ea1051cf342b4f181060f6b810023243114899bd9c44c934a4340c39e8f1763c

Analysis

max time kernel
147s
max time network
125s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
16/11/2023, 09:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.10dd592e92701dff432f373002c59070.exe
Size

325KB
MD5

10dd592e92701dff432f373002c59070
SHA1

840479e42cba77e8c62a2fb9f532c8bc28391bd1
SHA256

ea1051cf342b4f181060f6b810023243114899bd9c44c934a4340c39e8f1763c
SHA512

f0b09205a179a25901cbf8fac518599bf679edb6044f69ebed078ebe87dff2950cdab406dea8523d747c70328d422f9645acf5dc92dd7deec28bb7e812bfe940
SSDEEP

6144:kNrzTrOEiFjRs+Hsohxd2Quohdbd0zscwIGUKfvUJ43ewmxteZekR+1b/KVC0CL0:khrObLHxdzZdxGwsYIL0

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhpeafc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.10dd592e92701dff432f373002c59070.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	NEAS.10dd592e92701dff432f373002c59070.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaloddnn.exe

Executes dropped EXE 3 IoCs

pid	Process
1832	Aaloddnn.exe
2708	Bhhpeafc.exe
2684	Cacacg32.exe

Loads dropped DLL 10 IoCs

pid	Process
2272	NEAS.10dd592e92701dff432f373002c59070.exe
2272	NEAS.10dd592e92701dff432f373002c59070.exe
1832	Aaloddnn.exe
1832	Aaloddnn.exe
2708	Bhhpeafc.exe
2708	Bhhpeafc.exe
2584	WerFault.exe
2584	WerFault.exe
2584	WerFault.exe
2584	WerFault.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Aaloddnn.exe	NEAS.10dd592e92701dff432f373002c59070.exe
File created	C:\Windows\SysWOW64\Bhhpeafc.exe	Aaloddnn.exe
File created	C:\Windows\SysWOW64\Cacacg32.exe	Bhhpeafc.exe
File created	C:\Windows\SysWOW64\Aaloddnn.exe	NEAS.10dd592e92701dff432f373002c59070.exe
File created	C:\Windows\SysWOW64\Mhpeoj32.dll	NEAS.10dd592e92701dff432f373002c59070.exe
File opened for modification	C:\Windows\SysWOW64\Bhhpeafc.exe	Aaloddnn.exe
File created	C:\Windows\SysWOW64\Jodjlm32.dll	Aaloddnn.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Bhhpeafc.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Bhhpeafc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2584	2684	WerFault.exe	30

Modifies registry class 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhpeoj32.dll"	NEAS.10dd592e92701dff432f373002c59070.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	NEAS.10dd592e92701dff432f373002c59070.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jodjlm32.dll"	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Bhhpeafc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	NEAS.10dd592e92701dff432f373002c59070.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	NEAS.10dd592e92701dff432f373002c59070.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aaloddnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhpeafc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	NEAS.10dd592e92701dff432f373002c59070.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	NEAS.10dd592e92701dff432f373002c59070.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 1832	2272	NEAS.10dd592e92701dff432f373002c59070.exe	28
PID 2272 wrote to memory of 1832	2272	NEAS.10dd592e92701dff432f373002c59070.exe	28
PID 2272 wrote to memory of 1832	2272	NEAS.10dd592e92701dff432f373002c59070.exe	28
PID 2272 wrote to memory of 1832	2272	NEAS.10dd592e92701dff432f373002c59070.exe	28
PID 1832 wrote to memory of 2708	1832	Aaloddnn.exe	29
PID 1832 wrote to memory of 2708	1832	Aaloddnn.exe	29
PID 1832 wrote to memory of 2708	1832	Aaloddnn.exe	29
PID 1832 wrote to memory of 2708	1832	Aaloddnn.exe	29
PID 2708 wrote to memory of 2684	2708	Bhhpeafc.exe	30
PID 2708 wrote to memory of 2684	2708	Bhhpeafc.exe	30
PID 2708 wrote to memory of 2684	2708	Bhhpeafc.exe	30
PID 2708 wrote to memory of 2684	2708	Bhhpeafc.exe	30
PID 2684 wrote to memory of 2584	2684	Cacacg32.exe	31
PID 2684 wrote to memory of 2584	2684	Cacacg32.exe	31
PID 2684 wrote to memory of 2584	2684	Cacacg32.exe	31
PID 2684 wrote to memory of 2584	2684	Cacacg32.exe	31

C:\Users\Admin\AppData\Local\Temp\NEAS.10dd592e92701dff432f373002c59070.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.10dd592e92701dff432f373002c59070.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\SysWOW64\Aaloddnn.exe
  C:\Windows\system32\Aaloddnn.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\SysWOW64\Bhhpeafc.exe
    C:\Windows\system32\Bhhpeafc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\SysWOW64\Cacacg32.exe
      C:\Windows\system32\Cacacg32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 140
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaloddnn.exe

Filesize
325KB

MD5
2c456f8ac1d57244b7c985b4b508bccb

SHA1
0027ac626e3471e8e8f20cb5f00ca847c6f0a5fb

SHA256
475556504cf68937fbfab9cfd795b68dc8f03b960fda5acb9df67bb070cc1e48

SHA512
b691b67c8d6d55ab06194124238174094fbd74bb96e4a422b6917c49ccfa9e05c938cc84cc4423f3bdc92cd3c59173f99a5135aab46ac942ab16484d493d1d71

Download Submit
C:\Windows\SysWOW64\Aaloddnn.exe

Filesize
325KB

MD5
2c456f8ac1d57244b7c985b4b508bccb

SHA1
0027ac626e3471e8e8f20cb5f00ca847c6f0a5fb

SHA256
475556504cf68937fbfab9cfd795b68dc8f03b960fda5acb9df67bb070cc1e48

SHA512
b691b67c8d6d55ab06194124238174094fbd74bb96e4a422b6917c49ccfa9e05c938cc84cc4423f3bdc92cd3c59173f99a5135aab46ac942ab16484d493d1d71

Download Submit
C:\Windows\SysWOW64\Aaloddnn.exe

Filesize
325KB

MD5
2c456f8ac1d57244b7c985b4b508bccb

SHA1
0027ac626e3471e8e8f20cb5f00ca847c6f0a5fb

SHA256
475556504cf68937fbfab9cfd795b68dc8f03b960fda5acb9df67bb070cc1e48

SHA512
b691b67c8d6d55ab06194124238174094fbd74bb96e4a422b6917c49ccfa9e05c938cc84cc4423f3bdc92cd3c59173f99a5135aab46ac942ab16484d493d1d71

Download Submit
C:\Windows\SysWOW64\Bhhpeafc.exe

Filesize
325KB

MD5
00679ec6a46a5c6733ad0a072b0cb0ec

SHA1
c9c23ff9b230eb21f6da68f520e35865bdf02723

SHA256
52ba31b8699cc9c6713628f0ca1d507af240f3c890257796b2076ea896a36e63

SHA512
7f12a66b3555431beeb53b7966d25a584000d0716e60fe1b64e787e54b65349ccc0615c75aeb940d475997db3056ddae431b10d26fc3625aff05515af0c489be

Download Submit
C:\Windows\SysWOW64\Bhhpeafc.exe

Filesize
325KB

MD5
00679ec6a46a5c6733ad0a072b0cb0ec

SHA1
c9c23ff9b230eb21f6da68f520e35865bdf02723

SHA256
52ba31b8699cc9c6713628f0ca1d507af240f3c890257796b2076ea896a36e63

SHA512
7f12a66b3555431beeb53b7966d25a584000d0716e60fe1b64e787e54b65349ccc0615c75aeb940d475997db3056ddae431b10d26fc3625aff05515af0c489be

Download Submit
C:\Windows\SysWOW64\Bhhpeafc.exe

Filesize
325KB

MD5
00679ec6a46a5c6733ad0a072b0cb0ec

SHA1
c9c23ff9b230eb21f6da68f520e35865bdf02723

SHA256
52ba31b8699cc9c6713628f0ca1d507af240f3c890257796b2076ea896a36e63

SHA512
7f12a66b3555431beeb53b7966d25a584000d0716e60fe1b64e787e54b65349ccc0615c75aeb940d475997db3056ddae431b10d26fc3625aff05515af0c489be

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
325KB

MD5
9d52412499b4efd9aef05d5affde11a8

SHA1
e7216db52350621b00bdb890ee39d3e2e15b47cd

SHA256
d6ec81934199379ec6785227e85160552698e12594c1a098b5f5af51b7b99d61

SHA512
818357ac36f194afd7ec36f4e0ab37b8c08e141ee36262a318708d2f41efe25901f5e8f5d2f6ecb8c72ae742eec8657d81f3b3e13b6f102f9ea286ff3bfd49ed

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
325KB

MD5
9d52412499b4efd9aef05d5affde11a8

SHA1
e7216db52350621b00bdb890ee39d3e2e15b47cd

SHA256
d6ec81934199379ec6785227e85160552698e12594c1a098b5f5af51b7b99d61

SHA512
818357ac36f194afd7ec36f4e0ab37b8c08e141ee36262a318708d2f41efe25901f5e8f5d2f6ecb8c72ae742eec8657d81f3b3e13b6f102f9ea286ff3bfd49ed

Download Submit
\Windows\SysWOW64\Aaloddnn.exe

Filesize
325KB

MD5
2c456f8ac1d57244b7c985b4b508bccb

SHA1
0027ac626e3471e8e8f20cb5f00ca847c6f0a5fb

SHA256
475556504cf68937fbfab9cfd795b68dc8f03b960fda5acb9df67bb070cc1e48

SHA512
b691b67c8d6d55ab06194124238174094fbd74bb96e4a422b6917c49ccfa9e05c938cc84cc4423f3bdc92cd3c59173f99a5135aab46ac942ab16484d493d1d71

Download Submit
\Windows\SysWOW64\Aaloddnn.exe

Filesize
325KB

MD5
2c456f8ac1d57244b7c985b4b508bccb

SHA1
0027ac626e3471e8e8f20cb5f00ca847c6f0a5fb

SHA256
475556504cf68937fbfab9cfd795b68dc8f03b960fda5acb9df67bb070cc1e48

SHA512
b691b67c8d6d55ab06194124238174094fbd74bb96e4a422b6917c49ccfa9e05c938cc84cc4423f3bdc92cd3c59173f99a5135aab46ac942ab16484d493d1d71

Download Submit
\Windows\SysWOW64\Bhhpeafc.exe

Filesize
325KB

MD5
00679ec6a46a5c6733ad0a072b0cb0ec

SHA1
c9c23ff9b230eb21f6da68f520e35865bdf02723

SHA256
52ba31b8699cc9c6713628f0ca1d507af240f3c890257796b2076ea896a36e63

SHA512
7f12a66b3555431beeb53b7966d25a584000d0716e60fe1b64e787e54b65349ccc0615c75aeb940d475997db3056ddae431b10d26fc3625aff05515af0c489be

Download Submit
\Windows\SysWOW64\Bhhpeafc.exe

Filesize
325KB

MD5
00679ec6a46a5c6733ad0a072b0cb0ec

SHA1
c9c23ff9b230eb21f6da68f520e35865bdf02723

SHA256
52ba31b8699cc9c6713628f0ca1d507af240f3c890257796b2076ea896a36e63

SHA512
7f12a66b3555431beeb53b7966d25a584000d0716e60fe1b64e787e54b65349ccc0615c75aeb940d475997db3056ddae431b10d26fc3625aff05515af0c489be

Download Submit
\Windows\SysWOW64\Cacacg32.exe

Filesize
325KB

MD5
9d52412499b4efd9aef05d5affde11a8

SHA1
e7216db52350621b00bdb890ee39d3e2e15b47cd

SHA256
d6ec81934199379ec6785227e85160552698e12594c1a098b5f5af51b7b99d61

SHA512
818357ac36f194afd7ec36f4e0ab37b8c08e141ee36262a318708d2f41efe25901f5e8f5d2f6ecb8c72ae742eec8657d81f3b3e13b6f102f9ea286ff3bfd49ed

Download Submit
\Windows\SysWOW64\Cacacg32.exe

Filesize
325KB

MD5
9d52412499b4efd9aef05d5affde11a8

SHA1
e7216db52350621b00bdb890ee39d3e2e15b47cd

SHA256
d6ec81934199379ec6785227e85160552698e12594c1a098b5f5af51b7b99d61

SHA512
818357ac36f194afd7ec36f4e0ab37b8c08e141ee36262a318708d2f41efe25901f5e8f5d2f6ecb8c72ae742eec8657d81f3b3e13b6f102f9ea286ff3bfd49ed

Download Submit
\Windows\SysWOW64\Cacacg32.exe

Filesize
325KB

MD5
9d52412499b4efd9aef05d5affde11a8

SHA1
e7216db52350621b00bdb890ee39d3e2e15b47cd

SHA256
d6ec81934199379ec6785227e85160552698e12594c1a098b5f5af51b7b99d61

SHA512
818357ac36f194afd7ec36f4e0ab37b8c08e141ee36262a318708d2f41efe25901f5e8f5d2f6ecb8c72ae742eec8657d81f3b3e13b6f102f9ea286ff3bfd49ed

Download Submit
\Windows\SysWOW64\Cacacg32.exe

Filesize
325KB

MD5
9d52412499b4efd9aef05d5affde11a8

SHA1
e7216db52350621b00bdb890ee39d3e2e15b47cd

SHA256
d6ec81934199379ec6785227e85160552698e12594c1a098b5f5af51b7b99d61

SHA512
818357ac36f194afd7ec36f4e0ab37b8c08e141ee36262a318708d2f41efe25901f5e8f5d2f6ecb8c72ae742eec8657d81f3b3e13b6f102f9ea286ff3bfd49ed

Download Submit
\Windows\SysWOW64\Cacacg32.exe

Filesize
325KB

MD5
9d52412499b4efd9aef05d5affde11a8

SHA1
e7216db52350621b00bdb890ee39d3e2e15b47cd

SHA256
d6ec81934199379ec6785227e85160552698e12594c1a098b5f5af51b7b99d61

SHA512
818357ac36f194afd7ec36f4e0ab37b8c08e141ee36262a318708d2f41efe25901f5e8f5d2f6ecb8c72ae742eec8657d81f3b3e13b6f102f9ea286ff3bfd49ed

Download Submit
\Windows\SysWOW64\Cacacg32.exe

Filesize
325KB

MD5
9d52412499b4efd9aef05d5affde11a8

SHA1
e7216db52350621b00bdb890ee39d3e2e15b47cd

SHA256
d6ec81934199379ec6785227e85160552698e12594c1a098b5f5af51b7b99d61

SHA512
818357ac36f194afd7ec36f4e0ab37b8c08e141ee36262a318708d2f41efe25901f5e8f5d2f6ecb8c72ae742eec8657d81f3b3e13b6f102f9ea286ff3bfd49ed

Download Submit
memory/1832-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1832-22-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1832-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2272-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2272-6-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2272-13-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2272-47-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2684-42-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-41-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2708-39-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2708-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads