a3d1c245823d031c20bb7dc44f00b80bc45602e6503984d8119f69dcfee47768

Analysis

max time kernel
122s
max time network
133s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
02/01/2024, 15:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

172680b168799ca070ad3d141cfa1979.exe
Size

323KB
MD5

172680b168799ca070ad3d141cfa1979
SHA1

7c8570e7fd7ea9b2b37d95d3394c7b1a7faefe87
SHA256

a3d1c245823d031c20bb7dc44f00b80bc45602e6503984d8119f69dcfee47768
SHA512

6dad6a62afb5a8444aadfc48404b8bfbb5142d799e601bcdae530cec4d41f9bf31477b605b2ffd09e6937fb8c5e26cd9543f344af03882bbfcde50a07c148c75
SSDEEP

6144:sTKZxo/SOH9slljd3rKzwN8Jlljd3njPX9ZAk3fs:s2Zq/rojpKXjtjP9Zt0

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngfflj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nigome32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kegqdqbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljmlbfhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdacop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kegqdqbl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mponel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mponel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Migbnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Migbnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdifkpi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	172680b168799ca070ad3d141cfa1979.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmapm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmapm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngdifkpi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngfflj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nigome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	172680b168799ca070ad3d141cfa1979.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljmlbfhi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdacop32.exe

Executes dropped EXE 10 IoCs

pid	Process
1168	Kegqdqbl.exe
2908	Ljmlbfhi.exe
2340	Mpmapm32.exe
2648	Mponel32.exe
2620	Migbnb32.exe
2172	Mdacop32.exe
2812	Ngdifkpi.exe
2996	Ngfflj32.exe
2044	Nigome32.exe
1892	Nlhgoqhh.exe

Loads dropped DLL 20 IoCs

pid	Process
2272	172680b168799ca070ad3d141cfa1979.exe
2272	172680b168799ca070ad3d141cfa1979.exe
1168	Kegqdqbl.exe
1168	Kegqdqbl.exe
2908	Ljmlbfhi.exe
2908	Ljmlbfhi.exe
2340	Mpmapm32.exe
2340	Mpmapm32.exe
2648	Mponel32.exe
2648	Mponel32.exe
2620	Migbnb32.exe
2620	Migbnb32.exe
2172	Mdacop32.exe
2172	Mdacop32.exe
2812	Ngdifkpi.exe
2812	Ngdifkpi.exe
2996	Ngfflj32.exe
2996	Ngfflj32.exe
2044	Nigome32.exe
2044	Nigome32.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ljmlbfhi.exe	Kegqdqbl.exe
File created	C:\Windows\SysWOW64\Fjngcolf.dll	Kegqdqbl.exe
File created	C:\Windows\SysWOW64\Olahaplc.dll	Ljmlbfhi.exe
File created	C:\Windows\SysWOW64\Ngdifkpi.exe	Mdacop32.exe
File opened for modification	C:\Windows\SysWOW64\Ngfflj32.exe	Ngdifkpi.exe
File created	C:\Windows\SysWOW64\Mpmapm32.exe	Ljmlbfhi.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nigome32.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Nigome32.exe
File created	C:\Windows\SysWOW64\Mponel32.exe	Mpmapm32.exe
File created	C:\Windows\SysWOW64\Mdacop32.exe	Migbnb32.exe
File opened for modification	C:\Windows\SysWOW64\Mdacop32.exe	Migbnb32.exe
File created	C:\Windows\SysWOW64\Nigome32.exe	Ngfflj32.exe
File opened for modification	C:\Windows\SysWOW64\Migbnb32.exe	Mponel32.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nigome32.exe
File created	C:\Windows\SysWOW64\Kegqdqbl.exe	172680b168799ca070ad3d141cfa1979.exe
File opened for modification	C:\Windows\SysWOW64\Kegqdqbl.exe	172680b168799ca070ad3d141cfa1979.exe
File created	C:\Windows\SysWOW64\Ihlfca32.dll	172680b168799ca070ad3d141cfa1979.exe
File opened for modification	C:\Windows\SysWOW64\Mpmapm32.exe	Ljmlbfhi.exe
File created	C:\Windows\SysWOW64\Pdlbongd.dll	Migbnb32.exe
File created	C:\Windows\SysWOW64\Fbpljhnf.dll	Mdacop32.exe
File created	C:\Windows\SysWOW64\Ngfflj32.exe	Ngdifkpi.exe
File opened for modification	C:\Windows\SysWOW64\Nigome32.exe	Ngfflj32.exe
File opened for modification	C:\Windows\SysWOW64\Mponel32.exe	Mpmapm32.exe
File created	C:\Windows\SysWOW64\Migbnb32.exe	Mponel32.exe
File created	C:\Windows\SysWOW64\Hljdna32.dll	Ngdifkpi.exe
File opened for modification	C:\Windows\SysWOW64\Ljmlbfhi.exe	Kegqdqbl.exe
File created	C:\Windows\SysWOW64\Effqclic.dll	Mpmapm32.exe
File created	C:\Windows\SysWOW64\Cpbplnnk.dll	Mponel32.exe
File opened for modification	C:\Windows\SysWOW64\Ngdifkpi.exe	Mdacop32.exe
File created	C:\Windows\SysWOW64\Oqaedifk.dll	Ngfflj32.exe

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Effqclic.dll"	Mpmapm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mponel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljmlbfhi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmapm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mponel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngdifkpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngfflj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nigome32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	172680b168799ca070ad3d141cfa1979.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjngcolf.dll"	Kegqdqbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljmlbfhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpbplnnk.dll"	Mponel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Migbnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdacop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqaedifk.dll"	Ngfflj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	172680b168799ca070ad3d141cfa1979.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihlfca32.dll"	172680b168799ca070ad3d141cfa1979.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olahaplc.dll"	Ljmlbfhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	172680b168799ca070ad3d141cfa1979.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kegqdqbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbpljhnf.dll"	Mdacop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngdifkpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nigome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Nigome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmapm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdlbongd.dll"	Migbnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Migbnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kegqdqbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdacop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngfflj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	172680b168799ca070ad3d141cfa1979.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	172680b168799ca070ad3d141cfa1979.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hljdna32.dll"	Ngdifkpi.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 1168	2272	172680b168799ca070ad3d141cfa1979.exe	28
PID 2272 wrote to memory of 1168	2272	172680b168799ca070ad3d141cfa1979.exe	28
PID 2272 wrote to memory of 1168	2272	172680b168799ca070ad3d141cfa1979.exe	28
PID 2272 wrote to memory of 1168	2272	172680b168799ca070ad3d141cfa1979.exe	28
PID 1168 wrote to memory of 2908	1168	Kegqdqbl.exe	29
PID 1168 wrote to memory of 2908	1168	Kegqdqbl.exe	29
PID 1168 wrote to memory of 2908	1168	Kegqdqbl.exe	29
PID 1168 wrote to memory of 2908	1168	Kegqdqbl.exe	29
PID 2908 wrote to memory of 2340	2908	Ljmlbfhi.exe	30
PID 2908 wrote to memory of 2340	2908	Ljmlbfhi.exe	30
PID 2908 wrote to memory of 2340	2908	Ljmlbfhi.exe	30
PID 2908 wrote to memory of 2340	2908	Ljmlbfhi.exe	30
PID 2340 wrote to memory of 2648	2340	Mpmapm32.exe	33
PID 2340 wrote to memory of 2648	2340	Mpmapm32.exe	33
PID 2340 wrote to memory of 2648	2340	Mpmapm32.exe	33
PID 2340 wrote to memory of 2648	2340	Mpmapm32.exe	33
PID 2648 wrote to memory of 2620	2648	Mponel32.exe	31
PID 2648 wrote to memory of 2620	2648	Mponel32.exe	31
PID 2648 wrote to memory of 2620	2648	Mponel32.exe	31
PID 2648 wrote to memory of 2620	2648	Mponel32.exe	31
PID 2620 wrote to memory of 2172	2620	Migbnb32.exe	32
PID 2620 wrote to memory of 2172	2620	Migbnb32.exe	32
PID 2620 wrote to memory of 2172	2620	Migbnb32.exe	32
PID 2620 wrote to memory of 2172	2620	Migbnb32.exe	32
PID 2172 wrote to memory of 2812	2172	Mdacop32.exe	34
PID 2172 wrote to memory of 2812	2172	Mdacop32.exe	34
PID 2172 wrote to memory of 2812	2172	Mdacop32.exe	34
PID 2172 wrote to memory of 2812	2172	Mdacop32.exe	34
PID 2812 wrote to memory of 2996	2812	Ngdifkpi.exe	35
PID 2812 wrote to memory of 2996	2812	Ngdifkpi.exe	35
PID 2812 wrote to memory of 2996	2812	Ngdifkpi.exe	35
PID 2812 wrote to memory of 2996	2812	Ngdifkpi.exe	35
PID 2996 wrote to memory of 2044	2996	Ngfflj32.exe	37
PID 2996 wrote to memory of 2044	2996	Ngfflj32.exe	37
PID 2996 wrote to memory of 2044	2996	Ngfflj32.exe	37
PID 2996 wrote to memory of 2044	2996	Ngfflj32.exe	37
PID 2044 wrote to memory of 1892	2044	Nigome32.exe	36
PID 2044 wrote to memory of 1892	2044	Nigome32.exe	36
PID 2044 wrote to memory of 1892	2044	Nigome32.exe	36
PID 2044 wrote to memory of 1892	2044	Nigome32.exe	36

C:\Users\Admin\AppData\Local\Temp\172680b168799ca070ad3d141cfa1979.exe
"C:\Users\Admin\AppData\Local\Temp\172680b168799ca070ad3d141cfa1979.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\SysWOW64\Kegqdqbl.exe
  C:\Windows\system32\Kegqdqbl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Windows\SysWOW64\Ljmlbfhi.exe
    C:\Windows\system32\Ljmlbfhi.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Windows\SysWOW64\Mpmapm32.exe
      C:\Windows\system32\Mpmapm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2340
    - - C:\Windows\SysWOW64\Mponel32.exe
        
        C:\Windows\system32\Mponel32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2648

C:\Windows\SysWOW64\Migbnb32.exe
C:\Windows\system32\Migbnb32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Windows\SysWOW64\Mdacop32.exe
  C:\Windows\system32\Mdacop32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\SysWOW64\Ngdifkpi.exe
    C:\Windows\system32\Ngdifkpi.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\SysWOW64\Ngfflj32.exe
      C:\Windows\system32\Ngfflj32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2996
    - - C:\Windows\SysWOW64\Nigome32.exe
        
        C:\Windows\system32\Nigome32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2044

C:\Windows\SysWOW64\Nlhgoqhh.exe
C:\Windows\system32\Nlhgoqhh.exe
1⤵
- Executes dropped EXE
PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mdacop32.exe

Filesize
323KB

MD5
f1841a7b5592130192207766db59f87f

SHA1
3dae59c6adc2f26edbae15c29de4ac55bd99c742

SHA256
416646d44dcdd600cd7a1e68877174111310acf0148cfda2f06930fb7ba55917

SHA512
e14919b51b844379b9a4cc05a0fc969c6fe39c28a7e314549d4d28d8a3553349e60065220fae39acbaa19e615d25022b865e41513675f75be8f123d8ffe99094

Download Submit
C:\Windows\SysWOW64\Mdacop32.exe

Filesize
186KB

MD5
4b095532a227585024c8ce11c86df7ec

SHA1
3b0dcabf6020df009e5206f08cfea9e93edbd8ee

SHA256
4d9135beeb2cb3116670392a9542fc6ce504396117803abaaa84aeffd46fb19f

SHA512
e4c8f403f565ce9c2582bef76108ba6b8dad478b829fb6f8ec28750b78bfd60ea4dd0e770e5f75c9e00987f74b3feff277e2506f28c94e9376af36e105b5a82d

Download Submit
C:\Windows\SysWOW64\Mdacop32.exe

Filesize
72KB

MD5
fde2d2d58bece90625adeeeb234482c6

SHA1
c74b7c0ffa289eb84f48d7830bc27a471e07ef16

SHA256
a440eb1211a0c3523a9f9f4abc74026a56f930605941037fff8fd28633c80649

SHA512
576ea1689451229a5180661603dfe9403865cb558356596d4952b1991311df04a799b72e2525398932b2ddcc6edfdf2c48ca558b0050033a07c3308a51e98c58

Download Submit
C:\Windows\SysWOW64\Migbnb32.exe

Filesize
156KB

MD5
bce50d41166d09d5eb50de928b9f6317

SHA1
f6a592d4fb341f396ff6ece5d3d28a8d4994abcd

SHA256
5864f6a265d02f1c308ec9308c0874489147b7ee3dc413ced69e5bde8eec59b6

SHA512
e2009c9835759e7807cbd0246099f918b582c4d14860fe4f3270f67f263fe6ad3cffe2017a3410c6f900b968817e40080549c57ba98fc92fc10d505451787c5b

Download Submit
C:\Windows\SysWOW64\Migbnb32.exe

Filesize
56KB

MD5
518bff017fe7609dd5e7bb9684ed68f3

SHA1
d49f0fdc19bf48704203899f44fae17e12773bfb

SHA256
36517dceebf404175175b5beab57eedd6727fcd0a938a09e63929b097e567f13

SHA512
5a3130e0b26b347970b6727b7dfbfdb3040f52f2a03ffe1aed21aba09b2cb65823f13a890416be5c73495599760153505d95624e4627798830cee70affbe84c5

Download Submit
C:\Windows\SysWOW64\Migbnb32.exe

Filesize
38KB

MD5
0d70b3208c0021efc80fcbf2f0c23188

SHA1
0c630d6ec07c5c6aa7b97251c16333cbd906194e

SHA256
3bd00e4549afa998b96935ed22e002383aa545e1e630870c9398990c1c523e36

SHA512
465f3e6053f1fbb7ad5c6f1b4a8ce63989c7d430d665edca434b6be27a79063392d65ee7fa638a6fcbcb9ac4fb327d16bcc7706ce05e9b7237c4f3a8205a35c0

Download Submit
C:\Windows\SysWOW64\Mpmapm32.exe

Filesize
306KB

MD5
cbf340312a95ca9b66c6b38c0e457b51

SHA1
2c9fff6430a69282f99dfd38aee11bddfe24f743

SHA256
4c7054e31c0d3b11c5b623bbe46eb8eb74cd50a3a0579277605abff25dfcebc9

SHA512
a5ad3a944684daf8a0ab1acba7a93a52b0ba8b1b01d3524e7251a8053b7e73ab6f7cb8e8c9e2f66e4e9f66b3e56dae18f567f0bcb9d57c5d9f8670b14002b449

Download Submit
C:\Windows\SysWOW64\Mponel32.exe

Filesize
249KB

MD5
ecdb918707cb1661ff28ccf806b225f9

SHA1
92b9631e01f44bbc9b70322c3a90e58ab8eeb4e7

SHA256
5b3a86d769fc5a6a92910d019a43ace3aa842ab3f629455988a416537c095181

SHA512
0a8d57bc9def52194db2cc80565b9ba4fc5c96a093c7dfaca6e41a97a2888e55813bffd23f1a0844fbc69439e47fffe30887f72252faa25533984a6b50daf744

Download Submit
C:\Windows\SysWOW64\Mponel32.exe

Filesize
186KB

MD5
53c11696e08a0def80b2800fadf6ca18

SHA1
aab74ca76e6202bbf5c11530b99121eb972f31a3

SHA256
964175ef161a53399bf96a070e26aba54dddd55dc7c6f1e0d0bd8af03e79939d

SHA512
6f5146ba04f139cf9c8d88eae3f066e39fed95982ca4a95de3d09edb709472074eb4cb97ddbe4ca64135fd573b9f373de4962adb040c877ac7185d1068028c16

Download Submit
C:\Windows\SysWOW64\Mponel32.exe

Filesize
69KB

MD5
1889016ba89a9a97e88c44c9686f1ff1

SHA1
7235f15c1682be0c63e5c2e0791f226ab89b7aa0

SHA256
e458a17c6e1d13ed3e7221b5b70b3e04496e2b9bf6ebcb5eb1bd05a25cbfd3c8

SHA512
5a4270d59c77f46b93344f39d81aa26624d3e5137a8f2559784641202f9c856474b75bb5dc6339af4156098d61606e3f3662ae00f676ca965eb0e3cc3f9ffa63

Download Submit
C:\Windows\SysWOW64\Ngdifkpi.exe

Filesize
323KB

MD5
e3ee5c2b38a8588702f0592f1d2375b9

SHA1
7551534e90b6a19b9d268ecc92f6df947a5780b2

SHA256
29ddc291e429cc712e239a8e2cf83209ee3e59d61a1780cd279185a0f1992393

SHA512
e29426b4f2f4acf20f0e7258e949480a6c2e91cc2507d13891328ef1f1ca9ec43e6abe1a57d11ea1a7b607a775cef6b5ca7b13875a9084aa7660d7ba96c8e947

Download Submit
C:\Windows\SysWOW64\Ngdifkpi.exe

Filesize
315KB

MD5
bf12cf971d1dbb21d74dca4d796c130c

SHA1
6ea3a28c36cdabc071c26895d50dfa305ae8419b

SHA256
24bb58a5cb0d813699dabe823f45aeb4c860b65861212e4456c6f51f53a0f3e9

SHA512
47c0c212129476ec5ee7a56f816fe9397543a665dc08eafa8f5daabb2d1b90c0f9f7cf9b70e2a2cd6d030275b3a376ad2f0218a7b876dc12f91afc04949f5b91

Download Submit
C:\Windows\SysWOW64\Ngdifkpi.exe

Filesize
179KB

MD5
b7f0972249a205d2e1aaad71f37b9980

SHA1
ce37347b88718c40969a979a2cf257e9f4e57f01

SHA256
c42370dbc9ef7aec5719f4de857d64ac7e76e66a122903c0b69554b40f7fae1e

SHA512
258e7bc086d9ea6db790355d1b535cf3c23e8b8be50e28b227e3e88983a83cb89b92b96cb28e0e8f011ccaf121e91a4cf87edf92560480bc84a6d78c823fb99d

Download Submit
C:\Windows\SysWOW64\Ngfflj32.exe

Filesize
167KB

MD5
52905205b68c6e3044dadfd44d7543ab

SHA1
372fd135fe747990a2cbd0e96f164dedd5c63790

SHA256
9acb5c5ed5e82c8d386d42b137e81819f3a29f8c9d194cf57d7dff59956d0c24

SHA512
17416d9dba67b9e3f57c5ecc2a5d64d0b47ddb38d60c0a1c77101fe3ae8d96a069b55ae84b34966274746bbbef47ec2a80004bc499b5423b04c257fc83181208

Download Submit
C:\Windows\SysWOW64\Ngfflj32.exe

Filesize
145KB

MD5
0935e927d89b29a0d12c7f61dfcf76b3

SHA1
fc7839f78bc64e97b0db383c013aa320383db92d

SHA256
31799c122999a612966bcb0aad79dd09752e33e9b21fad1a59a9f0c0edbeb120

SHA512
0bc7aa5c2c8a13e1a688a94ccbc07869406762cbd4c7e6184fd5aeb75aa53b270bb8c5c5200b71c3ef11a29b59261444184f0b05b1268dea85783090e6cfa617

Download Submit
C:\Windows\SysWOW64\Ngfflj32.exe

Filesize
213KB

MD5
04a78334dfeb6bfa73d9a7e55a420eb2

SHA1
e61c260acc5ccc6c069c02ca65bde51726212ce5

SHA256
3834b1adaee69a06a8bb5a63f0df49ef2aaba8af6ce7db4566a80973fbed2b02

SHA512
a528bec6c9c6b2890e57c530f90f5b3fd02f8a3b2248c078dbcd25fb4c216b66a5cde98f2185e120398c117b209f5580e005fea29ea1d7e6f0f867e924e630dd

Download Submit
C:\Windows\SysWOW64\Nigome32.exe

Filesize
323KB

MD5
dbc87995f4fd92bad246144b3c206052

SHA1
0ba22e7c79d73834684fd5fc3ac3a8e4cfc14050

SHA256
09682fadf616a079e64f69370d0cc2876b519a86b71a30a33fbd1a54aa621c98

SHA512
97f8bb667c95ca4866f9a3b7100e88c43f3bd3682a49ccc7540fdafe5698ea1aeff6dd191e9537f72071b09501ce3eb16707f46b1c777c6bae5ce21e7f04d576

Download Submit
C:\Windows\SysWOW64\Nigome32.exe

Filesize
141KB

MD5
9640d2adef6a9c33cc5482a2c1afc51e

SHA1
432cd766f0bdb2bd811089731365a1013fce520d

SHA256
4538a4f0886b85141d0e4ccb0d0b9d9211be5ccb7420b961db2403ba666731e0

SHA512
3970b038b1bd087669d630840bdb1ea52f31a27d1c675fa99e85f7d9e7fd42a24113c785dc8241c86178e7cd655314e52a54016bc94309a4f1ef300a8a599922

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
123KB

MD5
c9035d0095e7eae20686923309e75c02

SHA1
33329fcf0cac163485f51fb5fc5e1451b7e47772

SHA256
899b20d4cb7f70157e34636367ebfc1f66c773a32b7b91cb98033d7bc6da8079

SHA512
c14410f1545fefd9db1946eb5fe8906fadba6e57b4e311019c8c254ed275219da80da1e96cc6f683cb433fbab32fdbf5194beac0fbd6f5c3070ef4121d91db0e

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
107KB

MD5
2ca1bab6940821050f220726ab95c81d

SHA1
5749d351ffd3f9bed0ab9257256a697a5fa1485f

SHA256
832a3ea4803da9458930fae9c12915b84e6a137d2a7199e2e3e4ba744e506363

SHA512
9a3bb7b59a1ebdc025f405fcf0a9c737c5dbb600f29c0e431aad275182510796fafba691f803517e53d0ac7c92f6de53e9b56c03f607faf608f0b1ba72277dca

Download Submit
\Windows\SysWOW64\Kegqdqbl.exe

Filesize
323KB

MD5
c593f0f78719af238fd9c7fa204155a3

SHA1
dbae69c7fa06db810283be966db0d8580e09b580

SHA256
c54d555d3c5c2d3c333ca80584fa0e0bacb186172ec94b45eed750602bbb6a14

SHA512
f1a0be65d6d17a52268fdd94c5d12b8583d3d9bdc55e9076f5e908cc2074f8abf6e681be33363ced99e21d2f795991dd9581f5a2ac289e428c3e7626fd4c3270

Download Submit
\Windows\SysWOW64\Ljmlbfhi.exe

Filesize
323KB

MD5
a49ed3123f79d01983d26d5f41bfd80e

SHA1
7fcb1e52d3f71b1ef9b88efaf9f5bfb1a884ef25

SHA256
339215b59de94b92ccf86a601ef72d7476b46b1be0937766f3ddd887c9c83202

SHA512
b736f42d1fb4b9d92a30500a3c546a9ab5023f45c957d80c5487d2ba4c9b6746debe09f9138d1abecb6821b0941358ceef529c6bfed5d39b4f46ac2fec97d6e0

Download Submit
\Windows\SysWOW64\Mdacop32.exe

Filesize
55KB

MD5
462bf3f59e9b3e4047037413b9ad5519

SHA1
5f393a051426aadb5b755fab5a8714eb11f86e39

SHA256
5de4ede7e03c786c35ce299fd8e075952e6fd747bbc4864af2f6dad264d6acc0

SHA512
0accaf5ee1f84a68f546e8f6b6a5d5e8967f8675b73daab9e09ea916472d4cff398cfffc49ce721a88c0160a083d3e83ef5c86acc5a0500ea1731b60b94475a6

Download Submit
\Windows\SysWOW64\Migbnb32.exe

Filesize
114KB

MD5
3ec0392770737a05b2324b020123f491

SHA1
920629c8717b5fa5bd83888d378372f4abd13bff

SHA256
782d888dfa473d6129f9b0c0c5a44bdcf5d2ae3d0b528d661938bd5f447bc39d

SHA512
547d29ea4c283777aea4511780c680b89b240e76f7d9e26f253d0975a687bc980bfa695efff3cc68d12daea19951e7efdb0f51eb352e614665320c765a76db96

Download Submit
\Windows\SysWOW64\Migbnb32.exe

Filesize
92KB

MD5
0eafb9d48e037d9d692b80cf55cea5ae

SHA1
07f2b2a319fd017b905712edf434ededc2432d13

SHA256
e93c8b1e21b9f9c321d91ced30834e2fa55d6fd67ec1e62ae5ec1e5086ecb56b

SHA512
2a865d6c050c76bde44c95fe26d593b62fd295f1bda91dbcf786e3ab10f1d740b12bba8783055fc4a2c3dfa215480581ed8d8c901a812ec4e2fa46200031a6cc

Download Submit
\Windows\SysWOW64\Mpmapm32.exe

Filesize
323KB

MD5
8682c59df4563c5b5aada6f8a7ff02f9

SHA1
3085a8793e37917a79dadb6f7df1cc5c96e7e494

SHA256
ca47062d895221f14d26d6015a6460121d724ccd3fe65d320e9484e8c6d30eb2

SHA512
9dce628aac22af2cc591465b5eb9c004546305f9732a2fa83bf687005710482a91ee490e4a48f540cf6f13f8d5d466e119adf311de92be85493d2f783f88d17b

Download Submit
\Windows\SysWOW64\Mponel32.exe

Filesize
190KB

MD5
b7a19d80ad977f273fd5c58b03142ae6

SHA1
28233fb332ee8431d862f97c833396465889b562

SHA256
ca8b14ea1b87589ab040b2431cce7f2bcbbc5eec15c152540a5b739f7b98ece6

SHA512
67fd1b581b25707cad4fcdde4f8c06dfefb1158536cdf1d17239d7c92d1e9d7df0e8fb234b262a542739766e2409814caa8c722d11d4eb8261fdfa24d437b742

Download Submit
\Windows\SysWOW64\Mponel32.exe

Filesize
233KB

MD5
eb83fd721955b5fd8b57f5c71ef927ad

SHA1
94f92a12c7429d5676cf9c4c2bf086c6a16d6711

SHA256
bf1c34998a8f41555394a820119ec1ea412085ae8f2866ab40c7b24200c7ec02

SHA512
c5af345635ac8509d7d0d008fb2424faf8fe6fad21ee60acbe264f7c5b5d9994734994b9e173c39f245a49299daa4a1e20fee3074626d5fab7d1c159a25b274d

Download Submit
\Windows\SysWOW64\Ngfflj32.exe

Filesize
174KB

MD5
fdf664239758f16e26fd803642610e64

SHA1
a19c236d009a1ec0f9f00f99db156bb81275d06c

SHA256
c3f534e91d31447bb90d778294fd82e56589ad69e4a0d3cf9a71986d55bbb724

SHA512
c7b49906bed0a3208960ff9de2069083447a3a12fe1269e9a6ab48b7e59d0e204e8b59b2ca6b05512c78f1fbbcaa43a8276c5f67176bb397faa1c67416637d95

Download Submit
\Windows\SysWOW64\Ngfflj32.exe

Filesize
289KB

MD5
08a61d453a270b521ff8e2ae87ceed65

SHA1
db1c8c847c24416b3300f3787eeeaf160286394a

SHA256
f5bb90a1749aa452a441b76f93df7b7f2912152fcf7b7e546bfeb795c2e2c576

SHA512
3d757c2aa9bae77f18dc6f1db564f5546398a973566c33e9a42b6733897cb34cbc0070870efa71ff83cd8b387e5061f859073e0ffa2515e41e80369efc52425a

Download Submit
\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
323KB

MD5
f32dd33d6d296c7f4e74755cf67d4358

SHA1
5844bf6fac45db8f50288c97eddfae17477b3530

SHA256
9e1105af158d39f05ddd64064fefc1dab92f31069e60a4a90ea5b2ee1668c634

SHA512
18cb40d33108f75775d8d6ca096baa38cbeb8e6ece5a9acc8138894ee1468001e2ed854ef4202fd7d78ab9c6e1c986bb70fd63bf7b1f28a3637015103a831c71

Download Submit
memory/1168-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1168-41-0x00000000002B0000-0x00000000002E3000-memory.dmp

Filesize
204KB

Download
memory/1168-26-0x00000000002B0000-0x00000000002E3000-memory.dmp

Filesize
204KB

Download
memory/1892-140-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2044-126-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2044-134-0x00000000002A0000-0x00000000002D3000-memory.dmp

Filesize
204KB

Download
memory/2044-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2172-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2172-99-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2172-84-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2272-13-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2272-6-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2272-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2272-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2340-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2620-82-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2620-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2620-97-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2620-74-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2648-146-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2648-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2648-69-0x00000000003C0000-0x00000000003F3000-memory.dmp

Filesize
204KB

Download
memory/2812-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2812-107-0x0000000000230000-0x0000000000263000-memory.dmp

Filesize
204KB

Download
memory/2812-100-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2908-147-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2908-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2908-47-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2996-142-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2996-120-0x00000000003C0000-0x00000000003F3000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads