7e869084cbd66af9da403bddb2901100e142b65d26f7cb30436f9e570e84ef5d

Analysis

max time kernel
145s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 18:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75acf52fe6b2239b88cb57a2885834da.exe
Size

112KB
MD5

75acf52fe6b2239b88cb57a2885834da
SHA1

12e9ae60e27e62328e33b7d7bbde3f92bdab4072
SHA256

7e869084cbd66af9da403bddb2901100e142b65d26f7cb30436f9e570e84ef5d
SHA512

393732c217e4344163db9c5039f1fad376cb645c649a9a83622ed58efa4c10ce4588fb9ced5a603819e5822c9ea6464d3bbc02f4e4d67164ae3d13878efa8168
SSDEEP

1536:wHZdA3mAWaVNZCUbnEYF1b89522LEJ9VqDlzVxyh+CbxMQguz6V34euullnZ+:qZdARnXF2bEJ9IDlRxyhTbhgu+tAcr+

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	75acf52fe6b2239b88cb57a2885834da.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	75acf52fe6b2239b88cb57a2885834da.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe

Executes dropped EXE 13 IoCs

pid	Process
868	Nceonl32.exe
1448	Nklfoi32.exe
2348	Njogjfoj.exe
1736	Nafokcol.exe
2752	Nddkgonp.exe
2720	Ngcgcjnc.exe
2740	Njacpf32.exe
4236	Nbhkac32.exe
5036	Ndghmo32.exe
4344	Njcpee32.exe
912	Nbkhfc32.exe
4504	Ncldnkae.exe
4384	Nkcmohbg.exe

Drops file in System32 directory 39 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	75acf52fe6b2239b88cb57a2885834da.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	75acf52fe6b2239b88cb57a2885834da.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	75acf52fe6b2239b88cb57a2885834da.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe

Program crash 1 IoCs

pid	pid_target	Process
2000	4384	WerFault.exe

Modifies registry class 42 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	75acf52fe6b2239b88cb57a2885834da.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	75acf52fe6b2239b88cb57a2885834da.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	75acf52fe6b2239b88cb57a2885834da.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	75acf52fe6b2239b88cb57a2885834da.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	75acf52fe6b2239b88cb57a2885834da.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	75acf52fe6b2239b88cb57a2885834da.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 3720 wrote to memory of 868	3720	75acf52fe6b2239b88cb57a2885834da.exe	32
PID 3720 wrote to memory of 868	3720	75acf52fe6b2239b88cb57a2885834da.exe	32
PID 3720 wrote to memory of 868	3720	75acf52fe6b2239b88cb57a2885834da.exe	32
PID 868 wrote to memory of 1448	868	Nceonl32.exe	31
PID 868 wrote to memory of 1448	868	Nceonl32.exe	31
PID 868 wrote to memory of 1448	868	Nceonl32.exe	31
PID 1448 wrote to memory of 2348	1448	Nklfoi32.exe	30
PID 1448 wrote to memory of 2348	1448	Nklfoi32.exe	30
PID 1448 wrote to memory of 2348	1448	Nklfoi32.exe	30
PID 2348 wrote to memory of 1736	2348	Njogjfoj.exe	29
PID 2348 wrote to memory of 1736	2348	Njogjfoj.exe	29
PID 2348 wrote to memory of 1736	2348	Njogjfoj.exe	29
PID 1736 wrote to memory of 2752	1736	Nafokcol.exe	28
PID 1736 wrote to memory of 2752	1736	Nafokcol.exe	28
PID 1736 wrote to memory of 2752	1736	Nafokcol.exe	28
PID 2752 wrote to memory of 2720	2752	Nddkgonp.exe	27
PID 2752 wrote to memory of 2720	2752	Nddkgonp.exe	27
PID 2752 wrote to memory of 2720	2752	Nddkgonp.exe	27
PID 2720 wrote to memory of 2740	2720	Ngcgcjnc.exe	26
PID 2720 wrote to memory of 2740	2720	Ngcgcjnc.exe	26
PID 2720 wrote to memory of 2740	2720	Ngcgcjnc.exe	26
PID 2740 wrote to memory of 4236	2740	Njacpf32.exe	25
PID 2740 wrote to memory of 4236	2740	Njacpf32.exe	25
PID 2740 wrote to memory of 4236	2740	Njacpf32.exe	25
PID 4236 wrote to memory of 5036	4236	Nbhkac32.exe	24
PID 4236 wrote to memory of 5036	4236	Nbhkac32.exe	24
PID 4236 wrote to memory of 5036	4236	Nbhkac32.exe	24
PID 5036 wrote to memory of 4344	5036	Ndghmo32.exe	23
PID 5036 wrote to memory of 4344	5036	Ndghmo32.exe	23
PID 5036 wrote to memory of 4344	5036	Ndghmo32.exe	23
PID 4344 wrote to memory of 912	4344	Njcpee32.exe	16
PID 4344 wrote to memory of 912	4344	Njcpee32.exe	16
PID 4344 wrote to memory of 912	4344	Njcpee32.exe	16
PID 912 wrote to memory of 4504	912	Nbkhfc32.exe	22
PID 912 wrote to memory of 4504	912	Nbkhfc32.exe	22
PID 912 wrote to memory of 4504	912	Nbkhfc32.exe	22
PID 4504 wrote to memory of 4384	4504	Ncldnkae.exe	20
PID 4504 wrote to memory of 4384	4504	Ncldnkae.exe	20
PID 4504 wrote to memory of 4384	4504	Ncldnkae.exe	20

C:\Users\Admin\AppData\Local\Temp\75acf52fe6b2239b88cb57a2885834da.exe
"C:\Users\Admin\AppData\Local\Temp\75acf52fe6b2239b88cb57a2885834da.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Windows\SysWOW64\Nceonl32.exe
  C:\Windows\system32\Nceonl32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:868

C:\Windows\SysWOW64\Nbkhfc32.exe
C:\Windows\system32\Nbkhfc32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:912
- C:\Windows\SysWOW64\Ncldnkae.exe
  C:\Windows\system32\Ncldnkae.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4384 -ip 4384
1⤵
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 400
1⤵
- Program crash
PID:2000

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
1⤵
- Executes dropped EXE
PID:4384

C:\Windows\SysWOW64\Njcpee32.exe
C:\Windows\system32\Njcpee32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4344

C:\Windows\SysWOW64\Ndghmo32.exe
C:\Windows\system32\Ndghmo32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5036

C:\Windows\SysWOW64\Nbhkac32.exe
C:\Windows\system32\Nbhkac32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4236

C:\Windows\SysWOW64\Njacpf32.exe
C:\Windows\system32\Njacpf32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\SysWOW64\Ngcgcjnc.exe
C:\Windows\system32\Ngcgcjnc.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\SysWOW64\Nddkgonp.exe
C:\Windows\system32\Nddkgonp.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2752

C:\Windows\SysWOW64\Nafokcol.exe
C:\Windows\system32\Nafokcol.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\SysWOW64\Njogjfoj.exe
C:\Windows\system32\Njogjfoj.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2348

C:\Windows\SysWOW64\Nklfoi32.exe
C:\Windows\system32\Nklfoi32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Nafokcol.exe

Filesize
112KB

MD5
fbb4db6c9f5afe0e815c6f8c816994a9

SHA1
2420ad9fab6090cb8ebee2f225c69ce0cf3bf034

SHA256
36d81f1bb17e48419f9313ba5f9bb9758e50ecfe6018fbff6d867da7bdb2ede5

SHA512
965f2d173a5225128274ede335402c0ea70c6d2977c57225d272dc4de55d4ac4b9753660bd6295209ff137fbb92b470992c35a422f4a77f910e94883b3cccbe3

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
112KB

MD5
0263b80c629399033dd2f11595ecdbf3

SHA1
5b74480ed31cc2a9bef4f2a9e15f6a63ea1180e2

SHA256
af9df19e78638646a6d14beb4c22d6dff9b67ef1e94b7539b55989406b4a6117

SHA512
d13f050da29b800cc63e5f5ef5787c4bb1f786813e5cfc2b5514c1abf1c5212e2ef0aa40c2c828f9b9830cf216fa7255cd3b5eb12033174523a19500322cec89

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
112KB

MD5
47598ff23b354292add24e54d62017b6

SHA1
339fe26e50f0bf9e0719debc1b09f024b7fb7335

SHA256
b427b15abc0e00bbfadfa8d431799601fdefa4df5b4715b9f1c0706b43e92385

SHA512
a3da0690942032d81fb54735a1dcd184dd82080addc71f831b64e3e6219622dff4e6467b7386747d4b3ec7678fa79af4a8cca5003ab0af7e719db161f5ced935

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
112KB

MD5
52790a4319b4210e76d9f0ab6ba9e3f0

SHA1
4f61c58fd68acc319460d4b7929b68f1d7a6a3b6

SHA256
6d8f82d5d4faeaa5e5e3d15e53f865d506d735c5c4976355d822414eb58a697f

SHA512
3c4db036cfe849e546a012e1587993499aaf1c443d6906dd079c9643f098bc58a628a57b35eb70460c7107d3af0e8e8abe96a2a88794410584a4420509dd9f1f

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
112KB

MD5
619b47051fa0f42c01e1b6f46c42a710

SHA1
640278ccf5259dd36694136321d2cc5436487713

SHA256
1409be129184fb88ce00e2bac39284b6803f941746da3fb360fd7a49b189f1ea

SHA512
4ba7e0f896a3c1d7d4a488151b798a14aa751d969e1d21d5a0ce88adcfe67797ba9b61b320c5e89507c750c8db1c39a91652e60950d3487db6299e974f2ccf0a

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
112KB

MD5
b902c20a1c1d7854efe5960e9645f42d

SHA1
39ae2112501dd59fdd7e489ac0d32af541dc2e42

SHA256
f2d353bf0411d863704aece1959e41e11b1ee67960ece54d564f4ae1795db926

SHA512
1af9e20419fa48b0f1f929db6e3e9b18067bbd3715dd5a7cc91e227059cf846d561965f9056d11f52ac9b4fdce5309d0ea98b76ec7c55fe7e32753b23ee51a74

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
92KB

MD5
512a2fe4e75f104f8070d8c0aae890cf

SHA1
add05f42221988c8d810697569a6e9ba92214d60

SHA256
82765a9e95333caee67dee134dd901ada7f390eddeba23ac6f7cf00636e1155a

SHA512
1014e61d36c41ba0d3a43337abab29999f716a7128664b760867dd02f6721fb7db5e21b3bb0923df4e5ba250e43bff52ef87d0d2760dc841f40a7edc1312a06f

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
112KB

MD5
6116236719c3909b0d075f8554fc6136

SHA1
e37876afc0b648a49354b39d30ea59bd659dd0bb

SHA256
aa9506b7a59cd380fa60505b096c53f160a3139b7020baeebd3f6e7a569ba399

SHA512
a51ecc977b6a51156e1ddcbd3a8bf580681da2337fc2042ecc1669c23d2db439dd5c5252646d378722bafb7583f36bdb656bb5e5e6c1a6c4c115c52ebd521737

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
97KB

MD5
b33ceeaf87c09850795a7382aeea68d5

SHA1
faf09fa2ea8db47b8081c04ed609f723e616192c

SHA256
8cc53682aeb8561272137c468c4cac26a0be6cde397687094999049ec7aa2bda

SHA512
e653b19fbb32fef817c2d8e19caa2c78d45069f0ee399bc75e26d479a3e3175971dc6dbb70a118c1daa9d0656ff67ba54fc5f2ad24bbeddcd2ad0b89283d0528

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
112KB

MD5
4852fc352e88da6a80858495c0d04783

SHA1
f1164551c2297d4fdcc6cb777188660bb80c629b

SHA256
623976ae871d94a0661969cf5e49a500276472898000940050eb403eab75b592

SHA512
9bee25bbf5788f448f1ac64d34196f512aaa3e8fbe6c9799be7783f76ab6859e5fec5bc4671924d8a7a49a8cc46635639d7838cfc3f330dd309aba586e166df2

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
112KB

MD5
fc56eb46c367c5b3874fd3ab7da0f84d

SHA1
52080acf2343fd3f8a71a8b3c459c0b27b88786b

SHA256
b7a43a48a9650ca59154e74bf5ae1a0b8ade585d21b43d86fdb91e2408776729

SHA512
35edca30437a74c755ef386e9a1de8052c242e85d195401105ad4a6efed91b8da1cda04fd3ed6b2f52d916e55488d117cb90f5395a4a63e0791c88a4647a13cc

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
112KB

MD5
c36f55776cbebd2ffa0117fb950a1e25

SHA1
f655ed6a2e519a61bf03c50d1c0738d3a2c5b4fe

SHA256
f0910f645b2a847ec6260fd5e387599ae38af16081779f311c80c7cb76894d8a

SHA512
dabae25f972d522645b35198cbb191d5ca13a32024aca39ab90c219e1df502b45f516c4e5d580254b737ef9022fe8a4b172e71de0b98a06e07f31403b64cf557

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
112KB

MD5
d5d96bac67d31f3dc84bb90a8cd2ecb1

SHA1
fc30a5c2ea7ecfef48195c581d5c4eed829e62ba

SHA256
22dc537c4304b57c3a64d261ccefc3a25af636072f6125e9f7ee488fffcba09b

SHA512
6942f75ad42a658b7cae124b9b5b82e965750d3e3844b12ea8de61147ca7ab830791bc157a89c9d29f45bce18ee62d4599fbc65ca41d24459e84308b0f8985a6

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
82KB

MD5
a000c8381834799d5046fdd00609af02

SHA1
1863b3ee4228f8ac8901be1077c40cbf10228a25

SHA256
c06fb119a119cedf32a855c40684fe167e1d711bac21183b414452fdbf51056a

SHA512
52908f450694b805671f54a176c80a54ebdc22f7c75798ef45e1f70f91c015002a3a5836f1bef366d8ec60b10afa48c3e627df6605816de45edc4f85370ed1ec

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
74KB

MD5
1a057239aea254ec39a438a9ed627815

SHA1
13408145e0906534c18dab10424761a1fe7f3835

SHA256
9f40b4e38670d5147f0d96a9d3d785440f9a81c84a88453a45e1afd46e79630f

SHA512
59ed94a11e9d41122fb6f50a44d7461caabf2eead22ccada7a61d2b1bb08b8c96ae00daad25f2eaa124029d39279cd319620647299af0104c91a2166db870223

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
100KB

MD5
7acf04f2ead0b8a5cc967cc2f04c728b

SHA1
09dd5cb02c84aa86e4e0c2d73a15daba8636e443

SHA256
45ac835ca6e96119ecf8159484384a90a9aab014b4dca1eae9ab187c7a585a9e

SHA512
bd8a56a64530e9b0b254df771d6f60fcdb6c53796e45f2f3ac1b9f2c6e997434bdc39d1436af3cfcb14b4c65db297bc44fc1cf2a8650e05b3ad51368e2694b99

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
112KB

MD5
e38a9a37509671b074881ca0e69d8d0f

SHA1
41b5bede64d134650d0d87c4dbcb4875d83d1963

SHA256
757d845c5d1d7e973d0b3720853f1091c8795e8ece9b73ee4ea0d85a2e55ad1e

SHA512
a8697cb8cbdb3abcb2fbf280b33437ae439432aa88928beb4a2c469a18548be8a1423be6f851775f65e4554994927884eff2684825692c8d0f759468e257c753

Download Submit
memory/868-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/868-116-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/912-107-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/912-91-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1448-115-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1448-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1736-113-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1736-33-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2348-114-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2348-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2720-49-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2720-111-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2740-110-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2740-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2752-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2752-41-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3720-5-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3720-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4236-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4236-108-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4344-85-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4384-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4504-106-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4504-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5036-109-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5036-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads