6624bd06266926f2c0edd899bcc7bc32afa9253a4811b72fcaecb1e87c11c2af

General

Target

bbc2ca16564d303949095dcfd6fd0eab.exe
Size

595KB
MD5

bbc2ca16564d303949095dcfd6fd0eab
SHA1

10b1f3c28e22daf7dbe573ddebb51f033d702fbf
SHA256

6624bd06266926f2c0edd899bcc7bc32afa9253a4811b72fcaecb1e87c11c2af
SHA512

c7ff90104b9aeeb6240e96b85206b89d8fb7381ea995658437231d3e2406cb0a11717cacf5f4baa1d8c10eb34fb3fba9fa7cb2a5edf2ef79491b19074d9f28a9
SSDEEP

12288:oJH3yHKujpV6yYPoBVgsPpV6yYPHGlElipV6yYPoBVgsPpV6yYPHGlm:o53yJWSPWHTiWSPWH5

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngdifkpi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Npagjpcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	bbc2ca16564d303949095dcfd6fd0eab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	bbc2ca16564d303949095dcfd6fd0eab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moidahcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Moidahcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdifkpi.exe

Executes dropped EXE 4 IoCs

pid	Process
2192	Moidahcn.exe
2720	Ngdifkpi.exe
2644	Npagjpcd.exe
2560	Nlhgoqhh.exe

Loads dropped DLL 12 IoCs

pid	Process
1740	bbc2ca16564d303949095dcfd6fd0eab.exe
1740	bbc2ca16564d303949095dcfd6fd0eab.exe
2192	Moidahcn.exe
2192	Moidahcn.exe
2720	Ngdifkpi.exe
2720	Ngdifkpi.exe
2644	Npagjpcd.exe
2644	Npagjpcd.exe
2444	WerFault.exe
2444	WerFault.exe
2444	WerFault.exe
2444	WerFault.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ngdifkpi.exe	Moidahcn.exe
File created	C:\Windows\SysWOW64\Fbpljhnf.dll	Moidahcn.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Npagjpcd.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Npagjpcd.exe
File created	C:\Windows\SysWOW64\Mahqjm32.dll	Ngdifkpi.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Npagjpcd.exe
File created	C:\Windows\SysWOW64\Moidahcn.exe	bbc2ca16564d303949095dcfd6fd0eab.exe
File opened for modification	C:\Windows\SysWOW64\Moidahcn.exe	bbc2ca16564d303949095dcfd6fd0eab.exe
File created	C:\Windows\SysWOW64\Mjkacaml.dll	bbc2ca16564d303949095dcfd6fd0eab.exe
File created	C:\Windows\SysWOW64\Ngdifkpi.exe	Moidahcn.exe
File created	C:\Windows\SysWOW64\Npagjpcd.exe	Ngdifkpi.exe
File opened for modification	C:\Windows\SysWOW64\Npagjpcd.exe	Ngdifkpi.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2444	2560	WerFault.exe	31

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Moidahcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	bbc2ca16564d303949095dcfd6fd0eab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	bbc2ca16564d303949095dcfd6fd0eab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Moidahcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mahqjm32.dll"	Ngdifkpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Npagjpcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	bbc2ca16564d303949095dcfd6fd0eab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngdifkpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	bbc2ca16564d303949095dcfd6fd0eab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbpljhnf.dll"	Moidahcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngdifkpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Npagjpcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	bbc2ca16564d303949095dcfd6fd0eab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjkacaml.dll"	bbc2ca16564d303949095dcfd6fd0eab.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2192	1740	bbc2ca16564d303949095dcfd6fd0eab.exe	28
PID 1740 wrote to memory of 2192	1740	bbc2ca16564d303949095dcfd6fd0eab.exe	28
PID 1740 wrote to memory of 2192	1740	bbc2ca16564d303949095dcfd6fd0eab.exe	28
PID 1740 wrote to memory of 2192	1740	bbc2ca16564d303949095dcfd6fd0eab.exe	28
PID 2192 wrote to memory of 2720	2192	Moidahcn.exe	29
PID 2192 wrote to memory of 2720	2192	Moidahcn.exe	29
PID 2192 wrote to memory of 2720	2192	Moidahcn.exe	29
PID 2192 wrote to memory of 2720	2192	Moidahcn.exe	29
PID 2720 wrote to memory of 2644	2720	Ngdifkpi.exe	30
PID 2720 wrote to memory of 2644	2720	Ngdifkpi.exe	30
PID 2720 wrote to memory of 2644	2720	Ngdifkpi.exe	30
PID 2720 wrote to memory of 2644	2720	Ngdifkpi.exe	30
PID 2644 wrote to memory of 2560	2644	Npagjpcd.exe	31
PID 2644 wrote to memory of 2560	2644	Npagjpcd.exe	31
PID 2644 wrote to memory of 2560	2644	Npagjpcd.exe	31
PID 2644 wrote to memory of 2560	2644	Npagjpcd.exe	31
PID 2560 wrote to memory of 2444	2560	Nlhgoqhh.exe	32
PID 2560 wrote to memory of 2444	2560	Nlhgoqhh.exe	32
PID 2560 wrote to memory of 2444	2560	Nlhgoqhh.exe	32
PID 2560 wrote to memory of 2444	2560	Nlhgoqhh.exe	32

C:\Users\Admin\AppData\Local\Temp\bbc2ca16564d303949095dcfd6fd0eab.exe
"C:\Users\Admin\AppData\Local\Temp\bbc2ca16564d303949095dcfd6fd0eab.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\SysWOW64\Moidahcn.exe
  C:\Windows\system32\Moidahcn.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\SysWOW64\Ngdifkpi.exe
    C:\Windows\system32\Ngdifkpi.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\SysWOW64\Npagjpcd.exe
      C:\Windows\system32\Npagjpcd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2560
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 140
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ngdifkpi.exe

Filesize
595KB

MD5
135167728e6d27b446479a7750ea97a9

SHA1
fa5fa21d76c3b7d91e87bce6bb2ff24a7be16b0c

SHA256
7504cf9efcf5c379881115130cf06aa02f0d36dde1b75ced4c3890d059966531

SHA512
6029263a0b25e2765874caa9fc62308ec6573e1bd3ec39a4d24f3a69413b47390d7c9dbb3d1445779f07958a09410e26d10429cf251e7813e13da4c2f1ff8647

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
595KB

MD5
1e98b848e51d0ab4ff555f88a4491330

SHA1
8e42276848a15967934f9a8673a16784308c14bd

SHA256
8082b97130234418609cadb74f9c22a8b0e8a80dddb4e8d0c0e8d483ccdb9ad4

SHA512
f946a43e00cf53cf401b589a12c2b00b421f04ce88af97b659026ad3f13498a4deb445b14c525a2ef77bab79843f4a0612e8c87d807bb32ee316dc67e74f6174

Download Submit
C:\Windows\SysWOW64\Npagjpcd.exe

Filesize
595KB

MD5
584985106688d7a758f57273771f1674

SHA1
089cfa0531f2529b068c284a7f18352a700a3b91

SHA256
b39c578bb0ea6ab62d6306894482c9ee73e767fedc06dc4e1052acbc210fb78a

SHA512
badcadad91ac052681e0b77ae14349227f341c06d245e9e114a409023c148c1aa623a9b6737470039ccdc7c61d1c370d58be8ea988faf49d7e9531364f787570

Download Submit
\Windows\SysWOW64\Moidahcn.exe

Filesize
595KB

MD5
82352fe91bb8519474c6fbf54adfdf70

SHA1
8a37b4f254948929f7986b8689349fb76d366ece

SHA256
87ae867ff01018cd91de3de7020f725bfc7734ec2574d084b8ecbe1bce6170d3

SHA512
061245ff8de77d51b65d91b9a031b2243ecdf3efb5d018b3f97cc97002d08ea3833fa4b4f9f5d647ea223dcfcce87465c57d1c91392124445c206393daa7dc8b

Download Submit
memory/1740-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1740-18-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/1740-6-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/1740-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2192-41-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2192-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-58-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads