70359cf325b3a507dec370073dcc4f0ccf4bc5ebaab95b136146da547fc3525e

General

Target

3e11595807b8455de73fa4f715bafc42_JC.exe
Size

362KB
MD5

3e11595807b8455de73fa4f715bafc42
SHA1

4cb35b9bbdc643b2a903a8f7f9f3a26854000fd5
SHA256

70359cf325b3a507dec370073dcc4f0ccf4bc5ebaab95b136146da547fc3525e
SHA512

41f58af3a8a0a54c47f3b18bcadf7eb220e01920df11eec48016ca1f394a6b0b26af2925d43ad7d0850f81cb8e6dddf5eafb8711f5c881cf507130dfac01f891
SSDEEP

6144:RY9Tyq0hX/0h7tGDuMEUrQVad7nG3mbDp2o+SsmiMyhtHEyr5psPc1aj8DOvlvuF:qdZmX/0VtmuMtrQ07nGWxWSsmiMyh95V

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3e11595807b8455de73fa4f715bafc42_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	3e11595807b8455de73fa4f715bafc42_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
2952	Nlhgoqhh.exe

Loads dropped DLL 6 IoCs

pid	Process
2280	3e11595807b8455de73fa4f715bafc42_JC.exe
2280	3e11595807b8455de73fa4f715bafc42_JC.exe
2116	WerFault.exe
2116	WerFault.exe
2116	WerFault.exe
2116	WerFault.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	3e11595807b8455de73fa4f715bafc42_JC.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	3e11595807b8455de73fa4f715bafc42_JC.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	3e11595807b8455de73fa4f715bafc42_JC.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2116	2952	WerFault.exe	28

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	3e11595807b8455de73fa4f715bafc42_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	3e11595807b8455de73fa4f715bafc42_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	3e11595807b8455de73fa4f715bafc42_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	3e11595807b8455de73fa4f715bafc42_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	3e11595807b8455de73fa4f715bafc42_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	3e11595807b8455de73fa4f715bafc42_JC.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2952	2280	3e11595807b8455de73fa4f715bafc42_JC.exe	28
PID 2280 wrote to memory of 2952	2280	3e11595807b8455de73fa4f715bafc42_JC.exe	28
PID 2280 wrote to memory of 2952	2280	3e11595807b8455de73fa4f715bafc42_JC.exe	28
PID 2280 wrote to memory of 2952	2280	3e11595807b8455de73fa4f715bafc42_JC.exe	28
PID 2952 wrote to memory of 2116	2952	Nlhgoqhh.exe	29
PID 2952 wrote to memory of 2116	2952	Nlhgoqhh.exe	29
PID 2952 wrote to memory of 2116	2952	Nlhgoqhh.exe	29
PID 2952 wrote to memory of 2116	2952	Nlhgoqhh.exe	29

C:\Users\Admin\AppData\Local\Temp\3e11595807b8455de73fa4f715bafc42_JC.exe
"C:\Users\Admin\AppData\Local\Temp\3e11595807b8455de73fa4f715bafc42_JC.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\SysWOW64\Nlhgoqhh.exe
  C:\Windows\system32\Nlhgoqhh.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 140
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
362KB

MD5
c42a6c432bf5a6d0bc7a5778ea9285fa

SHA1
5afe18b71c6a374db0398234f339116b5b423f40

SHA256
a6eec35274256d7fba18058da59d73ef1f743c5db8a5b18a6410af7b502494fe

SHA512
d850f7a650d544e069e9960f850d62eaecca9bb023ff1ee2158399e402a529e0e9afccade6d01e2dfcd99ac63195f03e3e54305cd1ce24c6a548c82ed2322796

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
362KB

MD5
c42a6c432bf5a6d0bc7a5778ea9285fa

SHA1
5afe18b71c6a374db0398234f339116b5b423f40

SHA256
a6eec35274256d7fba18058da59d73ef1f743c5db8a5b18a6410af7b502494fe

SHA512
d850f7a650d544e069e9960f850d62eaecca9bb023ff1ee2158399e402a529e0e9afccade6d01e2dfcd99ac63195f03e3e54305cd1ce24c6a548c82ed2322796

Download Submit
\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
362KB

MD5
c42a6c432bf5a6d0bc7a5778ea9285fa

SHA1
5afe18b71c6a374db0398234f339116b5b423f40

SHA256
a6eec35274256d7fba18058da59d73ef1f743c5db8a5b18a6410af7b502494fe

SHA512
d850f7a650d544e069e9960f850d62eaecca9bb023ff1ee2158399e402a529e0e9afccade6d01e2dfcd99ac63195f03e3e54305cd1ce24c6a548c82ed2322796

Download Submit
\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
362KB

MD5
c42a6c432bf5a6d0bc7a5778ea9285fa

SHA1
5afe18b71c6a374db0398234f339116b5b423f40

SHA256
a6eec35274256d7fba18058da59d73ef1f743c5db8a5b18a6410af7b502494fe

SHA512
d850f7a650d544e069e9960f850d62eaecca9bb023ff1ee2158399e402a529e0e9afccade6d01e2dfcd99ac63195f03e3e54305cd1ce24c6a548c82ed2322796

Download Submit
\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
362KB

MD5
c42a6c432bf5a6d0bc7a5778ea9285fa

SHA1
5afe18b71c6a374db0398234f339116b5b423f40

SHA256
a6eec35274256d7fba18058da59d73ef1f743c5db8a5b18a6410af7b502494fe

SHA512
d850f7a650d544e069e9960f850d62eaecca9bb023ff1ee2158399e402a529e0e9afccade6d01e2dfcd99ac63195f03e3e54305cd1ce24c6a548c82ed2322796

Download Submit
\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
362KB

MD5
c42a6c432bf5a6d0bc7a5778ea9285fa

SHA1
5afe18b71c6a374db0398234f339116b5b423f40

SHA256
a6eec35274256d7fba18058da59d73ef1f743c5db8a5b18a6410af7b502494fe

SHA512
d850f7a650d544e069e9960f850d62eaecca9bb023ff1ee2158399e402a529e0e9afccade6d01e2dfcd99ac63195f03e3e54305cd1ce24c6a548c82ed2322796

Download Submit
\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
362KB

MD5
c42a6c432bf5a6d0bc7a5778ea9285fa

SHA1
5afe18b71c6a374db0398234f339116b5b423f40

SHA256
a6eec35274256d7fba18058da59d73ef1f743c5db8a5b18a6410af7b502494fe

SHA512
d850f7a650d544e069e9960f850d62eaecca9bb023ff1ee2158399e402a529e0e9afccade6d01e2dfcd99ac63195f03e3e54305cd1ce24c6a548c82ed2322796

Download Submit
\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
362KB

MD5
c42a6c432bf5a6d0bc7a5778ea9285fa

SHA1
5afe18b71c6a374db0398234f339116b5b423f40

SHA256
a6eec35274256d7fba18058da59d73ef1f743c5db8a5b18a6410af7b502494fe

SHA512
d850f7a650d544e069e9960f850d62eaecca9bb023ff1ee2158399e402a529e0e9afccade6d01e2dfcd99ac63195f03e3e54305cd1ce24c6a548c82ed2322796

Download Submit
memory/2280-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2280-7-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2280-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2952-18-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads