f702dcd856b75d087ad1bcba12a8f284cb80134a4eaa921a58a0031893187627

General

Target

00483001f0100616636d6788569185b2.exe
Size

963KB
MD5

00483001f0100616636d6788569185b2
SHA1

1bbabd362f320ce82de402c4a5c4294d8fedbac9
SHA256

f702dcd856b75d087ad1bcba12a8f284cb80134a4eaa921a58a0031893187627
SHA512

afa1ff79f39442c8f1f7bb35b23f249fad146c1907282fc6e7b65f3319c5bedbc20460d73a7648d842d5a23e4f77714d918152699505f76a94ff40819380693e
SSDEEP

12288:qn2AiABm/+zrWAI5KFum/+zrWAIAqWim/+zrWAI5KFHTP7rXFr/+zrWAI5KFum/l:gWm0BmmvFimm0MTP7hm0BmmvFimm0G

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nconfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	00483001f0100616636d6788569185b2.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mohbjkgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nheqnpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nheqnpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ookhfigk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	00483001f0100616636d6788569185b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mohbjkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nconfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ookhfigk.exe

Executes dropped EXE 5 IoCs

pid	Process
4192	Mohbjkgp.exe
4720	Nheqnpjk.exe
2876	Nconfh32.exe
4944	Ookhfigk.exe
1924	Amhdmi32.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ookhfigk.exe	Nconfh32.exe
File created	C:\Windows\SysWOW64\Fkekkccb.dll	00483001f0100616636d6788569185b2.exe
File opened for modification	C:\Windows\SysWOW64\Nconfh32.exe	Nheqnpjk.exe
File created	C:\Windows\SysWOW64\Omclnn32.dll	Nheqnpjk.exe
File created	C:\Windows\SysWOW64\Amhdmi32.exe	Ookhfigk.exe
File created	C:\Windows\SysWOW64\Fmfbakio.dll	Mohbjkgp.exe
File created	C:\Windows\SysWOW64\Gjbpbd32.dll	Nconfh32.exe
File created	C:\Windows\SysWOW64\Ejcdfahd.dll	Ookhfigk.exe
File created	C:\Windows\SysWOW64\Nconfh32.exe	Nheqnpjk.exe
File created	C:\Windows\SysWOW64\Ookhfigk.exe	Nconfh32.exe
File opened for modification	C:\Windows\SysWOW64\Amhdmi32.exe	Ookhfigk.exe
File created	C:\Windows\SysWOW64\Mohbjkgp.exe	00483001f0100616636d6788569185b2.exe
File opened for modification	C:\Windows\SysWOW64\Mohbjkgp.exe	00483001f0100616636d6788569185b2.exe
File created	C:\Windows\SysWOW64\Nheqnpjk.exe	Mohbjkgp.exe
File opened for modification	C:\Windows\SysWOW64\Nheqnpjk.exe	Mohbjkgp.exe

Modifies registry class 18 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nconfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	00483001f0100616636d6788569185b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkekkccb.dll"	00483001f0100616636d6788569185b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ookhfigk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmfbakio.dll"	Mohbjkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mohbjkgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nheqnpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nheqnpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejcdfahd.dll"	Ookhfigk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	00483001f0100616636d6788569185b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	00483001f0100616636d6788569185b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mohbjkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omclnn32.dll"	Nheqnpjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nconfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjbpbd32.dll"	Nconfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ookhfigk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	00483001f0100616636d6788569185b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	00483001f0100616636d6788569185b2.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4308 wrote to memory of 4192	4308	00483001f0100616636d6788569185b2.exe	89
PID 4308 wrote to memory of 4192	4308	00483001f0100616636d6788569185b2.exe	89
PID 4308 wrote to memory of 4192	4308	00483001f0100616636d6788569185b2.exe	89
PID 4192 wrote to memory of 4720	4192	Mohbjkgp.exe	91
PID 4192 wrote to memory of 4720	4192	Mohbjkgp.exe	91
PID 4192 wrote to memory of 4720	4192	Mohbjkgp.exe	91
PID 4720 wrote to memory of 2876	4720	Nheqnpjk.exe	92
PID 4720 wrote to memory of 2876	4720	Nheqnpjk.exe	92
PID 4720 wrote to memory of 2876	4720	Nheqnpjk.exe	92
PID 2876 wrote to memory of 4944	2876	Nconfh32.exe	93
PID 2876 wrote to memory of 4944	2876	Nconfh32.exe	93
PID 2876 wrote to memory of 4944	2876	Nconfh32.exe	93
PID 4944 wrote to memory of 1924	4944	Ookhfigk.exe	94
PID 4944 wrote to memory of 1924	4944	Ookhfigk.exe	94
PID 4944 wrote to memory of 1924	4944	Ookhfigk.exe	94

C:\Users\Admin\AppData\Local\Temp\00483001f0100616636d6788569185b2.exe
"C:\Users\Admin\AppData\Local\Temp\00483001f0100616636d6788569185b2.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Windows\SysWOW64\Mohbjkgp.exe
  C:\Windows\system32\Mohbjkgp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4192
- - C:\Windows\SysWOW64\Nheqnpjk.exe
    C:\Windows\system32\Nheqnpjk.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4720
  - - C:\Windows\SysWOW64\Nconfh32.exe
      C:\Windows\system32\Nconfh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2876
    - - C:\Windows\SysWOW64\Ookhfigk.exe
        
        C:\Windows\system32\Ookhfigk.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4944
      - C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        6⤵
        Executes dropped EXE
        
        PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Amhdmi32.exe

Filesize
963KB

MD5
ec68fd575ab59e35355ee2339560ff42

SHA1
56e203cfdfd5eff50f67bec2a308977a6921046d

SHA256
b4aa6c3a708a72f9ca5a61ba05abe75e673a821dc3bf1207a956e065c1f5d85d

SHA512
564d3ca138ba86f8c162786ddb3acb03afd0d033b59d17f2f2845919e4ddf99cce286b49ef722ee9b4187e48e4d4f6107fdfe00284e483cf096c0c88cd52bce3

Download Submit
C:\Windows\SysWOW64\Ejcdfahd.dll

Filesize
7KB

MD5
22f3dc2422922af36ca6db82f752fe53

SHA1
feaf111bdc6b4a6e5e0aebd749630d8c6e54356a

SHA256
c450fb949d862e15d50e0cbabcdede69e675323862697c0c098ab0b4480ff283

SHA512
37668c3237df9bac4a11f0e25694a2bb0efac306889d8b5aa9f94b05d38c4636a4ae52c66fcc1dcfe31d4e9b43bfbbb90a1858b9357922a5817c5fd8058b92e0

Download Submit
C:\Windows\SysWOW64\Mohbjkgp.exe

Filesize
963KB

MD5
c6fd5e1a7a593d550e6567f5c36403cd

SHA1
1e9a93c33dbf2c3a81dc45be7bcf970720993835

SHA256
0b7c0097a0613672facf7b10d6f91ce5ebc3d242ee00f17f71cae8b51c5841fc

SHA512
57a20867854703f32d9f848e5b5238ede654012c1239147c35cd72086714d98ff866f47340130b5e8a27abe10109b97368965ba6a3bd6c49c3f47307a28f5ff3

Download Submit
C:\Windows\SysWOW64\Nconfh32.exe

Filesize
963KB

MD5
4de5b97cef06f006d6c8bf25fe4a429e

SHA1
fee92c1b26ca4db30068192d374510fd7897e6a4

SHA256
ee8d1e329753ac855b712d6cc5800cffd15b18ec5e11714efc89dce3adc8728c

SHA512
deb18c85d2d94310ff8c879d3062f2ca470b57883037b7ae9295369200202e6c43fdcb9820ff3df8b97dd372821b0686658b74cba73e98f498174e35f7d01bd4

Download Submit
C:\Windows\SysWOW64\Nheqnpjk.exe

Filesize
963KB

MD5
c73894a8f28ad77ac53071e97b9e897d

SHA1
82dc07f25a695eeccdbcf8e0ac0a6be78e79a2b9

SHA256
6c9abbad73d39a978e750a31adcacac3c772813f34bdbd064493850663492d27

SHA512
e9e04c16c71dee0bdc2a5c69334a02e1d3dc2a5f6d738c6bd78e0b93dfd792acb4a19640bd7270a20007b3c5f09102a29c1d2b8b3e557613327270f6d571aad9

Download Submit
C:\Windows\SysWOW64\Ookhfigk.exe

Filesize
963KB

MD5
9d529e750486f45797271a5380b9f382

SHA1
bcdb71ab25ffa78a15dace4ec466e1061927ae46

SHA256
1d7ce67844908cf5e47e078a51c7a261893c6caa6fef9a2304b18bbe7b9a1325

SHA512
7af81f9f5b8e924418e87e0705a57ec87325b474cd9508865c0ddcd262e1557a1d14523d1d5c913094330d2d15971362d4edaeca003b83d75b88f89561ead939

Download Submit
memory/1924-52-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1924-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1924-46-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2876-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2876-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4192-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4192-42-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4308-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4308-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4720-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4720-43-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4944-45-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4944-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads