0d5703d0b4b4473b4bef1981e6f9d0071d88f685ef43477f331cd8abf1a646d1

Analysis

max time kernel
0s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c797054c278c6fb8d4e0d3fe77231faa.exe
Size

141KB
MD5

c797054c278c6fb8d4e0d3fe77231faa
SHA1

09c40e9e23f59e1826b182f33eccd1cfb3191ea8
SHA256

0d5703d0b4b4473b4bef1981e6f9d0071d88f685ef43477f331cd8abf1a646d1
SHA512

1e954b10656edcd891873b991d1df0266e6b3103079a46301cb319e6edff5df895e1fbd3b5bd0bd9d911ede8c3e20fcb3ec61dbeba4c9a1482983e6148eb7343
SSDEEP

3072:D+DAN0hj6VKV8yBumFuwQ9bGCmBJFWpoPSkGFj/p7sW0l:D+K0hjSK+yZFuN9bGCKJFtE/JK

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c797054c278c6fb8d4e0d3fe77231faa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c797054c278c6fb8d4e0d3fe77231faa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe

Malware Dropper & Backdoor - Berbew 12 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x0006000000023231-105.dat	family_berbew
behavioral2/files/0x0006000000023239-137.dat	family_berbew
behavioral2/files/0x0006000000023237-129.dat	family_berbew
behavioral2/files/0x0006000000023235-122.dat	family_berbew
behavioral2/files/0x0006000000023233-113.dat	family_berbew
behavioral2/files/0x0007000000023210-39.dat	family_berbew
behavioral2/files/0x0007000000023206-32.dat	family_berbew
behavioral2/files/0x0007000000023206-31.dat	family_berbew
behavioral2/files/0x0007000000023201-24.dat	family_berbew
behavioral2/files/0x0007000000023201-23.dat	family_berbew
behavioral2/files/0x0007000000023201-17.dat	family_berbew
behavioral2/files/0x000300000001e982-8.dat	family_berbew

Executes dropped EXE 11 IoCs

pid	Process
2716	Nceonl32.exe
1768	Nklfoi32.exe
3452	Njogjfoj.exe
744	Nnjbke32.exe
1092	Nqiogp32.exe
4692	Nddkgonp.exe
4772	Ngcgcjnc.exe
4408	Nkncdifl.exe
2636	Nnmopdep.exe
2876	Nqklmpdd.exe
5020	Ncihikcg.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	c797054c278c6fb8d4e0d3fe77231faa.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	c797054c278c6fb8d4e0d3fe77231faa.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	c797054c278c6fb8d4e0d3fe77231faa.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe

Program crash 1 IoCs

pid	pid_target	Process
3792	760	WerFault.exe

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	c797054c278c6fb8d4e0d3fe77231faa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	c797054c278c6fb8d4e0d3fe77231faa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	c797054c278c6fb8d4e0d3fe77231faa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	c797054c278c6fb8d4e0d3fe77231faa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	c797054c278c6fb8d4e0d3fe77231faa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	c797054c278c6fb8d4e0d3fe77231faa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 4660 wrote to memory of 2716	4660	c797054c278c6fb8d4e0d3fe77231faa.exe	37
PID 4660 wrote to memory of 2716	4660	c797054c278c6fb8d4e0d3fe77231faa.exe	37
PID 4660 wrote to memory of 2716	4660	c797054c278c6fb8d4e0d3fe77231faa.exe	37
PID 2716 wrote to memory of 1768	2716	Nceonl32.exe	36
PID 2716 wrote to memory of 1768	2716	Nceonl32.exe	36
PID 2716 wrote to memory of 1768	2716	Nceonl32.exe	36
PID 1768 wrote to memory of 3452	1768	Nklfoi32.exe	35
PID 1768 wrote to memory of 3452	1768	Nklfoi32.exe	35
PID 1768 wrote to memory of 3452	1768	Nklfoi32.exe	35
PID 3452 wrote to memory of 744	3452	Njogjfoj.exe	15
PID 3452 wrote to memory of 744	3452	Njogjfoj.exe	15
PID 3452 wrote to memory of 744	3452	Njogjfoj.exe	15
PID 744 wrote to memory of 1092	744	Nnjbke32.exe	34
PID 744 wrote to memory of 1092	744	Nnjbke32.exe	34
PID 744 wrote to memory of 1092	744	Nnjbke32.exe	34
PID 1092 wrote to memory of 4692	1092	Nqiogp32.exe	16
PID 1092 wrote to memory of 4692	1092	Nqiogp32.exe	16
PID 1092 wrote to memory of 4692	1092	Nqiogp32.exe	16
PID 4692 wrote to memory of 4772	4692	Nddkgonp.exe	33
PID 4692 wrote to memory of 4772	4692	Nddkgonp.exe	33
PID 4692 wrote to memory of 4772	4692	Nddkgonp.exe	33
PID 4772 wrote to memory of 4408	4772	Ngcgcjnc.exe	32
PID 4772 wrote to memory of 4408	4772	Ngcgcjnc.exe	32
PID 4772 wrote to memory of 4408	4772	Ngcgcjnc.exe	32
PID 4408 wrote to memory of 2636	4408	Nkncdifl.exe	31
PID 4408 wrote to memory of 2636	4408	Nkncdifl.exe	31
PID 4408 wrote to memory of 2636	4408	Nkncdifl.exe	31
PID 2636 wrote to memory of 2876	2636	Nnmopdep.exe	30
PID 2636 wrote to memory of 2876	2636	Nnmopdep.exe	30
PID 2636 wrote to memory of 2876	2636	Nnmopdep.exe	30
PID 2876 wrote to memory of 5020	2876	Nqklmpdd.exe	29
PID 2876 wrote to memory of 5020	2876	Nqklmpdd.exe	29
PID 2876 wrote to memory of 5020	2876	Nqklmpdd.exe	29

C:\Users\Admin\AppData\Local\Temp\c797054c278c6fb8d4e0d3fe77231faa.exe
"C:\Users\Admin\AppData\Local\Temp\c797054c278c6fb8d4e0d3fe77231faa.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4660
- C:\Windows\SysWOW64\Nceonl32.exe
  C:\Windows\system32\Nceonl32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2716

C:\Windows\SysWOW64\Nnjbke32.exe
C:\Windows\system32\Nnjbke32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:744
- C:\Windows\SysWOW64\Nqiogp32.exe
  C:\Windows\system32\Nqiogp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1092

C:\Windows\SysWOW64\Nddkgonp.exe
C:\Windows\system32\Nddkgonp.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Windows\SysWOW64\Ngcgcjnc.exe
  C:\Windows\system32\Ngcgcjnc.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4772

C:\Windows\SysWOW64\Ngedij32.exe
C:\Windows\system32\Ngedij32.exe
1⤵
PID:3272
- C:\Windows\SysWOW64\Njcpee32.exe
  C:\Windows\system32\Njcpee32.exe
  2⤵
  PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 760 -ip 760
1⤵
PID:2952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 760 -s 400
1⤵
- Program crash
PID:3792

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
1⤵
PID:760

C:\Windows\SysWOW64\Ncldnkae.exe
C:\Windows\system32\Ncldnkae.exe
1⤵
PID:1900

C:\Windows\SysWOW64\Nqmhbpba.exe
C:\Windows\system32\Nqmhbpba.exe
1⤵
PID:4388

C:\Windows\SysWOW64\Nbkhfc32.exe
C:\Windows\system32\Nbkhfc32.exe
1⤵
PID:2676

C:\Windows\SysWOW64\Ncihikcg.exe
C:\Windows\system32\Ncihikcg.exe
1⤵
- Executes dropped EXE
PID:5020

C:\Windows\SysWOW64\Nqklmpdd.exe
C:\Windows\system32\Nqklmpdd.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\SysWOW64\Nnmopdep.exe
C:\Windows\system32\Nnmopdep.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2636

C:\Windows\SysWOW64\Nkncdifl.exe
C:\Windows\system32\Nkncdifl.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4408

C:\Windows\SysWOW64\Njogjfoj.exe
C:\Windows\system32\Njogjfoj.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3452

C:\Windows\SysWOW64\Nklfoi32.exe
C:\Windows\system32\Nklfoi32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
141KB

MD5
8f344c0b1e26d352ac7d2a1fe29458f7

SHA1
86575553e134b4e875d261dee378c6d103e0e879

SHA256
94656a9bcb20a56b3c3a919cb8972f3698ff1fd4cff03fa7fe59841f763e5a17

SHA512
5a3bd769a7371e4f1f749035862d9d07e5bc1480e098b5528a0569525bfcbb4f007cd5da0faef6275107d632d0fc2d860c02ad6b69d35ee9032ed2264c8dbd9a

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
141KB

MD5
403bff0abacaa59af6ae933d089b937c

SHA1
5998500307c36427dae6562371c7a055968b0998

SHA256
45aec634bc036b3e86f58e33f19af87c329263cdcf2dd69fb01dfdd6bda0a8b2

SHA512
d15ff4c4872fa80ef709c592f07253f8b2b08c1c2b45b0121f3b211d12672591fc12b8ae96b44b134f129b05fd462903babdd89da53619ec529bce9db86e8329

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
141KB

MD5
1797b4d3129bfe2557074a92778f4f65

SHA1
d57b11f98f0969928263fe598e34dd3e3e59ed75

SHA256
1ab5cce1506bc9828d041084fcc6cf8f21eab6f93477478e880775b696223655

SHA512
3ad7eca4b89adc913a56f7e60b9c4af9409527f61461c362c798ba3c5e17520cb6585207f9d17d1cd7b8ab828f1c578bda4ec9aa0bf4afd5c918b4fec97f6157

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
141KB

MD5
3f3c7314d462d890a0efe2da350e9a0a

SHA1
9d7e3c2ae897dc600f4db27f21d7f9e52a6024a6

SHA256
981214087d83fcd8c3013d2aa15fef154ba8ac14c99b6053edd66557b17ec370

SHA512
8a9a88a96d1a76e16051d5334dda1e380c45d81892aab736e771df2d44a977188abff7482009bfadf9cdddf64e7122a96446eca7248acdeff4411f88b5f47138

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
141KB

MD5
72ac76fde2cc6a1da7f403d57249d7c6

SHA1
6fec3003d09542cc59a3eba77f7c83ff6101402b

SHA256
1e40e2071ae9fa9ecee03d95425c0361fa7bb89bb85bba334fa9fddc279fe1ba

SHA512
6df49a9ea2c35c783950a3efdcef57a068137cbf97a0b43f367b574c51f3124ab38924badbab8d6960f07e5ecc699d7ef76f0fcfe56f009e1d8cd7e65349809b

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
141KB

MD5
48a9bc9bd420f2a9fa02ce8d04a3f9f6

SHA1
e865fc880dde10b9f3783bddb3754a3b88488dc4

SHA256
f590f1d6e17b0a0d3abcb5d7f1fbd6b11d9e90d23c67c8c433f47bd7c17aa05c

SHA512
0374ac6be4e5855e940d241c5dd59b6fc6098fb469b35724252c24d9ea189a4be600db0f1891e2cbb43d77fb1de17e63324b83e213f8620bd0a208812183770f

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
96KB

MD5
016e9eb56ba7673afbda29bfa8647a7e

SHA1
8264ffac64c4e458b9bec548a129c04687f46c10

SHA256
3d0181afdc06fe175f9e8830c93abfa3198378a5883b213b334838994672241f

SHA512
2badb1b0fd3859338cb7ec62dd3cc4ca38aaaa9771eac60d53e37d0697b4fc5153b5949ca83581aff7c3b7d7a770f0d89ccfcc852cc67ae41502bb8b1069457e

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
141KB

MD5
cc93ff2b7d272c8bc009e29fad64f8fa

SHA1
339dcf35bad35ac08afe1ffe9cf77854cfa236fd

SHA256
fa9aa3252a07fee01ee7107e32db3ed434b9b1a9a02295f56c89dde8734c2541

SHA512
128169195df56c04591783a3071288d623480294abc91ab1c8b5eb943718eec7defa96568a29faf4191e8c590db1d39493870b8ff4e9f8553c9b4c083c9945a2

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
94KB

MD5
b8aae227040c1d9c4ae1a24c5efd59db

SHA1
0484c79c355dc40a2e38560881efd4a89a23fd4b

SHA256
fc046c29b55cb8f436f957f6fb81925d6d7fcd2126a3dbc579e1b4f279f2f7b1

SHA512
b70071625c43f53fbb1f8e5069d1bc20007cea88a7725dfef687d686eba07cd410ea6d3db6d9fca5625ea8c4d305e7a63e24e42dac212455dc1cdb20bc09b610

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
141KB

MD5
97f4a1fdd36ff3d48566aaa5717c00ac

SHA1
a49522180f3bcdbd51a18466973d57fe58b51e01

SHA256
38c8a989d1cc28eff574d13f7a576a90eb421adebb7de80986015bd2214d4895

SHA512
49535140e7ddc62ff54102ad3edcd308b0155d45003c1bce1b8cf3c02e6b9e14a1bfdc222326c8b3dda76fac740d25e094afdbf8ebc0644c4f301579367ab388

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
141KB

MD5
53544aa672d27e5a47dac254ccc51d49

SHA1
0359d23ff78821c7d817566dbeb47d713a7d9d3f

SHA256
b093852a3b59e5718e8a9e653d8026045f2a0a8c5a3e37281eb08489300e725b

SHA512
df7649f6156afc3a1352cb8d12ccbc9af32d63426bff52d5812806769d37933ce0c5daceb53057bcc499e7d4ec8ff50d8504fc3f3b8d0b4e0a2b1ec6b7b4ad0d

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
141KB

MD5
701aa77b9ebde69005a41c243f94bad1

SHA1
a9fdcfe53adfd8e53c23319fb4b2a981e7294404

SHA256
48e5c84aa409f9091841bba98f1deea26d9c72320c212af75e1d619109b5c782

SHA512
3a7b8e61dd480060bafd3e24ecb29c8363ec6875397bc638411e369927694d23860a18aa512cb55f283033cd9e8375c24b615b02a24c12bd04d64d7701536536

Download Submit
memory/744-151-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/744-33-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/760-138-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1092-150-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1092-41-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1768-21-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1900-139-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1900-130-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2636-147-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2636-73-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2676-114-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2676-141-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2716-153-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2716-9-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2876-145-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2876-86-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3272-143-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3272-98-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3452-29-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3452-152-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4056-106-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4056-142-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4388-121-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4388-140-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4408-65-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4408-146-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4660-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4660-4-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4660-81-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4692-53-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4692-149-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4772-148-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4772-57-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5020-144-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5020-90-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads