4dec4960d72b365d2cfaba4f55b0cd6fd789fbd99662e6639bdb8dc5d11b07ef

Analysis

max time kernel
141s
max time network
121s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
24/08/2024, 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4dec4960d72b365d2cfaba4f55b0cd6fd789fbd99662e6639bdb8dc5d11b07ef.exe
Size

64KB
MD5

71086e111572fb73e849404c5867879f
SHA1

6b79403ee8f5c10bba42636f82b4e5b2c84d62a1
SHA256

4dec4960d72b365d2cfaba4f55b0cd6fd789fbd99662e6639bdb8dc5d11b07ef
SHA512

03fa0d6350d3faf07e6fedc74ecc572542d4f0195b2ee482f77ba8d773fd6c4bf367e35b2242765bacbe3eee9bd27de2bc6954266dadfc70287dd8f96ff5decf
SSDEEP

1536:425e1Mcj7sidBW2zDR5NTT8zI4v4PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP3PPk:r5ebsiHlTT8zIZhsJuw2Bi

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	4dec4960d72b365d2cfaba4f55b0cd6fd789fbd99662e6639bdb8dc5d11b07ef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nahfkigd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmogpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggkipci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nifgekbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncnlnaim.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oemhjlha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oemhjlha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohkdfhge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohkdfhge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nahfkigd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggkipci.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nifgekbm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nldcagaq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npppaejj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4dec4960d72b365d2cfaba4f55b0cd6fd789fbd99662e6639bdb8dc5d11b07ef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlbgkgcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlbgkgcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npppaejj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmogpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nldcagaq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncnlnaim.exe

Executes dropped EXE 11 IoCs

pid	Process
2300	Nahfkigd.exe
2788	Nmogpj32.exe
2692	Nlbgkgcc.exe
2752	Nggkipci.exe
2624	Nifgekbm.exe
2700	Nldcagaq.exe
1504	Npppaejj.exe
1952	Ncnlnaim.exe
1128	Oemhjlha.exe
2980	Ohkdfhge.exe
2672	Opblgehg.exe

Loads dropped DLL 26 IoCs

pid	Process
1648	4dec4960d72b365d2cfaba4f55b0cd6fd789fbd99662e6639bdb8dc5d11b07ef.exe
1648	4dec4960d72b365d2cfaba4f55b0cd6fd789fbd99662e6639bdb8dc5d11b07ef.exe
2300	Nahfkigd.exe
2300	Nahfkigd.exe
2788	Nmogpj32.exe
2788	Nmogpj32.exe
2692	Nlbgkgcc.exe
2692	Nlbgkgcc.exe
2752	Nggkipci.exe
2752	Nggkipci.exe
2624	Nifgekbm.exe
2624	Nifgekbm.exe
2700	Nldcagaq.exe
2700	Nldcagaq.exe
1504	Npppaejj.exe
1504	Npppaejj.exe
1952	Ncnlnaim.exe
1952	Ncnlnaim.exe
1128	Oemhjlha.exe
1128	Oemhjlha.exe
2980	Ohkdfhge.exe
2980	Ohkdfhge.exe
2384	WerFault.exe
2384	WerFault.exe
2384	WerFault.exe
2384	WerFault.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dgbddi32.dll	Nahfkigd.exe
File created	C:\Windows\SysWOW64\Jdbmjldj.dll	Nmogpj32.exe
File created	C:\Windows\SysWOW64\Nldcagaq.exe	Nifgekbm.exe
File created	C:\Windows\SysWOW64\Nhcedjfb.dll	Ncnlnaim.exe
File opened for modification	C:\Windows\SysWOW64\Ohkdfhge.exe	Oemhjlha.exe
File opened for modification	C:\Windows\SysWOW64\Nahfkigd.exe	4dec4960d72b365d2cfaba4f55b0cd6fd789fbd99662e6639bdb8dc5d11b07ef.exe
File opened for modification	C:\Windows\SysWOW64\Nlbgkgcc.exe	Nmogpj32.exe
File created	C:\Windows\SysWOW64\Nlbgkgcc.exe	Nmogpj32.exe
File created	C:\Windows\SysWOW64\Mmfmkf32.dll	Nifgekbm.exe
File opened for modification	C:\Windows\SysWOW64\Oemhjlha.exe	Ncnlnaim.exe
File opened for modification	C:\Windows\SysWOW64\Npppaejj.exe	Nldcagaq.exe
File created	C:\Windows\SysWOW64\Ahmjfimi.dll	Ohkdfhge.exe
File created	C:\Windows\SysWOW64\Gcnemg32.dll	Nlbgkgcc.exe
File created	C:\Windows\SysWOW64\Npppaejj.exe	Nldcagaq.exe
File opened for modification	C:\Windows\SysWOW64\Ncnlnaim.exe	Npppaejj.exe
File created	C:\Windows\SysWOW64\Oemhjlha.exe	Ncnlnaim.exe
File created	C:\Windows\SysWOW64\Ohkdfhge.exe	Oemhjlha.exe
File opened for modification	C:\Windows\SysWOW64\Opblgehg.exe	Ohkdfhge.exe
File created	C:\Windows\SysWOW64\Nggkipci.exe	Nlbgkgcc.exe
File created	C:\Windows\SysWOW64\Gcjajedk.dll	Npppaejj.exe
File created	C:\Windows\SysWOW64\Opblgehg.exe	Ohkdfhge.exe
File created	C:\Windows\SysWOW64\Pfknaf32.dll	4dec4960d72b365d2cfaba4f55b0cd6fd789fbd99662e6639bdb8dc5d11b07ef.exe
File opened for modification	C:\Windows\SysWOW64\Nggkipci.exe	Nlbgkgcc.exe
File created	C:\Windows\SysWOW64\Nifgekbm.exe	Nggkipci.exe
File opened for modification	C:\Windows\SysWOW64\Nldcagaq.exe	Nifgekbm.exe
File created	C:\Windows\SysWOW64\Ooicngen.dll	Nldcagaq.exe
File created	C:\Windows\SysWOW64\Blagna32.dll	Oemhjlha.exe
File created	C:\Windows\SysWOW64\Nahfkigd.exe	4dec4960d72b365d2cfaba4f55b0cd6fd789fbd99662e6639bdb8dc5d11b07ef.exe
File created	C:\Windows\SysWOW64\Nmogpj32.exe	Nahfkigd.exe
File opened for modification	C:\Windows\SysWOW64\Nmogpj32.exe	Nahfkigd.exe
File opened for modification	C:\Windows\SysWOW64\Nifgekbm.exe	Nggkipci.exe
File created	C:\Windows\SysWOW64\Jhjalgho.dll	Nggkipci.exe
File created	C:\Windows\SysWOW64\Ncnlnaim.exe	Npppaejj.exe

Program crash 1 IoCs

pid	pid_target	Process
2384	2672	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncnlnaim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohkdfhge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nahfkigd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmogpj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlbgkgcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggkipci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npppaejj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4dec4960d72b365d2cfaba4f55b0cd6fd789fbd99662e6639bdb8dc5d11b07ef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nifgekbm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nldcagaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oemhjlha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opblgehg.exe

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npppaejj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ohkdfhge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ohkdfhge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nifgekbm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	4dec4960d72b365d2cfaba4f55b0cd6fd789fbd99662e6639bdb8dc5d11b07ef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	4dec4960d72b365d2cfaba4f55b0cd6fd789fbd99662e6639bdb8dc5d11b07ef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nahfkigd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcnemg32.dll"	Nlbgkgcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncnlnaim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	4dec4960d72b365d2cfaba4f55b0cd6fd789fbd99662e6639bdb8dc5d11b07ef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nahfkigd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmogpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggkipci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmfmkf32.dll"	Nifgekbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncnlnaim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oemhjlha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oemhjlha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	4dec4960d72b365d2cfaba4f55b0cd6fd789fbd99662e6639bdb8dc5d11b07ef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahmjfimi.dll"	Ohkdfhge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmogpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlbgkgcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhjalgho.dll"	Nggkipci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nldcagaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooicngen.dll"	Nldcagaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcjajedk.dll"	Npppaejj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	4dec4960d72b365d2cfaba4f55b0cd6fd789fbd99662e6639bdb8dc5d11b07ef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlbgkgcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nifgekbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhcedjfb.dll"	Ncnlnaim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blagna32.dll"	Oemhjlha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbmjldj.dll"	Nmogpj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggkipci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nldcagaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npppaejj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfknaf32.dll"	4dec4960d72b365d2cfaba4f55b0cd6fd789fbd99662e6639bdb8dc5d11b07ef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgbddi32.dll"	Nahfkigd.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 2300	1648	4dec4960d72b365d2cfaba4f55b0cd6fd789fbd99662e6639bdb8dc5d11b07ef.exe	30
PID 1648 wrote to memory of 2300	1648	4dec4960d72b365d2cfaba4f55b0cd6fd789fbd99662e6639bdb8dc5d11b07ef.exe	30
PID 1648 wrote to memory of 2300	1648	4dec4960d72b365d2cfaba4f55b0cd6fd789fbd99662e6639bdb8dc5d11b07ef.exe	30
PID 1648 wrote to memory of 2300	1648	4dec4960d72b365d2cfaba4f55b0cd6fd789fbd99662e6639bdb8dc5d11b07ef.exe	30
PID 2300 wrote to memory of 2788	2300	Nahfkigd.exe	31
PID 2300 wrote to memory of 2788	2300	Nahfkigd.exe	31
PID 2300 wrote to memory of 2788	2300	Nahfkigd.exe	31
PID 2300 wrote to memory of 2788	2300	Nahfkigd.exe	31
PID 2788 wrote to memory of 2692	2788	Nmogpj32.exe	32
PID 2788 wrote to memory of 2692	2788	Nmogpj32.exe	32
PID 2788 wrote to memory of 2692	2788	Nmogpj32.exe	32
PID 2788 wrote to memory of 2692	2788	Nmogpj32.exe	32
PID 2692 wrote to memory of 2752	2692	Nlbgkgcc.exe	33
PID 2692 wrote to memory of 2752	2692	Nlbgkgcc.exe	33
PID 2692 wrote to memory of 2752	2692	Nlbgkgcc.exe	33
PID 2692 wrote to memory of 2752	2692	Nlbgkgcc.exe	33
PID 2752 wrote to memory of 2624	2752	Nggkipci.exe	34
PID 2752 wrote to memory of 2624	2752	Nggkipci.exe	34
PID 2752 wrote to memory of 2624	2752	Nggkipci.exe	34
PID 2752 wrote to memory of 2624	2752	Nggkipci.exe	34
PID 2624 wrote to memory of 2700	2624	Nifgekbm.exe	35
PID 2624 wrote to memory of 2700	2624	Nifgekbm.exe	35
PID 2624 wrote to memory of 2700	2624	Nifgekbm.exe	35
PID 2624 wrote to memory of 2700	2624	Nifgekbm.exe	35
PID 2700 wrote to memory of 1504	2700	Nldcagaq.exe	36
PID 2700 wrote to memory of 1504	2700	Nldcagaq.exe	36
PID 2700 wrote to memory of 1504	2700	Nldcagaq.exe	36
PID 2700 wrote to memory of 1504	2700	Nldcagaq.exe	36
PID 1504 wrote to memory of 1952	1504	Npppaejj.exe	37
PID 1504 wrote to memory of 1952	1504	Npppaejj.exe	37
PID 1504 wrote to memory of 1952	1504	Npppaejj.exe	37
PID 1504 wrote to memory of 1952	1504	Npppaejj.exe	37
PID 1952 wrote to memory of 1128	1952	Ncnlnaim.exe	38
PID 1952 wrote to memory of 1128	1952	Ncnlnaim.exe	38
PID 1952 wrote to memory of 1128	1952	Ncnlnaim.exe	38
PID 1952 wrote to memory of 1128	1952	Ncnlnaim.exe	38
PID 1128 wrote to memory of 2980	1128	Oemhjlha.exe	39
PID 1128 wrote to memory of 2980	1128	Oemhjlha.exe	39
PID 1128 wrote to memory of 2980	1128	Oemhjlha.exe	39
PID 1128 wrote to memory of 2980	1128	Oemhjlha.exe	39
PID 2980 wrote to memory of 2672	2980	Ohkdfhge.exe	40
PID 2980 wrote to memory of 2672	2980	Ohkdfhge.exe	40
PID 2980 wrote to memory of 2672	2980	Ohkdfhge.exe	40
PID 2980 wrote to memory of 2672	2980	Ohkdfhge.exe	40
PID 2672 wrote to memory of 2384	2672	Opblgehg.exe	41
PID 2672 wrote to memory of 2384	2672	Opblgehg.exe	41
PID 2672 wrote to memory of 2384	2672	Opblgehg.exe	41
PID 2672 wrote to memory of 2384	2672	Opblgehg.exe	41

C:\Users\Admin\AppData\Local\Temp\4dec4960d72b365d2cfaba4f55b0cd6fd789fbd99662e6639bdb8dc5d11b07ef.exe
"C:\Users\Admin\AppData\Local\Temp\4dec4960d72b365d2cfaba4f55b0cd6fd789fbd99662e6639bdb8dc5d11b07ef.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Windows\SysWOW64\Nahfkigd.exe
  C:\Windows\system32\Nahfkigd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\SysWOW64\Nmogpj32.exe
    C:\Windows\system32\Nmogpj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\SysWOW64\Nlbgkgcc.exe
      C:\Windows\system32\Nlbgkgcc.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Windows\SysWOW64\Nggkipci.exe
        
        C:\Windows\system32\Nggkipci.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2752
      - C:\Windows\SysWOW64\Nifgekbm.exe
        
        C:\Windows\system32\Nifgekbm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Nldcagaq.exe
        
        C:\Windows\system32\Nldcagaq.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\Npppaejj.exe
        
        C:\Windows\system32\Npppaejj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\Ncnlnaim.exe
        
        C:\Windows\system32\Ncnlnaim.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Oemhjlha.exe
        
        C:\Windows\system32\Oemhjlha.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\SysWOW64\Ohkdfhge.exe
        
        C:\Windows\system32\Ohkdfhge.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Opblgehg.exe
        
        C:\Windows\system32\Opblgehg.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 140
        13⤵
        Loads dropped DLL
        Program crash
        
        PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ncnlnaim.exe

Filesize
64KB

MD5
61893c5d3d4f11d50875ed704aa4f051

SHA1
adac9363ffd8a0b8024ae75170d9e5561c7c678b

SHA256
2a5d5720f27655bf518df117f956b78afcbf15cc66ee478391fb3229166e966c

SHA512
1c6966e0624568980db5928a4c72592c162ca321a258d88c708a5ba29152fcf630f4ec96d2dc28c4cda751b67f6db6019b7d9abce3ea31b5adb8e3b95e54dbaa

Download Submit
C:\Windows\SysWOW64\Nifgekbm.exe

Filesize
64KB

MD5
ecab4564e091b8ddb05c26e680decf80

SHA1
348d700716066e57c66b2472c08cb88abef77d0b

SHA256
8a5af6b2dabdc12c80215efaf7f494cd0369e5ac00517f73668d2eab7aaa7263

SHA512
1ad2919b47c4bff28eb29a1d90b379f57fd7ef47e47fc2e23f751be243ab6585c1013c36e3db84a0494a140a3448911aaf7a42b58edd1ba0167a563b3b302c1f

Download Submit
C:\Windows\SysWOW64\Nlbgkgcc.exe

Filesize
64KB

MD5
03b362484d1eff692ffd9279ac3e8693

SHA1
4e5811590a01239fdd929fe999b8b152e99b14ed

SHA256
90baec5bbb21be209e5dadc9632d8f9b74e8c799a3d7013e61487f98e71bdeac

SHA512
d4db4b152ec914dc955eee465d266e152e7c9cd8e272e7a7f3cc8d2ab8a11a1628bff7fd285adfa9055a4b88bdc1bb8d117980dac15f7a5737f2c8b2568e77a3

Download Submit
C:\Windows\SysWOW64\Nldcagaq.exe

Filesize
64KB

MD5
5a263276f818b55f3f6a493c329811c0

SHA1
d7ee574d8fa26abb7fc95f38b45660f544544abf

SHA256
c2a15bc7ba635b63b1e326535e9c07adbb8e03fc7ef47ab7b6daa3a0c2687847

SHA512
f9d2c71c52b76d46936e759a97d57b15338aa35cad2fafc059af4045e9502923923df7e44c8bb1a07a1b93b584ba825970d6f3dead9395db288e53b59f14c39a

Download Submit
C:\Windows\SysWOW64\Oemhjlha.exe

Filesize
64KB

MD5
7289f51b9ca20684a8e9a72959f65fb7

SHA1
a11708729a64a9b92714d3c0f006243e74d9f003

SHA256
c487824ddd5bf7ab403d61d6475fd202c6fe0ead77841fa1a91e2fbb746d3713

SHA512
2f5ab0d5404d0aaf810a9e16ee3d250c5df1bad157a89fb4ed83a9199104cf18e9385b0c1b61982d5abff3b26532421d73e7ed186f5ca6889a2becbdfebbfab2

Download Submit
C:\Windows\SysWOW64\Ohkdfhge.exe

Filesize
64KB

MD5
0a138a0e1612cb6884ed06f5b3c6a6f2

SHA1
501d9cde3bad17cd0679d529fa6d373cb1158c14

SHA256
247af2a10b81b9e45830415b7f6a71a74504217048de1e011ed01b53c5347e82

SHA512
3452b1e598ab9328df0139ade47471d2f55757137dbfaf46f1d7341156c0788b562b27d718f06142b19138e158ce19f1081b1d5f421344e5539d46bc1b470701

Download Submit
C:\Windows\SysWOW64\Opblgehg.exe

Filesize
64KB

MD5
be9223d522ae90659b282180b317015a

SHA1
6531340ffc4f4555883cf592cbd5e14ed0b0490a

SHA256
509aec68e36de4e878b9fff4f33fd5aadf355302fc0a8d523d8a9f7bdc986d65

SHA512
6f0262b8f45e39fcd5347c106e14c59fada7088e64c0e32ac09261d2ddf8e2b714773a92fc5beea4fd82517ff12e993e286378aaf96aba63a57a1385e6c867da

Download Submit
\Windows\SysWOW64\Nahfkigd.exe

Filesize
64KB

MD5
780b87fe72bbb5baa94a16bdec5a890c

SHA1
318a0338cb55877556ed7d11871b8826c3e78797

SHA256
f61f60d989709684ac1f4beedd310b2076e3a02c53909d71a359d31413d5695e

SHA512
5e64a6d1943cad1777d8805e47a0b999c8d9b7a5100297384e52a268544b36d85360fa189d6afd2acd69a790ad6042e0f9d1c24f1c8578d2e2ad169ce85e8d48

Download Submit
\Windows\SysWOW64\Nggkipci.exe

Filesize
64KB

MD5
109a39ae5e1b6bb46a76ff107014e6df

SHA1
8f77d214e7e8dfecf42f2715f4eea611a18a8864

SHA256
81333142420c7b39ba1d26ddee67e034588d03e0ddee9661e7b1af953087917b

SHA512
dc81907d01e5bf7a128506fb39bbf3349c1cb3544107069cf89e265a52bf9ae883691fe0cdce466a7d3f1671421e592756fdf9324147903f1c1a6e0a46333918

Download Submit
\Windows\SysWOW64\Nmogpj32.exe

Filesize
64KB

MD5
4d1a8189eedb76f9cb680a9570ffc4a3

SHA1
fa0a5823774c666567dfce9a463b1d4fec5b19d7

SHA256
e37994a2bddd4921030755f12437a44c795b606323954bddfb1cca09a3f6a5a3

SHA512
d4867f1ee9122dad40d1391550be50e7f3c3d00ff9f92dcca0490965ff1f7df68968bc456deb712af1f3c9b03936ca27ab95857758a13621cd067cacc9bab18a

Download Submit
\Windows\SysWOW64\Npppaejj.exe

Filesize
64KB

MD5
b033d6cd811d6f792183266a5515cc6a

SHA1
1ae5097d4d98e7d98bab3a6f1e334f3539880a06

SHA256
e763874832bb481560abc1c1ae6de3261535e81f99e46dcb04181cd4a1f3d1a5

SHA512
95a5f1b04a1f0439ad57f27cb90ffc852eaaa6fcc5edc58c5850a0f6f525f35c52481d9cef535b0864962802ffafdacafebc868bf7e6e5cb94036c653f06a0ee

Download Submit
memory/1128-137-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/1128-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1128-166-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1504-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1504-99-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1504-108-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1648-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1648-11-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1648-12-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1648-67-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1648-66-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1952-165-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1952-163-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1952-164-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1952-126-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2300-38-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2300-77-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2300-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2624-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2624-82-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2624-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2672-179-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2692-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2692-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2692-49-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2700-84-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-143-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2700-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-97-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2752-106-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2980-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2980-153-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2980-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads