486609f2da0b23ea0d4207c5ffb0e52069047fb6cf25fe4ee5ad60f848a4b679

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-09-2024 15:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec187112ab7cd11ccc5ed818a50bb7e0N.exe
Size

416KB
MD5

ec187112ab7cd11ccc5ed818a50bb7e0
SHA1

eb182fcbc5a51e09bfa6ac9c7272f5c00e981727
SHA256

486609f2da0b23ea0d4207c5ffb0e52069047fb6cf25fe4ee5ad60f848a4b679
SHA512

78398b68768c938c0c0a962a17e51fb8e8608270d5ff51ee699ef338d4041d488a7f1c926a90a8224482dc30952e01268e27f59cfa2ce8a4911facbbb0994202
SSDEEP

6144:mYUmemqVvUsORs+HLlD0rN2ZwVht740PP:2memq4HpoxsoP

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbfdaigg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ec187112ab7cd11ccc5ed818a50bb7e0N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laegiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbfdaigg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpjdjmfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Migbnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mofglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maedhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmpnhdfc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ec187112ab7cd11ccc5ed818a50bb7e0N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljmlbfhi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Migbnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maedhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Magqncba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Magqncba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmpnhdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npagjpcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljmlbfhi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpjdjmfp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbmjah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbmjah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mofglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laegiq32.exe

Executes dropped EXE 12 IoCs

pid	Process
2688	Laegiq32.exe
2836	Lbfdaigg.exe
2772	Ljmlbfhi.exe
2252	Lpjdjmfp.exe
596	Mbmjah32.exe
584	Migbnb32.exe
2568	Mofglh32.exe
2928	Maedhd32.exe
2516	Magqncba.exe
2800	Nmpnhdfc.exe
3044	Npagjpcd.exe
1720	Nlhgoqhh.exe

Loads dropped DLL 28 IoCs

pid	Process
2756	ec187112ab7cd11ccc5ed818a50bb7e0N.exe
2756	ec187112ab7cd11ccc5ed818a50bb7e0N.exe
2688	Laegiq32.exe
2688	Laegiq32.exe
2836	Lbfdaigg.exe
2836	Lbfdaigg.exe
2772	Ljmlbfhi.exe
2772	Ljmlbfhi.exe
2252	Lpjdjmfp.exe
2252	Lpjdjmfp.exe
596	Mbmjah32.exe
596	Mbmjah32.exe
584	Migbnb32.exe
584	Migbnb32.exe
2568	Mofglh32.exe
2568	Mofglh32.exe
2928	Maedhd32.exe
2928	Maedhd32.exe
2516	Magqncba.exe
2516	Magqncba.exe
2800	Nmpnhdfc.exe
2800	Nmpnhdfc.exe
3044	Npagjpcd.exe
3044	Npagjpcd.exe
1940	WerFault.exe
1940	WerFault.exe
1940	WerFault.exe
1940	WerFault.exe

Drops file in System32 directory 36 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Laegiq32.exe	ec187112ab7cd11ccc5ed818a50bb7e0N.exe
File created	C:\Windows\SysWOW64\Fjngcolf.dll	Lbfdaigg.exe
File created	C:\Windows\SysWOW64\Gkcfcoqm.dll	Ljmlbfhi.exe
File created	C:\Windows\SysWOW64\Migbnb32.exe	Mbmjah32.exe
File opened for modification	C:\Windows\SysWOW64\Nmpnhdfc.exe	Magqncba.exe
File created	C:\Windows\SysWOW64\Mahqjm32.dll	Nmpnhdfc.exe
File created	C:\Windows\SysWOW64\Ljmlbfhi.exe	Lbfdaigg.exe
File opened for modification	C:\Windows\SysWOW64\Ljmlbfhi.exe	Lbfdaigg.exe
File created	C:\Windows\SysWOW64\Mofglh32.exe	Migbnb32.exe
File created	C:\Windows\SysWOW64\Maedhd32.exe	Mofglh32.exe
File created	C:\Windows\SysWOW64\Macalohk.dll	Mofglh32.exe
File opened for modification	C:\Windows\SysWOW64\Lpjdjmfp.exe	Ljmlbfhi.exe
File opened for modification	C:\Windows\SysWOW64\Maedhd32.exe	Mofglh32.exe
File created	C:\Windows\SysWOW64\Magqncba.exe	Maedhd32.exe
File opened for modification	C:\Windows\SysWOW64\Npagjpcd.exe	Nmpnhdfc.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Npagjpcd.exe
File opened for modification	C:\Windows\SysWOW64\Magqncba.exe	Maedhd32.exe
File created	C:\Windows\SysWOW64\Lbfdaigg.exe	Laegiq32.exe
File created	C:\Windows\SysWOW64\Mbmjah32.exe	Lpjdjmfp.exe
File created	C:\Windows\SysWOW64\Cpbplnnk.dll	Mbmjah32.exe
File created	C:\Windows\SysWOW64\Elonamqm.dll	Maedhd32.exe
File created	C:\Windows\SysWOW64\Npagjpcd.exe	Nmpnhdfc.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Npagjpcd.exe
File created	C:\Windows\SysWOW64\Kacgbnfl.dll	Laegiq32.exe
File opened for modification	C:\Windows\SysWOW64\Mbmjah32.exe	Lpjdjmfp.exe
File opened for modification	C:\Windows\SysWOW64\Migbnb32.exe	Mbmjah32.exe
File opened for modification	C:\Windows\SysWOW64\Mofglh32.exe	Migbnb32.exe
File created	C:\Windows\SysWOW64\Ekebnbmn.dll	Migbnb32.exe
File opened for modification	C:\Windows\SysWOW64\Lbfdaigg.exe	Laegiq32.exe
File created	C:\Windows\SysWOW64\Lpjdjmfp.exe	Ljmlbfhi.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Npagjpcd.exe
File created	C:\Windows\SysWOW64\Laegiq32.exe	ec187112ab7cd11ccc5ed818a50bb7e0N.exe
File created	C:\Windows\SysWOW64\Aadlcdpk.dll	ec187112ab7cd11ccc5ed818a50bb7e0N.exe
File created	C:\Windows\SysWOW64\Njfppiho.dll	Lpjdjmfp.exe
File created	C:\Windows\SysWOW64\Nmpnhdfc.exe	Magqncba.exe
File created	C:\Windows\SysWOW64\Lmnppf32.dll	Magqncba.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1940	1720	WerFault.exe	41

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Migbnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbfdaigg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maedhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec187112ab7cd11ccc5ed818a50bb7e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbmjah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Magqncba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlhgoqhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laegiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljmlbfhi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpjdjmfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mofglh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmpnhdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npagjpcd.exe

Modifies registry class 39 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	ec187112ab7cd11ccc5ed818a50bb7e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aadlcdpk.dll"	ec187112ab7cd11ccc5ed818a50bb7e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Migbnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Macalohk.dll"	Mofglh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maedhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmnppf32.dll"	Magqncba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npagjpcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	ec187112ab7cd11ccc5ed818a50bb7e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kacgbnfl.dll"	Laegiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mbmjah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mofglh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmpnhdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	ec187112ab7cd11ccc5ed818a50bb7e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbfdaigg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljmlbfhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njfppiho.dll"	Lpjdjmfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmpnhdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjngcolf.dll"	Lbfdaigg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Migbnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mofglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maedhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mbmjah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Npagjpcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laegiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laegiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkcfcoqm.dll"	Ljmlbfhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpbplnnk.dll"	Mbmjah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Magqncba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbfdaigg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpjdjmfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpjdjmfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekebnbmn.dll"	Migbnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Magqncba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mahqjm32.dll"	Nmpnhdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	ec187112ab7cd11ccc5ed818a50bb7e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	ec187112ab7cd11ccc5ed818a50bb7e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljmlbfhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elonamqm.dll"	Maedhd32.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2688	2756	ec187112ab7cd11ccc5ed818a50bb7e0N.exe	30
PID 2756 wrote to memory of 2688	2756	ec187112ab7cd11ccc5ed818a50bb7e0N.exe	30
PID 2756 wrote to memory of 2688	2756	ec187112ab7cd11ccc5ed818a50bb7e0N.exe	30
PID 2756 wrote to memory of 2688	2756	ec187112ab7cd11ccc5ed818a50bb7e0N.exe	30
PID 2688 wrote to memory of 2836	2688	Laegiq32.exe	31
PID 2688 wrote to memory of 2836	2688	Laegiq32.exe	31
PID 2688 wrote to memory of 2836	2688	Laegiq32.exe	31
PID 2688 wrote to memory of 2836	2688	Laegiq32.exe	31
PID 2836 wrote to memory of 2772	2836	Lbfdaigg.exe	32
PID 2836 wrote to memory of 2772	2836	Lbfdaigg.exe	32
PID 2836 wrote to memory of 2772	2836	Lbfdaigg.exe	32
PID 2836 wrote to memory of 2772	2836	Lbfdaigg.exe	32
PID 2772 wrote to memory of 2252	2772	Ljmlbfhi.exe	33
PID 2772 wrote to memory of 2252	2772	Ljmlbfhi.exe	33
PID 2772 wrote to memory of 2252	2772	Ljmlbfhi.exe	33
PID 2772 wrote to memory of 2252	2772	Ljmlbfhi.exe	33
PID 2252 wrote to memory of 596	2252	Lpjdjmfp.exe	34
PID 2252 wrote to memory of 596	2252	Lpjdjmfp.exe	34
PID 2252 wrote to memory of 596	2252	Lpjdjmfp.exe	34
PID 2252 wrote to memory of 596	2252	Lpjdjmfp.exe	34
PID 596 wrote to memory of 584	596	Mbmjah32.exe	35
PID 596 wrote to memory of 584	596	Mbmjah32.exe	35
PID 596 wrote to memory of 584	596	Mbmjah32.exe	35
PID 596 wrote to memory of 584	596	Mbmjah32.exe	35
PID 584 wrote to memory of 2568	584	Migbnb32.exe	36
PID 584 wrote to memory of 2568	584	Migbnb32.exe	36
PID 584 wrote to memory of 2568	584	Migbnb32.exe	36
PID 584 wrote to memory of 2568	584	Migbnb32.exe	36
PID 2568 wrote to memory of 2928	2568	Mofglh32.exe	37
PID 2568 wrote to memory of 2928	2568	Mofglh32.exe	37
PID 2568 wrote to memory of 2928	2568	Mofglh32.exe	37
PID 2568 wrote to memory of 2928	2568	Mofglh32.exe	37
PID 2928 wrote to memory of 2516	2928	Maedhd32.exe	38
PID 2928 wrote to memory of 2516	2928	Maedhd32.exe	38
PID 2928 wrote to memory of 2516	2928	Maedhd32.exe	38
PID 2928 wrote to memory of 2516	2928	Maedhd32.exe	38
PID 2516 wrote to memory of 2800	2516	Magqncba.exe	39
PID 2516 wrote to memory of 2800	2516	Magqncba.exe	39
PID 2516 wrote to memory of 2800	2516	Magqncba.exe	39
PID 2516 wrote to memory of 2800	2516	Magqncba.exe	39
PID 2800 wrote to memory of 3044	2800	Nmpnhdfc.exe	40
PID 2800 wrote to memory of 3044	2800	Nmpnhdfc.exe	40
PID 2800 wrote to memory of 3044	2800	Nmpnhdfc.exe	40
PID 2800 wrote to memory of 3044	2800	Nmpnhdfc.exe	40
PID 3044 wrote to memory of 1720	3044	Npagjpcd.exe	41
PID 3044 wrote to memory of 1720	3044	Npagjpcd.exe	41
PID 3044 wrote to memory of 1720	3044	Npagjpcd.exe	41
PID 3044 wrote to memory of 1720	3044	Npagjpcd.exe	41
PID 1720 wrote to memory of 1940	1720	Nlhgoqhh.exe	42
PID 1720 wrote to memory of 1940	1720	Nlhgoqhh.exe	42
PID 1720 wrote to memory of 1940	1720	Nlhgoqhh.exe	42
PID 1720 wrote to memory of 1940	1720	Nlhgoqhh.exe	42

C:\Users\Admin\AppData\Local\Temp\ec187112ab7cd11ccc5ed818a50bb7e0N.exe
"C:\Users\Admin\AppData\Local\Temp\ec187112ab7cd11ccc5ed818a50bb7e0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\SysWOW64\Laegiq32.exe
  C:\Windows\system32\Laegiq32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\Lbfdaigg.exe
    C:\Windows\system32\Lbfdaigg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\SysWOW64\Ljmlbfhi.exe
      C:\Windows\system32\Ljmlbfhi.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2772
    - - C:\Windows\SysWOW64\Lpjdjmfp.exe
        
        C:\Windows\system32\Lpjdjmfp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2252
      - C:\Windows\SysWOW64\Mbmjah32.exe
        
        C:\Windows\system32\Mbmjah32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:596
        
        C:\Windows\SysWOW64\Migbnb32.exe
        
        C:\Windows\system32\Migbnb32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:584
        
        C:\Windows\SysWOW64\Mofglh32.exe
        
        C:\Windows\system32\Mofglh32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Maedhd32.exe
        
        C:\Windows\system32\Maedhd32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Magqncba.exe
        
        C:\Windows\system32\Magqncba.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\SysWOW64\Nmpnhdfc.exe
        
        C:\Windows\system32\Nmpnhdfc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Npagjpcd.exe
        
        C:\Windows\system32\Npagjpcd.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 140
        14⤵
        Loads dropped DLL
        Program crash
        
        PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Laegiq32.exe

Filesize
416KB

MD5
04c9bf18fad589a410f6949dfe6a04a4

SHA1
70c8a969dfe2c5c4a7c39dd2e8ed2cf4758a302b

SHA256
6baeeb42a32333d9aa1ebc2389391eb386e87a872ee59a507a3718793ec84a1b

SHA512
2925a470d40e616ebb613ba778bfec5e430172d20630fc22b26a47f3c328f240c90064089110a2bffe2dc32d1e25c66d48d7ab4cb2723ada44a5c2a794fa3ece

Download Submit
C:\Windows\SysWOW64\Lbfdaigg.exe

Filesize
416KB

MD5
fed3e824bbba415dfc80e2776d1f7637

SHA1
25541208f5916ee5797e65e739196c12775d383b

SHA256
46f20638c1452da22b2ecd2cdf870bb6ff05286896385224a7692f526e7b0bf3

SHA512
3079a467f74fc0ddc0bafcc2137ae436338ae9d830168efcc7d818cf0c90acf55ef260b0e63f17db247b44e4a58e8d8008f4bdfbadc0e40dabc81c19cd9cbf81

Download Submit
C:\Windows\SysWOW64\Ljmlbfhi.exe

Filesize
416KB

MD5
541abf10ca9cf5b9b41810eb5fccbfde

SHA1
ef83a974147953226a095f44a896c313e53d10cc

SHA256
02aaed479ff16b3aa1dbb7d60c41ac2e968395dfe1a68e2d86a5a8e27872737a

SHA512
5455dca4e54b440710a3760f54f548a01f8f0e25c8aa2aa2ee82dce21d30a5e3e950841a94fcc323dae964d20b6c926ec373c34dfe7e051600803966ce0aaa6b

Download Submit
C:\Windows\SysWOW64\Migbnb32.exe

Filesize
416KB

MD5
d0e031d54f844df1fa7c1412a3335117

SHA1
0de1166a8a17df32ee1190fb98d5e69a9dcadf2e

SHA256
bb14eff5d1bdc73b8414d4f1947e2603e1b8cc6c3f449558ed667b4c209a1e9e

SHA512
bd071e389d47f9e79762dc4a87b0b4511035b9c37ed3795e21892c30a71fdac94155d43a4119b93f5637dbad4d47872ac28632f5775260c1aa104b3dbfa7f3ce

Download Submit
\Windows\SysWOW64\Lpjdjmfp.exe

Filesize
416KB

MD5
978cc9e28669c032557b4021f206e5f7

SHA1
34b8937d5d6f76cf131d2581b21273abbe08495b

SHA256
65c8bedfef8067b6e7ba5137dc48a89a10ce4f53521114648296e1e29027c6f0

SHA512
7583d2f57a73235a9a65625252acd55b189732ea4404af067126a8da5a486ba6235ea5c82f59b42433fbe69ec0a939d8c0fdb03330bbf5a3ecc3caabc2d085e6

Download Submit
\Windows\SysWOW64\Maedhd32.exe

Filesize
416KB

MD5
4f63a4e25413951d0225870291ec572a

SHA1
329f9d606c1b28bb1667144a6121c449ab8e1bef

SHA256
0404e9c116ed055352899d6aa4a0a05031b42f354df71812c57adf9ef92ee580

SHA512
6b94d9edf976e82b21ffbd3a4fce7fa530f701e60e7728efb5dcc0e1ac8937bce284962235425dc8a4c81549f7ed681c066909f5f606d9d0bfcd9282fc81c525

Download Submit
\Windows\SysWOW64\Magqncba.exe

Filesize
416KB

MD5
e1c716bba3f18fd95769ee6b3914373f

SHA1
bce2663cf43b7063ced21cce03b5c2fe289b0d5e

SHA256
c0178f6fa23fc6a7b701bafffbb5d9aba6d504d764a21cd9b107d9882f1c8a8f

SHA512
324aae59ce837563ea0ac242491f10b759e6c5a0a973546b7c2ff7626018bc6247679a11af85018f99818065f16cdecfb7ef1bd84a457f841f29e9fdb54b48c5

Download Submit
\Windows\SysWOW64\Mbmjah32.exe

Filesize
416KB

MD5
3ee4d0eaef5894122155854680e8b828

SHA1
64f4de21e8caa59e146414a0e236f128fe848dfb

SHA256
b20f7902e1ea835101fb2769cfdcc91aa9a9f7017e4a6a3efa574a822907af65

SHA512
38ba09232bd70d9891bdb3baf907939fc0f9915be4e15563ca4911db3a2343b8a6dfc4013454d4bfc3415084d23bfb70b166cd08fc67f01979ea035a2235f44a

Download Submit
\Windows\SysWOW64\Mofglh32.exe

Filesize
416KB

MD5
de0f2313065a0e1a8b33eca5a8e9a1e6

SHA1
e4ea80a3d8c8f2c28e12e7082174fc6e986c5fcd

SHA256
5e2eff56fe2bca36273dc018b13b77cbed8190017cde8d6022199110f07a1ed7

SHA512
298a6cd536175edf7e02ede72c012ee3cf0bbf6d0a479211662124c3e2bb678690f5b13c653a526b33e594a0145c1df50c6032c74e032283986fdbefa65c4c5a

Download Submit
\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
416KB

MD5
665d3ed4b1df0a98b437a8eba86350ce

SHA1
413c37ac72e152e6fc7d94db497b6f71eb420584

SHA256
6bf1cd90c25a0ae19281995a6919300797eacebbb2349ce9bfef4e79d523e009

SHA512
beb6a96eba142ca0228dfa4e691e245ba6678b03e915ae4ee7966ff545d77704e2587447231b8c67e2a87a6acdf96200b7dec2e7af1028e3f72be67bd5c496dd

Download Submit
\Windows\SysWOW64\Nmpnhdfc.exe

Filesize
416KB

MD5
e7c756df7b626a2b6987dc66f04691b3

SHA1
c79277760bb15fcc0c9e6380970f3549f82344c3

SHA256
2d4336e1da6918d760302bc619f696a7cfd985ae0191ca0af1630385d6303f1e

SHA512
891dda2b5265987e0e67222dda198546bcfc4a214bff1b75607cdcd6e34d1886480741f1ff5f6d49a342f6837990447276da18babcf098cfa3faa44d4e0b7241

Download Submit
\Windows\SysWOW64\Npagjpcd.exe

Filesize
416KB

MD5
61790c3921606e8f6fec86c3ac5bee19

SHA1
c1e5d079cb0182e85484f3ecfd3d4560313d1386

SHA256
6b0ffcb0ab847b06eb62394bedb03e76e92c91e1359f25ad0cbbe12b2ece2883

SHA512
e223b3207bcb9b2a099d1cb540d698e7d1b249760bcd59e2843285b39654a53c54358881b350a2038a351127a97dd91e52900564b1b80a00dfa8ef9b2c27cdb2

Download Submit
memory/584-83-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/584-178-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/584-96-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/596-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/596-70-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1720-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2252-68-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2252-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2252-69-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2516-137-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2516-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2516-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-179-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-109-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2688-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2756-172-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2756-18-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2756-17-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2756-4-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-54-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2772-46-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-53-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2800-182-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-139-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-152-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2836-45-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2836-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-180-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-119-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2928-111-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3044-165-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3044-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3044-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads