Overview

overview

10

Static

static

3

3bdd83c606...85.exe

windows7-x64

10

3bdd83c606...85.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    136s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/05/2024, 20:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3bdd83c6068b3a05aae334b9e3877b7b2e5b6a3d3cbefefc4237d18c9e14c285.exe

  • Size

    59KB

  • MD5

    104a78af90aeb91b136549c14ed663e5

  • SHA1

    a2803fe6e4a098322ed1542a675edf4b1892b453

  • SHA256

    3bdd83c6068b3a05aae334b9e3877b7b2e5b6a3d3cbefefc4237d18c9e14c285

  • SHA512

    6745642570bfecd8bbf9b274c2baa2f54abac0e18f5a28605a8b46d030ca062cabb4e526712d51ea6317fe6624d8519f0010e42d238fa59d9c52d0ddccce7e63

  • SSDEEP

    768:8bknhbV9ScpHoP4RIk6frhLt9ydjuNfc48/nR0jJQu6ZZ/1H5v5nf1fZMEBFELv8:jNpIPdkOhmjHZ/R0NQu6RPNCyVso

Score
10/10
persistence

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 4 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 6 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 9 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3bdd83c6068b3a05aae334b9e3877b7b2e5b6a3d3cbefefc4237d18c9e14c285.exe
    "C:\Users\Admin\AppData\Local\Temp\3bdd83c6068b3a05aae334b9e3877b7b2e5b6a3d3cbefefc4237d18c9e14c285.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:888
    • C:\Windows\SysWOW64\Ncldnkae.exe
      C:\Windows\system32\Ncldnkae.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:5008
      • C:\Windows\SysWOW64\Nkcmohbg.exe
        C:\Windows\system32\Nkcmohbg.exe
        3⤵
        • Executes dropped EXE
        PID:4044
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 400
          4⤵
          • Program crash
          PID:4884
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4044 -ip 4044
    1⤵
      PID:1436

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\Ncldnkae.exe
      Filesize

      59KB

      MD5

      2412e7816659ddb95f9501267e2b0068

      SHA1

      e5b2e0e25d3c409607c94d620edae439f3ce9099

      SHA256

      a3ea5eb75e5183bb6bc390714507ff48b1a2a76184ba3081a5c41d6a0569d167

      SHA512

      2f3ab27e3161c588df7129afdf4b74294a79ffbc51edd3108ee1e000c7d1737fb22a62e329d48a14c1ae6760f5652f0179a72fd14a0d70163270ca10f0e5361d

      Download Submit

    • C:\Windows\SysWOW64\Nkcmohbg.exe
      Filesize

      59KB

      MD5

      6400b0dc530313a4d6a6e33857573531

      SHA1

      1aeac110adac64c2f3dbffa18eadee228aabf372

      SHA256

      2e17dadc26654d528117bc22ef9c4720c37fd5cf1e70c60def5b1e9a8b61366f

      SHA512

      db781bfd06fac7f9b9e269f3595e3572d68bbd14b97ad3113d86ec72bbdd949035d1024459de657d671868928e8bd569cf6b6bb447c2d7d03f5cfbe427ad831c

      Download Submit

    • memory/888-0-0x0000000000400000-0x000000000043A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/888-19-0x0000000000400000-0x000000000043A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/4044-16-0x0000000000400000-0x000000000043A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/4044-17-0x0000000000400000-0x000000000043A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/5008-13-0x0000000000400000-0x000000000043A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/5008-18-0x0000000000400000-0x000000000043A000-memory.dmp

      Filesize

      232KB

      Download