f959599edcaa078aabb81eeec99e772157220f0cf5107dd18f7070f637f22cf2

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 04:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f959599edcaa078aabb81eeec99e772157220f0cf5107dd18f7070f637f22cf2.exe
Size

100KB
MD5

b4fc689211acdba3aa47651fd571a06d
SHA1

44e0b212b84cda8c3ad9e1b6be5ebeda4dc8d73b
SHA256

f959599edcaa078aabb81eeec99e772157220f0cf5107dd18f7070f637f22cf2
SHA512

e16f92a05d514feb7de24b1613726f967a697d44d71612a27eb3e6948845671490ed8b9f3fdb1b1e647de0a94505aa721623440c52330b8447a33cbb70adeee2
SSDEEP

1536:MsLNGQvf1eN6RoAHJK1b79qT6KZZmZv/3L9gUFgblQQa3+om13XRzT:MKiNNApi7gT6I8v/7GWgb3a3+X13XRzT

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nodgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nodgel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lccdel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lccdel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Libicbma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Migbnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Magqncba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkbalifo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmapm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mencccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mholen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mholen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nibebfpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	f959599edcaa078aabb81eeec99e772157220f0cf5107dd18f7070f637f22cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Libicbma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpmapm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Migbnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mencccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncmfqkdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f959599edcaa078aabb81eeec99e772157220f0cf5107dd18f7070f637f22cf2.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Magqncba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nibebfpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkbalifo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncmfqkdj.exe

Executes dropped EXE 12 IoCs

pid	Process
2576	Lccdel32.exe
2748	Libicbma.exe
1304	Mpmapm32.exe
2572	Migbnb32.exe
2556	Mencccop.exe
2468	Mholen32.exe
768	Magqncba.exe
2684	Nibebfpl.exe
2144	Nkbalifo.exe
2424	Ncmfqkdj.exe
3064	Nodgel32.exe
1280	Nlhgoqhh.exe

Loads dropped DLL 28 IoCs

pid	Process
2852	f959599edcaa078aabb81eeec99e772157220f0cf5107dd18f7070f637f22cf2.exe
2852	f959599edcaa078aabb81eeec99e772157220f0cf5107dd18f7070f637f22cf2.exe
2576	Lccdel32.exe
2576	Lccdel32.exe
2748	Libicbma.exe
2748	Libicbma.exe
1304	Mpmapm32.exe
1304	Mpmapm32.exe
2572	Migbnb32.exe
2572	Migbnb32.exe
2556	Mencccop.exe
2556	Mencccop.exe
2468	Mholen32.exe
2468	Mholen32.exe
768	Magqncba.exe
768	Magqncba.exe
2684	Nibebfpl.exe
2684	Nibebfpl.exe
2144	Nkbalifo.exe
2144	Nkbalifo.exe
2424	Ncmfqkdj.exe
2424	Ncmfqkdj.exe
3064	Nodgel32.exe
3064	Nodgel32.exe
2552	WerFault.exe
2552	WerFault.exe
2552	WerFault.exe
2552	WerFault.exe

Drops file in System32 directory 36 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mholen32.exe	Mencccop.exe
File opened for modification	C:\Windows\SysWOW64\Ncmfqkdj.exe	Nkbalifo.exe
File created	C:\Windows\SysWOW64\Magqncba.exe	Mholen32.exe
File created	C:\Windows\SysWOW64\Elonamqm.dll	Mholen32.exe
File created	C:\Windows\SysWOW64\Mpmapm32.exe	Libicbma.exe
File created	C:\Windows\SysWOW64\Mencccop.exe	Migbnb32.exe
File opened for modification	C:\Windows\SysWOW64\Mencccop.exe	Migbnb32.exe
File created	C:\Windows\SysWOW64\Mholen32.exe	Mencccop.exe
File opened for modification	C:\Windows\SysWOW64\Magqncba.exe	Mholen32.exe
File created	C:\Windows\SysWOW64\Cnjgia32.dll	Ncmfqkdj.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Nodgel32.exe
File created	C:\Windows\SysWOW64\Kbelde32.dll	Lccdel32.exe
File created	C:\Windows\SysWOW64\Olahaplc.dll	Libicbma.exe
File created	C:\Windows\SysWOW64\Migbnb32.exe	Mpmapm32.exe
File created	C:\Windows\SysWOW64\Ncmfqkdj.exe	Nkbalifo.exe
File created	C:\Windows\SysWOW64\Fdbnmk32.dll	f959599edcaa078aabb81eeec99e772157220f0cf5107dd18f7070f637f22cf2.exe
File created	C:\Windows\SysWOW64\Gbdalp32.dll	Magqncba.exe
File opened for modification	C:\Windows\SysWOW64\Nkbalifo.exe	Nibebfpl.exe
File created	C:\Windows\SysWOW64\Kgdjgo32.dll	Nkbalifo.exe
File opened for modification	C:\Windows\SysWOW64\Lccdel32.exe	f959599edcaa078aabb81eeec99e772157220f0cf5107dd18f7070f637f22cf2.exe
File opened for modification	C:\Windows\SysWOW64\Mpmapm32.exe	Libicbma.exe
File created	C:\Windows\SysWOW64\Nodgel32.exe	Ncmfqkdj.exe
File opened for modification	C:\Windows\SysWOW64\Nodgel32.exe	Ncmfqkdj.exe
File created	C:\Windows\SysWOW64\Lccdel32.exe	f959599edcaa078aabb81eeec99e772157220f0cf5107dd18f7070f637f22cf2.exe
File opened for modification	C:\Windows\SysWOW64\Libicbma.exe	Lccdel32.exe
File created	C:\Windows\SysWOW64\Nldodg32.dll	Mencccop.exe
File opened for modification	C:\Windows\SysWOW64\Nibebfpl.exe	Magqncba.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nodgel32.exe
File created	C:\Windows\SysWOW64\Libicbma.exe	Lccdel32.exe
File opened for modification	C:\Windows\SysWOW64\Migbnb32.exe	Mpmapm32.exe
File created	C:\Windows\SysWOW64\Cpbplnnk.dll	Mpmapm32.exe
File created	C:\Windows\SysWOW64\Hendhe32.dll	Migbnb32.exe
File created	C:\Windows\SysWOW64\Nibebfpl.exe	Magqncba.exe
File created	C:\Windows\SysWOW64\Nkbalifo.exe	Nibebfpl.exe
File created	C:\Windows\SysWOW64\Eeejnlhc.dll	Nibebfpl.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nodgel32.exe

Program crash 1 IoCs

pid	pid_target	Process
2552	1280	WerFault.exe

Modifies registry class 39 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Libicbma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mencccop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncmfqkdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	f959599edcaa078aabb81eeec99e772157220f0cf5107dd18f7070f637f22cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpbplnnk.dll"	Mpmapm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nldodg32.dll"	Mencccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nibebfpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkbalifo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	f959599edcaa078aabb81eeec99e772157220f0cf5107dd18f7070f637f22cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mholen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nibebfpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdalp32.dll"	Magqncba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncmfqkdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nodgel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	f959599edcaa078aabb81eeec99e772157220f0cf5107dd18f7070f637f22cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	f959599edcaa078aabb81eeec99e772157220f0cf5107dd18f7070f637f22cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lccdel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Migbnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mholen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdbnmk32.dll"	f959599edcaa078aabb81eeec99e772157220f0cf5107dd18f7070f637f22cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Magqncba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnjgia32.dll"	Ncmfqkdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Libicbma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpmapm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mencccop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nodgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hendhe32.dll"	Migbnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Magqncba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgdjgo32.dll"	Nkbalifo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkbalifo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Nodgel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Migbnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elonamqm.dll"	Mholen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeejnlhc.dll"	Nibebfpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	f959599edcaa078aabb81eeec99e772157220f0cf5107dd18f7070f637f22cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lccdel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbelde32.dll"	Lccdel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olahaplc.dll"	Libicbma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpmapm32.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 2576	2852	f959599edcaa078aabb81eeec99e772157220f0cf5107dd18f7070f637f22cf2.exe	28
PID 2852 wrote to memory of 2576	2852	f959599edcaa078aabb81eeec99e772157220f0cf5107dd18f7070f637f22cf2.exe	28
PID 2852 wrote to memory of 2576	2852	f959599edcaa078aabb81eeec99e772157220f0cf5107dd18f7070f637f22cf2.exe	28
PID 2852 wrote to memory of 2576	2852	f959599edcaa078aabb81eeec99e772157220f0cf5107dd18f7070f637f22cf2.exe	28
PID 2576 wrote to memory of 2748	2576	Lccdel32.exe	29
PID 2576 wrote to memory of 2748	2576	Lccdel32.exe	29
PID 2576 wrote to memory of 2748	2576	Lccdel32.exe	29
PID 2576 wrote to memory of 2748	2576	Lccdel32.exe	29
PID 2748 wrote to memory of 1304	2748	Libicbma.exe	30
PID 2748 wrote to memory of 1304	2748	Libicbma.exe	30
PID 2748 wrote to memory of 1304	2748	Libicbma.exe	30
PID 2748 wrote to memory of 1304	2748	Libicbma.exe	30
PID 1304 wrote to memory of 2572	1304	Mpmapm32.exe	31
PID 1304 wrote to memory of 2572	1304	Mpmapm32.exe	31
PID 1304 wrote to memory of 2572	1304	Mpmapm32.exe	31
PID 1304 wrote to memory of 2572	1304	Mpmapm32.exe	31
PID 2572 wrote to memory of 2556	2572	Migbnb32.exe	32
PID 2572 wrote to memory of 2556	2572	Migbnb32.exe	32
PID 2572 wrote to memory of 2556	2572	Migbnb32.exe	32
PID 2572 wrote to memory of 2556	2572	Migbnb32.exe	32
PID 2556 wrote to memory of 2468	2556	Mencccop.exe	33
PID 2556 wrote to memory of 2468	2556	Mencccop.exe	33
PID 2556 wrote to memory of 2468	2556	Mencccop.exe	33
PID 2556 wrote to memory of 2468	2556	Mencccop.exe	33
PID 2468 wrote to memory of 768	2468	Mholen32.exe	34
PID 2468 wrote to memory of 768	2468	Mholen32.exe	34
PID 2468 wrote to memory of 768	2468	Mholen32.exe	34
PID 2468 wrote to memory of 768	2468	Mholen32.exe	34
PID 768 wrote to memory of 2684	768	Magqncba.exe	35
PID 768 wrote to memory of 2684	768	Magqncba.exe	35
PID 768 wrote to memory of 2684	768	Magqncba.exe	35
PID 768 wrote to memory of 2684	768	Magqncba.exe	35
PID 2684 wrote to memory of 2144	2684	Nibebfpl.exe	36
PID 2684 wrote to memory of 2144	2684	Nibebfpl.exe	36
PID 2684 wrote to memory of 2144	2684	Nibebfpl.exe	36
PID 2684 wrote to memory of 2144	2684	Nibebfpl.exe	36
PID 2144 wrote to memory of 2424	2144	Nkbalifo.exe	37
PID 2144 wrote to memory of 2424	2144	Nkbalifo.exe	37
PID 2144 wrote to memory of 2424	2144	Nkbalifo.exe	37
PID 2144 wrote to memory of 2424	2144	Nkbalifo.exe	37
PID 2424 wrote to memory of 3064	2424	Ncmfqkdj.exe	38
PID 2424 wrote to memory of 3064	2424	Ncmfqkdj.exe	38
PID 2424 wrote to memory of 3064	2424	Ncmfqkdj.exe	38
PID 2424 wrote to memory of 3064	2424	Ncmfqkdj.exe	38
PID 3064 wrote to memory of 1280	3064	Nodgel32.exe	39
PID 3064 wrote to memory of 1280	3064	Nodgel32.exe	39
PID 3064 wrote to memory of 1280	3064	Nodgel32.exe	39
PID 3064 wrote to memory of 1280	3064	Nodgel32.exe	39
PID 1280 wrote to memory of 2552	1280	Nlhgoqhh.exe	40
PID 1280 wrote to memory of 2552	1280	Nlhgoqhh.exe	40
PID 1280 wrote to memory of 2552	1280	Nlhgoqhh.exe	40
PID 1280 wrote to memory of 2552	1280	Nlhgoqhh.exe	40

C:\Users\Admin\AppData\Local\Temp\f959599edcaa078aabb81eeec99e772157220f0cf5107dd18f7070f637f22cf2.exe
"C:\Users\Admin\AppData\Local\Temp\f959599edcaa078aabb81eeec99e772157220f0cf5107dd18f7070f637f22cf2.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\SysWOW64\Lccdel32.exe
  C:\Windows\system32\Lccdel32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\SysWOW64\Libicbma.exe
    C:\Windows\system32\Libicbma.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\SysWOW64\Mpmapm32.exe
      C:\Windows\system32\Mpmapm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1304
    - - C:\Windows\SysWOW64\Migbnb32.exe
        
        C:\Windows\system32\Migbnb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2572
      - C:\Windows\SysWOW64\Mencccop.exe
        
        C:\Windows\system32\Mencccop.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Mholen32.exe
        
        C:\Windows\system32\Mholen32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\Magqncba.exe
        
        C:\Windows\system32\Magqncba.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SysWOW64\Nibebfpl.exe
        
        C:\Windows\system32\Nibebfpl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\Nkbalifo.exe
        
        C:\Windows\system32\Nkbalifo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\Ncmfqkdj.exe
        
        C:\Windows\system32\Ncmfqkdj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Nodgel32.exe
        
        C:\Windows\system32\Nodgel32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 140
        14⤵
        Loads dropped DLL
        Program crash
        
        PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hendhe32.dll

Filesize
7KB

MD5
fe03f88cb3802663b1ad97640cc388c5

SHA1
96bfe2f5ac49c58b6d731dd53ebb07dd7d4d61c1

SHA256
b5129194e0e059f7d711018c6cb816407b8e941e515f5db08d496b744b95458b

SHA512
14222c2421cc2db3e7ed050b5ac417512cdbf26079522876da390796b19fa4b04880401135bf16a6616d0714ff2c0207dac082d3eff53cdaa0d63807685ef7b4

Download Submit
C:\Windows\SysWOW64\Mpmapm32.exe

Filesize
100KB

MD5
c0d8abf463c338f9db4b987353203fb6

SHA1
d4fc682bdd52d0fc6de5021fd7ebe000ac5ffdd3

SHA256
70a539ad12c3f4fcfef8d99542f602ab120c91aa3309aead9995b8fcbfe4231c

SHA512
d4c2e2d5c8e20dd766265523c3e1b7189c2c57f557a065c4a43589c12702f6390266d3420ebb8fddfcdfb7ee0e2ef62f67dbf65f58366362426a64c2026bb250

Download Submit
C:\Windows\SysWOW64\Nkbalifo.exe

Filesize
100KB

MD5
559499cf0f90c74ed66a5f782751332a

SHA1
8235bdbb2bc7cb8fd9b75164bbf632aa075bf389

SHA256
c18e8cac2d4f73c52d94ca2da1ab99705ac0d9bb265c47609a3dffbb12034012

SHA512
77b9e7a37e42ae614bc399e3a4a5399f3c37ba744fb7cbb06d9ebd32218670b4a8427a2735052fa4b3398bbd90c003998de517733c4a52814d41419e87b45064

Download Submit
\Windows\SysWOW64\Lccdel32.exe

Filesize
100KB

MD5
8520e0b8910c09dd526c57773a13134f

SHA1
3c5ab402c4f57f3bf1a026fa3eb9e595af03cb89

SHA256
7175ba565227ddeb8f419f760821d37acb36728e06281f97606b0551986a3ca5

SHA512
da1b726dcb446d2bdd64c99a9b132273f97cc7b6be16254106dbe7396ad4d164a9e3010337c1b347537c4e3f51f33f14af89cd9061a7621c8e1d5993e27de1d8

Download Submit
\Windows\SysWOW64\Libicbma.exe

Filesize
100KB

MD5
006b19a9c0fba5d84976ce7212f2f158

SHA1
f469e924acbaab91ace7f3601cb5889d89c028c5

SHA256
69dd8462e9c9c5426efe63199ca3eeac8dcd97fc23cf64d9770cb3b044e6195e

SHA512
8f1d1974a6263da1925461eb765e9f8fcadff6edc166f5b2402b2d86231040a4c60cf1c46182dd0d5054ebb3488637ee8d7809b6e2ef1977753fb9a3e668ab49

Download Submit
\Windows\SysWOW64\Magqncba.exe

Filesize
100KB

MD5
9a30e03220bd54c3905c2c7a3c0a6ef4

SHA1
9cf103d3bd9c9e95d51f0bc92167235212201e55

SHA256
5c5eb305e7f2771269bff906462324a73b696d7596ee0d01bebcb6434f5adcc2

SHA512
7611efa748de4095624ecb510a7aaff3c68490874e2f0593b9e91cb49b7fd1d69da531f85b7c9035e870035ac9f7bd36fa34069d75c2bdf7921bcdc33dd18370

Download Submit
\Windows\SysWOW64\Mencccop.exe

Filesize
100KB

MD5
66608c991012a333447e86aff349a4df

SHA1
717cddf2f7c624f4c2b459e4e54e83610dbe8634

SHA256
532d69b1737a41fce153ae5218e457cb8261c11a982928721b11d3609fa19402

SHA512
d3ebc8fc5e40f32c2e837c91d5a0a420c0011064b259d2d4103b71f13dec63c22f601a5ea66aa44eb491a14abe06c899679546e251de79162e14172b46cd1949

Download Submit
\Windows\SysWOW64\Mholen32.exe

Filesize
100KB

MD5
4161477eedcab9c95a92b45e4bca7392

SHA1
4e16e6ecd9fc9f9a9f52c4f1e98ab7e159575758

SHA256
8757cc7b20a717222a133aff87030019b2e6e82445274db1098e3e423a97964b

SHA512
835b6cefefb92ee3d1ff6d6e3a87ac5ff3031b02483057561d03795eb03bbe39bb157caf24dc715c42ae4d999a26f460048705cece7ce745a683c85abc16cd45

Download Submit
\Windows\SysWOW64\Migbnb32.exe

Filesize
100KB

MD5
3f20938896b1a3b02f5bc97f63b48a07

SHA1
3a6afedef40d7de98631dbcf3e0d41ab3adac810

SHA256
568554c36612dacaa00db9144669cbc468094c5538e6a99cd9a11846d00372ff

SHA512
cb97a6a07baf2aa9aec814cabb395f321e7f002538896dc0c1a1fb27f6445962afca860c2c12fbb206a6de6cff2987e18df4dd9ef68e570a9233a4c32a73cffd

Download Submit
\Windows\SysWOW64\Ncmfqkdj.exe

Filesize
100KB

MD5
8e05fa297665b9f19614336d3bcd5c7c

SHA1
b1d24144873a96c6e41d65f5ba6423d3296893ca

SHA256
31f72a4b085fc3242c2349dfa27d689eddfc3860697b217a30826168d758a97d

SHA512
61273f479f2a9d1fc765d4125b56945eecfb30e3c7ab42205d99b9c071873455b204a3a6a0c5bc619de0b59392f71ead531279006cc3257ffb2887a59dfba7cf

Download Submit
\Windows\SysWOW64\Nibebfpl.exe

Filesize
100KB

MD5
6eca0b1161069c1b6c8e2d1432930e74

SHA1
dbf08e7da45091550c121e39d67675dacadd1513

SHA256
dd9eadebe8ab9934f66e15a49fba75f6ef76f5ffc986461440b73b83c7957ad1

SHA512
8159703f4dea6345fa840631ea2d6b76b08f564cf343f8706400db6108c1a169b5747bf64f8a6b370b02d9917af1961af1af02d6b1fe3dfe366590bbb93abc52

Download Submit
\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
100KB

MD5
a1add5192b825f99688345369e19c299

SHA1
03a9f62c7549de1d276cac3800e84d4d8916fd34

SHA256
7b9c3f20eca5d251993f8fc3dbc1cb0a1364f79a57f8aa5e0f87d3f8e0845b0f

SHA512
a28b3c9bef775d090b50e3b755be6d6d9bb9c6d44ef556e1ecdf21a85de56f2b17925af53ee39e9c406d479c4cbfed51fe4fab2f8ba9f841c7723d71ea99c659

Download Submit
\Windows\SysWOW64\Nodgel32.exe

Filesize
100KB

MD5
2e6cc94540dab0a7fe4ea176f87a20fb

SHA1
69677933108d273c540f02336b49e33f7cba01f1

SHA256
dda68162e87ca28f0830dc73338769fd8d11d1360d309e57cb3edb8d62919c29

SHA512
57a085cfb1d919f26c48eb251a5f17b471ec52769ea037a8c487de586cf0f690d0bd1c2bf0d377943379f3ab833890c087016fc0e0052c8a9ef19a54ea7aa560

Download Submit
memory/768-106-0x00000000002C0000-0x0000000000303000-memory.dmp

Filesize
268KB

Download
memory/768-94-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/768-171-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1280-160-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1304-167-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1304-39-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2144-129-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2144-173-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2144-121-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2424-142-0x00000000001B0000-0x00000000001F3000-memory.dmp

Filesize
268KB

Download
memory/2424-174-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2468-92-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2468-170-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2468-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2556-66-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2556-78-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2556-169-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2572-65-0x00000000002E0000-0x0000000000323000-memory.dmp

Filesize
268KB

Download
memory/2572-168-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2572-52-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2576-166-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2576-24-0x00000000001B0000-0x00000000001F3000-memory.dmp

Filesize
268KB

Download
memory/2684-115-0x00000000001B0000-0x00000000001F3000-memory.dmp

Filesize
268KB

Download
memory/2684-172-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2748-31-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2852-165-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2852-6-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2852-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3064-175-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads