0ad3267f33ad0e5d348669ec23e892563c9fe4a63ac3a7cfa4bcab658afb3e7a

General

Target

db1efaeaa6cadeacf79d827220690e83.exe
Size

80KB
MD5

db1efaeaa6cadeacf79d827220690e83
SHA1

3a651ec88a7bf3445c89027ed8be66291639d2e8
SHA256

0ad3267f33ad0e5d348669ec23e892563c9fe4a63ac3a7cfa4bcab658afb3e7a
SHA512

b2bd68568ad497d2112353a373c8dc7fcc6573866026827434fd39eb8e4705f571bc891e5529cf430b3155a0f470ec9e6cc27bb674aafe02eda17d6cf02692cc
SSDEEP

1536:HUInQtpy40P5HKgK81NAIqf/mv2LExS5DUHRbPa9b6i+sIk:HUIn0pszK81NAIau0US5DSCopsIk

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	db1efaeaa6cadeacf79d827220690e83.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	db1efaeaa6cadeacf79d827220690e83.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe

Executes dropped EXE 5 IoCs

pid	Process
872	Nnolfdcn.exe
2704	Nqmhbpba.exe
3240	Ndidbn32.exe
1376	Ncldnkae.exe
2096	Nkcmohbg.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cknpkhch.dll	db1efaeaa6cadeacf79d827220690e83.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	db1efaeaa6cadeacf79d827220690e83.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	db1efaeaa6cadeacf79d827220690e83.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nqmhbpba.exe

Program crash 1 IoCs

pid	pid_target	Process
1856	2096	WerFault.exe

Modifies registry class 18 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	db1efaeaa6cadeacf79d827220690e83.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	db1efaeaa6cadeacf79d827220690e83.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	db1efaeaa6cadeacf79d827220690e83.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	db1efaeaa6cadeacf79d827220690e83.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	db1efaeaa6cadeacf79d827220690e83.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	db1efaeaa6cadeacf79d827220690e83.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Ndidbn32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 872	2904	db1efaeaa6cadeacf79d827220690e83.exe	27
PID 2904 wrote to memory of 872	2904	db1efaeaa6cadeacf79d827220690e83.exe	27
PID 2904 wrote to memory of 872	2904	db1efaeaa6cadeacf79d827220690e83.exe	27
PID 872 wrote to memory of 2704	872	Nnolfdcn.exe	26
PID 872 wrote to memory of 2704	872	Nnolfdcn.exe	26
PID 872 wrote to memory of 2704	872	Nnolfdcn.exe	26
PID 2704 wrote to memory of 3240	2704	Nqmhbpba.exe	25
PID 2704 wrote to memory of 3240	2704	Nqmhbpba.exe	25
PID 2704 wrote to memory of 3240	2704	Nqmhbpba.exe	25
PID 3240 wrote to memory of 1376	3240	Ndidbn32.exe	24
PID 3240 wrote to memory of 1376	3240	Ndidbn32.exe	24
PID 3240 wrote to memory of 1376	3240	Ndidbn32.exe	24
PID 1376 wrote to memory of 2096	1376	Ncldnkae.exe	23
PID 1376 wrote to memory of 2096	1376	Ncldnkae.exe	23
PID 1376 wrote to memory of 2096	1376	Ncldnkae.exe	23

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2096 -ip 2096
1⤵
PID:1280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 400
1⤵
- Program crash
PID:1856

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
1⤵
- Executes dropped EXE
PID:2096

C:\Windows\SysWOW64\Ncldnkae.exe
C:\Windows\system32\Ncldnkae.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\SysWOW64\Ndidbn32.exe
C:\Windows\system32\Ndidbn32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3240

C:\Windows\SysWOW64\Nqmhbpba.exe
C:\Windows\system32\Nqmhbpba.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2704

C:\Windows\SysWOW64\Nnolfdcn.exe
C:\Windows\system32\Nnolfdcn.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:872

C:\Users\Admin\AppData\Local\Temp\db1efaeaa6cadeacf79d827220690e83.exe
"C:\Users\Admin\AppData\Local\Temp\db1efaeaa6cadeacf79d827220690e83.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
66KB

MD5
5af653d6bcae35bec56ae427e566649f

SHA1
7adfb6e8ef6705d17eab8016b72d1e774b477296

SHA256
062be854c4a2c0bba158e012178ad6e975e4b34fcc328eed47c69fff70ab8913

SHA512
5d98543061764e494d6094df32fa622f7f652df5167b86875e564c5fb7cdfc57bc41abcfafe23f3fdea335e87b8b14219d016c847fab8082a24099e7492f6603

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
80KB

MD5
794da6859aac50b4cd47ee2f064c3749

SHA1
e6341de840c1346f101fe14b000e78b88e9d6e35

SHA256
121cb92c47a404426fb0906da3e487e1bf1f2c4d60008b95b65b7420859cd1fb

SHA512
d4b0b2ae58c5e3cb130741d9a6abd77aba08bd48e665cea8105488d74b46982e51941f85c122d6c261a70758db0da768b0afd05a7deb134dbf61fb44c8c7a173

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
80KB

MD5
a476be7a124cf701e69e37de862b1701

SHA1
3e580ed83f2dcf33f2bacec2cb385103e7348ecd

SHA256
0e00b7751e818d6ef299e638302cced20015f4451a4b8188359c736c21b4ec0f

SHA512
50501b6e7505c8fc4ed35fe14402a0e66c28a89b98823e31dec751a1291e5791c0de55a21cdcbbe09ba70565b84bb4037fc78ea0f2968eb7685f7a398977fbf7

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
31KB

MD5
3e6d50aa9cf6630f4423ea1da7d419f5

SHA1
67103cba3d7d4ab0e8cb286975ee1d1a4a74a3fc

SHA256
110f27881838fb707ab39ea3dd53a8003108bc98bd92f0f0d297f09cd12dd9ec

SHA512
51e2935613afb5aab4015825db0b9f4b8700fa4922e478cf62866721667b7b27f7119e1a68cfda955ff5f38d5a79dacbf044def7b60a3172ab6bc606f9fe96ce

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
57KB

MD5
91ad5a41c628f7499f470cb40335f609

SHA1
1bf33bfafa4bccc8ac91a27dda900913903c8850

SHA256
992cfb1b87a234eb1ff6a263824f836daa537445a0ca7d2b6b5e8f368def324a

SHA512
6843aaecc0432325ee3f404a4f1afcd3755080f8f61d5d213ebd209d3a177f2183f1ef8d223bd182ecd8f001f6ea9fa7a0c9967c4c6d8dfb376080b07350dc88

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
80KB

MD5
132c0af3e31f1b33b68eb1a6530f431c

SHA1
86f81e422ba8eee791322d4ed54d364df654946e

SHA256
cfeb3f525415939664efce31238f09c8d0fae95f45c2274b3d3da0e55cd7999e

SHA512
b7849b5b0ea640393ea17a10ccefc0d0e608c4d32968280aecb87efbd7f6bf10ac5bf8d8cc97b5e6dde68c724298de2f55d389e236bfcb672e85cfb581e9483b

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
80KB

MD5
96c365f768c7493ce212d161850529e4

SHA1
b4610c0f021e1f492b28edfdb274ef4db5cff1bf

SHA256
af444ca226953bdc0f1a0276e7c387570b5ca7762fe068b5a666cbda056cf118

SHA512
9b20472a767dbec61a301b825262b684a855428a661abea5eb87ce8a2946d21760a3f4739a0a7c84105855d464936cab471c94415726b5df8e42433385a7bf88

Download Submit
memory/872-45-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/872-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1376-42-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1376-33-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2096-41-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2704-17-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2704-44-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2904-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2904-46-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2904-1-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3240-43-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3240-29-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads