fcc0ef5e5d5f90f95d6d8fa0859c9dbcf58550c970cded790cd86dd3ca152e89

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/03/2024, 01:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fcc0ef5e5d5f90f95d6d8fa0859c9dbcf58550c970cded790cd86dd3ca152e89.exe
Size

350KB
MD5

f7f20f2411e6879c98cbf52cc3e17c19
SHA1

1ca582320495756dda69fcd507556fab3ede9c9c
SHA256

fcc0ef5e5d5f90f95d6d8fa0859c9dbcf58550c970cded790cd86dd3ca152e89
SHA512

2d7e23cf6f3e7aecb98f5926b88808f20644f683d3e14df1c0fe4930b23d4ce10bbfac667d48145c93fc69fc13e3018ddf09a15c039e54f5db6739569607675f
SSDEEP

6144:Xk3eKPXfoANCH8lStpHVILifyeYVDcfflXpX6LRifyeYVDc:ieKPXfoANiHyefyeYCdXpXZfyeY

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Knklagmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpjhkjde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljkomfjl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moidahcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	fcc0ef5e5d5f90f95d6d8fa0859c9dbcf58550c970cded790cd86dd3ca152e89.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jqlhdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kocbkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngibaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lanaiahq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmapm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Modkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Moidahcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kocbkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lanaiahq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Modkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmnace32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	fcc0ef5e5d5f90f95d6d8fa0859c9dbcf58550c970cded790cd86dd3ca152e89.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knklagmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpjdjmfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmapm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmnace32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jqlhdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjhkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljkomfjl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpjdjmfp.exe

UPX dump on OEP (original entry point) 14 IoCs

resource	yara_rule
behavioral1/files/0x000e00000001221f-5.dat	UPX
behavioral1/files/0x0031000000015db1-26.dat	UPX
behavioral1/files/0x0031000000015db1-28.dat	UPX
behavioral1/files/0x000700000001622a-40.dat	UPX
behavioral1/files/0x0006000000018b42-53.dat	UPX
behavioral1/files/0x0006000000018b6a-59.dat	UPX
behavioral1/files/0x000d000000015e01-73.dat	UPX
behavioral1/files/0x0006000000018f54-90.dat	UPX
behavioral1/files/0x00050000000192f4-100.dat	UPX
behavioral1/files/0x0005000000019366-112.dat	UPX
behavioral1/files/0x000500000001938b-125.dat	UPX
behavioral1/files/0x000500000001944d-138.dat	UPX
behavioral1/files/0x0005000000019467-152.dat	UPX
behavioral1/files/0x000500000001946b-166.dat	UPX

Executes dropped EXE 13 IoCs

pid	Process
3004	Jqlhdo32.exe
2616	Kocbkk32.exe
3028	Knklagmb.exe
2448	Kpjhkjde.exe
2452	Lanaiahq.exe
2920	Ljkomfjl.exe
588	Lpjdjmfp.exe
2716	Mpmapm32.exe
2788	Modkfi32.exe
1072	Moidahcn.exe
2268	Nmnace32.exe
1956	Ngibaj32.exe
2596	Nlhgoqhh.exe

Loads dropped DLL 26 IoCs

pid	Process
1280	fcc0ef5e5d5f90f95d6d8fa0859c9dbcf58550c970cded790cd86dd3ca152e89.exe
1280	fcc0ef5e5d5f90f95d6d8fa0859c9dbcf58550c970cded790cd86dd3ca152e89.exe
3004	Jqlhdo32.exe
3004	Jqlhdo32.exe
2616	Kocbkk32.exe
2616	Kocbkk32.exe
3028	Knklagmb.exe
3028	Knklagmb.exe
2448	Kpjhkjde.exe
2448	Kpjhkjde.exe
2452	Lanaiahq.exe
2452	Lanaiahq.exe
2920	Ljkomfjl.exe
2920	Ljkomfjl.exe
588	Lpjdjmfp.exe
588	Lpjdjmfp.exe
2716	Mpmapm32.exe
2716	Mpmapm32.exe
2788	Modkfi32.exe
2788	Modkfi32.exe
1072	Moidahcn.exe
1072	Moidahcn.exe
2268	Nmnace32.exe
2268	Nmnace32.exe
1956	Ngibaj32.exe
1956	Ngibaj32.exe

Drops file in System32 directory 39 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Knklagmb.exe	Kocbkk32.exe
File created	C:\Windows\SysWOW64\Modkfi32.exe	Mpmapm32.exe
File created	C:\Windows\SysWOW64\Fibkpd32.dll	Moidahcn.exe
File created	C:\Windows\SysWOW64\Kocbkk32.exe	Jqlhdo32.exe
File created	C:\Windows\SysWOW64\Kpjhkjde.exe	Knklagmb.exe
File created	C:\Windows\SysWOW64\Ngibaj32.exe	Nmnace32.exe
File opened for modification	C:\Windows\SysWOW64\Ngibaj32.exe	Nmnace32.exe
File opened for modification	C:\Windows\SysWOW64\Knklagmb.exe	Kocbkk32.exe
File created	C:\Windows\SysWOW64\Ancjqghh.dll	Knklagmb.exe
File created	C:\Windows\SysWOW64\Lanaiahq.exe	Kpjhkjde.exe
File opened for modification	C:\Windows\SysWOW64\Lanaiahq.exe	Kpjhkjde.exe
File created	C:\Windows\SysWOW64\Moidahcn.exe	Modkfi32.exe
File created	C:\Windows\SysWOW64\Jmbckb32.dll	Nmnace32.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Ngibaj32.exe
File opened for modification	C:\Windows\SysWOW64\Jqlhdo32.exe	fcc0ef5e5d5f90f95d6d8fa0859c9dbcf58550c970cded790cd86dd3ca152e89.exe
File created	C:\Windows\SysWOW64\Ciopcmhp.dll	Jqlhdo32.exe
File opened for modification	C:\Windows\SysWOW64\Kpjhkjde.exe	Knklagmb.exe
File created	C:\Windows\SysWOW64\Malllmgi.dll	Kpjhkjde.exe
File created	C:\Windows\SysWOW64\Mpmapm32.exe	Lpjdjmfp.exe
File created	C:\Windows\SysWOW64\Olahaplc.dll	Lpjdjmfp.exe
File opened for modification	C:\Windows\SysWOW64\Kocbkk32.exe	Jqlhdo32.exe
File opened for modification	C:\Windows\SysWOW64\Lpjdjmfp.exe	Ljkomfjl.exe
File opened for modification	C:\Windows\SysWOW64\Nmnace32.exe	Moidahcn.exe
File created	C:\Windows\SysWOW64\Gkcfcoqm.dll	Ljkomfjl.exe
File opened for modification	C:\Windows\SysWOW64\Mpmapm32.exe	Lpjdjmfp.exe
File created	C:\Windows\SysWOW64\Iggbhk32.dll	Mpmapm32.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Ngibaj32.exe
File created	C:\Windows\SysWOW64\Qjfhfnim.dll	Kocbkk32.exe
File opened for modification	C:\Windows\SysWOW64\Ljkomfjl.exe	Lanaiahq.exe
File created	C:\Windows\SysWOW64\Ogikcfnb.dll	Lanaiahq.exe
File opened for modification	C:\Windows\SysWOW64\Modkfi32.exe	Mpmapm32.exe
File opened for modification	C:\Windows\SysWOW64\Moidahcn.exe	Modkfi32.exe
File created	C:\Windows\SysWOW64\Nmnace32.exe	Moidahcn.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Ngibaj32.exe
File created	C:\Windows\SysWOW64\Jqlhdo32.exe	fcc0ef5e5d5f90f95d6d8fa0859c9dbcf58550c970cded790cd86dd3ca152e89.exe
File created	C:\Windows\SysWOW64\Bdpoifde.dll	fcc0ef5e5d5f90f95d6d8fa0859c9dbcf58550c970cded790cd86dd3ca152e89.exe
File created	C:\Windows\SysWOW64\Ljkomfjl.exe	Lanaiahq.exe
File created	C:\Windows\SysWOW64\Lpjdjmfp.exe	Ljkomfjl.exe
File created	C:\Windows\SysWOW64\Mjkacaml.dll	Modkfi32.exe

Modifies registry class 42 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kocbkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpjhkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmapm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jqlhdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpjdjmfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkcfcoqm.dll"	Ljkomfjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljkomfjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmapm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jqlhdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Knklagmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kocbkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olahaplc.dll"	Lpjdjmfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmnace32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmbckb32.dll"	Nmnace32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngibaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	fcc0ef5e5d5f90f95d6d8fa0859c9dbcf58550c970cded790cd86dd3ca152e89.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopcmhp.dll"	Jqlhdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ancjqghh.dll"	Knklagmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Knklagmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Malllmgi.dll"	Kpjhkjde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Modkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Modkfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Moidahcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	fcc0ef5e5d5f90f95d6d8fa0859c9dbcf58550c970cded790cd86dd3ca152e89.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdpoifde.dll"	fcc0ef5e5d5f90f95d6d8fa0859c9dbcf58550c970cded790cd86dd3ca152e89.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	fcc0ef5e5d5f90f95d6d8fa0859c9dbcf58550c970cded790cd86dd3ca152e89.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpjhkjde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	fcc0ef5e5d5f90f95d6d8fa0859c9dbcf58550c970cded790cd86dd3ca152e89.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	fcc0ef5e5d5f90f95d6d8fa0859c9dbcf58550c970cded790cd86dd3ca152e89.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibkpd32.dll"	Moidahcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmnace32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogikcfnb.dll"	Lanaiahq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iggbhk32.dll"	Mpmapm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lanaiahq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljkomfjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpjdjmfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjkacaml.dll"	Modkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Moidahcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjfhfnim.dll"	Kocbkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lanaiahq.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 3004	1280	fcc0ef5e5d5f90f95d6d8fa0859c9dbcf58550c970cded790cd86dd3ca152e89.exe	28
PID 1280 wrote to memory of 3004	1280	fcc0ef5e5d5f90f95d6d8fa0859c9dbcf58550c970cded790cd86dd3ca152e89.exe	28
PID 1280 wrote to memory of 3004	1280	fcc0ef5e5d5f90f95d6d8fa0859c9dbcf58550c970cded790cd86dd3ca152e89.exe	28
PID 1280 wrote to memory of 3004	1280	fcc0ef5e5d5f90f95d6d8fa0859c9dbcf58550c970cded790cd86dd3ca152e89.exe	28
PID 3004 wrote to memory of 2616	3004	Jqlhdo32.exe	29
PID 3004 wrote to memory of 2616	3004	Jqlhdo32.exe	29
PID 3004 wrote to memory of 2616	3004	Jqlhdo32.exe	29
PID 3004 wrote to memory of 2616	3004	Jqlhdo32.exe	29
PID 2616 wrote to memory of 3028	2616	Kocbkk32.exe	30
PID 2616 wrote to memory of 3028	2616	Kocbkk32.exe	30
PID 2616 wrote to memory of 3028	2616	Kocbkk32.exe	30
PID 2616 wrote to memory of 3028	2616	Kocbkk32.exe	30
PID 3028 wrote to memory of 2448	3028	Knklagmb.exe	31
PID 3028 wrote to memory of 2448	3028	Knklagmb.exe	31
PID 3028 wrote to memory of 2448	3028	Knklagmb.exe	31
PID 3028 wrote to memory of 2448	3028	Knklagmb.exe	31
PID 2448 wrote to memory of 2452	2448	Kpjhkjde.exe	32
PID 2448 wrote to memory of 2452	2448	Kpjhkjde.exe	32
PID 2448 wrote to memory of 2452	2448	Kpjhkjde.exe	32
PID 2448 wrote to memory of 2452	2448	Kpjhkjde.exe	32
PID 2452 wrote to memory of 2920	2452	Lanaiahq.exe	33
PID 2452 wrote to memory of 2920	2452	Lanaiahq.exe	33
PID 2452 wrote to memory of 2920	2452	Lanaiahq.exe	33
PID 2452 wrote to memory of 2920	2452	Lanaiahq.exe	33
PID 2920 wrote to memory of 588	2920	Ljkomfjl.exe	34
PID 2920 wrote to memory of 588	2920	Ljkomfjl.exe	34
PID 2920 wrote to memory of 588	2920	Ljkomfjl.exe	34
PID 2920 wrote to memory of 588	2920	Ljkomfjl.exe	34
PID 588 wrote to memory of 2716	588	Lpjdjmfp.exe	35
PID 588 wrote to memory of 2716	588	Lpjdjmfp.exe	35
PID 588 wrote to memory of 2716	588	Lpjdjmfp.exe	35
PID 588 wrote to memory of 2716	588	Lpjdjmfp.exe	35
PID 2716 wrote to memory of 2788	2716	Mpmapm32.exe	36
PID 2716 wrote to memory of 2788	2716	Mpmapm32.exe	36
PID 2716 wrote to memory of 2788	2716	Mpmapm32.exe	36
PID 2716 wrote to memory of 2788	2716	Mpmapm32.exe	36
PID 2788 wrote to memory of 1072	2788	Modkfi32.exe	37
PID 2788 wrote to memory of 1072	2788	Modkfi32.exe	37
PID 2788 wrote to memory of 1072	2788	Modkfi32.exe	37
PID 2788 wrote to memory of 1072	2788	Modkfi32.exe	37
PID 1072 wrote to memory of 2268	1072	Moidahcn.exe	38
PID 1072 wrote to memory of 2268	1072	Moidahcn.exe	38
PID 1072 wrote to memory of 2268	1072	Moidahcn.exe	38
PID 1072 wrote to memory of 2268	1072	Moidahcn.exe	38
PID 2268 wrote to memory of 1956	2268	Nmnace32.exe	39
PID 2268 wrote to memory of 1956	2268	Nmnace32.exe	39
PID 2268 wrote to memory of 1956	2268	Nmnace32.exe	39
PID 2268 wrote to memory of 1956	2268	Nmnace32.exe	39
PID 1956 wrote to memory of 2596	1956	Ngibaj32.exe	40
PID 1956 wrote to memory of 2596	1956	Ngibaj32.exe	40
PID 1956 wrote to memory of 2596	1956	Ngibaj32.exe	40
PID 1956 wrote to memory of 2596	1956	Ngibaj32.exe	40

C:\Users\Admin\AppData\Local\Temp\fcc0ef5e5d5f90f95d6d8fa0859c9dbcf58550c970cded790cd86dd3ca152e89.exe
"C:\Users\Admin\AppData\Local\Temp\fcc0ef5e5d5f90f95d6d8fa0859c9dbcf58550c970cded790cd86dd3ca152e89.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Windows\SysWOW64\Jqlhdo32.exe
  C:\Windows\system32\Jqlhdo32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\SysWOW64\Kocbkk32.exe
    C:\Windows\system32\Kocbkk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\SysWOW64\Knklagmb.exe
      C:\Windows\system32\Knklagmb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3028
    - - C:\Windows\SysWOW64\Kpjhkjde.exe
        
        C:\Windows\system32\Kpjhkjde.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2448
      - C:\Windows\SysWOW64\Lanaiahq.exe
        
        C:\Windows\system32\Lanaiahq.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\Ljkomfjl.exe
        
        C:\Windows\system32\Ljkomfjl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Lpjdjmfp.exe
        
        C:\Windows\system32\Lpjdjmfp.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:588
        
        C:\Windows\SysWOW64\Mpmapm32.exe
        
        C:\Windows\system32\Mpmapm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Modkfi32.exe
        
        C:\Windows\system32\Modkfi32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\SysWOW64\Moidahcn.exe
        
        C:\Windows\system32\Moidahcn.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\SysWOW64\Nmnace32.exe
        
        C:\Windows\system32\Nmnace32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\Ngibaj32.exe
        
        C:\Windows\system32\Ngibaj32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        14⤵
        Executes dropped EXE
        
        PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Knklagmb.exe

Filesize
350KB

MD5
4a74bb7dbcc6d0f46f448fbc28fc493f

SHA1
2ed629bc4cfa914ee1d157b4393fd99108e16977

SHA256
2c96e8af3005cf94d01f077f906d943646538929341bb2992f85b8ab938424fa

SHA512
45e43ceed28bb43a1a8f9735063ec219f96cfd6695af6d7794738df02d01591916179571cebbc678e839d950ffd22908bfbc3fec768fc1e46ee7d6c01043a5af

Download Submit
C:\Windows\SysWOW64\Kocbkk32.exe

Filesize
350KB

MD5
85781ff476dbec2a752a63e0f93ca14b

SHA1
a188967a0a791b7084bdc20d517119a88004c7f8

SHA256
7eff53393feee1ca495bee68dc65bbb9b8e3a99c6dee25819adbb25c9d74bb56

SHA512
16206fba26e244f0499b2015c6bc1ed7dcc88f830c764efbff17f14593c209941ad5ad42c85a0cdc419d09eb8bec097bf789f2d824e2414ff0362fff03f8a310

Download Submit
C:\Windows\SysWOW64\Kocbkk32.exe

Filesize
121KB

MD5
66a00612b79bc5d5f4e13664c8c56c40

SHA1
fecfd29353e088b7dcf7201c1342ba9e263267c3

SHA256
6f2426daa11cafcedb433af8bdaa0d357ab7256d2cb0b3d16e652b6e1aba89d1

SHA512
d866e3b868c34982ba1127d8b9eecebb2f6ed54083dc4f9265d04eb69e3860798e4dcdad6d2a1d71ce61991c89c964b8b666336d8a7362d172ed3ea27519960e

Download Submit
C:\Windows\SysWOW64\Kpjhkjde.exe

Filesize
350KB

MD5
041fe62e8b7b605a23cf100dd7ca1751

SHA1
8158af63b74cdf5de37f82e7557e5cc462f2857a

SHA256
b1b8d19aa5aa1d9fcdb221dfb79fa2564fc03d8c0185724d425443b8e3f7d85c

SHA512
448463a47c4b511d672f3f904b2e79d0f2ba6ea484f89b9a6bece95816e6648f2ada5006d0d12207e0e261b39da30b6e9a86ce122f129568058d29d054941ff6

Download Submit
C:\Windows\SysWOW64\Lpjdjmfp.exe

Filesize
350KB

MD5
d518ab4a7ece914325f3336222cc11c9

SHA1
043220608b07b18acddcb060e3c96de2a2d73cfd

SHA256
33c5ff41583f834fda4c8437453f8a8abdd224c52bf1e5d3e626fbd30a094cd2

SHA512
6e1fbc148b8c24711f451afd3345d7aa5a3cb95f89d7e1694399ee3feb2635764a84448017ae92b18714ba444b54cfd9ec97d18770d4871f0c478281b1053341

Download Submit
\Windows\SysWOW64\Jqlhdo32.exe

Filesize
350KB

MD5
fd249b8bba1f9d30b1ee5f7e5b726690

SHA1
03334515054932a5e97aec6addcb98377e667f9d

SHA256
c8583dd05bdc24391e028e14d52cf1ce325e54f665936c2b82dafc0b35274d7b

SHA512
ac57d9383be4bd4d5c439e88053b66cacd0faa64393c26503bb0081f602f604b7f62d5dd1742538018afc8f41ee777906ef4e1dd3bc2b34d7007199534ca55ad

Download Submit
\Windows\SysWOW64\Lanaiahq.exe

Filesize
350KB

MD5
95d40fe71c7c4e86f106925a43cc5259

SHA1
166d606a15310073f38048f6d425cdf606649a75

SHA256
898f9f41d7a7b9e88622dcec74b62729e1fff361c16ce5fa20ec76d3aea7c75f

SHA512
34fa86df86bffb3cdec73652a05f961a7a081e913a16703d3136c8da746e9d91cd77bc50521dbeacf8566fc53e6e00680de6e5850d32fa8f383ce41006cfa915

Download Submit
\Windows\SysWOW64\Ljkomfjl.exe

Filesize
350KB

MD5
5b5d4eed5c9729b9009fba7590225288

SHA1
26aebeb3cd4c96660dce00445474c66a92c4d743

SHA256
c0d1ffa579c6141bd2be9c8ef15e68707bf63268e1059d5efa65ccc215b21991

SHA512
8e2815383f642d691b3c16d77661d87c5437678cdd3d1ca03109af9ce3b3c8b93fe6048a0c8d029a9f781af73926901723e8a4169af9105afa20d49ca85258fe

Download Submit
\Windows\SysWOW64\Modkfi32.exe

Filesize
350KB

MD5
2f2cf9981379263d667044fff14de03c

SHA1
aee0685f4179eb86c5a3397e1d25cd74e8d2065b

SHA256
bd7590783685d302eea2adc36da1acd86631f270c224b89156d02a4a48a32f31

SHA512
c49924291efcd9ec94161dfaf597970c5c7a6a1770e2c21e17a17c9f955a66880085625efc3c178dc1da67b16a2154fdc9e43166a4df5277eaaf48b5c5848b9c

Download Submit
\Windows\SysWOW64\Moidahcn.exe

Filesize
350KB

MD5
ffddc8af08454e0e9bedba06ed2e49cf

SHA1
243664c9faa1c51e02749c869425c8562fd4450e

SHA256
89ab1dfe002083c964dbdb03b31ccda0308d73b54ac64540443d0e7d22e6cf45

SHA512
784374fb801dcee4f208a024249ae3fcc98253760e5eb92ae307addbded047c8f080da890ad0f28fd80dd99318795eccfbee1ee0ca819c21561300f6ec2deecd

Download Submit
\Windows\SysWOW64\Mpmapm32.exe

Filesize
350KB

MD5
fba9d3c1e68821e8a0e67276906cc1a1

SHA1
0932325e3311c25f8bfb3f47890d877309c7d4aa

SHA256
5400b2ce3ccc6d9f747c639e4fb43f56ad92c047c28ba460d31dd0f47d6ab0f9

SHA512
20e17c86e4798103b8653df44ed4b20c5480dee3b4524a77e7de3883926cc9a7372e7c0388f3ea070958a14ab452270604bdf46793d2e215cde6dab474efeb6a

Download Submit
\Windows\SysWOW64\Ngibaj32.exe

Filesize
350KB

MD5
cc92d1c8dbc7fe11faf25f811dcf0ff2

SHA1
404cbffdddc7ec24fa5c2b2ab753955d38bf545e

SHA256
9eda1937a7b42a5056962411fc7f838dea0788d06e5e2df59b2ee529b5053c72

SHA512
04944828779baf5469b208c8b873014f7cfcf3fcd193fd81dbb269697914625febd92b9e0537d0059fa2efcc046b11b4b954a1bb862d6286133c54a14156865e

Download Submit
\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
350KB

MD5
deb6e6d678ef094db1756da6f4e34ac0

SHA1
0e96373de142ebe556a732bb53613f74d6bfa239

SHA256
ad0bae18da9b69e37f5ed2c6a034f5d301b7aea3d960196d13c9848bf27bf8d9

SHA512
eb3dc1742f7ace308ba0b70c759011aaa35de434a741e249f44aaf6f7acb97728cb624a23b3af2d4f343a61695ab9e5a1abea7dac6777ed15e7a86b18ca35899

Download Submit
\Windows\SysWOW64\Nmnace32.exe

Filesize
350KB

MD5
4b84d3d06d99876ff6da3ab0e543e66c

SHA1
f0c58dabf2aef7b12fb682290c35a38948e0b3f2

SHA256
bfaefcc3bc744cbd537f913875a8f6a5b19a4a132e357c3220f7c46be25d3197

SHA512
7ae0f9da0a8cb27a2910e6318cb18aa9ff74576ca0da27ab5bb9decb35f5047a42739e429e85788296fd7d624ec311b53f409332493ff6ccf0175d0897218c1c

Download Submit
memory/588-189-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1072-140-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1072-191-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1280-6-0x0000000000220000-0x0000000000279000-memory.dmp

Filesize
356KB

Download
memory/1280-202-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1280-14-0x0000000000220000-0x0000000000279000-memory.dmp

Filesize
356KB

Download
memory/1280-0-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1956-165-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1956-172-0x0000000000230000-0x0000000000289000-memory.dmp

Filesize
356KB

Download
memory/1956-200-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1956-187-0x0000000000230000-0x0000000000289000-memory.dmp

Filesize
356KB

Download
memory/2268-186-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2268-146-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2268-154-0x0000000000270000-0x00000000002C9000-memory.dmp

Filesize
356KB

Download
memory/2448-65-0x0000000000220000-0x0000000000279000-memory.dmp

Filesize
356KB

Download
memory/2448-197-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2452-75-0x0000000001BE0000-0x0000000001C39000-memory.dmp

Filesize
356KB

Download
memory/2452-67-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2452-190-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2596-185-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2616-35-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2616-198-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2716-119-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2716-195-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2788-127-0x00000000002D0000-0x0000000000329000-memory.dmp

Filesize
356KB

Download
memory/2788-194-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2920-193-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2920-93-0x0000000000220000-0x0000000000279000-memory.dmp

Filesize
356KB

Download
memory/2920-82-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3004-201-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3004-27-0x0000000001C50000-0x0000000001CA9000-memory.dmp

Filesize
356KB

Download
memory/3004-25-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3028-192-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3028-54-0x00000000004D0000-0x0000000000529000-memory.dmp

Filesize
356KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads