86d523ec1a0ad3d1c69434b5bd6897134598169f0fe8e09c2423c5a9e81170f2

General

Target

86d523ec1a0ad3d1c69434b5bd6897134598169f0fe8e09c2423c5a9e81170f2.exe
Size

64KB
MD5

68a42153119b720483e4448508dc4929
SHA1

31d9febfcb4c61755a037fd7e0e4afb158f9c3c2
SHA256

86d523ec1a0ad3d1c69434b5bd6897134598169f0fe8e09c2423c5a9e81170f2
SHA512

12631af935fd112c87ad8c3fb4054e77b8bccab2104b265aff035fd0781f9b288ffdacd1060650bedaf23d2e331d4715f06ac670348b3fdf5c55eb3dad27aeae
SSDEEP

1536:TNMgRboyEPxV6HYRWX4VUXruCHcpzt/Idn:55hEEYRgqpFwn

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	86d523ec1a0ad3d1c69434b5bd6897134598169f0fe8e09c2423c5a9e81170f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	86d523ec1a0ad3d1c69434b5bd6897134598169f0fe8e09c2423c5a9e81170f2.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe

Executes dropped EXE 2 IoCs

pid	Process
2964	Ndidbn32.exe
836	Nkcmohbg.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	86d523ec1a0ad3d1c69434b5bd6897134598169f0fe8e09c2423c5a9e81170f2.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	86d523ec1a0ad3d1c69434b5bd6897134598169f0fe8e09c2423c5a9e81170f2.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	86d523ec1a0ad3d1c69434b5bd6897134598169f0fe8e09c2423c5a9e81170f2.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4388	836	WerFault.exe	84

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	86d523ec1a0ad3d1c69434b5bd6897134598169f0fe8e09c2423c5a9e81170f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	86d523ec1a0ad3d1c69434b5bd6897134598169f0fe8e09c2423c5a9e81170f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	86d523ec1a0ad3d1c69434b5bd6897134598169f0fe8e09c2423c5a9e81170f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	86d523ec1a0ad3d1c69434b5bd6897134598169f0fe8e09c2423c5a9e81170f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	86d523ec1a0ad3d1c69434b5bd6897134598169f0fe8e09c2423c5a9e81170f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	86d523ec1a0ad3d1c69434b5bd6897134598169f0fe8e09c2423c5a9e81170f2.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 2964	1160	86d523ec1a0ad3d1c69434b5bd6897134598169f0fe8e09c2423c5a9e81170f2.exe	83
PID 1160 wrote to memory of 2964	1160	86d523ec1a0ad3d1c69434b5bd6897134598169f0fe8e09c2423c5a9e81170f2.exe	83
PID 1160 wrote to memory of 2964	1160	86d523ec1a0ad3d1c69434b5bd6897134598169f0fe8e09c2423c5a9e81170f2.exe	83
PID 2964 wrote to memory of 836	2964	Ndidbn32.exe	84
PID 2964 wrote to memory of 836	2964	Ndidbn32.exe	84
PID 2964 wrote to memory of 836	2964	Ndidbn32.exe	84

C:\Users\Admin\AppData\Local\Temp\86d523ec1a0ad3d1c69434b5bd6897134598169f0fe8e09c2423c5a9e81170f2.exe
"C:\Users\Admin\AppData\Local\Temp\86d523ec1a0ad3d1c69434b5bd6897134598169f0fe8e09c2423c5a9e81170f2.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Windows\SysWOW64\Ndidbn32.exe
  C:\Windows\system32\Ndidbn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\SysWOW64\Nkcmohbg.exe
    C:\Windows\system32\Nkcmohbg.exe
    3⤵
    - Executes dropped EXE
    PID:836
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 836 -s 400
      4⤵
      Program crash
      PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 836 -ip 836
1⤵
PID:3948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
64KB

MD5
27481eb598cd8c560f89d0d2dab16f0d

SHA1
2cc0c157e4dbb745143fa847fde407aa2c8a1e8d

SHA256
8fc2a2e0e12e28e5778e0bddfb1d70cdd41705b6ee58cc56aaff4063ebd63314

SHA512
76d8e14f8005ad360cdde770a4678934474b5259649870073c628326776f54047de847f1a84274102c82462d9bd1182e121dcb0dbe662229c0dde1e38fdcaa39

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
64KB

MD5
fd6336188ebca14c009693ae1ac8b31e

SHA1
027d1cffc1f42f3e87e11b648390c434bca508c3

SHA256
3892b2e43a4e7853dec56e121c934941b131f8373298b8f808fd405fb61edbe6

SHA512
88370feec4033d166842d8ca07c93d7f4c56d92302275256cda089c08bbac4503ae4d0bf101e0d5e72e3c1a5e9594010d7f9b631f5d8feeec91cc00151af3486

Download Submit
memory/836-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/836-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1160-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1160-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2964-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2964-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads