808ecddb06fbb66bbe179f371ee3ada02129e717ed917c3227b49870fc6b21d1

Analysis

max time kernel
0s
max time network
61s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
06-01-2024 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da1375b6b40ecac7da1251a052e84c69.exe
Size

112KB
MD5

da1375b6b40ecac7da1251a052e84c69
SHA1

915dc218768094421d242f2de5a28d2e727549ac
SHA256

808ecddb06fbb66bbe179f371ee3ada02129e717ed917c3227b49870fc6b21d1
SHA512

6a90709f1f3aa0ba617ff5041d07c5ba0fd7e15bcb8664c5e76ef116f460083d2b93a4edd3411a17eb3be8deebbd601a7087e0d1aec755af3b2c09306eba0b79
SSDEEP

3072:U0RDPNH1CuAhld1FfJ9IDlRxyhTbhgu+tAcr+:7P5cuOld1FfsDshsra

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	da1375b6b40ecac7da1251a052e84c69.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	da1375b6b40ecac7da1251a052e84c69.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe

Executes dropped EXE 10 IoCs

pid	Process
4452	Mnapdf32.exe
3236	Mcnhmm32.exe
1200	Mjhqjg32.exe
2080	Mncmjfmk.exe
4224	Mpaifalo.exe
516	Mcpebmkb.exe
4752	Mjjmog32.exe
1180	Maaepd32.exe
4888	Mcbahlip.exe
668	Njljefql.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	da1375b6b40ecac7da1251a052e84c69.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	da1375b6b40ecac7da1251a052e84c69.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	da1375b6b40ecac7da1251a052e84c69.exe

Program crash 1 IoCs

pid	pid_target	Process
4992	3100	WerFault.exe

Modifies registry class 33 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	da1375b6b40ecac7da1251a052e84c69.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	da1375b6b40ecac7da1251a052e84c69.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	da1375b6b40ecac7da1251a052e84c69.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	da1375b6b40ecac7da1251a052e84c69.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	da1375b6b40ecac7da1251a052e84c69.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	da1375b6b40ecac7da1251a052e84c69.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mcbahlip.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 4452	1660	da1375b6b40ecac7da1251a052e84c69.exe	48
PID 1660 wrote to memory of 4452	1660	da1375b6b40ecac7da1251a052e84c69.exe	48
PID 1660 wrote to memory of 4452	1660	da1375b6b40ecac7da1251a052e84c69.exe	48
PID 4452 wrote to memory of 3236	4452	Mnapdf32.exe	45
PID 4452 wrote to memory of 3236	4452	Mnapdf32.exe	45
PID 4452 wrote to memory of 3236	4452	Mnapdf32.exe	45
PID 3236 wrote to memory of 1200	3236	Mcnhmm32.exe	44
PID 3236 wrote to memory of 1200	3236	Mcnhmm32.exe	44
PID 3236 wrote to memory of 1200	3236	Mcnhmm32.exe	44
PID 1200 wrote to memory of 2080	1200	Mjhqjg32.exe	43
PID 1200 wrote to memory of 2080	1200	Mjhqjg32.exe	43
PID 1200 wrote to memory of 2080	1200	Mjhqjg32.exe	43
PID 2080 wrote to memory of 4224	2080	Mncmjfmk.exe	16
PID 2080 wrote to memory of 4224	2080	Mncmjfmk.exe	16
PID 2080 wrote to memory of 4224	2080	Mncmjfmk.exe	16
PID 4224 wrote to memory of 516	4224	Mpaifalo.exe	42
PID 4224 wrote to memory of 516	4224	Mpaifalo.exe	42
PID 4224 wrote to memory of 516	4224	Mpaifalo.exe	42
PID 516 wrote to memory of 4752	516	Mcpebmkb.exe	17
PID 516 wrote to memory of 4752	516	Mcpebmkb.exe	17
PID 516 wrote to memory of 4752	516	Mcpebmkb.exe	17
PID 4752 wrote to memory of 1180	4752	Mjjmog32.exe	39
PID 4752 wrote to memory of 1180	4752	Mjjmog32.exe	39
PID 4752 wrote to memory of 1180	4752	Mjjmog32.exe	39
PID 1180 wrote to memory of 4888	1180	Maaepd32.exe	38
PID 1180 wrote to memory of 4888	1180	Maaepd32.exe	38
PID 1180 wrote to memory of 4888	1180	Maaepd32.exe	38
PID 4888 wrote to memory of 668	4888	Mcbahlip.exe	37
PID 4888 wrote to memory of 668	4888	Mcbahlip.exe	37
PID 4888 wrote to memory of 668	4888	Mcbahlip.exe	37

C:\Users\Admin\AppData\Local\Temp\da1375b6b40ecac7da1251a052e84c69.exe
"C:\Users\Admin\AppData\Local\Temp\da1375b6b40ecac7da1251a052e84c69.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\SysWOW64\Mnapdf32.exe
  C:\Windows\system32\Mnapdf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4452

C:\Windows\SysWOW64\Mpaifalo.exe
C:\Windows\system32\Mpaifalo.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4224
- C:\Windows\SysWOW64\Mcpebmkb.exe
  C:\Windows\system32\Mcpebmkb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:516

C:\Windows\SysWOW64\Mjjmog32.exe
C:\Windows\system32\Mjjmog32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Windows\SysWOW64\Maaepd32.exe
  C:\Windows\system32\Maaepd32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3100 -ip 3100
1⤵
PID:812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3100 -s 408
1⤵
- Program crash
PID:4992

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
1⤵
PID:3100

C:\Windows\SysWOW64\Ndidbn32.exe
C:\Windows\system32\Ndidbn32.exe
1⤵
PID:4724

C:\Windows\SysWOW64\Nqmhbpba.exe
C:\Windows\system32\Nqmhbpba.exe
1⤵
PID:3980

C:\Windows\SysWOW64\Nnolfdcn.exe
C:\Windows\system32\Nnolfdcn.exe
1⤵
PID:3532

C:\Windows\SysWOW64\Nkqpjidj.exe
C:\Windows\system32\Nkqpjidj.exe
1⤵
PID:4068

C:\Windows\SysWOW64\Ncihikcg.exe
C:\Windows\system32\Ncihikcg.exe
1⤵
PID:2260

C:\Windows\SysWOW64\Nnmopdep.exe
C:\Windows\system32\Nnmopdep.exe
1⤵
PID:2396

C:\Windows\SysWOW64\Nkncdifl.exe
C:\Windows\system32\Nkncdifl.exe
1⤵
PID:4700

C:\Windows\SysWOW64\Nqiogp32.exe
C:\Windows\system32\Nqiogp32.exe
1⤵
PID:3664

C:\Windows\SysWOW64\Nnjbke32.exe
C:\Windows\system32\Nnjbke32.exe
1⤵
PID:4972

C:\Windows\SysWOW64\Nklfoi32.exe
C:\Windows\system32\Nklfoi32.exe
1⤵
PID:4760

C:\Windows\SysWOW64\Nceonl32.exe
C:\Windows\system32\Nceonl32.exe
1⤵
PID:4008

C:\Windows\SysWOW64\Nacbfdao.exe
C:\Windows\system32\Nacbfdao.exe
1⤵
PID:1052

C:\Windows\SysWOW64\Njljefql.exe
C:\Windows\system32\Njljefql.exe
1⤵
- Executes dropped EXE
PID:668

C:\Windows\SysWOW64\Mcbahlip.exe
C:\Windows\system32\Mcbahlip.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4888

C:\Windows\SysWOW64\Mncmjfmk.exe
C:\Windows\system32\Mncmjfmk.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2080

C:\Windows\SysWOW64\Mjhqjg32.exe
C:\Windows\system32\Mjhqjg32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\SysWOW64\Mcnhmm32.exe
C:\Windows\system32\Mcnhmm32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Maaepd32.exe

Filesize
112KB

MD5
fb24ad9bbc6b485a736b041072e5487d

SHA1
c9b18b68def1a891bbe7e8957a99301db7ab35f4

SHA256
3f54a325a098c960fe006b006adf66ad569d280fc0cf6c3eb3b89a4e4c80302a

SHA512
1c0c9431a970acfabd2cde298a67e7a37115388da7f0bebef787ff2befc7b15311b491b629d49dfe41db92a06dadd08e400e325adf3f186567e019ac4796c1cc

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
112KB

MD5
b19ae96eec02f66f2fb96bb7aca6c927

SHA1
04e58d885980e811388e795ef7ec2d48d6e518da

SHA256
f0931dcf81699d0a27f9c73c59dc483118dbd07b70ca12ca676e33e744aef384

SHA512
140dac5dfc201b5d81523edebaa2be597b0de19bdd5229ee0b43b53d403727e113f1d788039636e17338ea4635ef78a7e8d1b8faa99dfa98b0de1d932b8570a5

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
112KB

MD5
4c9bdc307416dcfd54ad63b4ee948d03

SHA1
6b948105ffeca5192e280135ed3984cc930d81c0

SHA256
7fda55c26327b96fa527fafc5c89b77c3a2c2788c37d34749eb906bb23835e2c

SHA512
2bdf4b88366e585f22e9c3d21db24fdded7831069e097042141e539cf016ee2b1e638d490fe79585d738fe2ae24929a7c0b5820434639494213f9a651005a2d8

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
112KB

MD5
b18a578418844bcb4104075c0ec0177d

SHA1
5e7469a0faeaecf4ab737a4de0fc7226e7503324

SHA256
f8c241a25b44526d61095588d7a3d5d30915d99a55bd3d8cdd38b64a187cd5d9

SHA512
4c1c9787f6a910c8a5758ba037df1d6f64ee3e05229a7013edfcbb9dcad773dee3e1d994306acc204dab1d10315889354aeb4399101c3c26c0f74a411a6799d8

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
112KB

MD5
5e38de19c2bdb1052841a76071718071

SHA1
48f5a761c7ae36ab5e953c88e839c5b8e5985cb5

SHA256
daef4049e221adf513b120307b49f90a817f4928c31223f2166bcb48823e52ac

SHA512
d1cd181c461354c0e375d999f4a02f0a4ab1b72f49000867fc5b602dfc41d603560cc758884e649442dc5f71d0f653953d180cc69153e2d63260e1e8341dd445

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
112KB

MD5
eb726989aefc5c16a0552cd175496779

SHA1
20540e141e2eba42c99468f622a15343380d868b

SHA256
7460b23a67caa1a2d3df93314f3610b85f99c5675786cc3a117c111e96883518

SHA512
da61d85e137812324878ecb35375c522260ce1af5d14f641dc3869537c89f47204893596f9ee60f0204e2c6d94ab2256d2a04c5b27e6f8b2e96a76ec766d182e

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
112KB

MD5
f3acc999d3c36b92122806e93f216938

SHA1
3baf14fa476fcbf545238e4fba9d05777f86d66b

SHA256
bcdfff615792b20286abc133b877e099ab72c4261889af26e9e377e61a1ab0f6

SHA512
f3c7beb5bc4d1543938beb032317f90b209678ca1e8b83710e95e76b37f157ef5bd470fee4038f33ae03ae94b9c6c81f36934000995948431da026c8321c5362

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
112KB

MD5
1a98e5e8160fc9b875e2a6c44391c2d2

SHA1
91d00cb1d2c5cd4103f3622e9272801065c3c3aa

SHA256
62f6198bf179af449f22897a4ac104fecb63112d44ba9ab284ad0f49370ee629

SHA512
0cc87ac9f5f94d24ce29beb53ad39375998f910236afc7984ab7b843c93574b83f4176737045440749ae6af0ed8155a5a199c42942b77426332ad4886464d06b

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
92KB

MD5
2600685597d1ced8013d64abdd2d118d

SHA1
d2969206f97778ac7a6a0d34963b2c7f1acb3bc1

SHA256
6cdca17150d2cedbc9fec0d2f4170722efba2e0717bc6ba36fe9e369f984f74f

SHA512
db03a48102dddf2d414b54050dc224fee4cfef1a9793f20b01b2712d3d4e4d697be14d246a026c1c6ec9cb44f7b0d3180e73c2fef9b51e3fd92d7528c265a17e

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
112KB

MD5
16292353ccc17a474e9bf8d08128ccf4

SHA1
f9a2b02c203166329a304cdaed1c52a38a5174aa

SHA256
db00897b33725b15e3b9f031ce685c3a77300903b52e5f7ffe393b3d2285ae05

SHA512
facb824359b4b2a5ee1203615797b41412d4f3b47ebdb35e0f88a6584a911379a13bedbe7dd113ecade014f81979ed31779b535eb37882aa2ca483fcb3000194

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
112KB

MD5
c9a661bd92c13f12bad2fd018590915c

SHA1
5b12ac9a7c53c278cd33cf0fcc53c88c7b6b4993

SHA256
fc9d69a1952e484dc70cb31774af78a3a4cd19cddd41af01155cca7ea0878440

SHA512
3b441363a35428b902836954f94bfee3062625857e7059bff29bb9570ca06adf1865ff762855759d31a59deceb4e165e950a7270e48b4831fc5e6fe27665ef4b

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
112KB

MD5
962255b2aeac9a570086fb2d6f00cb9f

SHA1
2cdee5ff636e37bbcd9cfeb87b6b78cfc0aab8c4

SHA256
66baaa4b7e1d914b382e6e3a3c4d90342fc083eb62b207362ce1db094660b2a4

SHA512
40df78dc1ce15e6d181361b9d254de8dafb7caed3bfdee52a3501d10fcc6019203b66211ee11817a877188a6852c7920787be0e9bf7b33d717231e742f361ac6

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
112KB

MD5
d9f4fdab016e11c75f68375594662bb6

SHA1
1b13fff6bf435e63d4ec4ce229b7e9dd7e632249

SHA256
8a0d6a894f4073b2ee6eb4dd55de27079c58d1d2d11988c21a1f301d84866e33

SHA512
2f435d7550ae6828da5859bae624c36a343d29ea9bfd9c2782e59c63dd4ff57d1da17bbb52de865f3b0437e9bcf11c81277d18ece52b6ba9a112228e5a0a9aa9

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
112KB

MD5
6809fff3709cd0fc4d6da048e4904916

SHA1
0ca045123960012652f1f7ece3d88cd3777b1beb

SHA256
aca2d397f6e7de1bb7a238e90236ee02924ec39d6a987cab37797d6a390ff624

SHA512
5f7e771a207c23c845d3b15cbe4ea98e39457ffc087781d0b53bc76e29e07311c5751f75b9fc6fa918abb43749dc3c3a854c3d8bdfa71b4deecce0a078650053

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
112KB

MD5
9413ca8021387a09e8f5a04ea4f8dec2

SHA1
59ba7e943d13eca369d069a5e5d4abf0533e0cad

SHA256
d95681d5b491621d1bd96ff0bc8deaa109fa03d0110f54afc3ba1e1c4c7cc29f

SHA512
5fb4a64dbc6ff194513f149411865d48642270fb93eec9330704e75d49a00e60734ddded826d2fbda05e970f0ecc7d2db5077a22cdfa30088527e4f55597468b

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
112KB

MD5
e38a9a37509671b074881ca0e69d8d0f

SHA1
41b5bede64d134650d0d87c4dbcb4875d83d1963

SHA256
757d845c5d1d7e973d0b3720853f1091c8795e8ece9b73ee4ea0d85a2e55ad1e

SHA512
a8697cb8cbdb3abcb2fbf280b33437ae439432aa88928beb4a2c469a18548be8a1423be6f851775f65e4554994927884eff2684825692c8d0f759468e257c753

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
5KB

MD5
f03b6bea2a502a203f25d978f798c31a

SHA1
39a87dbe352743c6649b6d659df41a3fe4fe38f4

SHA256
62223c86bfd8228b8a17354dea26f0315f547e2e81b2d8d4e3825c63181a5010

SHA512
9a505eb7e7707708d86b7ff46b08908287063d2a55f52f350efcf12bddc1b9e9e5300e5118dad85297a270c1993c5392c8742d5f48ce760743ea8cab2a6c6308

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
112KB

MD5
1a6abf340d4276417985a37818dae087

SHA1
2a3a6a29afeed1773481e24a4eadb295787d8133

SHA256
dba12ef71a4e788260dd0c9cfd7547b34c37c8ecba7094969c2b3887e987a84a

SHA512
54da96cd5f46925e43b1dd5a077f01f33446912194413b9d8a137ff2c9065981e30dabb285a84b444d114d0a3c0ae13797603a8b70b256177d7e4c86b0a8b2ea

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
112KB

MD5
f301b9a126907e20f0639f552690ff5b

SHA1
b49c57693677b1b58f5354ef4191755bf695f1e2

SHA256
ef396c4c21e93df565c97a24e3f5fae82b743fa7a022098876cb4e5656b5bf1d

SHA512
cd1c5dc3cd86f0ddfe2eee408a2ecd41ecd81555c4d6bb0225b21f298b07d5c311c0829c7ef21752875970d32b6118ac006eae6f5b22ec5e7391499439e5b4e8

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
112KB

MD5
59e2873093e4913e704919bad61507fb

SHA1
2394171e056183ca3a1c2c73e50fc13599ec99f7

SHA256
c249eabbc5702cb093ecb04d904e39c45ccf4fa7f0d2c6bdb8628c44bc53ff30

SHA512
5e79359e91bb08caac0c9647dd2d54252000caf1b4626b1c106af1719e66b30f8f6849c886ed5ef2c4b2a6008b410b5b6d63f4cf8ba01f96a673c72e7e1aab7a

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
112KB

MD5
3d83b3b6eeae605367bdd18b110badd7

SHA1
935e94ebde4b8c995ef91ab831f13992a1e3f0ea

SHA256
d12015cfdb0660096c0e14148ccc9c001eaa2a7c1ee9e6c9771109c2204f02cf

SHA512
877a2a3a247741c9e9026193828e3be7708077147162158942ce07fdad42b051fc847d39cc7fbde50cfcd37dbca32b04bd420d587cd1307f14bbadcf01090853

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
92KB

MD5
e4d86ede1425ec41bc6a4520021572ac

SHA1
634f4795ebb93e0a15544023ff99148d43fdcf6e

SHA256
f55d120a1b92e075cdab48070a437bca6f7fa57234b24be5fcebf190e3a82b9a

SHA512
14bce9e6e1a0397d1aa077fd0111d420a71cad0494e9ee6945d35cafdf3c7925c0c05c71442662f3c9e3ff97a9ebbdf66d9176596c9f7a50fbf9dc80705b3388

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
112KB

MD5
dcbce1286602f3aac5ca51a2b29a7077

SHA1
0ef379e6fe2456ba651aca641ca66a609f476779

SHA256
3c31e22813d511d4f9b37ac4f1a5031cdacca8cef9655a90a3d2f3005e74f7bf

SHA512
8323e613a5f66807dd0bd611e2d566058497f2c4865f84a0ab6d574b13e17fe691a8f973740f1dadd5ad1c4097c52cac60fce7f8f124489cf7db51ac2a816904

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
112KB

MD5
b029310b78a43fc66c3f8c6d9117507c

SHA1
461d629c9fb8b3c3bf53f0e5702c160539fae2f4

SHA256
aee35222dac1ddbfc0544ebefb4b2a2bc956cfe737763dcc66fbd79358f7619d

SHA512
a2146025cabf0f4213a63c88171116046590a492757a338da390b9b45ba18e05f2083fa273379c7ae973af373c9e7bece12d2e3bf0c5d47effb51bcfe5887ea7

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
112KB

MD5
bdbd445f0b6dc9915c3367d1af9a6e71

SHA1
1c6f536803e07728f02f1f38e95773a2fb96612c

SHA256
5a89e8d27298dd1fed7e39c14cdf18612c5bccd8e9a6f54e47d1da31a8731894

SHA512
cfa42898bc5e320ef3a8ad47f4537ca24ccc7c8a8cef53320597b50126cffe1d903a0a53e8c13c2ce9ee552bac6ef0603bd3af1e5639a359c8372b2fbf91e8af

Download Submit
memory/516-202-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/516-49-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/668-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1052-95-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1180-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1180-65-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1200-29-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1660-1-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1660-86-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1660-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2080-33-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2080-204-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2260-146-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2260-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2396-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2396-138-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3100-186-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3100-187-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3236-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3236-205-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3532-190-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3532-166-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3664-195-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3664-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3980-170-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3980-189-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4008-198-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4008-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4068-153-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4068-191-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4224-41-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4224-203-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4452-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4452-206-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4700-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4700-194-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4724-178-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4724-188-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4752-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4752-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4760-106-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4760-197-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4888-199-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4888-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4972-114-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4972-196-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads