Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/06/2024, 01:08

General

  • Target

    a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe

  • Size

    80KB

  • MD5

    371ba6f286b21e1ad8696a844f0e9a68

  • SHA1

    e7865d960f6f011a87b65ef94a829d905d794f25

  • SHA256

    a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe

  • SHA512

    cf0afb4eee8ef05e7bd06ece904a88a59427d10634fa6f4992ed017cbf9a0d6ecd16d88f65fc6922800d43e169cf425f8b91c46ae09ce55330862b51de208acf

  • SSDEEP

    1536:kcSsngPO+fifu8UCeztSzjpH1B9z/2LxS5DUHRbPa9b6i+sIk:kZTf+UavV1B9AxS5DSCopsIk

Score
10/10

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 14 IoCs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 14 IoCs
  • Drops file in System32 directory 21 IoCs
  • Modifies registry class 24 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe
    "C:\Users\Admin\AppData\Local\Temp\a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2992
    • C:\Windows\SysWOW64\Nlekia32.exe
      C:\Windows\system32\Nlekia32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2876
      • C:\Windows\SysWOW64\Nodgel32.exe
        C:\Windows\system32\Nodgel32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:848
        • C:\Windows\SysWOW64\Ncpcfkbg.exe
          C:\Windows\system32\Ncpcfkbg.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2692
          • C:\Windows\SysWOW64\Ngkogj32.exe
            C:\Windows\system32\Ngkogj32.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2584
            • C:\Windows\SysWOW64\Niikceid.exe
              C:\Windows\system32\Niikceid.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:2508
              • C:\Windows\SysWOW64\Nhllob32.exe
                C:\Windows\system32\Nhllob32.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in System32 directory
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:2480
                • C:\Windows\SysWOW64\Nlhgoqhh.exe
                  C:\Windows\system32\Nlhgoqhh.exe
                  8⤵
                  • Executes dropped EXE
                  PID:2964

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\SysWOW64\Ncpcfkbg.exe

          Filesize

          80KB

          MD5

          2fac0044410f73850df5a80abeb51bef

          SHA1

          0d0d0c2d22a32786417fd90772d7ff25b14479b7

          SHA256

          dd8eddd7250129215c130ea75d72c0d46d52f71c0a4207a21c3231ba4f8226fe

          SHA512

          9be9cd02b8564f26a8866a0b25f72c900d675166b376e817a578469ac7efabdc7662cdec6a56c0b9768ea2d09bd6bc47444fe5d102f3fec3911f39fa6da8a38e

        • C:\Windows\SysWOW64\Niikceid.exe

          Filesize

          80KB

          MD5

          313ecfbc8891794c01ac09564474cb3e

          SHA1

          db4daab38fcd4156e83aa284d7e040ca62229fe4

          SHA256

          b38a8a1f1b1ccabbb8aab90132d0d3fe46eb47e6fd5f0643bacaf4487966bb57

          SHA512

          9e16e8d43c89bb0a8e94675e17952e2d590395bffb0b75350f890be7eb552733717b8a12e626324858d1c85560bf95d094cf95daa9f4f5b2d523adab93704658

        • C:\Windows\SysWOW64\Nlekia32.exe

          Filesize

          80KB

          MD5

          fb958fd5e0d70591ab337766b1ccbf27

          SHA1

          c1fc4a53a4bbed71d831d855c6c4ba3583ea42b4

          SHA256

          adad858729ec4ba02934b41331f58cba9d1dde47eba74f8f4bb4fe7cb16913c2

          SHA512

          c74497cfe63b4012a8e3e0790a8331effd2bff4130b1ec6a2b6a10e92934a8766cc32b968e3070c32d7a0e4060aa9d1ba49dc2dc9ff9a78ff06222c390601e3d

        • C:\Windows\SysWOW64\Nlhgoqhh.exe

          Filesize

          80KB

          MD5

          a6fd53db9dad319e7a0029d9a68c12c5

          SHA1

          4dc19c9626ddf7ea507c88114b800edd84139b22

          SHA256

          61b1eeb77be5dc023c547fd74d71f6cd4143b20fb5812640194dd49a2be43b4b

          SHA512

          fc2a0430308d23069b1ff462d8500b66124e381825bb42e74af4408b4ba3010db1c7c192246a5167104d0335d7e3baa828178ad70ef65076c2ece3fdc16dbfaa

        • \Windows\SysWOW64\Ngkogj32.exe

          Filesize

          80KB

          MD5

          627ae0e635f5efcf0105d65730eb16ff

          SHA1

          433d9757ebbdbc4dd961599a706519baabb40289

          SHA256

          a2977ea75041b120160591452308545311d78d0accb2216f64f2203dd69399a1

          SHA512

          5a2b5f18c8b598e87c2f08d57bb57c285a50718925acd30779f15a1afbb47bc4d0e337cd2b447d4583079e47449f9ae64cbbd546597d6c01b7508f85bb7c9899

        • \Windows\SysWOW64\Nhllob32.exe

          Filesize

          80KB

          MD5

          5f2d37b0a442f6ce8384b9f6b03c4eb4

          SHA1

          6fa3386579678b078d44a5d675f6ba41f6e98cbf

          SHA256

          fe823c5b88dace51c40237d0e7755b87593bcf1dc2bed01f575788271526b3ee

          SHA512

          a0525bb127c8f06972530d4299d29e552c59424073b94af2dff8772c4f3f325ba67aa6859585897650de586bb2123baef27280d5d694ff034f37bef95f45c8b8

        • \Windows\SysWOW64\Nodgel32.exe

          Filesize

          80KB

          MD5

          60823e63a894a08b43b742f56367d95a

          SHA1

          19f766f5c0b15a107799a5ccaa6f8bc02425edcd

          SHA256

          c8ff502b6d39ce674d6ff3d623b1ecc0ccac40627a5999cbe5b68e71e6f8c488

          SHA512

          ef180c19edb42bd519f64afac9eb04a476b3b5a0f9597cf37349b58c695b493813e4a16889bbca56b8fa8fc1dde7ca4934cb37185749fd8abe32924e3676cace

        • memory/848-98-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

        • memory/848-27-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

        • memory/2480-84-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

        • memory/2480-87-0x00000000002E0000-0x000000000031E000-memory.dmp

          Filesize

          248KB

        • memory/2508-96-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

        • memory/2508-66-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

        • memory/2584-58-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

        • memory/2584-94-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

        • memory/2692-45-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

        • memory/2876-99-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

        • memory/2876-14-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

        • memory/2964-93-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

        • memory/2964-95-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

        • memory/2992-97-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

        • memory/2992-13-0x0000000000250000-0x000000000028E000-memory.dmp

          Filesize

          248KB

        • memory/2992-6-0x0000000000250000-0x000000000028E000-memory.dmp

          Filesize

          248KB

        • memory/2992-0-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB