c1fd7bf1a9c541a79c00ea5f3901b475416eb6081a047a8003c18aaaad6821e2

General

Target

0f0c423193711763e1930de65f1eb030.exe
Size

243KB
MD5

0f0c423193711763e1930de65f1eb030
SHA1

5ca9e6ce4a0a4016e13a940e0b5d4aa87101fb8d
SHA256

c1fd7bf1a9c541a79c00ea5f3901b475416eb6081a047a8003c18aaaad6821e2
SHA512

658e0fbcfaea5e26a9c90c2976e931270eb7e0b14a9cf2248c66202deeb4b332a9bdfb7a89f597505964f52cd0b0d4fcbd37a60f884eb9c5cb6fc80a6cdf3776
SSDEEP

3072:xe9Kk2L7cqFP+cRopaRifKz8lHXtlU2Nhluy78nwTxyIvXQWBaolfC4VJ62Q:fifKzwdlU2zlNgwTnAWtlhjQ

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	0f0c423193711763e1930de65f1eb030.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0f0c423193711763e1930de65f1eb030.exe

Executes dropped EXE 7 IoCs

pid	Process
3700	Nkqpjidj.exe
2568	Njcpee32.exe
4484	Nnolfdcn.exe
3188	Nqmhbpba.exe
2268	Ndidbn32.exe
4536	Ncldnkae.exe
4612	Nkcmohbg.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	0f0c423193711763e1930de65f1eb030.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	0f0c423193711763e1930de65f1eb030.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	0f0c423193711763e1930de65f1eb030.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe

Program crash 1 IoCs

pid	pid_target	Process
4804	4612	WerFault.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	0f0c423193711763e1930de65f1eb030.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	0f0c423193711763e1930de65f1eb030.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	0f0c423193711763e1930de65f1eb030.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	0f0c423193711763e1930de65f1eb030.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	0f0c423193711763e1930de65f1eb030.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	0f0c423193711763e1930de65f1eb030.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3788 wrote to memory of 3700	3788	0f0c423193711763e1930de65f1eb030.exe	30
PID 3788 wrote to memory of 3700	3788	0f0c423193711763e1930de65f1eb030.exe	30
PID 3788 wrote to memory of 3700	3788	0f0c423193711763e1930de65f1eb030.exe	30
PID 3700 wrote to memory of 2568	3700	Nkqpjidj.exe	29
PID 3700 wrote to memory of 2568	3700	Nkqpjidj.exe	29
PID 3700 wrote to memory of 2568	3700	Nkqpjidj.exe	29
PID 2568 wrote to memory of 4484	2568	Njcpee32.exe	28
PID 2568 wrote to memory of 4484	2568	Njcpee32.exe	28
PID 2568 wrote to memory of 4484	2568	Njcpee32.exe	28
PID 4484 wrote to memory of 3188	4484	Nnolfdcn.exe	26
PID 4484 wrote to memory of 3188	4484	Nnolfdcn.exe	26
PID 4484 wrote to memory of 3188	4484	Nnolfdcn.exe	26
PID 3188 wrote to memory of 2268	3188	Nqmhbpba.exe	25
PID 3188 wrote to memory of 2268	3188	Nqmhbpba.exe	25
PID 3188 wrote to memory of 2268	3188	Nqmhbpba.exe	25
PID 2268 wrote to memory of 4536	2268	Ndidbn32.exe	24
PID 2268 wrote to memory of 4536	2268	Ndidbn32.exe	24
PID 2268 wrote to memory of 4536	2268	Ndidbn32.exe	24
PID 4536 wrote to memory of 4612	4536	Ncldnkae.exe	23
PID 4536 wrote to memory of 4612	4536	Ncldnkae.exe	23
PID 4536 wrote to memory of 4612	4536	Ncldnkae.exe	23

C:\Users\Admin\AppData\Local\Temp\0f0c423193711763e1930de65f1eb030.exe
"C:\Users\Admin\AppData\Local\Temp\0f0c423193711763e1930de65f1eb030.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3788
- C:\Windows\SysWOW64\Nkqpjidj.exe
  C:\Windows\system32\Nkqpjidj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4612 -ip 4612
1⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 400
1⤵
- Program crash
PID:4804

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
1⤵
- Executes dropped EXE
PID:4612

C:\Windows\SysWOW64\Ncldnkae.exe
C:\Windows\system32\Ncldnkae.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4536

C:\Windows\SysWOW64\Ndidbn32.exe
C:\Windows\system32\Ndidbn32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2268

C:\Windows\SysWOW64\Nqmhbpba.exe
C:\Windows\system32\Nqmhbpba.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3188

C:\Windows\SysWOW64\Nnolfdcn.exe
C:\Windows\system32\Nnolfdcn.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4484

C:\Windows\SysWOW64\Njcpee32.exe
C:\Windows\system32\Njcpee32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
243KB

MD5
f1df522de0f2babec3a296a4889e5ad2

SHA1
8819a50b398a3007a91d627d4d8bed41c8a4624c

SHA256
7cb95d99b5379d2d831b0b56e06fe8d10997ab304439840090ee72762e675f8e

SHA512
f9542ed545f9914271c3ac4fa945ab2e2facd45231779aa7325cc3da6f2cb8ce1a824530171e05793c0e6335b6c2e6749a55d1c9f28c27ad49fc569e80780c40

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
243KB

MD5
7d9e0e46becb0465943bbd08e496cc84

SHA1
48ad200c9fc19f3416ab134cd11e5f4a6db3261a

SHA256
8548e742170a92e45f2e1e3086b4229ab2c3882035ec56493ec202a43f9ba5df

SHA512
f9e55418b0ceff833ef556f5a7000eb0a8646c26ce67564a9f2cda6e0c17fe33e4cd3ed113cd5b93d7d0d498743869c13895a8dea0721f96192a380291ff2926

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
243KB

MD5
ac21f291bc8730c75083f87b8073cbd4

SHA1
cbb412af15265b2c147437516cff79f5f424a7c7

SHA256
f5ea64857296693a5d4b1c4c8f92ce112cc5f545fc8b57d7746279ae3ec551fd

SHA512
97b140bf4455a324f845ca6d4969f5a26fe72f560d960d135088ef57b675ee9cc4981d3e9d4625f2a434688556dde08aaebef5ce82955f876eaf26c83e607e76

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
243KB

MD5
df2d3ec0beb272f3c9faa3710f458b23

SHA1
f7ebe8d97e12459ca94d2371eff409a8432b8c3d

SHA256
ff475943eb6ac85e36dd8323ed7a83b9c609e333a93070d63e7d53d7ee1f3aaf

SHA512
1eb4f0c211a23c9e05ac60d91770a24520f5c9e64b2fc9f816ee1d2a764fbef254542e2840907c042914dc127d4e51562d530d14f360fe51450a3b9c8f09e840

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
243KB

MD5
923642b5a27d4d2ec322ad18a110b3e9

SHA1
ca1c43cbfbf59eab6de23786eea5db5c09f0a29c

SHA256
784b894d5c7df62cef4d6852d484022393e3e871416f99ca3f17aff18fc6f694

SHA512
98150baa91ea671d996367dd6f658b0bf094ac0c75e5f30514a74db72fdd5a9c045325bf3bf820aff15e8c8a01637c7a89216923466c4d30d3fb04b85450e572

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
243KB

MD5
2762cf413e1db3a797392bf4f6910ecc

SHA1
6941443ab6ece3976dfaf8237504e178f7aa4bdf

SHA256
cecbb82b0cc734fd2d7da360230d55eba7d7969b21fb20e3cea4170124a0d19a

SHA512
8eec5c4364eae80af0440d9e8c0018254e0e983892075a02fbdc1120e09a94b752559a7105fc0c220e4d23fcc6920086869afa013832b61d120a5a689835f6d4

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
243KB

MD5
3bbae3cfbfad36b9f1fcdf7a0d45ad6b

SHA1
987a62fc5a122833a4e0eae3af9bca29a6894994

SHA256
ce60a7200d517f94c6fe88c492e1e5adf4cea4aad1cea927204fbac1d249a451

SHA512
e3cf56234b352664cdfebf07915aa88514d282ecf32aea5edd6ef03a9e89fece9f883c8dafccc6024f70fc8c74926069b6fcbe15d22eb787288da3eb164927a6

Download Submit
memory/2268-41-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2268-64-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2568-21-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2568-69-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3188-66-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3188-33-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3700-72-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3700-13-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3788-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3788-73-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3788-1-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4484-29-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4484-68-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4536-62-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4536-49-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4612-60-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4612-57-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads