353e26eb4e46ece2b08c89f702b2dea62d11bdf737f40a6daec9ce18f8da08d9

Analysis

max time kernel
0s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
05/01/2024, 14:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c234c2f9bcc9ba24f6a1f077ef4f9667.exe
Size

304KB
MD5

c234c2f9bcc9ba24f6a1f077ef4f9667
SHA1

aa2360930f8264677619ed6484f170b18f0bd010
SHA256

353e26eb4e46ece2b08c89f702b2dea62d11bdf737f40a6daec9ce18f8da08d9
SHA512

f90a34430a89fbf975f3e32cc2210d98112a6f16f55b493f345fb780ae9f61d2e05c138f25bff5492eb59970885684a3a68daf58d554e032aba6b7fb743ea258
SSDEEP

3072:26gYZ3LVSaVT8kijeJXwDOOeIejz+k5rD0LZSnulc0VP7SnHjg:26tRJVTCehKuIEKIrD0Lu

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	c234c2f9bcc9ba24f6a1f077ef4f9667.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c234c2f9bcc9ba24f6a1f077ef4f9667.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe

Executes dropped EXE 10 IoCs

pid	Process
3716	Mdpalp32.exe
1632	Nkjjij32.exe
4360	Nnhfee32.exe
4456	Nacbfdao.exe
2752	Ndbnboqb.exe
688	Ngpjnkpf.exe
4940	Njogjfoj.exe
1120	Nafokcol.exe
3152	Ncgkcl32.exe
4064	Nkncdifl.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	c234c2f9bcc9ba24f6a1f077ef4f9667.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	c234c2f9bcc9ba24f6a1f077ef4f9667.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	c234c2f9bcc9ba24f6a1f077ef4f9667.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ngpjnkpf.exe

Program crash 1 IoCs

pid	pid_target	Process
1256	3044	WerFault.exe

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	c234c2f9bcc9ba24f6a1f077ef4f9667.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	c234c2f9bcc9ba24f6a1f077ef4f9667.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	c234c2f9bcc9ba24f6a1f077ef4f9667.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	c234c2f9bcc9ba24f6a1f077ef4f9667.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	c234c2f9bcc9ba24f6a1f077ef4f9667.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	c234c2f9bcc9ba24f6a1f077ef4f9667.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4640 wrote to memory of 3716	4640	c234c2f9bcc9ba24f6a1f077ef4f9667.exe	35
PID 4640 wrote to memory of 3716	4640	c234c2f9bcc9ba24f6a1f077ef4f9667.exe	35
PID 4640 wrote to memory of 3716	4640	c234c2f9bcc9ba24f6a1f077ef4f9667.exe	35
PID 3716 wrote to memory of 1632	3716	Mdpalp32.exe	34
PID 3716 wrote to memory of 1632	3716	Mdpalp32.exe	34
PID 3716 wrote to memory of 1632	3716	Mdpalp32.exe	34
PID 1632 wrote to memory of 4360	1632	Nkjjij32.exe	33
PID 1632 wrote to memory of 4360	1632	Nkjjij32.exe	33
PID 1632 wrote to memory of 4360	1632	Nkjjij32.exe	33
PID 4360 wrote to memory of 4456	4360	Nnhfee32.exe	32
PID 4360 wrote to memory of 4456	4360	Nnhfee32.exe	32
PID 4360 wrote to memory of 4456	4360	Nnhfee32.exe	32
PID 4456 wrote to memory of 2752	4456	Nacbfdao.exe	31
PID 4456 wrote to memory of 2752	4456	Nacbfdao.exe	31
PID 4456 wrote to memory of 2752	4456	Nacbfdao.exe	31
PID 2752 wrote to memory of 688	2752	Ndbnboqb.exe	15
PID 2752 wrote to memory of 688	2752	Ndbnboqb.exe	15
PID 2752 wrote to memory of 688	2752	Ndbnboqb.exe	15
PID 688 wrote to memory of 4940	688	Ngpjnkpf.exe	16
PID 688 wrote to memory of 4940	688	Ngpjnkpf.exe	16
PID 688 wrote to memory of 4940	688	Ngpjnkpf.exe	16
PID 4940 wrote to memory of 1120	4940	Njogjfoj.exe	30
PID 4940 wrote to memory of 1120	4940	Njogjfoj.exe	30
PID 4940 wrote to memory of 1120	4940	Njogjfoj.exe	30
PID 1120 wrote to memory of 3152	1120	Nafokcol.exe	29
PID 1120 wrote to memory of 3152	1120	Nafokcol.exe	29
PID 1120 wrote to memory of 3152	1120	Nafokcol.exe	29
PID 3152 wrote to memory of 4064	3152	Ncgkcl32.exe	28
PID 3152 wrote to memory of 4064	3152	Ncgkcl32.exe	28
PID 3152 wrote to memory of 4064	3152	Ncgkcl32.exe	28

C:\Users\Admin\AppData\Local\Temp\c234c2f9bcc9ba24f6a1f077ef4f9667.exe
"C:\Users\Admin\AppData\Local\Temp\c234c2f9bcc9ba24f6a1f077ef4f9667.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4640
- C:\Windows\SysWOW64\Mdpalp32.exe
  C:\Windows\system32\Mdpalp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3716

C:\Windows\SysWOW64\Ngpjnkpf.exe
C:\Windows\system32\Ngpjnkpf.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:688
- C:\Windows\SysWOW64\Njogjfoj.exe
  C:\Windows\system32\Njogjfoj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Windows\SysWOW64\Nafokcol.exe
    C:\Windows\system32\Nafokcol.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1120

C:\Windows\SysWOW64\Njcpee32.exe
C:\Windows\system32\Njcpee32.exe
1⤵
PID:116
- C:\Windows\SysWOW64\Nqmhbpba.exe
  C:\Windows\system32\Nqmhbpba.exe
  2⤵
  PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3044 -ip 3044
1⤵
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 412
1⤵
- Program crash
PID:1256

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
1⤵
PID:3044

C:\Windows\SysWOW64\Ncldnkae.exe
C:\Windows\system32\Ncldnkae.exe
1⤵
PID:4908

C:\Windows\SysWOW64\Ngedij32.exe
C:\Windows\system32\Ngedij32.exe
1⤵
PID:2536

C:\Windows\SysWOW64\Ndghmo32.exe
C:\Windows\system32\Ndghmo32.exe
1⤵
PID:5080

C:\Windows\SysWOW64\Nnmopdep.exe
C:\Windows\system32\Nnmopdep.exe
1⤵
PID:4524

C:\Windows\SysWOW64\Nkncdifl.exe
C:\Windows\system32\Nkncdifl.exe
1⤵
- Executes dropped EXE
PID:4064

C:\Windows\SysWOW64\Ncgkcl32.exe
C:\Windows\system32\Ncgkcl32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3152

C:\Windows\SysWOW64\Ndbnboqb.exe
C:\Windows\system32\Ndbnboqb.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2752

C:\Windows\SysWOW64\Nacbfdao.exe
C:\Windows\system32\Nacbfdao.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4456

C:\Windows\SysWOW64\Nnhfee32.exe
C:\Windows\system32\Nnhfee32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4360

C:\Windows\SysWOW64\Nkjjij32.exe
C:\Windows\system32\Nkjjij32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
304KB

MD5
bc99fa392b360b7d72f0153adf752d2b

SHA1
ef757e85d17e4a31f87568d3a5da719d76b4d907

SHA256
c0f40b4c9524e1f558968f67018997262154cf75d0cc6ef526fe53b0726a3456

SHA512
4dfbce11791a02737325ddcb5f682159a6c6281f58118dd75a62916179487daadbc908e58b1b9e5a919fde34400a713fd5d23a09c6f02e8d3dee3e9a754086f6

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
92KB

MD5
99c0590adf4ceb0490c60a8049e21b35

SHA1
b4a114f0bd0b2b45955a571502d4de1e44a5aa2f

SHA256
d9ce896d04412fb3c49f3111e6c1aa94f0fae3fc1cb712e863a324cc8003aba4

SHA512
b8b0c80280273da6b12e66a1d0228546308616205f4ab9bea55fe16ede0709cc182e8387cf7deac6685a1b8fce08b3626e25cac8a6898933080f219de5e685f3

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
304KB

MD5
0978e91a95f9abb7da8260abd3c0e3a8

SHA1
51a37537a88aec38b0236de151ed419441081db1

SHA256
dc84b7aed1623fcde9e3c965c6fb767fb33aa553ce091bed92d13d2452f36cbd

SHA512
e6a5a3fe0f5da40667959ccac656cd3ae65a83f9cbf9673bd09649b52a6b5a7ab7a3e90c083f52ac214a575aa01bf1e61aaaa016cb681ef5d66cda5838c6ece8

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
304KB

MD5
910b4a9c6c73716f17777c0a85de9f22

SHA1
b6ccfbce09120f81559863d34e75aefaf64472b4

SHA256
86213f08afb17bda50fa1e3877d77c2c668b6be1f2dc1583108364950493d2e3

SHA512
cce407f35db47abfc50d805bd753c07e091103b191760f0e39782c2788e4d48d85263cac38ceb65680b455d06006c60d72627a284965e48f0c176f76891e2d7b

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
304KB

MD5
7b2ec01a6e980bfc3ff1cf71de08dd48

SHA1
cd3dc3a77f899a799109c7d57d9ad7610d71aa0e

SHA256
7a837cd408be30c9254c9a1bcce0a67a2b4a5030ae4d186df70866eab06f1619

SHA512
9767da3a168ca091edb5eac49a11c6f61f52a4f5589e1629f8493129c99479baacbc7c3229aeb4e2a572ba38893368b49359a1005215574a98cffca6063e8e4a

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
304KB

MD5
5fd4c7cb93d15e7721099506f761f944

SHA1
4a6d273ae080aa50ba8af8238ec0dbe1f73e4c62

SHA256
9a586db92d4017e6322ec3c45d51dd8271ba41ea4612b6314a93493c9e473d72

SHA512
a808cf34cee2d4955e01e8a1847a7d2baaa29321911eae9b3efad7956d160c03d24eaedea34deb148f71223ec8051cf607d0c65f795e42c9cae152d7f7c69a18

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
304KB

MD5
81f6392c46a76eb2ab485670673b9b86

SHA1
f08ae0436fdb684166a600a6201353ba49dedce2

SHA256
e72ba09730a8e283568a612caa5d97bb50e403c9e5be54abdfcb506bb457426d

SHA512
1f9951a6eeb0d3855d69a52c8f91dc91bd7321726c417115b16a8f21764cd3d0be7ceb46870ff1fec04a020a2c620db4447134380038a57f1850bffb5b9257be

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
304KB

MD5
779fe168c744c8e499194b4465f438d4

SHA1
b9d2c9b40bcb1f5ca8bca85bfc198eeb00fa17b4

SHA256
7cae284e92cf9e11571223e03995f19bdd54eb8f1b5a10a45d92862c8f0c185e

SHA512
dd3fc74e99a5e0218662ec27915f23d15f39308010cb42c953042f4bcf6ebbaba10ae1ed1d86f91983a1d6957a6c9e4ca3e51d87daa8d0df8e80b5488c28eaed

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
304KB

MD5
66301483628b771585b606e8f0210bc5

SHA1
bd9d4d5bd3fe8d9f9b53c67a86cb90523354db2f

SHA256
40527fb9cd8fb48c7e491f74988f1b5299bb19a7ae0d1fabff07a2863cf47177

SHA512
b62494d6f847ad367f1a6d98ce289fa6b406c526f7fd6a77ea40a3c425ba0ac1a46ce7ad8c0e4a5e79854c653fcdf0326fc658fea0e24126cd4a950a66c1e3c3

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
304KB

MD5
805435af483044c550aa7f1a93f687ed

SHA1
4d94b370c72153f1dfd1e26a9bc8cbfe24ff8bbc

SHA256
85f00a50a05cf9c438644d8c378c4e61daf058fc82eea64f429a8041bb753be7

SHA512
46b092bf71ac168d967b3e315daba8b78d4b7ea2311df052f6f3932cdfdb1a8975c5f301cf2b6f751fc1a93970789e0d3fdab352e27764477d3369b72fdf4715

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
304KB

MD5
21b727058199e4e387abc25bf2190d63

SHA1
88ebc5a5718166575cecb98d2828a0afc7b27f7d

SHA256
32ab37dbc5972df92db0caaaec9e4ef03cc6d62f195d7948b33ab1ef8ecba762

SHA512
05502dc48dabc1ef20e84b4284dd7504a98182ce5377a6949cd6adf176128b935451d38d05c28753e148cbe685d8777d4e26414e878bc049f9f040989ffb56af

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
92KB

MD5
9171975bc066e47e984f36f4f5bd7910

SHA1
556511a0b7728b9950e496d37d556b46d415547a

SHA256
a7152e051b7d1158f60c7e317267710c72f7b9a788cefa486eeae22b3a2ebe41

SHA512
80518e374ea11377b4c6e5c440251a0eea95a9ed4943876696fc56cffec23120cd5d1c99149f236d16edf35d30bfdaa149c0bb1df2ee82ba80c71bc786ac6a29

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
304KB

MD5
c224387edf01c4092fdcb87b3c6ee82f

SHA1
bd45caea65b7b23e29d62514de51c2e51bad51c2

SHA256
2c1473767946faa5492c3806b6b61553f0be804e7fa90be42e5994978438fb63

SHA512
23a34a857f2cc81c475efbebfb5115ddfd190f32677c11a8768a0e37c10f5ddefcad7656ef05575664cfddfc52f6fe5ee3bb57c4f87ed1e72ad5af64683b5be5

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
304KB

MD5
d6874d76b417ec25302fe86f74012720

SHA1
e7591d80dd3dcea6e8b1a8a49e8578fd4d1255c5

SHA256
68894ee9d47854ab82d3cbb2d9c87275fa7994ba6042788d98cf3e7d5eeacc28

SHA512
6c4e86bbfac2159ca74e41366c44a0fe12388b99f7cddf4298d1b84970e138fbf32ac275bec5d95e46334959141b3901ec6451eb344666821bbccca9fbb6ea45

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
304KB

MD5
30ee17854bfd563972ce03bf1c0ebf09

SHA1
b67167334205807a307d401d293b05db6aaba529

SHA256
a1f9027b23b9a1fb8441e25f77d1adbf58150669f4e3f1bb808a997ffd6bdeb0

SHA512
36c2ee07b0788f9b8f84670197b8428f6b235da7e60ed87242fa820e35579d9229c2dcf437f8b2c6f11a544ae7bec430c86459b0c0662bf2424e82e3e2aeb6bf

Download Submit
memory/116-116-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/688-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/688-148-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1120-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1120-146-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1632-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1632-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-103-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3044-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3044-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3152-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3152-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3624-139-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3624-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3716-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3716-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4360-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4360-23-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4456-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4524-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4524-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4640-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4640-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4908-138-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4908-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-60-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-147-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5080-142-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5080-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads