30b187e9c8b2dd514d1cdcf5a35f8d72fe6b4918e088811f4c03d33fea2b07c6

Analysis

max time kernel
150s
max time network
128s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 20:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30b187e9c8b2dd514d1cdcf5a35f8d72fe6b4918e088811f4c03d33fea2b07c6.exe
Size

141KB
MD5

1a8c351d87f4441d13f53e0bbe322ec6
SHA1

f104a78d537c917931c9852664aa558893695d80
SHA256

30b187e9c8b2dd514d1cdcf5a35f8d72fe6b4918e088811f4c03d33fea2b07c6
SHA512

8b0fde557afdb022a2b58c03b8c9c826b62750b3ec9785555aef5a346f8506e3454da751b033603ca6b18cd8b933f79ae1b620a67c27ad8fe58932caa4de76be
SSDEEP

3072:TnEe6aEXUyKVu3Tjz6FQwQ9bGCmBJFWpoPSkGFj/p7sW0l:T36UDYmFQN9bGCKJFtE/JK

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Modkfi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpjqiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmgocb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lccdel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mapjmehi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Modkfi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpjdjmfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpjdjmfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmpnhdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mapjmehi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maedhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmbknddp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmgocb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lccdel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbkmlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbkmlh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmpnhdfc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmbknddp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	30b187e9c8b2dd514d1cdcf5a35f8d72fe6b4918e088811f4c03d33fea2b07c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	30b187e9c8b2dd514d1cdcf5a35f8d72fe6b4918e088811f4c03d33fea2b07c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maedhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpjqiq32.exe

Executes dropped EXE 11 IoCs

pid	Process
1092	Lmgocb32.exe
2520	Lccdel32.exe
2564	Lpjdjmfp.exe
2708	Mbkmlh32.exe
2548	Mapjmehi.exe
1896	Modkfi32.exe
2720	Maedhd32.exe
2724	Mpjqiq32.exe
1060	Nmpnhdfc.exe
1784	Nmbknddp.exe
860	Nlhgoqhh.exe

Loads dropped DLL 22 IoCs

pid	Process
2216	30b187e9c8b2dd514d1cdcf5a35f8d72fe6b4918e088811f4c03d33fea2b07c6.exe
2216	30b187e9c8b2dd514d1cdcf5a35f8d72fe6b4918e088811f4c03d33fea2b07c6.exe
1092	Lmgocb32.exe
1092	Lmgocb32.exe
2520	Lccdel32.exe
2520	Lccdel32.exe
2564	Lpjdjmfp.exe
2564	Lpjdjmfp.exe
2708	Mbkmlh32.exe
2708	Mbkmlh32.exe
2548	Mapjmehi.exe
2548	Mapjmehi.exe
1896	Modkfi32.exe
1896	Modkfi32.exe
2720	Maedhd32.exe
2720	Maedhd32.exe
2724	Mpjqiq32.exe
2724	Mpjqiq32.exe
1060	Nmpnhdfc.exe
1060	Nmpnhdfc.exe
1784	Nmbknddp.exe
1784	Nmbknddp.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Maedhd32.exe	Modkfi32.exe
File opened for modification	C:\Windows\SysWOW64\Nmpnhdfc.exe	Mpjqiq32.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nmbknddp.exe
File opened for modification	C:\Windows\SysWOW64\Mapjmehi.exe	Mbkmlh32.exe
File created	C:\Windows\SysWOW64\Ecfmdf32.dll	Mbkmlh32.exe
File created	C:\Windows\SysWOW64\Dlfdghbq.dll	30b187e9c8b2dd514d1cdcf5a35f8d72fe6b4918e088811f4c03d33fea2b07c6.exe
File created	C:\Windows\SysWOW64\Iggbhk32.dll	Mapjmehi.exe
File opened for modification	C:\Windows\SysWOW64\Mpjqiq32.exe	Maedhd32.exe
File created	C:\Windows\SysWOW64\Nmpnhdfc.exe	Mpjqiq32.exe
File created	C:\Windows\SysWOW64\Ngoohnkj.dll	Nmpnhdfc.exe
File opened for modification	C:\Windows\SysWOW64\Lpjdjmfp.exe	Lccdel32.exe
File created	C:\Windows\SysWOW64\Mpjqiq32.exe	Maedhd32.exe
File opened for modification	C:\Windows\SysWOW64\Mbkmlh32.exe	Lpjdjmfp.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Nmbknddp.exe
File created	C:\Windows\SysWOW64\Modkfi32.exe	Mapjmehi.exe
File created	C:\Windows\SysWOW64\Lmnppf32.dll	Mpjqiq32.exe
File created	C:\Windows\SysWOW64\Nmbknddp.exe	Nmpnhdfc.exe
File opened for modification	C:\Windows\SysWOW64\Lmgocb32.exe	30b187e9c8b2dd514d1cdcf5a35f8d72fe6b4918e088811f4c03d33fea2b07c6.exe
File created	C:\Windows\SysWOW64\Lpjdjmfp.exe	Lccdel32.exe
File created	C:\Windows\SysWOW64\Lmgocb32.exe	30b187e9c8b2dd514d1cdcf5a35f8d72fe6b4918e088811f4c03d33fea2b07c6.exe
File created	C:\Windows\SysWOW64\Mbkmlh32.exe	Lpjdjmfp.exe
File created	C:\Windows\SysWOW64\Gkcfcoqm.dll	Lccdel32.exe
File created	C:\Windows\SysWOW64\Almjnp32.dll	Lpjdjmfp.exe
File created	C:\Windows\SysWOW64\Mapjmehi.exe	Mbkmlh32.exe
File created	C:\Windows\SysWOW64\Maedhd32.exe	Modkfi32.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nmbknddp.exe
File opened for modification	C:\Windows\SysWOW64\Lccdel32.exe	Lmgocb32.exe
File created	C:\Windows\SysWOW64\Fdbnmk32.dll	Lmgocb32.exe
File created	C:\Windows\SysWOW64\Macalohk.dll	Modkfi32.exe
File created	C:\Windows\SysWOW64\Gfkdmglc.dll	Maedhd32.exe
File opened for modification	C:\Windows\SysWOW64\Nmbknddp.exe	Nmpnhdfc.exe
File created	C:\Windows\SysWOW64\Lccdel32.exe	Lmgocb32.exe
File opened for modification	C:\Windows\SysWOW64\Modkfi32.exe	Mapjmehi.exe

Modifies registry class 36 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Modkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmpnhdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpjdjmfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Modkfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	30b187e9c8b2dd514d1cdcf5a35f8d72fe6b4918e088811f4c03d33fea2b07c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfkdmglc.dll"	Maedhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iggbhk32.dll"	Mapjmehi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mapjmehi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlfdghbq.dll"	30b187e9c8b2dd514d1cdcf5a35f8d72fe6b4918e088811f4c03d33fea2b07c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecfmdf32.dll"	Mbkmlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mbkmlh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maedhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmnppf32.dll"	Mpjqiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Nmbknddp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lccdel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mbkmlh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mapjmehi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmpnhdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	30b187e9c8b2dd514d1cdcf5a35f8d72fe6b4918e088811f4c03d33fea2b07c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmgocb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmgocb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdbnmk32.dll"	Lmgocb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lccdel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkcfcoqm.dll"	Lccdel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Macalohk.dll"	Modkfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpjqiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	30b187e9c8b2dd514d1cdcf5a35f8d72fe6b4918e088811f4c03d33fea2b07c6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	30b187e9c8b2dd514d1cdcf5a35f8d72fe6b4918e088811f4c03d33fea2b07c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmbknddp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngoohnkj.dll"	Nmpnhdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmbknddp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpjdjmfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maedhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpjqiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	30b187e9c8b2dd514d1cdcf5a35f8d72fe6b4918e088811f4c03d33fea2b07c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Almjnp32.dll"	Lpjdjmfp.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 1092	2216	30b187e9c8b2dd514d1cdcf5a35f8d72fe6b4918e088811f4c03d33fea2b07c6.exe	28
PID 2216 wrote to memory of 1092	2216	30b187e9c8b2dd514d1cdcf5a35f8d72fe6b4918e088811f4c03d33fea2b07c6.exe	28
PID 2216 wrote to memory of 1092	2216	30b187e9c8b2dd514d1cdcf5a35f8d72fe6b4918e088811f4c03d33fea2b07c6.exe	28
PID 2216 wrote to memory of 1092	2216	30b187e9c8b2dd514d1cdcf5a35f8d72fe6b4918e088811f4c03d33fea2b07c6.exe	28
PID 1092 wrote to memory of 2520	1092	Lmgocb32.exe	29
PID 1092 wrote to memory of 2520	1092	Lmgocb32.exe	29
PID 1092 wrote to memory of 2520	1092	Lmgocb32.exe	29
PID 1092 wrote to memory of 2520	1092	Lmgocb32.exe	29
PID 2520 wrote to memory of 2564	2520	Lccdel32.exe	30
PID 2520 wrote to memory of 2564	2520	Lccdel32.exe	30
PID 2520 wrote to memory of 2564	2520	Lccdel32.exe	30
PID 2520 wrote to memory of 2564	2520	Lccdel32.exe	30
PID 2564 wrote to memory of 2708	2564	Lpjdjmfp.exe	31
PID 2564 wrote to memory of 2708	2564	Lpjdjmfp.exe	31
PID 2564 wrote to memory of 2708	2564	Lpjdjmfp.exe	31
PID 2564 wrote to memory of 2708	2564	Lpjdjmfp.exe	31
PID 2708 wrote to memory of 2548	2708	Mbkmlh32.exe	32
PID 2708 wrote to memory of 2548	2708	Mbkmlh32.exe	32
PID 2708 wrote to memory of 2548	2708	Mbkmlh32.exe	32
PID 2708 wrote to memory of 2548	2708	Mbkmlh32.exe	32
PID 2548 wrote to memory of 1896	2548	Mapjmehi.exe	33
PID 2548 wrote to memory of 1896	2548	Mapjmehi.exe	33
PID 2548 wrote to memory of 1896	2548	Mapjmehi.exe	33
PID 2548 wrote to memory of 1896	2548	Mapjmehi.exe	33
PID 1896 wrote to memory of 2720	1896	Modkfi32.exe	34
PID 1896 wrote to memory of 2720	1896	Modkfi32.exe	34
PID 1896 wrote to memory of 2720	1896	Modkfi32.exe	34
PID 1896 wrote to memory of 2720	1896	Modkfi32.exe	34
PID 2720 wrote to memory of 2724	2720	Maedhd32.exe	35
PID 2720 wrote to memory of 2724	2720	Maedhd32.exe	35
PID 2720 wrote to memory of 2724	2720	Maedhd32.exe	35
PID 2720 wrote to memory of 2724	2720	Maedhd32.exe	35
PID 2724 wrote to memory of 1060	2724	Mpjqiq32.exe	36
PID 2724 wrote to memory of 1060	2724	Mpjqiq32.exe	36
PID 2724 wrote to memory of 1060	2724	Mpjqiq32.exe	36
PID 2724 wrote to memory of 1060	2724	Mpjqiq32.exe	36
PID 1060 wrote to memory of 1784	1060	Nmpnhdfc.exe	37
PID 1060 wrote to memory of 1784	1060	Nmpnhdfc.exe	37
PID 1060 wrote to memory of 1784	1060	Nmpnhdfc.exe	37
PID 1060 wrote to memory of 1784	1060	Nmpnhdfc.exe	37
PID 1784 wrote to memory of 860	1784	Nmbknddp.exe	38
PID 1784 wrote to memory of 860	1784	Nmbknddp.exe	38
PID 1784 wrote to memory of 860	1784	Nmbknddp.exe	38
PID 1784 wrote to memory of 860	1784	Nmbknddp.exe	38

C:\Users\Admin\AppData\Local\Temp\30b187e9c8b2dd514d1cdcf5a35f8d72fe6b4918e088811f4c03d33fea2b07c6.exe
"C:\Users\Admin\AppData\Local\Temp\30b187e9c8b2dd514d1cdcf5a35f8d72fe6b4918e088811f4c03d33fea2b07c6.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\SysWOW64\Lmgocb32.exe
  C:\Windows\system32\Lmgocb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\Windows\SysWOW64\Lccdel32.exe
    C:\Windows\system32\Lccdel32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Windows\SysWOW64\Lpjdjmfp.exe
      C:\Windows\system32\Lpjdjmfp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2564
    - - C:\Windows\SysWOW64\Mbkmlh32.exe
        
        C:\Windows\system32\Mbkmlh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2708
      - C:\Windows\SysWOW64\Mapjmehi.exe
        
        C:\Windows\system32\Mapjmehi.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\Modkfi32.exe
        
        C:\Windows\system32\Modkfi32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\SysWOW64\Maedhd32.exe
        
        C:\Windows\system32\Maedhd32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\Mpjqiq32.exe
        
        C:\Windows\system32\Mpjqiq32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\SysWOW64\Nmpnhdfc.exe
        
        C:\Windows\system32\Nmpnhdfc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\SysWOW64\Nmbknddp.exe
        
        C:\Windows\system32\Nmbknddp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        12⤵
        Executes dropped EXE
        
        PID:860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mapjmehi.exe

Filesize
141KB

MD5
34e4716027081250c40fe452b20aab98

SHA1
0c1f477d3b75a0161569dd3e6472928488bbcb50

SHA256
3d614d8b2a8e5d20dec632928bb816e0efe25265a99235207794c7729836d818

SHA512
a85417f7cdb08b796f2cd1348735bada190fdcb010f252f36ae5feaaaea7acc8f6d181b59ab3c5bbd467838e0fd7faa9147e7db4338b3b5dd398fc29463e4608

Download Submit
C:\Windows\SysWOW64\Mbkmlh32.exe

Filesize
141KB

MD5
720d9dc5f8708687370d4868d97cea68

SHA1
a12a89f9024e763c5decedbbed97a2c3cce06f77

SHA256
be36e32e2dd8b1617f2194eb3f2c6994cf4c1e0dc891f1feeb8a4e29f99a2322

SHA512
244432b7757e4897cead86457e04038dcb6245b332870fa4d8d1b0df30be1923b7bbb8277cfddc87021c6514322cab43ed8863df47d339ec898f1c1699a2fb9b

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
141KB

MD5
d85979e892b67f7e61b8478c81517d4b

SHA1
b293eeb86135d286a6d23e553e56e7afd57bf08c

SHA256
75732a58e7fd541bf8a194480c3bfd22dde676b56d1839a3478120f25b7e9684

SHA512
93b91417489fb2f5636cdc66d3491ad5a464b5ff732f959f16ea64f926924defda9db58f4348e555bace9e3864a8a5c602fbee6db614ed9daff53f0ac05ccf72

Download Submit
\Windows\SysWOW64\Lccdel32.exe

Filesize
141KB

MD5
0bd4669f894049abe368a2e6f7485409

SHA1
d4eb7a180448ff8a968be248d1973f8c989332f6

SHA256
09f186c21e29bb34906cfd79a7886e5d9f065f02cdf16203249476bb84c924e5

SHA512
4a072b82944cf03f68000a7a587b997f655ece4d3b2913412424fa5412424095e3bd8cab24abf5aee31830159f843f6ac518aa3f7086315d6fa1670b2d5e25b0

Download Submit
\Windows\SysWOW64\Lmgocb32.exe

Filesize
141KB

MD5
71f293f6dd15844d55b9ff561c074efe

SHA1
198f4d0f216b5ef4d8c8b3a6a7e7eb69e0c69dc1

SHA256
616a67ab639901caecc2b56c5e4d0d597bb8a7fafbbc18520351310ce1be0590

SHA512
d687acd5ededf94f23a46c8cf9c5e39d909fccf6152da91c037156f36f7aa00f25499286bfb56d723365f4afd94b74ec9391e6f80905f09d8929f8df40140568

Download Submit
\Windows\SysWOW64\Lpjdjmfp.exe

Filesize
141KB

MD5
5ea162197da420b8f29ee11b82da32e3

SHA1
ace2198a134cdc67cb4edae88e48dc6de8f11a39

SHA256
62524d29540e59648171bd56f070340d84a807cdebbf8373e0dd2664f0639f29

SHA512
5b963bdd7cfd8b3074c6daf9b91cb4515cd2170207c1347dbc80d6acf438d582bf97e6bb7f0ec9f5372deaef0b559e3db679d04ffdd71eb70201b38c6c8443c2

Download Submit
\Windows\SysWOW64\Maedhd32.exe

Filesize
141KB

MD5
002cb23ec6f31279ac053515b5632a03

SHA1
cb83570ed5c34a0c7be7eff5373d1740721af432

SHA256
7b3ad218887c8f0b57d4a5dcbe35ff1d95e5f909908d820baf8810698116c861

SHA512
01989b7579c0b27941ce285b877e7ea5f43487d0973855cdc7440e415dfdeec12b508b0c470c49ae18500ea95a1f800117a50c4c8b573128a2e3123048b77d72

Download Submit
\Windows\SysWOW64\Modkfi32.exe

Filesize
141KB

MD5
107533e28a115ff5db4b6408e342c557

SHA1
c5d4dfca298cf0bf4b061aa39d3242b0f100387e

SHA256
7d5d6f0b515ae46f9cf12ac8bbc3c0a9c68a83314b9a3b8687a791239b04d400

SHA512
006ff7117ee29bf58e337303fcc1e5806e988b489984d4aa580a2c36be29860657388b5aeab6a18beae7c50602c9f9b92e8661ef270e80883e1bf77fe0dcab4f

Download Submit
\Windows\SysWOW64\Mpjqiq32.exe

Filesize
141KB

MD5
c70ab734101c0ec1584c5c71292eefd9

SHA1
59adf9a97fb72e260cf2e59a31ffc90f3dc6da6c

SHA256
5e1143a6f90891e6fed01ba4603fe6fa62de7ec000c089fc39a269700156256e

SHA512
7924849059f2cdd48b9b236519ac727bb887075487f403260396390acb186388241498f7284f43eaa17ae88ef909e95af8e00a04fa6bd190e92775cc0e13ba8a

Download Submit
\Windows\SysWOW64\Nmbknddp.exe

Filesize
141KB

MD5
51997e447c48b01e60053b8e7f230cfc

SHA1
472e3e210a4ecb966d8a423e825fc12e90cdaaab

SHA256
472bb4a213e64aa841c8e433db00a5924b85b221400c744ba4ee7939e8285089

SHA512
61e0ed590624dae028a67009c8a4d070636a6b682b56490324b8daf1151b9c5e05a616a7ee5dd2f46c2260e9af1d7af728e37cd62c1da155e7bcd78a79e42ee6

Download Submit
\Windows\SysWOW64\Nmpnhdfc.exe

Filesize
141KB

MD5
d496d0a4b82c6063badfb9b9675372d2

SHA1
3f3828fd4a9356d950890b7bceabdb5b0fcecec1

SHA256
e5b56ce7a06f29d058555e67f2f83ab1b6de36dc9ba1d239c6704f9b0236ab72

SHA512
d637a1e54d0670b570c7d79af46dd392bf7d10838182fa6582403a83d882ced68dc485398f00cc6f24103b8bcc9b0143c8202e6ad02070306c2c49103f80b924

Download Submit
memory/860-145-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1060-131-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1092-153-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1092-24-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/1784-133-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1896-79-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1896-148-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2216-152-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2216-6-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2216-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2520-34-0x00000000003A0000-0x00000000003E3000-memory.dmp

Filesize
268KB

Download
memory/2520-31-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2548-149-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2548-67-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2564-151-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2708-150-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2708-52-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2708-64-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/2720-100-0x00000000002B0000-0x00000000002F3000-memory.dmp

Filesize
268KB

Download
memory/2720-147-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2720-92-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2724-113-0x00000000003A0000-0x00000000003E3000-memory.dmp

Filesize
268KB

Download
memory/2724-146-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads