0480bb64c210973f2d76f8d51922e50758d074183ddf670d022386125049435f

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
16/11/2023, 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.07cba9992ea9b50748a53fe0dbba4b35.exe
Size

176KB
MD5

07cba9992ea9b50748a53fe0dbba4b35
SHA1

d4063bab2da744cb9c6c778d149e8776b3211189
SHA256

0480bb64c210973f2d76f8d51922e50758d074183ddf670d022386125049435f
SHA512

f36790cf91b12ac4925f80f13e1d6e5d539a2b1740c296f630d936fde26cf6fcf5e84af01268f974b2f30de5e5a0f5938d7d32cd4617d766484adbef2dbbd816
SSDEEP

3072:VtXmDyxaJ36se/nIcqIOOJF4EISi/i4gG4nTxGkIs6:Vk+QJ3de/Icl4yjTAkO

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.07cba9992ea9b50748a53fe0dbba4b35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	NEAS.07cba9992ea9b50748a53fe0dbba4b35.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enhacojl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enhacojl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Echfaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Echfaf32.exe

Executes dropped EXE 3 IoCs

pid	Process
2628	Enhacojl.exe
1736	Echfaf32.exe
2700	Fkckeh32.exe

Loads dropped DLL 10 IoCs

pid	Process
2468	NEAS.07cba9992ea9b50748a53fe0dbba4b35.exe
2468	NEAS.07cba9992ea9b50748a53fe0dbba4b35.exe
2628	Enhacojl.exe
2628	Enhacojl.exe
1736	Echfaf32.exe
1736	Echfaf32.exe
2896	WerFault.exe
2896	WerFault.exe
2896	WerFault.exe
2896	WerFault.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Echfaf32.exe	Enhacojl.exe
File created	C:\Windows\SysWOW64\Najgne32.dll	Enhacojl.exe
File created	C:\Windows\SysWOW64\Fkckeh32.exe	Echfaf32.exe
File opened for modification	C:\Windows\SysWOW64\Fkckeh32.exe	Echfaf32.exe
File created	C:\Windows\SysWOW64\Clkmne32.dll	Echfaf32.exe
File opened for modification	C:\Windows\SysWOW64\Enhacojl.exe	NEAS.07cba9992ea9b50748a53fe0dbba4b35.exe
File created	C:\Windows\SysWOW64\Ampehe32.dll	NEAS.07cba9992ea9b50748a53fe0dbba4b35.exe
File created	C:\Windows\SysWOW64\Echfaf32.exe	Enhacojl.exe
File created	C:\Windows\SysWOW64\Enhacojl.exe	NEAS.07cba9992ea9b50748a53fe0dbba4b35.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2896	2700	WerFault.exe	30

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	NEAS.07cba9992ea9b50748a53fe0dbba4b35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ampehe32.dll"	NEAS.07cba9992ea9b50748a53fe0dbba4b35.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enhacojl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najgne32.dll"	Enhacojl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Echfaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkmne32.dll"	Echfaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Echfaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	NEAS.07cba9992ea9b50748a53fe0dbba4b35.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	NEAS.07cba9992ea9b50748a53fe0dbba4b35.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	NEAS.07cba9992ea9b50748a53fe0dbba4b35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	NEAS.07cba9992ea9b50748a53fe0dbba4b35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enhacojl.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 2628	2468	NEAS.07cba9992ea9b50748a53fe0dbba4b35.exe	28
PID 2468 wrote to memory of 2628	2468	NEAS.07cba9992ea9b50748a53fe0dbba4b35.exe	28
PID 2468 wrote to memory of 2628	2468	NEAS.07cba9992ea9b50748a53fe0dbba4b35.exe	28
PID 2468 wrote to memory of 2628	2468	NEAS.07cba9992ea9b50748a53fe0dbba4b35.exe	28
PID 2628 wrote to memory of 1736	2628	Enhacojl.exe	29
PID 2628 wrote to memory of 1736	2628	Enhacojl.exe	29
PID 2628 wrote to memory of 1736	2628	Enhacojl.exe	29
PID 2628 wrote to memory of 1736	2628	Enhacojl.exe	29
PID 1736 wrote to memory of 2700	1736	Echfaf32.exe	30
PID 1736 wrote to memory of 2700	1736	Echfaf32.exe	30
PID 1736 wrote to memory of 2700	1736	Echfaf32.exe	30
PID 1736 wrote to memory of 2700	1736	Echfaf32.exe	30
PID 2700 wrote to memory of 2896	2700	Fkckeh32.exe	31
PID 2700 wrote to memory of 2896	2700	Fkckeh32.exe	31
PID 2700 wrote to memory of 2896	2700	Fkckeh32.exe	31
PID 2700 wrote to memory of 2896	2700	Fkckeh32.exe	31

C:\Users\Admin\AppData\Local\Temp\NEAS.07cba9992ea9b50748a53fe0dbba4b35.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.07cba9992ea9b50748a53fe0dbba4b35.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\SysWOW64\Enhacojl.exe
  C:\Windows\system32\Enhacojl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\SysWOW64\Echfaf32.exe
    C:\Windows\system32\Echfaf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1736
  - - C:\Windows\SysWOW64\Fkckeh32.exe
      C:\Windows\system32\Fkckeh32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 140
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Echfaf32.exe

Filesize
176KB

MD5
89339180fb9d12b297c6f2e8ee6cb36c

SHA1
8a7e019e2e120a47a9b7e3e256774bd18f6c18ef

SHA256
f2234d48309856722c80be15c98d1a49f6530730630459e494873dcf250c756c

SHA512
338784b26fa3885a752966b9b638b38d0d03c048d948cc48b1771628ca2400599966b6e322c019afb316b6da0e6d4fade2822885c2ff6e0f5fa6569b6ebddc2c

Download Submit
C:\Windows\SysWOW64\Echfaf32.exe

Filesize
176KB

MD5
89339180fb9d12b297c6f2e8ee6cb36c

SHA1
8a7e019e2e120a47a9b7e3e256774bd18f6c18ef

SHA256
f2234d48309856722c80be15c98d1a49f6530730630459e494873dcf250c756c

SHA512
338784b26fa3885a752966b9b638b38d0d03c048d948cc48b1771628ca2400599966b6e322c019afb316b6da0e6d4fade2822885c2ff6e0f5fa6569b6ebddc2c

Download Submit
C:\Windows\SysWOW64\Echfaf32.exe

Filesize
176KB

MD5
89339180fb9d12b297c6f2e8ee6cb36c

SHA1
8a7e019e2e120a47a9b7e3e256774bd18f6c18ef

SHA256
f2234d48309856722c80be15c98d1a49f6530730630459e494873dcf250c756c

SHA512
338784b26fa3885a752966b9b638b38d0d03c048d948cc48b1771628ca2400599966b6e322c019afb316b6da0e6d4fade2822885c2ff6e0f5fa6569b6ebddc2c

Download Submit
C:\Windows\SysWOW64\Enhacojl.exe

Filesize
176KB

MD5
c7416df6ed6b7e3ac15ae7a5d36dc496

SHA1
015707eb973e1c651a81960dc2d46e0a1ea57f7f

SHA256
aabfb756242864c2f27fa288003626f1de5e751645f5db576d3805f474da46b4

SHA512
52be78c5d87006a48c3f4b60d9c351d1f27e237cd78306e784561173bc233f4cdef82ffb9828f7cb8c3100c258a223905372e5b3130c54f3e270326e0bd47a42

Download Submit
C:\Windows\SysWOW64\Enhacojl.exe

Filesize
176KB

MD5
c7416df6ed6b7e3ac15ae7a5d36dc496

SHA1
015707eb973e1c651a81960dc2d46e0a1ea57f7f

SHA256
aabfb756242864c2f27fa288003626f1de5e751645f5db576d3805f474da46b4

SHA512
52be78c5d87006a48c3f4b60d9c351d1f27e237cd78306e784561173bc233f4cdef82ffb9828f7cb8c3100c258a223905372e5b3130c54f3e270326e0bd47a42

Download Submit
C:\Windows\SysWOW64\Enhacojl.exe

Filesize
176KB

MD5
c7416df6ed6b7e3ac15ae7a5d36dc496

SHA1
015707eb973e1c651a81960dc2d46e0a1ea57f7f

SHA256
aabfb756242864c2f27fa288003626f1de5e751645f5db576d3805f474da46b4

SHA512
52be78c5d87006a48c3f4b60d9c351d1f27e237cd78306e784561173bc233f4cdef82ffb9828f7cb8c3100c258a223905372e5b3130c54f3e270326e0bd47a42

Download Submit
C:\Windows\SysWOW64\Fkckeh32.exe

Filesize
176KB

MD5
05cc1ad15940d0331eb70939541da10e

SHA1
d73e904476b6f2e3ddc8d3125660d6c0ec69b1a5

SHA256
41813d9622f09c019ada1f375b34350167d93ec7a51c1381bf3209b9936ebdff

SHA512
057962623109fbc3108c2d5e548cac9f165f3b11fed68fbee6f693126ab9a11299f8794774d2a5e8ca9fa3dc47596455f8520e38777dcec53f07285f93b7ed1b

Download Submit
C:\Windows\SysWOW64\Fkckeh32.exe

Filesize
176KB

MD5
05cc1ad15940d0331eb70939541da10e

SHA1
d73e904476b6f2e3ddc8d3125660d6c0ec69b1a5

SHA256
41813d9622f09c019ada1f375b34350167d93ec7a51c1381bf3209b9936ebdff

SHA512
057962623109fbc3108c2d5e548cac9f165f3b11fed68fbee6f693126ab9a11299f8794774d2a5e8ca9fa3dc47596455f8520e38777dcec53f07285f93b7ed1b

Download Submit
\Windows\SysWOW64\Echfaf32.exe

Filesize
176KB

MD5
89339180fb9d12b297c6f2e8ee6cb36c

SHA1
8a7e019e2e120a47a9b7e3e256774bd18f6c18ef

SHA256
f2234d48309856722c80be15c98d1a49f6530730630459e494873dcf250c756c

SHA512
338784b26fa3885a752966b9b638b38d0d03c048d948cc48b1771628ca2400599966b6e322c019afb316b6da0e6d4fade2822885c2ff6e0f5fa6569b6ebddc2c

Download Submit
\Windows\SysWOW64\Echfaf32.exe

Filesize
176KB

MD5
89339180fb9d12b297c6f2e8ee6cb36c

SHA1
8a7e019e2e120a47a9b7e3e256774bd18f6c18ef

SHA256
f2234d48309856722c80be15c98d1a49f6530730630459e494873dcf250c756c

SHA512
338784b26fa3885a752966b9b638b38d0d03c048d948cc48b1771628ca2400599966b6e322c019afb316b6da0e6d4fade2822885c2ff6e0f5fa6569b6ebddc2c

Download Submit
\Windows\SysWOW64\Enhacojl.exe

Filesize
176KB

MD5
c7416df6ed6b7e3ac15ae7a5d36dc496

SHA1
015707eb973e1c651a81960dc2d46e0a1ea57f7f

SHA256
aabfb756242864c2f27fa288003626f1de5e751645f5db576d3805f474da46b4

SHA512
52be78c5d87006a48c3f4b60d9c351d1f27e237cd78306e784561173bc233f4cdef82ffb9828f7cb8c3100c258a223905372e5b3130c54f3e270326e0bd47a42

Download Submit
\Windows\SysWOW64\Enhacojl.exe

Filesize
176KB

MD5
c7416df6ed6b7e3ac15ae7a5d36dc496

SHA1
015707eb973e1c651a81960dc2d46e0a1ea57f7f

SHA256
aabfb756242864c2f27fa288003626f1de5e751645f5db576d3805f474da46b4

SHA512
52be78c5d87006a48c3f4b60d9c351d1f27e237cd78306e784561173bc233f4cdef82ffb9828f7cb8c3100c258a223905372e5b3130c54f3e270326e0bd47a42

Download Submit
\Windows\SysWOW64\Fkckeh32.exe

Filesize
176KB

MD5
05cc1ad15940d0331eb70939541da10e

SHA1
d73e904476b6f2e3ddc8d3125660d6c0ec69b1a5

SHA256
41813d9622f09c019ada1f375b34350167d93ec7a51c1381bf3209b9936ebdff

SHA512
057962623109fbc3108c2d5e548cac9f165f3b11fed68fbee6f693126ab9a11299f8794774d2a5e8ca9fa3dc47596455f8520e38777dcec53f07285f93b7ed1b

Download Submit
\Windows\SysWOW64\Fkckeh32.exe

Filesize
176KB

MD5
05cc1ad15940d0331eb70939541da10e

SHA1
d73e904476b6f2e3ddc8d3125660d6c0ec69b1a5

SHA256
41813d9622f09c019ada1f375b34350167d93ec7a51c1381bf3209b9936ebdff

SHA512
057962623109fbc3108c2d5e548cac9f165f3b11fed68fbee6f693126ab9a11299f8794774d2a5e8ca9fa3dc47596455f8520e38777dcec53f07285f93b7ed1b

Download Submit
\Windows\SysWOW64\Fkckeh32.exe

Filesize
176KB

MD5
05cc1ad15940d0331eb70939541da10e

SHA1
d73e904476b6f2e3ddc8d3125660d6c0ec69b1a5

SHA256
41813d9622f09c019ada1f375b34350167d93ec7a51c1381bf3209b9936ebdff

SHA512
057962623109fbc3108c2d5e548cac9f165f3b11fed68fbee6f693126ab9a11299f8794774d2a5e8ca9fa3dc47596455f8520e38777dcec53f07285f93b7ed1b

Download Submit
\Windows\SysWOW64\Fkckeh32.exe

Filesize
176KB

MD5
05cc1ad15940d0331eb70939541da10e

SHA1
d73e904476b6f2e3ddc8d3125660d6c0ec69b1a5

SHA256
41813d9622f09c019ada1f375b34350167d93ec7a51c1381bf3209b9936ebdff

SHA512
057962623109fbc3108c2d5e548cac9f165f3b11fed68fbee6f693126ab9a11299f8794774d2a5e8ca9fa3dc47596455f8520e38777dcec53f07285f93b7ed1b

Download Submit
\Windows\SysWOW64\Fkckeh32.exe

Filesize
176KB

MD5
05cc1ad15940d0331eb70939541da10e

SHA1
d73e904476b6f2e3ddc8d3125660d6c0ec69b1a5

SHA256
41813d9622f09c019ada1f375b34350167d93ec7a51c1381bf3209b9936ebdff

SHA512
057962623109fbc3108c2d5e548cac9f165f3b11fed68fbee6f693126ab9a11299f8794774d2a5e8ca9fa3dc47596455f8520e38777dcec53f07285f93b7ed1b

Download Submit
\Windows\SysWOW64\Fkckeh32.exe

Filesize
176KB

MD5
05cc1ad15940d0331eb70939541da10e

SHA1
d73e904476b6f2e3ddc8d3125660d6c0ec69b1a5

SHA256
41813d9622f09c019ada1f375b34350167d93ec7a51c1381bf3209b9936ebdff

SHA512
057962623109fbc3108c2d5e548cac9f165f3b11fed68fbee6f693126ab9a11299f8794774d2a5e8ca9fa3dc47596455f8520e38777dcec53f07285f93b7ed1b

Download Submit
memory/1736-40-0x0000000000220000-0x000000000025C000-memory.dmp

Filesize
240KB

Download
memory/1736-31-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2468-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2468-6-0x0000000000220000-0x000000000025C000-memory.dmp

Filesize
240KB

Download
memory/2468-45-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2628-24-0x0000000000220000-0x000000000025C000-memory.dmp

Filesize
240KB

Download
memory/2628-46-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2700-39-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads