0e772e937a7efa7f25b720aedbec95e2f900c0fd665e6f893a659f90394582a7

Analysis

max time kernel
0s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
06/01/2024, 20:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1428227820d18b7a6ffdf1237779b3a1.exe
Size

107KB
MD5

1428227820d18b7a6ffdf1237779b3a1
SHA1

de3cb2b01ae00c24bae3b6fde83df55fcd39f305
SHA256

0e772e937a7efa7f25b720aedbec95e2f900c0fd665e6f893a659f90394582a7
SHA512

69e6bd143421404b4a92f7e5ff35da0b16c948fecb810efc9963f854ee937ee43f314836f6f157d51110c3f4dc1c28cd6ab5f61c0ae23a4981cbddb8a5e61946
SSDEEP

1536:AMe6sQs4goqRGcoh+n7xjmMD2LGaIZTJ+7LhkiB0MPiKeEAgHD/Chx3y:AMe69JhO6+nd4GaMU7uihJ5233y

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1428227820d18b7a6ffdf1237779b3a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1428227820d18b7a6ffdf1237779b3a1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe

Malware Dropper & Backdoor - Berbew 13 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x0006000000023217-31.dat	family_berbew
behavioral2/files/0x000600000002321c-47.dat	family_berbew
behavioral2/files/0x0006000000023220-64.dat	family_berbew
behavioral2/files/0x0006000000023224-79.dat	family_berbew
behavioral2/files/0x0006000000023228-96.dat	family_berbew
behavioral2/files/0x000600000002322c-114.dat	family_berbew
behavioral2/files/0x000600000002322a-105.dat	family_berbew
behavioral2/files/0x0006000000023226-88.dat	family_berbew
behavioral2/files/0x0006000000023222-72.dat	family_berbew
behavioral2/files/0x000600000002321e-56.dat	family_berbew
behavioral2/files/0x000600000002321a-40.dat	family_berbew
behavioral2/files/0x0006000000023215-24.dat	family_berbew
behavioral2/files/0x000300000001e982-6.dat	family_berbew

Executes dropped EXE 11 IoCs

pid	Process
1892	Ncgkcl32.exe
4224	Ngcgcjnc.exe
3968	Nkncdifl.exe
3312	Nnmopdep.exe
1532	Nbhkac32.exe
3796	Nqklmpdd.exe
4664	Ncihikcg.exe
4980	Ngedij32.exe
4944	Njcpee32.exe
4764	Nnolfdcn.exe
3268	Nqmhbpba.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	1428227820d18b7a6ffdf1237779b3a1.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	1428227820d18b7a6ffdf1237779b3a1.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	1428227820d18b7a6ffdf1237779b3a1.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Ncgkcl32.exe

Program crash 1 IoCs

pid	pid_target	Process
2736	3316	WerFault.exe

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	1428227820d18b7a6ffdf1237779b3a1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	1428227820d18b7a6ffdf1237779b3a1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	1428227820d18b7a6ffdf1237779b3a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	1428227820d18b7a6ffdf1237779b3a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	1428227820d18b7a6ffdf1237779b3a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	1428227820d18b7a6ffdf1237779b3a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 1892	2696	1428227820d18b7a6ffdf1237779b3a1.exe	36
PID 2696 wrote to memory of 1892	2696	1428227820d18b7a6ffdf1237779b3a1.exe	36
PID 2696 wrote to memory of 1892	2696	1428227820d18b7a6ffdf1237779b3a1.exe	36
PID 1892 wrote to memory of 4224	1892	Ncgkcl32.exe	35
PID 1892 wrote to memory of 4224	1892	Ncgkcl32.exe	35
PID 1892 wrote to memory of 4224	1892	Ncgkcl32.exe	35
PID 4224 wrote to memory of 3968	4224	Ngcgcjnc.exe	34
PID 4224 wrote to memory of 3968	4224	Ngcgcjnc.exe	34
PID 4224 wrote to memory of 3968	4224	Ngcgcjnc.exe	34
PID 3968 wrote to memory of 3312	3968	Nkncdifl.exe	31
PID 3968 wrote to memory of 3312	3968	Nkncdifl.exe	31
PID 3968 wrote to memory of 3312	3968	Nkncdifl.exe	31
PID 3312 wrote to memory of 1532	3312	Nnmopdep.exe	30
PID 3312 wrote to memory of 1532	3312	Nnmopdep.exe	30
PID 3312 wrote to memory of 1532	3312	Nnmopdep.exe	30
PID 1532 wrote to memory of 3796	1532	Nbhkac32.exe	29
PID 1532 wrote to memory of 3796	1532	Nbhkac32.exe	29
PID 1532 wrote to memory of 3796	1532	Nbhkac32.exe	29
PID 3796 wrote to memory of 4664	3796	Nqklmpdd.exe	28
PID 3796 wrote to memory of 4664	3796	Nqklmpdd.exe	28
PID 3796 wrote to memory of 4664	3796	Nqklmpdd.exe	28
PID 4664 wrote to memory of 4980	4664	Ncihikcg.exe	27
PID 4664 wrote to memory of 4980	4664	Ncihikcg.exe	27
PID 4664 wrote to memory of 4980	4664	Ncihikcg.exe	27
PID 4980 wrote to memory of 4944	4980	Ngedij32.exe	26
PID 4980 wrote to memory of 4944	4980	Ngedij32.exe	26
PID 4980 wrote to memory of 4944	4980	Ngedij32.exe	26
PID 4944 wrote to memory of 4764	4944	Njcpee32.exe	24
PID 4944 wrote to memory of 4764	4944	Njcpee32.exe	24
PID 4944 wrote to memory of 4764	4944	Njcpee32.exe	24
PID 4764 wrote to memory of 3268	4764	Nnolfdcn.exe	23
PID 4764 wrote to memory of 3268	4764	Nnolfdcn.exe	23
PID 4764 wrote to memory of 3268	4764	Nnolfdcn.exe	23

C:\Users\Admin\AppData\Local\Temp\1428227820d18b7a6ffdf1237779b3a1.exe
"C:\Users\Admin\AppData\Local\Temp\1428227820d18b7a6ffdf1237779b3a1.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\SysWOW64\Ncgkcl32.exe
  C:\Windows\system32\Ncgkcl32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3316 -ip 3316
1⤵
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3316 -s 404
1⤵
- Program crash
PID:2736

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
1⤵
PID:3316

C:\Windows\SysWOW64\Ncldnkae.exe
C:\Windows\system32\Ncldnkae.exe
1⤵
PID:3520

C:\Windows\SysWOW64\Ndidbn32.exe
C:\Windows\system32\Ndidbn32.exe
1⤵
PID:312

C:\Windows\SysWOW64\Nqmhbpba.exe
C:\Windows\system32\Nqmhbpba.exe
1⤵
- Executes dropped EXE
PID:3268

C:\Windows\SysWOW64\Nnolfdcn.exe
C:\Windows\system32\Nnolfdcn.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4764

C:\Windows\SysWOW64\Njcpee32.exe
C:\Windows\system32\Njcpee32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4944

C:\Windows\SysWOW64\Ngedij32.exe
C:\Windows\system32\Ngedij32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4980

C:\Windows\SysWOW64\Ncihikcg.exe
C:\Windows\system32\Ncihikcg.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4664

C:\Windows\SysWOW64\Nqklmpdd.exe
C:\Windows\system32\Nqklmpdd.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3796

C:\Windows\SysWOW64\Nbhkac32.exe
C:\Windows\system32\Nbhkac32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\SysWOW64\Nnmopdep.exe
C:\Windows\system32\Nnmopdep.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3312

C:\Windows\SysWOW64\Nkncdifl.exe
C:\Windows\system32\Nkncdifl.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3968

C:\Windows\SysWOW64\Ngcgcjnc.exe
C:\Windows\system32\Ngcgcjnc.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
107KB

MD5
b3d5db05ef62671da414b056478344c3

SHA1
b694fb434aa600479a20ca7aec492b541ddab589

SHA256
28b4c7891c71f5e4f9927230a9759538381d3025d6a12f0315fd2255364dbbb4

SHA512
60d9d6e580aa21135061f408c6deb9d33b4c5ad597c4d100f10c593fbd8ca9868afd6ad1d696529e285c62d9e17870eeb0ad4986f2d86300060f936d0e3917fa

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
98KB

MD5
16fdb35fb502e6ad9c6e86ba32de5b98

SHA1
06af6e5da7d771c2786b5b3b2eeb41a150176ffc

SHA256
654e859989dd2d9fa269581ae4a62b77b75a2cd8aefb40e877361009b88aa827

SHA512
a94bf0c374734a38c71deb6d7c201b6caccbf4541d51b8ea2ac6f4f8808673da90a3e117cb49c28e43118f971e76fe387729429e6bd9b4ffb2a48058d1618cb2

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
107KB

MD5
26cd506db3c1d72ca1bb9393a5237f22

SHA1
7d5344c453708f957d44e4195fa2367f23296588

SHA256
daf9ed36c0b16b483083c5b26fd2791713cab8e8956a0d0bd5ea558ce50b01b6

SHA512
0d797c96c4fe42b29c3165db5993f5bbffabef644ff8794a92e15f6f086f73afd5662c15566d459f80e57316a7bdeb5cc8e3b91206e41dd9215b507b6d785e6b

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
107KB

MD5
3b681caecae35043113c1b3084d905f1

SHA1
880e3573981388ba6a1807f9d152a83209cf666f

SHA256
ec137c4963a5bff507fd71ce0839cf6a56f434f31af0e548fccb33c3a9db8cfc

SHA512
350a3c706169f34ffd57d79fa3b4bec6a84275c5cdd7429d6ded514977b2dd1330ee53032d06d3d93a4b93122759c622c48edfde7e46d50291270470c21aef1c

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
107KB

MD5
d5089eb22dec213015c19fd9ebe2618c

SHA1
2411dae8dbdb690b69ef8fefaafda2d2ae00e037

SHA256
c05e9e0634476689ed5eee26eae2e9256041af965085390ec5e886da44b3a60d

SHA512
4b90535b44e2b49dd177c019b74388055bbc8fa7797e7008c9f86ec7a4bb4f11703264e99c734bc22947799cb8f307f67c673d409e495ab9585f9f030901fa7b

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
107KB

MD5
9969917c23b5bc82459fadb18f7a7aeb

SHA1
a219deb6579557fa1bc6ba7ae6dd56623acae026

SHA256
3d45455e118df89a000d6b072509145ff341d59076fa2dc18c5a77fca81389f0

SHA512
4997817f199e700e6be491252827fed2130aa1f35ce84a6965a74c29127f717ccf8bc259167e1339c7d175ace6adf80b70ef208367a99c9e783e6b143aa59305

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
107KB

MD5
453e393ed9460eb73186926c66fe58f7

SHA1
8b94cbb2b37ac8ff624c3c0a073c418bd003c12f

SHA256
86cf5170c292cabf537749c8b6ec05889ac5bfa274769f3c6e7c77221cc926c6

SHA512
76ba39352a66c5b4b32a971b4d45a5e5178078b800148b36f10315de12d4b8fe605c7c671fc5ebfaef9a1849b9779acdb5df0ca1b8a7bb216277d69d90533197

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
107KB

MD5
341d2c9d99eb8e00689032c28db6f54d

SHA1
d729ec664e98766da09d77c20b406e27394bffb1

SHA256
05e47f5ce21ac80aba92f01a44ac630b01cd860e7eaf021c416e3a1efe4958d0

SHA512
8cf91991d86b151dab0fbaa6e6598c5d04eba1bc1693474d28214f9b26f6889dc67ff16bd0ea117acfefa880ac810391a0c0b314a7509c6b90942909d57ba1c5

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
107KB

MD5
4f51468d4e8a575848b1969af0633171

SHA1
7387c2680940d0cf49b7b18ce66c1950e463b652

SHA256
755a75683131ed12f61a7f23596fa1f79e656bc999f7d51aa50926806bb88bc0

SHA512
f19e63b9c010031f0b7789b4823dbddc92d7ec72c9a70e621dd51d9170ff93508867e435feaa86b0664fa9e8ff9343b2e1809ad2b7ff8eca5eaac70f11480cdc

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
107KB

MD5
e5079a4d55c6e4c6e22b1e629fd881cf

SHA1
e779d7b1e609d8b2df4fad916577cadae0c77772

SHA256
078a5cd3521c7e9745ef386b3bd9c6690e3b6f0bca920cde902def13fa2d79c4

SHA512
f737576847e5eae6be63bcaab9c8d97c33d27ff7d8a3889a9de78aea79951d47c8c7ad354b8906edf8c0f68ed759733dab5dbf01eedfd7eb16a741506b8fc251

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
107KB

MD5
6539b18f27c8e031d3fc5cf309cb9ebf

SHA1
b363bcf85e243dbeced37fce5eace985c44df9e1

SHA256
1b05b4bb0344749e5faa6fd8608bdf6888016d4b4403895325999e7245bb2653

SHA512
82d4c245cbf69f4111735ddbffc7ebe2894cf35b6d360de51b2efa7f0aadae996cd0b4b4579d9c4ebde4db181aee3a406d36d046e60098a7c9bbd9cafedb13b2

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
107KB

MD5
b9e920ffad8c92343b1d8e981cefd20b

SHA1
28124cbe1aae7ef7df4e54c988127a2681c70070

SHA256
3dc98223144ea888540a3adaa74bfadfb34d488d90dd2f43878e1764977ed451

SHA512
e4dd0d45148daeac56baf3a131c064254a1a890ebbf4d848605523c876eae7d4383264847b9137e3195e03203c2394bef868f565aef16aa9c24528802f0ec63e

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
107KB

MD5
23165afc96d1a60c94284f40e1fa718a

SHA1
dd1f82272c0a922eb520bf3bf502fd199886c2fe

SHA256
fedd1ed902e24e8a984900448db7cb99894aff404d6b186749326437726bf4af

SHA512
e2bea4be3aebb3da8808e87b0438df99a4a5c3eacc548222793ebae70d8813b36cf9bcd6cfd1c37b5ae4f171081c4dd524e415e8fa4e26dfe6d35cf2def540c6

Download Submit
memory/312-102-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1532-45-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1892-89-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1892-9-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2696-7-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2696-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3268-118-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3268-90-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3312-33-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3312-115-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3316-116-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3520-107-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3520-117-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3796-49-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3796-122-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3968-29-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3968-106-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4224-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4664-61-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4764-119-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4764-81-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4944-121-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4944-73-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4980-120-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4980-65-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads