2484f414e608b586dfc92adeb580ad2011591d6f1af3ef3dae63f70c041a280d

General

Target

2484f414e608b586dfc92adeb580ad2011591d6f1af3ef3dae63f70c041a280d.exe
Size

136KB
MD5

27287a7d0a733309ec22b5fe3f24fe67
SHA1

f263e00708c442f00a278658249660680f7e3ac2
SHA256

2484f414e608b586dfc92adeb580ad2011591d6f1af3ef3dae63f70c041a280d
SHA512

8029bf850ef0d6055d9940f067349b3c54ad04e5ea221de85aa1f80262c7a67954cffe5f1981cc5ff8d281e9a61c13fa4b0579b8b0d3862e3d76f01f228d6761
SSDEEP

3072:Re0H4hxVDyQ5ovGuw1Pfo11pz7dgWKsi/mjRrz3OT:vYhxVDsvw1Pfo1rHyRsi/GOT

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nenobfak.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2484f414e608b586dfc92adeb580ad2011591d6f1af3ef3dae63f70c041a280d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	2484f414e608b586dfc92adeb580ad2011591d6f1af3ef3dae63f70c041a280d.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nenobfak.exe

UPX dump on OEP (original entry point) 2 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001220d-5.dat	UPX
behavioral1/files/0x0009000000015f01-19.dat	UPX

Executes dropped EXE 2 IoCs

pid	Process
2924	Nenobfak.exe
2848	Nlhgoqhh.exe

Loads dropped DLL 8 IoCs

pid	Process
3004	2484f414e608b586dfc92adeb580ad2011591d6f1af3ef3dae63f70c041a280d.exe
3004	2484f414e608b586dfc92adeb580ad2011591d6f1af3ef3dae63f70c041a280d.exe
2924	Nenobfak.exe
2924	Nenobfak.exe
2672	WerFault.exe
2672	WerFault.exe
2672	WerFault.exe
2672	WerFault.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nenobfak.exe	2484f414e608b586dfc92adeb580ad2011591d6f1af3ef3dae63f70c041a280d.exe
File opened for modification	C:\Windows\SysWOW64\Nenobfak.exe	2484f414e608b586dfc92adeb580ad2011591d6f1af3ef3dae63f70c041a280d.exe
File created	C:\Windows\SysWOW64\Mehjml32.dll	2484f414e608b586dfc92adeb580ad2011591d6f1af3ef3dae63f70c041a280d.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nenobfak.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nenobfak.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Nenobfak.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2672	2848	WerFault.exe	29

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	2484f414e608b586dfc92adeb580ad2011591d6f1af3ef3dae63f70c041a280d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	2484f414e608b586dfc92adeb580ad2011591d6f1af3ef3dae63f70c041a280d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	2484f414e608b586dfc92adeb580ad2011591d6f1af3ef3dae63f70c041a280d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nenobfak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nenobfak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	2484f414e608b586dfc92adeb580ad2011591d6f1af3ef3dae63f70c041a280d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mehjml32.dll"	2484f414e608b586dfc92adeb580ad2011591d6f1af3ef3dae63f70c041a280d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Nenobfak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	2484f414e608b586dfc92adeb580ad2011591d6f1af3ef3dae63f70c041a280d.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2924	3004	2484f414e608b586dfc92adeb580ad2011591d6f1af3ef3dae63f70c041a280d.exe	28
PID 3004 wrote to memory of 2924	3004	2484f414e608b586dfc92adeb580ad2011591d6f1af3ef3dae63f70c041a280d.exe	28
PID 3004 wrote to memory of 2924	3004	2484f414e608b586dfc92adeb580ad2011591d6f1af3ef3dae63f70c041a280d.exe	28
PID 3004 wrote to memory of 2924	3004	2484f414e608b586dfc92adeb580ad2011591d6f1af3ef3dae63f70c041a280d.exe	28
PID 2924 wrote to memory of 2848	2924	Nenobfak.exe	29
PID 2924 wrote to memory of 2848	2924	Nenobfak.exe	29
PID 2924 wrote to memory of 2848	2924	Nenobfak.exe	29
PID 2924 wrote to memory of 2848	2924	Nenobfak.exe	29
PID 2848 wrote to memory of 2672	2848	Nlhgoqhh.exe	30
PID 2848 wrote to memory of 2672	2848	Nlhgoqhh.exe	30
PID 2848 wrote to memory of 2672	2848	Nlhgoqhh.exe	30
PID 2848 wrote to memory of 2672	2848	Nlhgoqhh.exe	30

C:\Users\Admin\AppData\Local\Temp\2484f414e608b586dfc92adeb580ad2011591d6f1af3ef3dae63f70c041a280d.exe
"C:\Users\Admin\AppData\Local\Temp\2484f414e608b586dfc92adeb580ad2011591d6f1af3ef3dae63f70c041a280d.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\SysWOW64\Nenobfak.exe
  C:\Windows\system32\Nenobfak.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\SysWOW64\Nlhgoqhh.exe
    C:\Windows\system32\Nlhgoqhh.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 140
      4⤵
      Loads dropped DLL
      Program crash
      PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\Nenobfak.exe

Filesize
136KB

MD5
a77da612ca2f55a824d6d90114ae6126

SHA1
2b10d605b61f7b90e7c49bbf2a8c1f53ea003172

SHA256
76d4df43696798069d319c60ea89eb08099c22f23cb037dac82e528886255001

SHA512
0535780e904e635c1c7e0c87736b772c19c4e171d3ab1a6cd6c35b73f8b8725cc475c0eee3e6d92df6f58921eb344322d0a7c071bdf85afb8717b4253021d5fc

Download Submit
\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
136KB

MD5
8a8559d983c692bf4df15d495ff28db5

SHA1
ba5a726f14c403d828d5cc03c8ff7225b7970c29

SHA256
6ab182bacd9cea49a4d404fa5f1ad3c663d3ad5b3ebb1f216c8cba5994d74574

SHA512
792768e1c32913cfb102a6a179aec050efbeccb828c86d959a19513856dc0ee7475de5fe4d92390cda81463fc30453ebf1fcd757eccfa659a7f29a1212f75dc3

Download Submit
memory/2848-26-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2924-13-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2924-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3004-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3004-11-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/3004-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads