Analysis
max time kernel: 119s
max time network: 125s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 24-06-2024 03:52
Static task: static1
Behavioral task: behavioral1
  Sample: e2b18f47227923daffe75a7a8ff4955a3e903cbf25feb640182289f2e0f5a95b.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: e2b18f47227923daffe75a7a8ff4955a3e903cbf25feb640182289f2e0f5a95b.exe
  Resource: win10v2004-20240508-en
General
Target: e2b18f47227923daffe75a7a8ff4955a3e903cbf25feb640182289f2e0f5a95b.exe
Size: 89KB
MD5: b7fe9009c6403ce29d1f530bce5294e2
SHA1: 9f864cfeb7216a9d874e484e62f34c44d19c9d22
SHA256: e2b18f47227923daffe75a7a8ff4955a3e903cbf25feb640182289f2e0f5a95b
SHA512: cff41f046fa6266bda5341acd60e4d79ec447ae1d2bae352d4214dd16a8e9e20a5af66df99bfc5fee216ba55b9149e2264bc181c13fac66827e52cbe8609b5ff
SSDEEP: 1536:w+pYYQrQI4WQplUO6LtHJZ2IvT5QcfS+XaY8Bur6P5Drz+TcvlExkg8Fk:RKQIq4LtHmIvhSRZur6P5DriTcvlakgN
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 14 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Meppiblm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nckjkl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ndjfeo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ncpcfkbg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | e2b18f47227923daffe75a7a8ff4955a3e903cbf25feb640182289f2e0f5a95b.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nkpegi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ncpcfkbg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ndjfeo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Modkfi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Modkfi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Meppiblm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nkpegi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nckjkl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | e2b18f47227923daffe75a7a8ff4955a3e903cbf25feb640182289f2e0f5a95b.exe
Executes dropped EXE (7 IoCs)
pid | Process
2236 | Modkfi32.exe
2600 | Meppiblm.exe
2648 | Nkpegi32.exe
2316 | Nckjkl32.exe
2608 | Ndjfeo32.exe
2556 | Ncpcfkbg.exe
2940 | Nlhgoqhh.exe
Loads dropped DLL (18 IoCs)
pid | Process
2100 | e2b18f47227923daffe75a7a8ff4955a3e903cbf25feb640182289f2e0f5a95b.exe
2100 | e2b18f47227923daffe75a7a8ff4955a3e903cbf25feb640182289f2e0f5a95b.exe
2236 | Modkfi32.exe
2236 | Modkfi32.exe
2600 | Meppiblm.exe
2600 | Meppiblm.exe
2648 | Nkpegi32.exe
2648 | Nkpegi32.exe
2316 | Nckjkl32.exe
2316 | Nckjkl32.exe
2608 | Ndjfeo32.exe
2608 | Ndjfeo32.exe
2556 | Ncpcfkbg.exe
2556 | Ncpcfkbg.exe
520 | WerFault.exe
520 | WerFault.exe
520 | WerFault.exe
520 | WerFault.exe
Drops file in System32 directory (21 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Modkfi32.exe | e2b18f47227923daffe75a7a8ff4955a3e903cbf25feb640182289f2e0f5a95b.exe
File created | C:\Windows\SysWOW64\Iggbhk32.dll | e2b18f47227923daffe75a7a8ff4955a3e903cbf25feb640182289f2e0f5a95b.exe
File created | C:\Windows\SysWOW64\Ndjfeo32.exe | Nckjkl32.exe
File created | C:\Windows\SysWOW64\Kjbgng32.dll | Nckjkl32.exe
File opened for modification | C:\Windows\SysWOW64\Nlhgoqhh.exe | Ncpcfkbg.exe
File created | C:\Windows\SysWOW64\Meppiblm.exe | Modkfi32.exe
File opened for modification | C:\Windows\SysWOW64\Meppiblm.exe | Modkfi32.exe
File created | C:\Windows\SysWOW64\Lhajpc32.dll | Modkfi32.exe
File opened for modification | C:\Windows\SysWOW64\Nkpegi32.exe | Meppiblm.exe
File created | C:\Windows\SysWOW64\Nckjkl32.exe | Nkpegi32.exe
File created | C:\Windows\SysWOW64\Nkpegi32.exe | Meppiblm.exe
File opened for modification | C:\Windows\SysWOW64\Nckjkl32.exe | Nkpegi32.exe
File opened for modification | C:\Windows\SysWOW64\Ndjfeo32.exe | Nckjkl32.exe
File created | C:\Windows\SysWOW64\Pfdmil32.dll | Ndjfeo32.exe
File created | C:\Windows\SysWOW64\Nlhgoqhh.exe | Ncpcfkbg.exe
File created | C:\Windows\SysWOW64\Lamajm32.dll | Ncpcfkbg.exe
File created | C:\Windows\SysWOW64\Modkfi32.exe | e2b18f47227923daffe75a7a8ff4955a3e903cbf25feb640182289f2e0f5a95b.exe
File created | C:\Windows\SysWOW64\Afdignjb.dll | Meppiblm.exe
File created | C:\Windows\SysWOW64\Kcpnnfqg.dll | Nkpegi32.exe
File created | C:\Windows\SysWOW64\Ncpcfkbg.exe | Ndjfeo32.exe
File opened for modification | C:\Windows\SysWOW64\Ncpcfkbg.exe | Ndjfeo32.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
520 | 2940 | WerFault.exe | 34
Modifies registry class (24 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ndjfeo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Modkfi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nkpegi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcpnnfqg.dll" | Nkpegi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nkpegi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nckjkl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjbgng32.dll" | Nckjkl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nckjkl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ndjfeo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | e2b18f47227923daffe75a7a8ff4955a3e903cbf25feb640182289f2e0f5a95b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | e2b18f47227923daffe75a7a8ff4955a3e903cbf25feb640182289f2e0f5a95b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Modkfi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfdmil32.dll" | Ndjfeo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll" | Ncpcfkbg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ncpcfkbg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} | e2b18f47227923daffe75a7a8ff4955a3e903cbf25feb640182289f2e0f5a95b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iggbhk32.dll" | e2b18f47227923daffe75a7a8ff4955a3e903cbf25feb640182289f2e0f5a95b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | e2b18f47227923daffe75a7a8ff4955a3e903cbf25feb640182289f2e0f5a95b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Meppiblm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ncpcfkbg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | e2b18f47227923daffe75a7a8ff4955a3e903cbf25feb640182289f2e0f5a95b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhajpc32.dll" | Modkfi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Meppiblm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afdignjb.dll" | Meppiblm.exe
Suspicious use of WriteProcessMemory (32 IoCs)
description | pid | Process | procid_target
PID 2100 wrote to memory of 2236 | 2100 | e2b18f47227923daffe75a7a8ff4955a3e903cbf25feb640182289f2e0f5a95b.exe | 28
PID 2100 wrote to memory of 2236 | 2100 | e2b18f47227923daffe75a7a8ff4955a3e903cbf25feb640182289f2e0f5a95b.exe | 28
PID 2100 wrote to memory of 2236 | 2100 | e2b18f47227923daffe75a7a8ff4955a3e903cbf25feb640182289f2e0f5a95b.exe | 28
PID 2100 wrote to memory of 2236 | 2100 | e2b18f47227923daffe75a7a8ff4955a3e903cbf25feb640182289f2e0f5a95b.exe | 28
PID 2236 wrote to memory of 2600 | 2236 | Modkfi32.exe | 29
PID 2236 wrote to memory of 2600 | 2236 | Modkfi32.exe | 29
PID 2236 wrote to memory of 2600 | 2236 | Modkfi32.exe | 29
PID 2236 wrote to memory of 2600 | 2236 | Modkfi32.exe | 29
PID 2600 wrote to memory of 2648 | 2600 | Meppiblm.exe | 30
PID 2600 wrote to memory of 2648 | 2600 | Meppiblm.exe | 30
PID 2600 wrote to memory of 2648 | 2600 | Meppiblm.exe | 30
PID 2600 wrote to memory of 2648 | 2600 | Meppiblm.exe | 30
PID 2648 wrote to memory of 2316 | 2648 | Nkpegi32.exe | 31
PID 2648 wrote to memory of 2316 | 2648 | Nkpegi32.exe | 31
PID 2648 wrote to memory of 2316 | 2648 | Nkpegi32.exe | 31
PID 2648 wrote to memory of 2316 | 2648 | Nkpegi32.exe | 31
PID 2316 wrote to memory of 2608 | 2316 | Nckjkl32.exe | 32
PID 2316 wrote to memory of 2608 | 2316 | Nckjkl32.exe | 32
PID 2316 wrote to memory of 2608 | 2316 | Nckjkl32.exe | 32
PID 2316 wrote to memory of 2608 | 2316 | Nckjkl32.exe | 32
PID 2608 wrote to memory of 2556 | 2608 | Ndjfeo32.exe | 33
PID 2608 wrote to memory of 2556 | 2608 | Ndjfeo32.exe | 33
PID 2608 wrote to memory of 2556 | 2608 | Ndjfeo32.exe | 33
PID 2608 wrote to memory of 2556 | 2608 | Ndjfeo32.exe | 33
PID 2556 wrote to memory of 2940 | 2556 | Ncpcfkbg.exe | 34
PID 2556 wrote to memory of 2940 | 2556 | Ncpcfkbg.exe | 34
PID 2556 wrote to memory of 2940 | 2556 | Ncpcfkbg.exe | 34
PID 2556 wrote to memory of 2940 | 2556 | Ncpcfkbg.exe | 34
PID 2940 wrote to memory of 520 | 2940 | Nlhgoqhh.exe | 35
PID 2940 wrote to memory of 520 | 2940 | Nlhgoqhh.exe | 35
PID 2940 wrote to memory of 520 | 2940 | Nlhgoqhh.exe | 35
PID 2940 wrote to memory of 520 | 2940 | Nlhgoqhh.exe | 35
Processes (level = depth in the process tree; each process is a child of the one above it)
Level 1: C:\Users\Admin\AppData\Local\Temp\e2b18f47227923daffe75a7a8ff4955a3e903cbf25feb640182289f2e0f5a95b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e2b18f47227923daffe75a7a8ff4955a3e903cbf25feb640182289f2e0f5a95b.exe"
  PID: 2100
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
Level 2: C:\Windows\SysWOW64\Modkfi32.exe
  Command line: C:\Windows\system32\Modkfi32.exe
  PID: 2236
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
Level 3: C:\Windows\SysWOW64\Meppiblm.exe
  Command line: C:\Windows\system32\Meppiblm.exe
  PID: 2600
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
Level 4: C:\Windows\SysWOW64\Nkpegi32.exe
  Command line: C:\Windows\system32\Nkpegi32.exe
  PID: 2648
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
Level 5: C:\Windows\SysWOW64\Nckjkl32.exe
  Command line: C:\Windows\system32\Nckjkl32.exe
  PID: 2316
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
Level 6: C:\Windows\SysWOW64\Ndjfeo32.exe
  Command line: C:\Windows\system32\Ndjfeo32.exe
  PID: 2608
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
Level 7: C:\Windows\SysWOW64\Ncpcfkbg.exe
  Command line: C:\Windows\system32\Ncpcfkbg.exe
  PID: 2556
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
Level 8: C:\Windows\SysWOW64\Nlhgoqhh.exe
  Command line: C:\Windows\system32\Nlhgoqhh.exe
  PID: 2940
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Level 9: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 140
  PID: 520
  - Loads dropped DLL
  - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads