950b4a84776ead19c3b3c63ff57f203f9027aa8bf6e55360137827e8be144eac

Analysis

max time kernel
51s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2024, 23:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

950b4a84776ead19c3b3c63ff57f203f9027aa8bf6e55360137827e8be144eac.exe
Size

456KB
MD5

566fcd538341902ddc5ff37fbe321536
SHA1

748006825c3c4b2b624f386fbe3c6f552e6cd677
SHA256

950b4a84776ead19c3b3c63ff57f203f9027aa8bf6e55360137827e8be144eac
SHA512

aee8e07f023793e6b107992457171aee6d88616691daf2d0abd12543b5ed2244364d16850312e39da30daa589108dcddc3e856470f3f5a1d7def46f65c7863ea
SSDEEP

12288:M5Mt5YYwIKfDy/phgeczlqczZd7LFB3oFHoGnFjVZnykJGvpHGdm:+MtzwFfDy/phgeczlqczZd7LFB3oFHop

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	950b4a84776ead19c3b3c63ff57f203f9027aa8bf6e55360137827e8be144eac.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	950b4a84776ead19c3b3c63ff57f203f9027aa8bf6e55360137827e8be144eac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe

Executes dropped EXE 12 IoCs

pid	Process
4896	Mcbahlip.exe
4932	Ndbnboqb.exe
4540	Njogjfoj.exe
4444	Nkncdifl.exe
4276	Nqklmpdd.exe
116	Ngedij32.exe
4888	Nkqpjidj.exe
1092	Nnolfdcn.exe
4416	Nbkhfc32.exe
2100	Ncldnkae.exe
1180	Nggqoj32.exe
3452	Nkcmohbg.exe

Drops file in System32 directory 36 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	950b4a84776ead19c3b3c63ff57f203f9027aa8bf6e55360137827e8be144eac.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	950b4a84776ead19c3b3c63ff57f203f9027aa8bf6e55360137827e8be144eac.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Nggqoj32.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	950b4a84776ead19c3b3c63ff57f203f9027aa8bf6e55360137827e8be144eac.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nbkhfc32.exe

Program crash 1 IoCs

pid	pid_target	Process
844	3452	WerFault.exe

Modifies registry class 39 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	950b4a84776ead19c3b3c63ff57f203f9027aa8bf6e55360137827e8be144eac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	950b4a84776ead19c3b3c63ff57f203f9027aa8bf6e55360137827e8be144eac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	950b4a84776ead19c3b3c63ff57f203f9027aa8bf6e55360137827e8be144eac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	950b4a84776ead19c3b3c63ff57f203f9027aa8bf6e55360137827e8be144eac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	950b4a84776ead19c3b3c63ff57f203f9027aa8bf6e55360137827e8be144eac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	950b4a84776ead19c3b3c63ff57f203f9027aa8bf6e55360137827e8be144eac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggqoj32.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3912 wrote to memory of 4896	3912	950b4a84776ead19c3b3c63ff57f203f9027aa8bf6e55360137827e8be144eac.exe	81
PID 3912 wrote to memory of 4896	3912	950b4a84776ead19c3b3c63ff57f203f9027aa8bf6e55360137827e8be144eac.exe	81
PID 3912 wrote to memory of 4896	3912	950b4a84776ead19c3b3c63ff57f203f9027aa8bf6e55360137827e8be144eac.exe	81
PID 4896 wrote to memory of 4932	4896	Mcbahlip.exe	82
PID 4896 wrote to memory of 4932	4896	Mcbahlip.exe	82
PID 4896 wrote to memory of 4932	4896	Mcbahlip.exe	82
PID 4932 wrote to memory of 4540	4932	Ndbnboqb.exe	83
PID 4932 wrote to memory of 4540	4932	Ndbnboqb.exe	83
PID 4932 wrote to memory of 4540	4932	Ndbnboqb.exe	83
PID 4540 wrote to memory of 4444	4540	Njogjfoj.exe	84
PID 4540 wrote to memory of 4444	4540	Njogjfoj.exe	84
PID 4540 wrote to memory of 4444	4540	Njogjfoj.exe	84
PID 4444 wrote to memory of 4276	4444	Nkncdifl.exe	85
PID 4444 wrote to memory of 4276	4444	Nkncdifl.exe	85
PID 4444 wrote to memory of 4276	4444	Nkncdifl.exe	85
PID 4276 wrote to memory of 116	4276	Nqklmpdd.exe	86
PID 4276 wrote to memory of 116	4276	Nqklmpdd.exe	86
PID 4276 wrote to memory of 116	4276	Nqklmpdd.exe	86
PID 116 wrote to memory of 4888	116	Ngedij32.exe	87
PID 116 wrote to memory of 4888	116	Ngedij32.exe	87
PID 116 wrote to memory of 4888	116	Ngedij32.exe	87
PID 4888 wrote to memory of 1092	4888	Nkqpjidj.exe	88
PID 4888 wrote to memory of 1092	4888	Nkqpjidj.exe	88
PID 4888 wrote to memory of 1092	4888	Nkqpjidj.exe	88
PID 1092 wrote to memory of 4416	1092	Nnolfdcn.exe	90
PID 1092 wrote to memory of 4416	1092	Nnolfdcn.exe	90
PID 1092 wrote to memory of 4416	1092	Nnolfdcn.exe	90
PID 4416 wrote to memory of 2100	4416	Nbkhfc32.exe	91
PID 4416 wrote to memory of 2100	4416	Nbkhfc32.exe	91
PID 4416 wrote to memory of 2100	4416	Nbkhfc32.exe	91
PID 2100 wrote to memory of 1180	2100	Ncldnkae.exe	92
PID 2100 wrote to memory of 1180	2100	Ncldnkae.exe	92
PID 2100 wrote to memory of 1180	2100	Ncldnkae.exe	92
PID 1180 wrote to memory of 3452	1180	Nggqoj32.exe	93
PID 1180 wrote to memory of 3452	1180	Nggqoj32.exe	93
PID 1180 wrote to memory of 3452	1180	Nggqoj32.exe	93

C:\Users\Admin\AppData\Local\Temp\950b4a84776ead19c3b3c63ff57f203f9027aa8bf6e55360137827e8be144eac.exe
"C:\Users\Admin\AppData\Local\Temp\950b4a84776ead19c3b3c63ff57f203f9027aa8bf6e55360137827e8be144eac.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3912
- C:\Windows\SysWOW64\Mcbahlip.exe
  C:\Windows\system32\Mcbahlip.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Windows\SysWOW64\Ndbnboqb.exe
    C:\Windows\system32\Ndbnboqb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4932
  - - C:\Windows\SysWOW64\Njogjfoj.exe
      C:\Windows\system32\Njogjfoj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4540
    - - C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4444
      - C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        13⤵
        Executes dropped EXE
        
        PID:3452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 400
        14⤵
        Program crash
        
        PID:844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3452 -ip 3452
1⤵
PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
456KB

MD5
2e567c526242d3703e9fb0510edbbe44

SHA1
328c49d9b6f081179abc2c1d8bbfd7ef4e328684

SHA256
8178c1bd1855568204c5a717d128b561e152b1460ad1c114e11185703609cbce

SHA512
a2e7dedde2090ce0d23638ea1ccfa1c76236526b19511c2aa89365129f5bff3ccbd797c7f65ad21239987452cafb14675037d28ffc1bb0f0d4f5beda328a4df1

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
456KB

MD5
32f608b35f3ab170de02f79637a5ceb5

SHA1
6dcce465ebd6bb607298bf3e86b769fb33b96547

SHA256
5389ab7db5ed66bda80f0f66848b2eae7db867634529fd1d3cfd909a68603188

SHA512
1a2786dca890a6788b56123bce05e910d0722f7913685ffc6de87305425e938ae1fde6499048b0313b0e3c9be96521c84b9ba1f7f42ab2cf58b61b5af777b5b8

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
456KB

MD5
c0a1e834f30923cc1ac63cadbd535226

SHA1
c5b52703d9d81114068eee46184e07153913c93f

SHA256
8251c38fb5fa8a40608e63ba837324bb782e56d6941dedb6917f1d763d05ba25

SHA512
bf7ccf3a0277c567e32eb15a97201dc5704bb3431cbc91a0229279d450c8a65781497e663d18cf202246b7263cc46d3f14cace915ed24e50b0d59507aa8c44b5

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
456KB

MD5
ce5bd30d82ae1e7f4ea4a7767d71a1d9

SHA1
cbfec9e1961d2771025cc01b85645f534be92f55

SHA256
94d60a1da41f224c865732e4728d2ecc439253dcdebc60b09673baaf2aa0f6e2

SHA512
c57f60e167675140c7535a9f3e4fbb6dd01bd0508b3e252bd22796aadc023a451ae466e82f5b5f43bf3cafa8369a17b9b08bdc3743ec8e6666a54137ec3fe096

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
456KB

MD5
17aa705f0a5fd2a2e57e06c09eacac6c

SHA1
4f9eca6038991f55614176db3f52c0522381d40c

SHA256
6ceccd8093ef1d7ebf63b46996f132f3480cb93b79f965571d84484f1ec7a040

SHA512
58ca4e7c6534c121074b1a95b1e0180d34a98e8097d8dc4f20a63e8ea5ff1ced35a3d52f9209d9cde91a6121ee7754fc60d9a38ad70ab603036caaf978380f92

Download Submit
C:\Windows\SysWOW64\Nggqoj32.exe

Filesize
456KB

MD5
51d740e5582b8dd68110d105c128cdad

SHA1
fbc5ed797e10ebff966c3f564c0ed714e1092f7c

SHA256
a3eff60456fe76074496f9e2d27dc5b2aaa6ed78a62aa4ef390e0a35e6b7f7b6

SHA512
aac7b2d97638b3c9c0e362ef1c846aedea3d58425f6f4b7de2741a409fceac75d77e4bb36cb15660808d52de59386e7b5839c207c4ce376c3ba011fd00961e60

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
456KB

MD5
47d160a38ff86a27118536749d925d42

SHA1
5289d3290ccf380505dd822ff183df4428ef49ef

SHA256
52ce6458d37dda4ac45803123648dd1bf058a8c92f62908ad7e61cd204dfad3e

SHA512
e53661f6bab7e310594ae780606364761a0f60bb2569707b35ab8db9f6de4f3ef5dc4212a2863593fb7b96a945a4bf56cbd53f1252d90aef98a1aaa0e2ee9776

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
456KB

MD5
d5e3e3d93c2a48d681d0d715a96075c3

SHA1
575652e18083fe6d668512265a00cced8466ac7e

SHA256
a341b3d95ef935b548bdcd23d7873785c2ad2864674f51cc3779bd680da94022

SHA512
df4b71569e2085030e8170fc7ecf4976a3053fe3eeea4c98c7d5c793810c548489c94b0cac2d84680c9a27533a849ea7b1dbc97bb940ade8a8306c5fb4cc6ef6

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
456KB

MD5
c81219979836c0fa9e185b0b0d107465

SHA1
bc83816aafdd8acd8698808e3c230aa2da3cee4c

SHA256
2631d4aa89ec6508ec18a9c9fc69e7b2699aa4abdeec6b0ac8d64b6c787b5b6a

SHA512
401f147c302aef8bd1232a0946e3eb32814c44b9625347ffa13ecd2efbadbcf4f86ff679a2ab0edbb3fde44316b776e4acdfe1b13cf8ac2bc32b2be484474bf8

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
456KB

MD5
c61677b20db7e18effa6268940cd54ef

SHA1
a8e935532b54791acd2b2bbb8241a34ea451d08f

SHA256
3bc7a77cfaa35bdfcdcac1aa8ffa005c60e9048eb03568442082a381bc8a41ac

SHA512
03bd9a11d83578a7e0cecbe19ff4b7da0e9023f1f983d5a663f276fdf890c3774ef2d6b2c52580f6fb20d6b1a8da73027cc72a336191c811446abdd27abaf94e

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
456KB

MD5
388ad8e3ba1390d36699e604b68fa87a

SHA1
c38cf09af5347423f06cedc89e395ab4b3ec5c4e

SHA256
56a64bd1a4b86f2770193e90eb564adfdfd3c8ec13496cedb4aeaa6195d1cdcc

SHA512
21caa6513c0ce195cc1d55c203788e17c69d1332980e4591042b8c806744ac1742c4e73e1e9dedd31fe1401184de92a6145df9143c616a3908c7512df3d97d71

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
456KB

MD5
0907745791cfb5896eecf0ac90109917

SHA1
db0db8ae3644a3092ba0cc00a145b92945b8ecb0

SHA256
a7e43fd34aa6a9c2e758bcdd31ad7a508625622336f4d098d2d7d6e596032fc9

SHA512
6f01c8986e140eb04b2f5b4ae11bc22a08168b4faab16b074cf14d860054e5a16ed8cd54fd0d584556b103d2ff3d859df4bcb36eb097b6fc397a1a26f4bd0b5b

Download Submit
memory/116-61-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1092-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1092-103-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1180-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2100-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3452-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3912-116-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3912-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3912-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4276-107-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4276-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4416-94-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4444-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-110-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4888-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads