64867e13c8eae6e3e35fcc37e0a443d8a0485f5ff85f063ac2051d5c8956f059

General

Target

64867e13c8eae6e3e35fcc37e0a443d8a0485f5ff85f063ac2051d5c8956f059.exe
Size

135KB
MD5

dee1abdbd2add3611e5a55909c9cc118
SHA1

c1df41d99f7e7208f6258cae987961823a18f305
SHA256

64867e13c8eae6e3e35fcc37e0a443d8a0485f5ff85f063ac2051d5c8956f059
SHA512

64d570026ba705661edd2b82a9632ca85a6b381d3c1c6ab015ecc8b185f42956b91eef8f7c62620a009bdf6196586aff42f52d057074e5786048d0096edc2c41
SSDEEP

3072:Q39/WsTE859W958mTIK8Qr5+ViKGe7Yfs0a0Uoi:QcswxTIK9cViK4fs0l

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	64867e13c8eae6e3e35fcc37e0a443d8a0485f5ff85f063ac2051d5c8956f059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	64867e13c8eae6e3e35fcc37e0a443d8a0485f5ff85f063ac2051d5c8956f059.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe

Executes dropped EXE 2 IoCs

pid	Process
4464	Ncldnkae.exe
4256	Nkcmohbg.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ncldnkae.exe	64867e13c8eae6e3e35fcc37e0a443d8a0485f5ff85f063ac2051d5c8956f059.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	64867e13c8eae6e3e35fcc37e0a443d8a0485f5ff85f063ac2051d5c8956f059.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	64867e13c8eae6e3e35fcc37e0a443d8a0485f5ff85f063ac2051d5c8956f059.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4528	4256	WerFault.exe	82

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	64867e13c8eae6e3e35fcc37e0a443d8a0485f5ff85f063ac2051d5c8956f059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	64867e13c8eae6e3e35fcc37e0a443d8a0485f5ff85f063ac2051d5c8956f059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	64867e13c8eae6e3e35fcc37e0a443d8a0485f5ff85f063ac2051d5c8956f059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	64867e13c8eae6e3e35fcc37e0a443d8a0485f5ff85f063ac2051d5c8956f059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	64867e13c8eae6e3e35fcc37e0a443d8a0485f5ff85f063ac2051d5c8956f059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	64867e13c8eae6e3e35fcc37e0a443d8a0485f5ff85f063ac2051d5c8956f059.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3564 wrote to memory of 4464	3564	64867e13c8eae6e3e35fcc37e0a443d8a0485f5ff85f063ac2051d5c8956f059.exe	81
PID 3564 wrote to memory of 4464	3564	64867e13c8eae6e3e35fcc37e0a443d8a0485f5ff85f063ac2051d5c8956f059.exe	81
PID 3564 wrote to memory of 4464	3564	64867e13c8eae6e3e35fcc37e0a443d8a0485f5ff85f063ac2051d5c8956f059.exe	81
PID 4464 wrote to memory of 4256	4464	Ncldnkae.exe	82
PID 4464 wrote to memory of 4256	4464	Ncldnkae.exe	82
PID 4464 wrote to memory of 4256	4464	Ncldnkae.exe	82

C:\Users\Admin\AppData\Local\Temp\64867e13c8eae6e3e35fcc37e0a443d8a0485f5ff85f063ac2051d5c8956f059.exe
"C:\Users\Admin\AppData\Local\Temp\64867e13c8eae6e3e35fcc37e0a443d8a0485f5ff85f063ac2051d5c8956f059.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3564
- C:\Windows\SysWOW64\Ncldnkae.exe
  C:\Windows\system32\Ncldnkae.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4464
- - C:\Windows\SysWOW64\Nkcmohbg.exe
    C:\Windows\system32\Nkcmohbg.exe
    3⤵
    - Executes dropped EXE
    PID:4256
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 416
      4⤵
      Program crash
      PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4256 -ip 4256
1⤵
PID:1112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
135KB

MD5
a92442bbb444c31ead8ea4d18fea2e5c

SHA1
cc8888cacbc8456fcfb03e960876bf76a155f221

SHA256
32203017eaa9ad73504ecea9a25036023fd453ef6127e6cdbbab91e7cdce29f4

SHA512
d8104b2daad492c65700c4b86cb0e29e894f52edcc39e19d62a5559bedae7abdc202fd8c438ce9e3fa41af264f089f7ac90501b256c76400f6a25d7e0a288c7a

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
135KB

MD5
f8088493cfb84edb08f1f0571ffeef2c

SHA1
682d1b5ba9062434be87168ca69111b9c9f320f0

SHA256
7a746b543840ee514d7202eacda184296c6c1af8970bebc35f75315a68f96591

SHA512
2771f2073106111ef16dd0bf1f37d106b99ef6c84d0a1fe5908a7409384424116cec7cfccc225798cafe9eb89cba486efe4eb29bb7d20c0b5650c9abbdcf0684

Download Submit
memory/3564-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3564-5-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/3564-20-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4256-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4256-18-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4464-9-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4464-19-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads