82b8b0fe0ac17ae8a9d8cf1f315da0e58e9da9956438e64bad2a4290f24e4ed9

General

Target

82b8b0fe0ac17ae8a9d8cf1f315da0e58e9da9956438e64bad2a4290f24e4ed9.exe
Size

2.7MB
MD5

b0eb3f26f41114392edf5e42892ef115
SHA1

407543af0ed42132d1d6f28d1a80c37070ec0ff5
SHA256

82b8b0fe0ac17ae8a9d8cf1f315da0e58e9da9956438e64bad2a4290f24e4ed9
SHA512

0d927c2598c331aa1825065f96f3fcce5388b036f4cbc2fdaa1894478b3968223dce265f1085aadc6d60832a5402414d3fb979b93292cea70c28fd699d59433c
SSDEEP

12288:fzHMDlp35vzDVqvQqpCtRwKA5p8Wgx+gWVBmLnWrOxNuxC7:jM795hqEfAL8WJm8MoC7

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	82b8b0fe0ac17ae8a9d8cf1f315da0e58e9da9956438e64bad2a4290f24e4ed9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	82b8b0fe0ac17ae8a9d8cf1f315da0e58e9da9956438e64bad2a4290f24e4ed9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe

Executes dropped EXE 2 IoCs

pid	Process
1504	Ndidbn32.exe
3512	Nkcmohbg.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	82b8b0fe0ac17ae8a9d8cf1f315da0e58e9da9956438e64bad2a4290f24e4ed9.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	82b8b0fe0ac17ae8a9d8cf1f315da0e58e9da9956438e64bad2a4290f24e4ed9.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	82b8b0fe0ac17ae8a9d8cf1f315da0e58e9da9956438e64bad2a4290f24e4ed9.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1676	3512	WerFault.exe	82

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	82b8b0fe0ac17ae8a9d8cf1f315da0e58e9da9956438e64bad2a4290f24e4ed9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	82b8b0fe0ac17ae8a9d8cf1f315da0e58e9da9956438e64bad2a4290f24e4ed9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	82b8b0fe0ac17ae8a9d8cf1f315da0e58e9da9956438e64bad2a4290f24e4ed9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	82b8b0fe0ac17ae8a9d8cf1f315da0e58e9da9956438e64bad2a4290f24e4ed9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	82b8b0fe0ac17ae8a9d8cf1f315da0e58e9da9956438e64bad2a4290f24e4ed9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	82b8b0fe0ac17ae8a9d8cf1f315da0e58e9da9956438e64bad2a4290f24e4ed9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 1504	2548	82b8b0fe0ac17ae8a9d8cf1f315da0e58e9da9956438e64bad2a4290f24e4ed9.exe	81
PID 2548 wrote to memory of 1504	2548	82b8b0fe0ac17ae8a9d8cf1f315da0e58e9da9956438e64bad2a4290f24e4ed9.exe	81
PID 2548 wrote to memory of 1504	2548	82b8b0fe0ac17ae8a9d8cf1f315da0e58e9da9956438e64bad2a4290f24e4ed9.exe	81
PID 1504 wrote to memory of 3512	1504	Ndidbn32.exe	82
PID 1504 wrote to memory of 3512	1504	Ndidbn32.exe	82
PID 1504 wrote to memory of 3512	1504	Ndidbn32.exe	82

C:\Users\Admin\AppData\Local\Temp\82b8b0fe0ac17ae8a9d8cf1f315da0e58e9da9956438e64bad2a4290f24e4ed9.exe
"C:\Users\Admin\AppData\Local\Temp\82b8b0fe0ac17ae8a9d8cf1f315da0e58e9da9956438e64bad2a4290f24e4ed9.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\SysWOW64\Ndidbn32.exe
  C:\Windows\system32\Ndidbn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Windows\SysWOW64\Nkcmohbg.exe
    C:\Windows\system32\Nkcmohbg.exe
    3⤵
    - Executes dropped EXE
    PID:3512
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 400
      4⤵
      Program crash
      PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3512 -ip 3512
1⤵
PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
2.7MB

MD5
8de5aeb9b408dbdb50175b020daf83c1

SHA1
9c11846f2e199e7378eb82f6aa11e98a5e2a8972

SHA256
6c39f98d72d0e0f948a6b6eb4a9a9cd844bd9f996e7319cf9acc4edfb647365a

SHA512
8b0197040729e3c2638442a96a22dddf656853d7d460366969626f3fd3845f1675bfd11fd228f3084f5a91d011496e950115110887882437fbc08be36b6a8d9e

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
2.7MB

MD5
1cf3490b0367d2477fc20956ddbc295d

SHA1
893d4fb4b2648aa5529fcc121920b53acddf3b71

SHA256
b8f5fb8640eaaa7c4f5add48f7f3a607acb7ad8f1e07842cc41109f3802eefcb

SHA512
802ee1ff08539319d5fdbaef0d2b70a9dbefc249e987903d8e61bed2dd421165e5405721e4b85094cd0403a9986eaad53c6d69987f48bebf478dd026c50460f5

Download Submit
memory/1504-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2548-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2548-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2548-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3512-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads