Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 02/06/2024, 01:08
Static task: static1
Behavioral task: behavioral1
  Sample: a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe
  Resource: win10v2004-20240426-en
General
Target: a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe
Size: 80KB
MD5: 371ba6f286b21e1ad8696a844f0e9a68
SHA1: e7865d960f6f011a87b65ef94a829d905d794f25
SHA256: a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe
SHA512: cf0afb4eee8ef05e7bd06ece904a88a59427d10634fa6f4992ed017cbf9a0d6ecd16d88f65fc6922800d43e169cf425f8b91c46ae09ce55330862b51de208acf
SSDEEP: 1536:kcSsngPO+fifu8UCeztSzjpH1B9z/2LxS5DUHRbPa9b6i+sIk:kZTf+UavV1B9AxS5DSCopsIk
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 14 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nodgel32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ngkogj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nlekia32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nodgel32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ngkogj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ncpcfkbg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Niikceid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Niikceid.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nhllob32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nhllob32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nlekia32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ncpcfkbg.exe
Executes dropped EXE (7 IoCs)
pid | Process
2876 | Nlekia32.exe
848 | Nodgel32.exe
2692 | Ncpcfkbg.exe
2584 | Ngkogj32.exe
2508 | Niikceid.exe
2480 | Nhllob32.exe
2964 | Nlhgoqhh.exe
Loads dropped DLL (14 IoCs; each process is recorded twice)
pid | Process
2992 | a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe (recorded twice)
2876 | Nlekia32.exe (recorded twice)
848 | Nodgel32.exe (recorded twice)
2692 | Ncpcfkbg.exe (recorded twice)
2584 | Ngkogj32.exe (recorded twice)
2508 | Niikceid.exe (recorded twice)
2480 | Nhllob32.exe (recorded twice)
Drops file in System32 directory (21 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Nodgel32.exe | Nlekia32.exe
File created | C:\Windows\SysWOW64\Ncpcfkbg.exe | Nodgel32.exe
File created | C:\Windows\SysWOW64\Ngkogj32.exe | Ncpcfkbg.exe
File created | C:\Windows\SysWOW64\Nlhgoqhh.exe | Nhllob32.exe
File created | C:\Windows\SysWOW64\Phmkjbfe.dll | a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe
File created | C:\Windows\SysWOW64\Niikceid.exe | Ngkogj32.exe
File opened for modification | C:\Windows\SysWOW64\Niikceid.exe | Ngkogj32.exe
File created | C:\Windows\SysWOW64\Fhhiii32.dll | Niikceid.exe
File created | C:\Windows\SysWOW64\Lamajm32.dll | Nhllob32.exe
File created | C:\Windows\SysWOW64\Pfdmil32.dll | Nodgel32.exe
File opened for modification | C:\Windows\SysWOW64\Ngkogj32.exe | Ncpcfkbg.exe
File created | C:\Windows\SysWOW64\Kklcab32.dll | Ncpcfkbg.exe
File created | C:\Windows\SysWOW64\Nlekia32.exe | a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe
File opened for modification | C:\Windows\SysWOW64\Nlekia32.exe | a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe
File created | C:\Windows\SysWOW64\Nodgel32.exe | Nlekia32.exe
File created | C:\Windows\SysWOW64\Cnjgia32.dll | Nlekia32.exe
File opened for modification | C:\Windows\SysWOW64\Ncpcfkbg.exe | Nodgel32.exe
File created | C:\Windows\SysWOW64\Nhllob32.exe | Niikceid.exe
File created | C:\Windows\SysWOW64\Dnlbnp32.dll | Ngkogj32.exe
File opened for modification | C:\Windows\SysWOW64\Nhllob32.exe | Niikceid.exe
File opened for modification | C:\Windows\SysWOW64\Nlhgoqhh.exe | Nhllob32.exe
Modifies registry class (24 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhhiii32.dll" | Niikceid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phmkjbfe.dll" | a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nlekia32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nlekia32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnlbnp32.dll" | Ngkogj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nhllob32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nhllob32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfdmil32.dll" | Nodgel32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nodgel32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ngkogj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Niikceid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ncpcfkbg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll" | Nhllob32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnjgia32.dll" | Nlekia32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nodgel32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kklcab32.dll" | Ncpcfkbg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ncpcfkbg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ngkogj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Niikceid.exe
Suspicious use of WriteProcessMemory (28 IoCs; each parent/child pair is recorded 4 times)
description | pid | Process | procid_target
PID 2992 wrote to memory of 2876 | 2992 | a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe | 28 (recorded 4 times)
PID 2876 wrote to memory of 848 | 2876 | Nlekia32.exe | 29 (recorded 4 times)
PID 848 wrote to memory of 2692 | 848 | Nodgel32.exe | 30 (recorded 4 times)
PID 2692 wrote to memory of 2584 | 2692 | Ncpcfkbg.exe | 31 (recorded 4 times)
PID 2584 wrote to memory of 2508 | 2584 | Ngkogj32.exe | 32 (recorded 4 times)
PID 2508 wrote to memory of 2480 | 2508 | Niikceid.exe | 33 (recorded 4 times)
PID 2480 wrote to memory of 2964 | 2480 | Nhllob32.exe | 34 (recorded 4 times)
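The ShellServiceObjectDelayLoad (SSODL) and CLSID rows above are two halves of one persistence mechanism: at logon Explorer.exe enumerates the values under ShellServiceObjectDelayLoad, treats each value's data as a CLSID, and instantiates that COM object in-process, which loads whatever DLL the CLSID's InProcServer32 key names. Every stage in this chain writes the same "Web Event Logger" value with the same CLSID {79FEACFF-FFCE-815E-A900-316290B5B738} but re-points InProcServer32 at the DLL it has just dropped in SysWOW64, so whichever stage wrote last owns the persistence. The script below is an added triage example, not part of the sandbox report or its vendor's tooling; it parses report lines in the layout of the Signatures tables (the sample is constructed from the rows above, deduplicated) and correlates SSODL value -> CLSID -> InProcServer32 DLL -> process that created that DLL, then rebuilds the parent/child chain from the WriteProcessMemory entries.

```python
"""Correlate SSODL persistence IoCs from a sandbox report (added example)."""
import re
from collections import OrderedDict

# Constructed sample: per stage one SSODL value, one InProcServer32 default
# value and one "File created" line, plus one WriteProcessMemory line per
# parent, copied from the report's Signatures tables. Not live telemetry.
SAMPLE = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phmkjbfe.dll" a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe
File created C:\Windows\SysWOW64\Phmkjbfe.dll a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlekia32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnjgia32.dll" Nlekia32.exe
File created C:\Windows\SysWOW64\Cnjgia32.dll Nlekia32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nodgel32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfdmil32.dll" Nodgel32.exe
File created C:\Windows\SysWOW64\Pfdmil32.dll Nodgel32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncpcfkbg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kklcab32.dll" Ncpcfkbg.exe
File created C:\Windows\SysWOW64\Kklcab32.dll Ncpcfkbg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngkogj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnlbnp32.dll" Ngkogj32.exe
File created C:\Windows\SysWOW64\Dnlbnp32.dll Ngkogj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Niikceid.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhhiii32.dll" Niikceid.exe
File created C:\Windows\SysWOW64\Fhhiii32.dll Niikceid.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhllob32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll" Nhllob32.exe
File created C:\Windows\SysWOW64\Lamajm32.dll Nhllob32.exe
PID 2992 wrote to memory of 2876 2992 a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe 28
PID 2876 wrote to memory of 848 2876 Nlekia32.exe 29
PID 848 wrote to memory of 2692 848 Nodgel32.exe 30
PID 2692 wrote to memory of 2584 2692 Ncpcfkbg.exe 31
PID 2584 wrote to memory of 2508 2584 Ngkogj32.exe 32
PID 2508 wrote to memory of 2480 2508 Niikceid.exe 33
PID 2480 wrote to memory of 2964 2480 Nhllob32.exe 34
""".strip().splitlines()

# Row layouts as they appear in the report: "<description> <ioc> <Process>".
SET_RE = re.compile(r'^Set value \(str\) (?P<key>\\REGISTRY\\.*?) = "(?P<data>[^"]*)" (?P<proc>\S+)$')
FILE_RE = re.compile(r'^File created (?P<path>\S+) (?P<proc>\S+)$')
WPM_RE = re.compile(r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \d+ (?P<proc>\S+) \d+$')


def correlate(lines):
    """Return (findings, chain): one finding per process that wrote an SSODL
    value, and chain = {parent pid: (child pid, parent image name)}."""
    ssodl, inproc, dropped, chain = {}, {}, {}, OrderedDict()
    for line in lines:
        m = SET_RE.match(line)
        if m:
            key, data, proc = m.group('key', 'data', 'proc')
            if '\\ShellServiceObjectDelayLoad\\' in key:
                ssodl[proc] = (key.rsplit('\\', 1)[1], data)   # (value name, CLSID)
            elif key.endswith('\\InProcServer32\\'):           # default value = DLL path
                clsid = key.split('\\CLSID\\', 1)[1].split('\\', 1)[0]
                inproc[(proc, clsid)] = data.replace('\\\\', '\\')  # report doubles backslashes
            continue
        m = FILE_RE.match(line)
        if m:
            dropped[m.group('path').lower()] = m.group('proc')  # NTFS paths: compare case-insensitively
            continue
        m = WPM_RE.match(line)
        if m:
            chain.setdefault(m.group('src'), (m.group('dst'), m.group('proc')))
    findings = []
    for proc, (name, clsid) in ssodl.items():
        dll = inproc.get((proc, clsid))
        findings.append({'process': proc, 'ssodl_value': name, 'clsid': clsid, 'dll': dll,
                         'dll_dropped_by': dropped.get(dll.lower()) if dll else None})
    return findings, chain


def process_chain(chain):
    """Walk from the single pid that is never a target to the leaf. The leaf
    never writes to another process, so these lines give it no image name."""
    targets = {dst for dst, _ in chain.values()}
    roots = [pid for pid in chain if pid not in targets]
    if len(roots) != 1:
        return []
    pid, order = roots[0], []
    while pid in chain and len(order) <= len(chain):   # length guard against cycles
        dst, proc = chain[pid]
        order.append((pid, proc))
        pid = dst
    order.append((pid, None))
    return order


if __name__ == '__main__':
    findings, chain = correlate(SAMPLE)
    for f in findings:
        print(f"{f['process'][:16]:16} {f['ssodl_value']} -> {f['clsid']} -> "
              f"{f['dll']} (created by {f['dll_dropped_by']})")
    print(' -> '.join(f"{pid}:{proc or '?'}" for pid, proc in process_chain(chain)))
```

Run against the full report, every stage resolves to the same CLSID but a different DLL, each created by the process that registered it, and the WriteProcessMemory chain is a single line of descent from PID 2992 down to 2964. Two hunting caveats follow from the rows themselves: the registry paths are all under Wow6432Node because the sample is 32-bit and its writes are redirected there, so on a 64-bit host check both the native SOFTWARE view and Wow6432Node; and the final value of InProcServer32, not the first, is the one Explorer will load, so a live-host check must read the current value rather than the first write in the report.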
Processes
Each entry gives the image path, the command line as recorded, the PID and the signatures that fired for that process. The child images live in C:\Windows\SysWOW64 while their command lines name C:\Windows\system32: these are 32-bit processes, and WoW64 file system redirection maps system32 to SysWOW64 for them.

1. C:\Users\Admin\AppData\Local\Temp\a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe"
   PID: 2992
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Loads dropped DLL
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
  2. C:\Windows\SysWOW64\Nlekia32.exe
     command line: C:\Windows\system32\Nlekia32.exe
     PID: 2876
     - Adds autorun key to be loaded by Explorer.exe on startup
     - Executes dropped EXE
     - Loads dropped DLL
     - Drops file in System32 directory
     - Modifies registry class
     - Suspicious use of WriteProcessMemory
    3. C:\Windows\SysWOW64\Nodgel32.exe
       command line: C:\Windows\system32\Nodgel32.exe
       PID: 848
       - Adds autorun key to be loaded by Explorer.exe on startup
       - Executes dropped EXE
       - Loads dropped DLL
       - Drops file in System32 directory
       - Modifies registry class
       - Suspicious use of WriteProcessMemory
      4. C:\Windows\SysWOW64\Ncpcfkbg.exe
         command line: C:\Windows\system32\Ncpcfkbg.exe
         PID: 2692
         - Adds autorun key to be loaded by Explorer.exe on startup
         - Executes dropped EXE
         - Loads dropped DLL
         - Drops file in System32 directory
         - Modifies registry class
         - Suspicious use of WriteProcessMemory
        5. C:\Windows\SysWOW64\Ngkogj32.exe
           command line: C:\Windows\system32\Ngkogj32.exe
           PID: 2584
           - Adds autorun key to be loaded by Explorer.exe on startup
           - Executes dropped EXE
           - Loads dropped DLL
           - Drops file in System32 directory
           - Modifies registry class
           - Suspicious use of WriteProcessMemory
          6. C:\Windows\SysWOW64\Niikceid.exe
             command line: C:\Windows\system32\Niikceid.exe
             PID: 2508
             - Adds autorun key to be loaded by Explorer.exe on startup
             - Executes dropped EXE
             - Loads dropped DLL
             - Drops file in System32 directory
             - Modifies registry class
             - Suspicious use of WriteProcessMemory
            7. C:\Windows\SysWOW64\Nhllob32.exe
               command line: C:\Windows\system32\Nhllob32.exe
               PID: 2480
               - Adds autorun key to be loaded by Explorer.exe on startup
               - Executes dropped EXE
               - Loads dropped DLL
               - Drops file in System32 directory
               - Modifies registry class
               - Suspicious use of WriteProcessMemory
              8. C:\Windows\SysWOW64\Nlhgoqhh.exe
                 command line: C:\Windows\system32\Nlhgoqhh.exe
                 PID: 2964
                 - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 80KB
MD5: 2fac0044410f73850df5a80abeb51bef
SHA1: 0d0d0c2d22a32786417fd90772d7ff25b14479b7
SHA256: dd8eddd7250129215c130ea75d72c0d46d52f71c0a4207a21c3231ba4f8226fe
SHA512: 9be9cd02b8564f26a8866a0b25f72c900d675166b376e817a578469ac7efabdc7662cdec6a56c0b9768ea2d09bd6bc47444fe5d102f3fec3911f39fa6da8a38e

Filesize: 80KB
MD5: 313ecfbc8891794c01ac09564474cb3e
SHA1: db4daab38fcd4156e83aa284d7e040ca62229fe4
SHA256: b38a8a1f1b1ccabbb8aab90132d0d3fe46eb47e6fd5f0643bacaf4487966bb57
SHA512: 9e16e8d43c89bb0a8e94675e17952e2d590395bffb0b75350f890be7eb552733717b8a12e626324858d1c85560bf95d094cf95daa9f4f5b2d523adab93704658

Filesize: 80KB
MD5: fb958fd5e0d70591ab337766b1ccbf27
SHA1: c1fc4a53a4bbed71d831d855c6c4ba3583ea42b4
SHA256: adad858729ec4ba02934b41331f58cba9d1dde47eba74f8f4bb4fe7cb16913c2
SHA512: c74497cfe63b4012a8e3e0790a8331effd2bff4130b1ec6a2b6a10e92934a8766cc32b968e3070c32d7a0e4060aa9d1ba49dc2dc9ff9a78ff06222c390601e3d

Filesize: 80KB
MD5: a6fd53db9dad319e7a0029d9a68c12c5
SHA1: 4dc19c9626ddf7ea507c88114b800edd84139b22
SHA256: 61b1eeb77be5dc023c547fd74d71f6cd4143b20fb5812640194dd49a2be43b4b
SHA512: fc2a0430308d23069b1ff462d8500b66124e381825bb42e74af4408b4ba3010db1c7c192246a5167104d0335d7e3baa828178ad70ef65076c2ece3fdc16dbfaa

Filesize: 80KB
MD5: 627ae0e635f5efcf0105d65730eb16ff
SHA1: 433d9757ebbdbc4dd961599a706519baabb40289
SHA256: a2977ea75041b120160591452308545311d78d0accb2216f64f2203dd69399a1
SHA512: 5a2b5f18c8b598e87c2f08d57bb57c285a50718925acd30779f15a1afbb47bc4d0e337cd2b447d4583079e47449f9ae64cbbd546597d6c01b7508f85bb7c9899

Filesize: 80KB
MD5: 5f2d37b0a442f6ce8384b9f6b03c4eb4
SHA1: 6fa3386579678b078d44a5d675f6ba41f6e98cbf
SHA256: fe823c5b88dace51c40237d0e7755b87593bcf1dc2bed01f575788271526b3ee
SHA512: a0525bb127c8f06972530d4299d29e552c59424073b94af2dff8772c4f3f325ba67aa6859585897650de586bb2123baef27280d5d694ff034f37bef95f45c8b8

Filesize: 80KB
MD5: 60823e63a894a08b43b742f56367d95a
SHA1: 19f766f5c0b15a107799a5ccaa6f8bc02425edcd
SHA256: c8ff502b6d39ce674d6ff3d623b1ecc0ccac40627a5999cbe5b68e71e6f8c488
SHA512: ef180c19edb42bd519f64afac9eb04a476b3b5a0f9597cf37349b58c695b493813e4a16889bbca56b8fa8fc1dde7ca4934cb37185749fd8abe32924e3676cace