7c05f5cec42a27784ef7fe64f837a8be79b3461e314c04f0d753a37e60389443

General

Target

7c05f5cec42a27784ef7fe64f837a8be79b3461e314c04f0d753a37e60389443.exe
Size

176KB
MD5

d1d29ff06bb0d00da92f5d9c5cd223fc
SHA1

1011e103a689090415e43dfa45c7fa12d19cec6a
SHA256

7c05f5cec42a27784ef7fe64f837a8be79b3461e314c04f0d753a37e60389443
SHA512

40e053352531bc9b711dcf7c210d4e2cc88c417a20222541c743c371f2c0ec12a5051fd88fa5c0c755d1cbc2f8b854bd46822260c3a4f4e74c17fd156d272890
SSDEEP

3072://EBkA6jUooBPhnKW91cjENRZ9wmAOIayGsOOJF4EISi/i4gG4npAjmA39QQIcka://EGA6jUooBPZz91nTZ9EaUn4yjK99Qq

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7c05f5cec42a27784ef7fe64f837a8be79b3461e314c04f0d753a37e60389443.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	7c05f5cec42a27784ef7fe64f837a8be79b3461e314c04f0d753a37e60389443.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe

Executes dropped EXE 5 IoCs

pid	Process
2072	Njacpf32.exe
4788	Ndghmo32.exe
3564	Njcpee32.exe
4104	Nbkhfc32.exe
4684	Nkcmohbg.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	7c05f5cec42a27784ef7fe64f837a8be79b3461e314c04f0d753a37e60389443.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	7c05f5cec42a27784ef7fe64f837a8be79b3461e314c04f0d753a37e60389443.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	7c05f5cec42a27784ef7fe64f837a8be79b3461e314c04f0d753a37e60389443.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3612	4684	WerFault.exe	86

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	7c05f5cec42a27784ef7fe64f837a8be79b3461e314c04f0d753a37e60389443.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	7c05f5cec42a27784ef7fe64f837a8be79b3461e314c04f0d753a37e60389443.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	7c05f5cec42a27784ef7fe64f837a8be79b3461e314c04f0d753a37e60389443.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	7c05f5cec42a27784ef7fe64f837a8be79b3461e314c04f0d753a37e60389443.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	7c05f5cec42a27784ef7fe64f837a8be79b3461e314c04f0d753a37e60389443.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	7c05f5cec42a27784ef7fe64f837a8be79b3461e314c04f0d753a37e60389443.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 2072	1100	7c05f5cec42a27784ef7fe64f837a8be79b3461e314c04f0d753a37e60389443.exe	82
PID 1100 wrote to memory of 2072	1100	7c05f5cec42a27784ef7fe64f837a8be79b3461e314c04f0d753a37e60389443.exe	82
PID 1100 wrote to memory of 2072	1100	7c05f5cec42a27784ef7fe64f837a8be79b3461e314c04f0d753a37e60389443.exe	82
PID 2072 wrote to memory of 4788	2072	Njacpf32.exe	83
PID 2072 wrote to memory of 4788	2072	Njacpf32.exe	83
PID 2072 wrote to memory of 4788	2072	Njacpf32.exe	83
PID 4788 wrote to memory of 3564	4788	Ndghmo32.exe	84
PID 4788 wrote to memory of 3564	4788	Ndghmo32.exe	84
PID 4788 wrote to memory of 3564	4788	Ndghmo32.exe	84
PID 3564 wrote to memory of 4104	3564	Njcpee32.exe	85
PID 3564 wrote to memory of 4104	3564	Njcpee32.exe	85
PID 3564 wrote to memory of 4104	3564	Njcpee32.exe	85
PID 4104 wrote to memory of 4684	4104	Nbkhfc32.exe	86
PID 4104 wrote to memory of 4684	4104	Nbkhfc32.exe	86
PID 4104 wrote to memory of 4684	4104	Nbkhfc32.exe	86

C:\Users\Admin\AppData\Local\Temp\7c05f5cec42a27784ef7fe64f837a8be79b3461e314c04f0d753a37e60389443.exe
"C:\Users\Admin\AppData\Local\Temp\7c05f5cec42a27784ef7fe64f837a8be79b3461e314c04f0d753a37e60389443.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Windows\SysWOW64\Njacpf32.exe
  C:\Windows\system32\Njacpf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\SysWOW64\Ndghmo32.exe
    C:\Windows\system32\Ndghmo32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4788
  - - C:\Windows\SysWOW64\Njcpee32.exe
      C:\Windows\system32\Njcpee32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3564
    - - C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4104
      - C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        6⤵
        Executes dropped EXE
        
        PID:4684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 408
        7⤵
        Program crash
        
        PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4684 -ip 4684
1⤵
PID:1372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
176KB

MD5
a5167b1a89dcd169b79137ed2bfd33b6

SHA1
26c610785ffedb2d27de6bd15bef41872b40b28f

SHA256
c47ea436293299e921e05790bbe6512af3ac5ce624c1bba318d3d7e7bff733ea

SHA512
39bfd02c9c282288341d68b72b76a4fefb6be55de3ad094f66055deadfc5d04ad348f012885354283f0743874ab6938def8c95da52402d3c8e31f02135b8efd4

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
176KB

MD5
3f61702ced45d29ecce4abc1683da584

SHA1
d8a268cab9fbec4e800a5b4e95761ea7f4531754

SHA256
096cf1d32f4e933d46fd1a6d1a8c2d01cc92716de9bf1a3f34142afa374c2e4a

SHA512
3b534c3b572b207add8bd8f64a13ebbc2d65ab38bdca74a33d80cfc6e957d90de0fb6c7f2ec2a9398d27a2aa712eecfd8d1db34fa39dba44f8f495d417259a34

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
176KB

MD5
e361cb8be17967afb9c3603829237e5c

SHA1
b8b18f64853fc86aa0406944d870a77d05979924

SHA256
b596380ccae051bb9d08c51b8e902d9d3b8d36ac1dee02d76bb002117e72770c

SHA512
351e933f80e0df08f2b66a48beaa4a7c31b65a02e93faa11ce4fc4d92e0b510e39de0bb3064fda61adf4e835ccda990d01a9c9c188594f504a9018f7f1153c9b

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
176KB

MD5
c212bbdd4359a3337bb38cdaff5ca883

SHA1
089b7e1398279010121690e2435088cd09a0b9d1

SHA256
4e6228d5639df96279b5ab09c08a273a3d8c4a9cde1e7f73a9489ee130d61996

SHA512
d139cb31f2c92aa4753938d957d18937696a09af898149d14a673c8ddcbb4113b80d60d5ae6d61ceb772a25af95dc6d58787b14b6e658fbd556fad8f05d19c93

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
176KB

MD5
2d9d88a595a87dbfba04e5b020da1ba7

SHA1
c85552f5313db392e7b52258572a0ff4ceb8d41b

SHA256
686f09073bd010760d0581e9c460f2ab59c78aca8052914844c8475761095c75

SHA512
7458ec0ffdccc745ddd7e2a697aa0f82aff989cc208e2444b99c783e5dfff24b62738be803b6df287065053ecbbac55ff3b692acc2dce177f720b4622c9288a7

Download Submit
memory/1100-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1100-46-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2072-7-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2072-45-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3564-24-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3564-43-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4104-42-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4104-31-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4684-39-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4684-41-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4788-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4788-44-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads