f749c6f352a2d93a4698bd1607e1a6a873563596ce442c518215e1f4ffc1fcc3

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/03/2024, 10:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f749c6f352a2d93a4698bd1607e1a6a873563596ce442c518215e1f4ffc1fcc3.exe
Size

380KB
MD5

4747049816e4e8b4a29d8b936558a2f0
SHA1

db96d3642624b458cd3d6ae4d99a6925046eaf66
SHA256

f749c6f352a2d93a4698bd1607e1a6a873563596ce442c518215e1f4ffc1fcc3
SHA512

1b6917d25ba28d3c5c8a5f5ec2c688d8f1b4469036c948c57030fbab800e8629b7479fe241db706a10f37c7152a7b98dc6bd3a4eb5319e0af8b8f8566e2d348f
SSDEEP

6144:Pdfuk03DNCN9Otopg5tTDUZNSN58VU5tTvnVn5tTDUZNSN58Vh:PdfWAOtoq5t6NSN6G5tbt5t6NSN6T

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlhkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Magqncba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmpnhdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nodgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Labkdack.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfbpag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meijhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Melfncqb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Magqncba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f749c6f352a2d93a4698bd1607e1a6a873563596ce442c518215e1f4ffc1fcc3.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Labkdack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfbpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmpnhdfc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nodgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	f749c6f352a2d93a4698bd1607e1a6a873563596ce442c518215e1f4ffc1fcc3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Meijhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Melfncqb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhkpm32.exe

Executes dropped EXE 9 IoCs

pid	Process
2316	Labkdack.exe
2596	Lfbpag32.exe
2664	Meijhc32.exe
2836	Melfncqb.exe
2512	Mlhkpm32.exe
2424	Magqncba.exe
1308	Nmpnhdfc.exe
528	Nodgel32.exe
2724	Nlhgoqhh.exe

Loads dropped DLL 22 IoCs

pid	Process
1688	f749c6f352a2d93a4698bd1607e1a6a873563596ce442c518215e1f4ffc1fcc3.exe
1688	f749c6f352a2d93a4698bd1607e1a6a873563596ce442c518215e1f4ffc1fcc3.exe
2316	Labkdack.exe
2316	Labkdack.exe
2596	Lfbpag32.exe
2596	Lfbpag32.exe
2664	Meijhc32.exe
2664	Meijhc32.exe
2836	Melfncqb.exe
2836	Melfncqb.exe
2512	Mlhkpm32.exe
2512	Mlhkpm32.exe
2424	Magqncba.exe
2424	Magqncba.exe
1308	Nmpnhdfc.exe
1308	Nmpnhdfc.exe
528	Nodgel32.exe
528	Nodgel32.exe
2480	WerFault.exe
2480	WerFault.exe
2480	WerFault.exe
2480	WerFault.exe

Drops file in System32 directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nodgel32.exe
File created	C:\Windows\SysWOW64\Daifmohp.dll	Lfbpag32.exe
File created	C:\Windows\SysWOW64\Cnjgia32.dll	Nmpnhdfc.exe
File created	C:\Windows\SysWOW64\Elonamqm.dll	Mlhkpm32.exe
File created	C:\Windows\SysWOW64\Djdfhjik.dll	Meijhc32.exe
File created	C:\Windows\SysWOW64\Magqncba.exe	Mlhkpm32.exe
File opened for modification	C:\Windows\SysWOW64\Nmpnhdfc.exe	Magqncba.exe
File created	C:\Windows\SysWOW64\Melfncqb.exe	Meijhc32.exe
File created	C:\Windows\SysWOW64\Khqpfa32.dll	Labkdack.exe
File opened for modification	C:\Windows\SysWOW64\Meijhc32.exe	Lfbpag32.exe
File created	C:\Windows\SysWOW64\Nmpnhdfc.exe	Magqncba.exe
File created	C:\Windows\SysWOW64\Lmnppf32.dll	Magqncba.exe
File opened for modification	C:\Windows\SysWOW64\Nodgel32.exe	Nmpnhdfc.exe
File created	C:\Windows\SysWOW64\Labkdack.exe	f749c6f352a2d93a4698bd1607e1a6a873563596ce442c518215e1f4ffc1fcc3.exe
File created	C:\Windows\SysWOW64\Lfbpag32.exe	Labkdack.exe
File created	C:\Windows\SysWOW64\Meijhc32.exe	Lfbpag32.exe
File opened for modification	C:\Windows\SysWOW64\Mlhkpm32.exe	Melfncqb.exe
File opened for modification	C:\Windows\SysWOW64\Magqncba.exe	Mlhkpm32.exe
File created	C:\Windows\SysWOW64\Nodgel32.exe	Nmpnhdfc.exe
File opened for modification	C:\Windows\SysWOW64\Labkdack.exe	f749c6f352a2d93a4698bd1607e1a6a873563596ce442c518215e1f4ffc1fcc3.exe
File opened for modification	C:\Windows\SysWOW64\Melfncqb.exe	Meijhc32.exe
File created	C:\Windows\SysWOW64\Mgecadnb.dll	Melfncqb.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Nodgel32.exe
File opened for modification	C:\Windows\SysWOW64\Lfbpag32.exe	Labkdack.exe
File created	C:\Windows\SysWOW64\Mlhkpm32.exe	Melfncqb.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nodgel32.exe
File created	C:\Windows\SysWOW64\Aepjgc32.dll	f749c6f352a2d93a4698bd1607e1a6a873563596ce442c518215e1f4ffc1fcc3.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2480	2724	WerFault.exe	36

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aepjgc32.dll"	f749c6f352a2d93a4698bd1607e1a6a873563596ce442c518215e1f4ffc1fcc3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlhkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmpnhdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Nodgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nodgel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	f749c6f352a2d93a4698bd1607e1a6a873563596ce442c518215e1f4ffc1fcc3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daifmohp.dll"	Lfbpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Magqncba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	f749c6f352a2d93a4698bd1607e1a6a873563596ce442c518215e1f4ffc1fcc3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Meijhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Melfncqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Melfncqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Magqncba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmnppf32.dll"	Magqncba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Labkdack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfbpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Meijhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnjgia32.dll"	Nmpnhdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nodgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khqpfa32.dll"	Labkdack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Labkdack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgecadnb.dll"	Melfncqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlhkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elonamqm.dll"	Mlhkpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmpnhdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	f749c6f352a2d93a4698bd1607e1a6a873563596ce442c518215e1f4ffc1fcc3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	f749c6f352a2d93a4698bd1607e1a6a873563596ce442c518215e1f4ffc1fcc3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djdfhjik.dll"	Meijhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	f749c6f352a2d93a4698bd1607e1a6a873563596ce442c518215e1f4ffc1fcc3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfbpag32.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2316	1688	f749c6f352a2d93a4698bd1607e1a6a873563596ce442c518215e1f4ffc1fcc3.exe	28
PID 1688 wrote to memory of 2316	1688	f749c6f352a2d93a4698bd1607e1a6a873563596ce442c518215e1f4ffc1fcc3.exe	28
PID 1688 wrote to memory of 2316	1688	f749c6f352a2d93a4698bd1607e1a6a873563596ce442c518215e1f4ffc1fcc3.exe	28
PID 1688 wrote to memory of 2316	1688	f749c6f352a2d93a4698bd1607e1a6a873563596ce442c518215e1f4ffc1fcc3.exe	28
PID 2316 wrote to memory of 2596	2316	Labkdack.exe	29
PID 2316 wrote to memory of 2596	2316	Labkdack.exe	29
PID 2316 wrote to memory of 2596	2316	Labkdack.exe	29
PID 2316 wrote to memory of 2596	2316	Labkdack.exe	29
PID 2596 wrote to memory of 2664	2596	Lfbpag32.exe	30
PID 2596 wrote to memory of 2664	2596	Lfbpag32.exe	30
PID 2596 wrote to memory of 2664	2596	Lfbpag32.exe	30
PID 2596 wrote to memory of 2664	2596	Lfbpag32.exe	30
PID 2664 wrote to memory of 2836	2664	Meijhc32.exe	31
PID 2664 wrote to memory of 2836	2664	Meijhc32.exe	31
PID 2664 wrote to memory of 2836	2664	Meijhc32.exe	31
PID 2664 wrote to memory of 2836	2664	Meijhc32.exe	31
PID 2836 wrote to memory of 2512	2836	Melfncqb.exe	32
PID 2836 wrote to memory of 2512	2836	Melfncqb.exe	32
PID 2836 wrote to memory of 2512	2836	Melfncqb.exe	32
PID 2836 wrote to memory of 2512	2836	Melfncqb.exe	32
PID 2512 wrote to memory of 2424	2512	Mlhkpm32.exe	33
PID 2512 wrote to memory of 2424	2512	Mlhkpm32.exe	33
PID 2512 wrote to memory of 2424	2512	Mlhkpm32.exe	33
PID 2512 wrote to memory of 2424	2512	Mlhkpm32.exe	33
PID 2424 wrote to memory of 1308	2424	Magqncba.exe	34
PID 2424 wrote to memory of 1308	2424	Magqncba.exe	34
PID 2424 wrote to memory of 1308	2424	Magqncba.exe	34
PID 2424 wrote to memory of 1308	2424	Magqncba.exe	34
PID 1308 wrote to memory of 528	1308	Nmpnhdfc.exe	35
PID 1308 wrote to memory of 528	1308	Nmpnhdfc.exe	35
PID 1308 wrote to memory of 528	1308	Nmpnhdfc.exe	35
PID 1308 wrote to memory of 528	1308	Nmpnhdfc.exe	35
PID 528 wrote to memory of 2724	528	Nodgel32.exe	36
PID 528 wrote to memory of 2724	528	Nodgel32.exe	36
PID 528 wrote to memory of 2724	528	Nodgel32.exe	36
PID 528 wrote to memory of 2724	528	Nodgel32.exe	36
PID 2724 wrote to memory of 2480	2724	Nlhgoqhh.exe	37
PID 2724 wrote to memory of 2480	2724	Nlhgoqhh.exe	37
PID 2724 wrote to memory of 2480	2724	Nlhgoqhh.exe	37
PID 2724 wrote to memory of 2480	2724	Nlhgoqhh.exe	37

C:\Users\Admin\AppData\Local\Temp\f749c6f352a2d93a4698bd1607e1a6a873563596ce442c518215e1f4ffc1fcc3.exe
"C:\Users\Admin\AppData\Local\Temp\f749c6f352a2d93a4698bd1607e1a6a873563596ce442c518215e1f4ffc1fcc3.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\SysWOW64\Labkdack.exe
  C:\Windows\system32\Labkdack.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\SysWOW64\Lfbpag32.exe
    C:\Windows\system32\Lfbpag32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\SysWOW64\Meijhc32.exe
      C:\Windows\system32\Meijhc32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Windows\SysWOW64\Melfncqb.exe
        
        C:\Windows\system32\Melfncqb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2836
      - C:\Windows\SysWOW64\Mlhkpm32.exe
        
        C:\Windows\system32\Mlhkpm32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\SysWOW64\Magqncba.exe
        
        C:\Windows\system32\Magqncba.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Nmpnhdfc.exe
        
        C:\Windows\system32\Nmpnhdfc.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Windows\SysWOW64\Nodgel32.exe
        
        C:\Windows\system32\Nodgel32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:528
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 140
        11⤵
        Loads dropped DLL
        Program crash
        
        PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Lfbpag32.exe

Filesize
380KB

MD5
d00d5540e09cdef63695abf1261e1400

SHA1
e6dadd3d7eabfa352eec74e15f9b5047b7a99758

SHA256
fdef482896c105e86c2d440ee323fc7f04eb059a0758c34ad32c23a2cce7a97a

SHA512
4047ecbde6d86c52ea00d8912f1f9abf70db915f3fd337d1493ec1f0e88f08f504fed303370063a61305189502a7d777615811ce30211f35f811f884f17c5e60

Download Submit
C:\Windows\SysWOW64\Nodgel32.exe

Filesize
380KB

MD5
2196de2e2f38af5bfb360b0e2d46effb

SHA1
e6128eddf810e7f3f191bab9c9aec3b79b0b0e1f

SHA256
667da4e983c443d357fbebe7e665d00153fe2d491994e20e56754fc37076f820

SHA512
25c8e2a22641b4fb03c627c825c4236311dcb0f993ecbdbde62fdca7fb0b099a8c04edb3aaa0c2f530a66318f4609ce104b1471ebe43af986cda715ac1738c00

Download Submit
\Windows\SysWOW64\Labkdack.exe

Filesize
380KB

MD5
7748449c2b14b4b85157670d5570cef9

SHA1
637d8a0e1d00992a63bba7f302c8d9078e6728b4

SHA256
851429de8f6a6fcb571adace9bc9f2ff7b8fa8acb40fb8755bf38c678af0fd8b

SHA512
8e7ca48cf54f0324eca6dd962394a16776487b8046b6034072e7524e5cc492053693d26afc325ef6475127196702d52ee79544bd15fc998a8395f449e390e8fb

Download Submit
\Windows\SysWOW64\Magqncba.exe

Filesize
380KB

MD5
e11987c409bf4924c1ea6254f154283a

SHA1
89e5b2e3830a5ce0f0f161a1f4b49803a06c82b6

SHA256
8dd6029351c687a2a022135be23275e790cd008a0a5a144554c43ae9376aebb9

SHA512
723aa42110366da122866d0b96b85455d8ad3d60f30a8e45b5ada04582228df6e9efb9906c00eb6d66cf568e48f0874fa994e14faaeb65ed73c357c1f8d172ca

Download Submit
\Windows\SysWOW64\Meijhc32.exe

Filesize
380KB

MD5
283c1e339d76e18eebea85d9bcc79aba

SHA1
8f1a81cca56d5a2de8ad4961b5eca042c3e61ea2

SHA256
c096527d540019d72ab845d442355fc561bfd8e92a6adcde659a5aa618ef38eb

SHA512
9060f093b2b49a0fb5f29228fa08685b242d9a7bf73f6b83fd87566180591f0b82b9a2d8a78b7abbeb75b140ca6c7b9b70615ec8b4f16d4a29392e1e2215ba84

Download Submit
\Windows\SysWOW64\Melfncqb.exe

Filesize
380KB

MD5
139c18710324bda1b1c4498f883c9869

SHA1
0109a2a46eb74a3863f78bb8df161060ff6cde92

SHA256
74090192560be2d4fc1283b2452e517a4472155dbcedba4c3545ccd6281b0172

SHA512
e00cd6a2cdb3a6f0bddc0849be0c6d737f6f500fb11aeea25d32f9843b16ace4300df6101f1825d0616b03693717fc3f884b290a86566d87e61386a0ae7cec4c

Download Submit
\Windows\SysWOW64\Mlhkpm32.exe

Filesize
380KB

MD5
b2b44149b41cdbf33d5161850c8dcf7e

SHA1
01eee5fe03d1084c92b9456cde749b64a78c3a84

SHA256
260a0731c00a72877c2d95a215ebebaba2426730bcb19b52c2dbece3fb8fb0ea

SHA512
844db9ef4f9d2c919d5f91e2e997f81cce106dbe7e7120a69b5d1d224f448eca564802d78cf97eeecb70884a5c6fa82d1dd29b192b436ab74f3968c4e3061aec

Download Submit
\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
380KB

MD5
26f1e39752dfc622fc8aad0c85281f08

SHA1
25ccad767500be6e5d6ba697e0fecbf993f094d9

SHA256
d1dcea883a53b6eab96167d7a45b6d2d60743f4dfb17a92d018a4347ba6a55d4

SHA512
ce2544dd9d74640b1759121743e94374798d54a67f99513771031c15d505e7416000ebe367d2908d41427457b0a796d482a28a1f826f9cd0366d16e39ed7b6f5

Download Submit
\Windows\SysWOW64\Nmpnhdfc.exe

Filesize
380KB

MD5
cf444264ba1d87253387405953cae6c7

SHA1
148ac8d563b20c8a1593e6c85b87269bca659aa7

SHA256
4bae495b7d1cffadf6b1bca60b84ebd809a8be1b5d82074fdc262ff52be4aac8

SHA512
409648416eb24ab0d7b0bdcecfbcb593199f6e0525d978b7054ae7d3e3a428b7c7926008983e86e7ddd1a6e9f5d4b56900190370e87420fd0305ef5ad4f870aa

Download Submit
memory/528-133-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/528-108-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1308-132-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1308-100-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1688-126-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1688-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1688-6-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2316-18-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2316-32-0x00000000003C0000-0x00000000003FF000-memory.dmp

Filesize
252KB

Download
memory/2316-127-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2424-87-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2512-131-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2512-68-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2512-76-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2596-128-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2596-26-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2596-34-0x00000000002A0000-0x00000000002DF000-memory.dmp

Filesize
252KB

Download
memory/2664-41-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2664-129-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2724-121-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2836-130-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2836-54-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2836-62-0x00000000002B0000-0x00000000002EF000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads