6e79115517f86bdd46b463329ff3b4659cb70e84

SHA256
97c0764ac688fd2934e171aab9e3932f65773f07b9e9f6a35808ae4253de1212

SHA512
394a9736ce4967da6307b6498c141b3e1966fe4aa4acac82eb36574a795ce6bb7a54863dc9aec36a24d8375c7256b650140fb64ce8bf58feb138be2075f0ae93

Download Submit
C:\Windows\SysWOW64\Fkckeh32.exe

Filesize
416KB

MD5
ac60fc8b719141c6807402976003d9c3

SHA1
6e79115517f86bdd46b463329ff3b4659cb70e84

SHA256
97c0764ac688fd2934e171aab9e3932f65773f07b9e9f6a35808ae4253de1212

SHA512
394a9736ce4967da6307b6498c141b3e1966fe4aa4acac82eb36574a795ce6bb7a54863dc9aec36a24d8375c7256b650140fb64ce8bf58feb138be2075f0ae93

Download Submit
\Windows\SysWOW64\Echfaf32.exe

Filesize
416KB

MD5
ed745643a9ba1ee99d1d729c6eaf9c5c

SHA1
ca048754f13c1f33300506fe592d742a806e7435

SHA256
dd777976e8f8abe01d6810b163b957adfb9103447697b1de60e4b2553c6bb1d5

SHA512
d96b2f20edc569c62669e39318329aeac1a7692222173555934dada18eefdf814cb1f82432c34a25d6bc836d91cc3b61b1dc43c0fa8c3d1015a06e05dd3693b6

Download Submit
\Windows\SysWOW64\Echfaf32.exe

Filesize
416KB

MD5
ed745643a9ba1ee99d1d729c6eaf9c5c

SHA1
ca048754f13c1f33300506fe592d742a806e7435

SHA256
dd777976e8f8abe01d6810b163b957adfb9103447697b1de60e4b2553c6bb1d5

SHA512
d96b2f20edc569c62669e39318329aeac1a7692222173555934dada18eefdf814cb1f82432c34a25d6bc836d91cc3b61b1dc43c0fa8c3d1015a06e05dd3693b6

Download Submit
\Windows\SysWOW64\Emkaol32.exe

Filesize
416KB

MD5
f6e4bb29ca7e6110ee6cb69b3542f0e8

SHA1
413e280bad0a699d23160e74c9f00c937bb8471a

SHA256
3a4ae9e517fcecb236af05703fb07c5785ef01bd6ed55444dc85e526a8b1b2a2

SHA512
906b1ba7b3a1dd5ed97fe6b1b4531821143a28eb0ddb19bee37211e8ae9e9094ef49deefe4d12001a229341432726ee5292ada5cd0f11d921e24ca913572e8a8

Download Submit
\Windows\SysWOW64\Emkaol32.exe

Filesize
416KB

MD5
f6e4bb29ca7e6110ee6cb69b3542f0e8

SHA1
413e280bad0a699d23160e74c9f00c937bb8471a

SHA256
3a4ae9e517fcecb236af05703fb07c5785ef01bd6ed55444dc85e526a8b1b2a2

SHA512
906b1ba7b3a1dd5ed97fe6b1b4531821143a28eb0ddb19bee37211e8ae9e9094ef49deefe4d12001a229341432726ee5292ada5cd0f11d921e24ca913572e8a8

Download Submit
\Windows\SysWOW64\Fkckeh32.exe

Filesize
416KB

MD5
ac60fc8b719141c6807402976003d9c3

SHA1
6e79115517f86bdd46b463329ff3b4659cb70e84

SHA256
97c0764ac688fd2934e171aab9e3932f65773f07b9e9f6a35808ae4253de1212

SHA512
394a9736ce4967da6307b6498c141b3e1966fe4aa4acac82eb36574a795ce6bb7a54863dc9aec36a24d8375c7256b650140fb64ce8bf58feb138be2075f0ae93

Download Submit
\Windows\SysWOW64\Fkckeh32.exe

Filesize
416KB

MD5
ac60fc8b719141c6807402976003d9c3

SHA1
6e79115517f86bdd46b463329ff3b4659cb70e84

SHA256
97c0764ac688fd2934e171aab9e3932f65773f07b9e9f6a35808ae4253de1212

SHA512
394a9736ce4967da6307b6498c141b3e1966fe4aa4acac82eb36574a795ce6bb7a54863dc9aec36a24d8375c7256b650140fb64ce8bf58feb138be2075f0ae93

Download Submit
\Windows\SysWOW64\Fkckeh32.exe

Filesize
416KB

MD5
ac60fc8b719141c6807402976003d9c3

SHA1
6e79115517f86bdd46b463329ff3b4659cb70e84

SHA256
97c0764ac688fd2934e171aab9e3932f65773f07b9e9f6a35808ae4253de1212

SHA512
394a9736ce4967da6307b6498c141b3e1966fe4aa4acac82eb36574a795ce6bb7a54863dc9aec36a24d8375c7256b650140fb64ce8bf58feb138be2075f0ae93

Download Submit
\Windows\SysWOW64\Fkckeh32.exe

Filesize
416KB

MD5
ac60fc8b719141c6807402976003d9c3

SHA1
6e79115517f86bdd46b463329ff3b4659cb70e84

SHA256
97c0764ac688fd2934e171aab9e3932f65773f07b9e9f6a35808ae4253de1212

SHA512
394a9736ce4967da6307b6498c141b3e1966fe4aa4acac82eb36574a795ce6bb7a54863dc9aec36a24d8375c7256b650140fb64ce8bf58feb138be2075f0ae93

Download Submit
\Windows\SysWOW64\Fkckeh32.exe

Filesize
416KB

MD5
ac60fc8b719141c6807402976003d9c3

SHA1
6e79115517f86bdd46b463329ff3b4659cb70e84

SHA256
97c0764ac688fd2934e171aab9e3932f65773f07b9e9f6a35808ae4253de1212

SHA512
394a9736ce4967da6307b6498c141b3e1966fe4aa4acac82eb36574a795ce6bb7a54863dc9aec36a24d8375c7256b650140fb64ce8bf58feb138be2075f0ae93

Download Submit
\Windows\SysWOW64\Fkckeh32.exe

Filesize
416KB

MD5
ac60fc8b719141c6807402976003d9c3

SHA1
6e79115517f86bdd46b463329ff3b4659cb70e84

SHA256
97c0764ac688fd2934e171aab9e3932f65773f07b9e9f6a35808ae4253de1212

SHA512
394a9736ce4967da6307b6498c141b3e1966fe4aa4acac82eb36574a795ce6bb7a54863dc9aec36a24d8375c7256b650140fb64ce8bf58feb138be2075f0ae93

Download Submit
memory/632-31-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/632-24-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/632-46-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1564-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2092-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2092-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2092-6-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2796-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2796-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads