28302c55522d3517679f9a5373652ccdb279962aa6712edfdb6fc5f7ecf79453

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/09/2024, 11:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

85f8bc2f4d373c287cfcc80ecbaf31b0N.exe
Size

71KB
MD5

85f8bc2f4d373c287cfcc80ecbaf31b0
SHA1

d8ccff942c2820089302dc0bf1402812fc136dac
SHA256

28302c55522d3517679f9a5373652ccdb279962aa6712edfdb6fc5f7ecf79453
SHA512

7a234f848695a66cf4919cb8b880c187609cbd2c1a811a570cf16b0b6e7dbfd718497b3246ee1b1c1ea24ad6df0f43c146f14a1d936c838eab481a2c813f1d16
SSDEEP

1536:J/4452JXKjESi8lRog9G+v70MXSRQb+DbEyRCRRRoR4Rk:R4KkaC8EgGeEEy032ya

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhipoob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndhipoob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nmpnhdfc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndjfeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nekbmgcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nmbknddp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	85f8bc2f4d373c287cfcc80ecbaf31b0N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmnace32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncpcfkbg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nenobfak.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nekbmgcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmbknddp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nenobfak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nmnace32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmpnhdfc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	85f8bc2f4d373c287cfcc80ecbaf31b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndjfeo32.exe

Executes dropped EXE 10 IoCs

pid	Process
2300	Nmnace32.exe
2808	Ndhipoob.exe
2636	Nmpnhdfc.exe
2392	Ndjfeo32.exe
540	Nekbmgcn.exe
1988	Nmbknddp.exe
1628	Npagjpcd.exe
3016	Ncpcfkbg.exe
2680	Nenobfak.exe
2104	Nlhgoqhh.exe

Loads dropped DLL 24 IoCs

pid	Process
2892	85f8bc2f4d373c287cfcc80ecbaf31b0N.exe
2892	85f8bc2f4d373c287cfcc80ecbaf31b0N.exe
2300	Nmnace32.exe
2300	Nmnace32.exe
2808	Ndhipoob.exe
2808	Ndhipoob.exe
2636	Nmpnhdfc.exe
2636	Nmpnhdfc.exe
2392	Ndjfeo32.exe
2392	Ndjfeo32.exe
540	Nekbmgcn.exe
540	Nekbmgcn.exe
1988	Nmbknddp.exe
1988	Nmbknddp.exe
1628	Npagjpcd.exe
1628	Npagjpcd.exe
3016	Ncpcfkbg.exe
3016	Ncpcfkbg.exe
2680	Nenobfak.exe
2680	Nenobfak.exe
1308	WerFault.exe
1308	WerFault.exe
1308	WerFault.exe
1308	WerFault.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nenobfak.exe
File created	C:\Windows\SysWOW64\Ndhipoob.exe	Nmnace32.exe
File created	C:\Windows\SysWOW64\Lmnppf32.dll	Ndhipoob.exe
File created	C:\Windows\SysWOW64\Ndjfeo32.exe	Nmpnhdfc.exe
File created	C:\Windows\SysWOW64\Ncpcfkbg.exe	Npagjpcd.exe
File created	C:\Windows\SysWOW64\Mehjml32.dll	Ncpcfkbg.exe
File opened for modification	C:\Windows\SysWOW64\Ndhipoob.exe	Nmnace32.exe
File created	C:\Windows\SysWOW64\Nmpnhdfc.exe	Ndhipoob.exe
File opened for modification	C:\Windows\SysWOW64\Nmpnhdfc.exe	Ndhipoob.exe
File opened for modification	C:\Windows\SysWOW64\Nenobfak.exe	Ncpcfkbg.exe
File created	C:\Windows\SysWOW64\Nekbmgcn.exe	Ndjfeo32.exe
File opened for modification	C:\Windows\SysWOW64\Npagjpcd.exe	Nmbknddp.exe
File opened for modification	C:\Windows\SysWOW64\Ncpcfkbg.exe	Npagjpcd.exe
File created	C:\Windows\SysWOW64\Fibkpd32.dll	85f8bc2f4d373c287cfcc80ecbaf31b0N.exe
File opened for modification	C:\Windows\SysWOW64\Nmnace32.exe	85f8bc2f4d373c287cfcc80ecbaf31b0N.exe
File created	C:\Windows\SysWOW64\Egnhob32.dll	Nmnace32.exe
File opened for modification	C:\Windows\SysWOW64\Ndjfeo32.exe	Nmpnhdfc.exe
File created	C:\Windows\SysWOW64\Nmbknddp.exe	Nekbmgcn.exe
File created	C:\Windows\SysWOW64\Nenobfak.exe	Ncpcfkbg.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nenobfak.exe
File created	C:\Windows\SysWOW64\Nmnace32.exe	85f8bc2f4d373c287cfcc80ecbaf31b0N.exe
File created	C:\Windows\SysWOW64\Ngoohnkj.dll	Nekbmgcn.exe
File created	C:\Windows\SysWOW64\Mahqjm32.dll	Nmbknddp.exe
File created	C:\Windows\SysWOW64\Pfdmil32.dll	Npagjpcd.exe
File opened for modification	C:\Windows\SysWOW64\Nekbmgcn.exe	Ndjfeo32.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Nenobfak.exe
File created	C:\Windows\SysWOW64\Kjbgng32.dll	Nmpnhdfc.exe
File created	C:\Windows\SysWOW64\Pjclpeak.dll	Ndjfeo32.exe
File opened for modification	C:\Windows\SysWOW64\Nmbknddp.exe	Nekbmgcn.exe
File created	C:\Windows\SysWOW64\Npagjpcd.exe	Nmbknddp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1308	2104	WerFault.exe	39

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmnace32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhipoob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndjfeo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmbknddp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlhgoqhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	85f8bc2f4d373c287cfcc80ecbaf31b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmpnhdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nekbmgcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npagjpcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncpcfkbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nenobfak.exe

Modifies registry class 33 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nmnace32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndhipoob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nmbknddp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nenobfak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibkpd32.dll"	85f8bc2f4d373c287cfcc80ecbaf31b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nmpnhdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfdmil32.dll"	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Nenobfak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncpcfkbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	85f8bc2f4d373c287cfcc80ecbaf31b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egnhob32.dll"	Nmnace32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nmnace32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nekbmgcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nmbknddp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mehjml32.dll"	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncpcfkbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	85f8bc2f4d373c287cfcc80ecbaf31b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nmpnhdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndjfeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nekbmgcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	85f8bc2f4d373c287cfcc80ecbaf31b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	85f8bc2f4d373c287cfcc80ecbaf31b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmnppf32.dll"	Ndhipoob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndjfeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngoohnkj.dll"	Nekbmgcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	85f8bc2f4d373c287cfcc80ecbaf31b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjbgng32.dll"	Nmpnhdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjclpeak.dll"	Ndjfeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mahqjm32.dll"	Nmbknddp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nenobfak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndhipoob.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 2300	2892	85f8bc2f4d373c287cfcc80ecbaf31b0N.exe	30
PID 2892 wrote to memory of 2300	2892	85f8bc2f4d373c287cfcc80ecbaf31b0N.exe	30
PID 2892 wrote to memory of 2300	2892	85f8bc2f4d373c287cfcc80ecbaf31b0N.exe	30
PID 2892 wrote to memory of 2300	2892	85f8bc2f4d373c287cfcc80ecbaf31b0N.exe	30
PID 2300 wrote to memory of 2808	2300	Nmnace32.exe	31
PID 2300 wrote to memory of 2808	2300	Nmnace32.exe	31
PID 2300 wrote to memory of 2808	2300	Nmnace32.exe	31
PID 2300 wrote to memory of 2808	2300	Nmnace32.exe	31
PID 2808 wrote to memory of 2636	2808	Ndhipoob.exe	32
PID 2808 wrote to memory of 2636	2808	Ndhipoob.exe	32
PID 2808 wrote to memory of 2636	2808	Ndhipoob.exe	32
PID 2808 wrote to memory of 2636	2808	Ndhipoob.exe	32
PID 2636 wrote to memory of 2392	2636	Nmpnhdfc.exe	33
PID 2636 wrote to memory of 2392	2636	Nmpnhdfc.exe	33
PID 2636 wrote to memory of 2392	2636	Nmpnhdfc.exe	33
PID 2636 wrote to memory of 2392	2636	Nmpnhdfc.exe	33
PID 2392 wrote to memory of 540	2392	Ndjfeo32.exe	34
PID 2392 wrote to memory of 540	2392	Ndjfeo32.exe	34
PID 2392 wrote to memory of 540	2392	Ndjfeo32.exe	34
PID 2392 wrote to memory of 540	2392	Ndjfeo32.exe	34
PID 540 wrote to memory of 1988	540	Nekbmgcn.exe	35
PID 540 wrote to memory of 1988	540	Nekbmgcn.exe	35
PID 540 wrote to memory of 1988	540	Nekbmgcn.exe	35
PID 540 wrote to memory of 1988	540	Nekbmgcn.exe	35
PID 1988 wrote to memory of 1628	1988	Nmbknddp.exe	36
PID 1988 wrote to memory of 1628	1988	Nmbknddp.exe	36
PID 1988 wrote to memory of 1628	1988	Nmbknddp.exe	36
PID 1988 wrote to memory of 1628	1988	Nmbknddp.exe	36
PID 1628 wrote to memory of 3016	1628	Npagjpcd.exe	37
PID 1628 wrote to memory of 3016	1628	Npagjpcd.exe	37
PID 1628 wrote to memory of 3016	1628	Npagjpcd.exe	37
PID 1628 wrote to memory of 3016	1628	Npagjpcd.exe	37
PID 3016 wrote to memory of 2680	3016	Ncpcfkbg.exe	38
PID 3016 wrote to memory of 2680	3016	Ncpcfkbg.exe	38
PID 3016 wrote to memory of 2680	3016	Ncpcfkbg.exe	38
PID 3016 wrote to memory of 2680	3016	Ncpcfkbg.exe	38
PID 2680 wrote to memory of 2104	2680	Nenobfak.exe	39
PID 2680 wrote to memory of 2104	2680	Nenobfak.exe	39
PID 2680 wrote to memory of 2104	2680	Nenobfak.exe	39
PID 2680 wrote to memory of 2104	2680	Nenobfak.exe	39
PID 2104 wrote to memory of 1308	2104	Nlhgoqhh.exe	40
PID 2104 wrote to memory of 1308	2104	Nlhgoqhh.exe	40
PID 2104 wrote to memory of 1308	2104	Nlhgoqhh.exe	40
PID 2104 wrote to memory of 1308	2104	Nlhgoqhh.exe	40

C:\Users\Admin\AppData\Local\Temp\85f8bc2f4d373c287cfcc80ecbaf31b0N.exe
"C:\Users\Admin\AppData\Local\Temp\85f8bc2f4d373c287cfcc80ecbaf31b0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Windows\SysWOW64\Nmnace32.exe
  C:\Windows\system32\Nmnace32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\SysWOW64\Ndhipoob.exe
    C:\Windows\system32\Ndhipoob.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Windows\SysWOW64\Nmpnhdfc.exe
      C:\Windows\system32\Nmpnhdfc.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Windows\SysWOW64\Ndjfeo32.exe
        
        C:\Windows\system32\Ndjfeo32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2392
      - C:\Windows\SysWOW64\Nekbmgcn.exe
        
        C:\Windows\system32\Nekbmgcn.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\Nmbknddp.exe
        
        C:\Windows\system32\Nmbknddp.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Npagjpcd.exe
        
        C:\Windows\system32\Npagjpcd.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\Ncpcfkbg.exe
        
        C:\Windows\system32\Ncpcfkbg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Nenobfak.exe
        
        C:\Windows\system32\Nenobfak.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 140
        12⤵
        Loads dropped DLL
        Program crash
        
        PID:1308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ndhipoob.exe

Filesize
71KB

MD5
3a9fb7a30e461a4c1ad29bb88ca0bfc3

SHA1
d304a7b85cd4624146d19cffb6b3b64c7aa3aeb1

SHA256
9673f56f1b1dcd588036e62a196d811674d8a1d1f308dcb505ae9829f63ba451

SHA512
9e538c54cc079f11d1533229e7f3c4ef7cc3a6c644cea172917924f8fa68ee782a08997376a9fac28eb338c7dcc335aa70039a399da77383d84dd66f562116a6

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
71KB

MD5
4cf6c11981bbe6c40e76d04fc2efa6de

SHA1
1f10f70836662a49e5498200d1b6ef37194f3601

SHA256
5db64f37c6550cf3991e94a2173728c88c4fd423691959bebe19e4296310b0a9

SHA512
93c2eb82b27ac6f3ef56f5ab14587b9b8496d5d8405786c6e732d0a072b0b4def634597ce399ea337ad368ea03cc66eeddc7d314030d16ffc3b7b01033ec62a0

Download Submit
C:\Windows\SysWOW64\Nmbknddp.exe

Filesize
71KB

MD5
95f19ef6b2ce50dccfb1fe53c622a265

SHA1
d2dd89ab3e3ad4f685c9aa5a06af429b3b45c1ce

SHA256
95a28ba36c7c67a6175b0a625be497779a7986985d3e7c713ba0326b91ad2286

SHA512
921f3bca008204dd2f045341bf5f8d533a941c9e6070cdb30c46b022e90ccef20f40219a7d287ce2dac4b06df90518c4fc1acb1afe97b5fd9cbe2e855fbbdf62

Download Submit
C:\Windows\SysWOW64\Nmnace32.exe

Filesize
71KB

MD5
4fbc88866f424ce8f569031d334d574d

SHA1
36529fe8300d31130afe52bd62ffc6ed52bdd790

SHA256
bb9d848850a33d1202a68f1fbd2c9ec63670da60a8ae8ff5b839df7088787dea

SHA512
23fbba56fc943e9431bfaf70af8d15c0a72661336543bda5dc1ec4df6ca7ded75d1cec85d90bcaa177e1c2b4f401e4c20fdf4c1f72cf5192616ae3b109567a1a

Download Submit
C:\Windows\SysWOW64\Pjclpeak.dll

Filesize
7KB

MD5
1e8aa2cdbbb63d81da9cbad0955b1e0c

SHA1
618688eea1656621ea91b4f6cda467f965da78aa

SHA256
1fd32e9d870116e96866663a52cd933ab9102aaa758b9bdf86263ccf8405e05f

SHA512
692faea1654d666c725137a7610f0462d5c5254a78ff31f7a270047f4e578d90b6e21d7a2d7b35915c148fa563fea3ee80569560cec997b2843df64fa38eec00

Download Submit
\Windows\SysWOW64\Ncpcfkbg.exe

Filesize
71KB

MD5
d6f90a2b96371002547c5d3067a5dc7a

SHA1
a84755e878c2c174aab9b7767e8fb25c0c6e09b2

SHA256
c4af452a269fe9c8ab0b5863c10f189b9e53d101bae61be146fa904979759e01

SHA512
2e1b4f75358afa48302b9133f0b5e129cf268916a2ef5d69cf5f02c684d085df8fbaf6954406512fe042210ddbbdec164a9ed2d9173b5191c639332cad030b71

Download Submit
\Windows\SysWOW64\Ndjfeo32.exe

Filesize
71KB

MD5
b24fd28764bca3e7e434226b4664867a

SHA1
9c7026febbf8cdfd4efe1a0b10c8e01865b69297

SHA256
1b4ef18d62db629de41ec30e6baa05513c555b4800a6ded613a4479580283c68

SHA512
d6ef077ceec76e0fd4729bf2f436b9017c587a536d5a8cdf5c6e65390a688341aac428db7fc11c9dc306d325b7bf999d683664e7623e434147627fb3edf8d16f

Download Submit
\Windows\SysWOW64\Nekbmgcn.exe

Filesize
71KB

MD5
fcdf0dfea87ec5d814be6290bc2c30e9

SHA1
83b773263b092267c25679a2630519aaa408d6b3

SHA256
dbdf09eb4de48833e822abcc5df0a42c46bed30f5c6d0ca79f210f121aee3b97

SHA512
2fd00628e0c222620be485ab1fd7a133975e692878ea2413ded9fc4784f96baa3db71c1d18b91c15b1202444e0887a22e71468d863f47d64615695e02c87e439

Download Submit
\Windows\SysWOW64\Nenobfak.exe

Filesize
71KB

MD5
93c3011fdad8642f7de86a345b050843

SHA1
c9ae336aa06f7cba6bbc669d26757e66bef4731f

SHA256
3fdac8080d490e61565f59a800d9cbaca35e60dd6e450f16bd14dcfcbe287315

SHA512
e021a92ae554a578c4e58f446c30b14666be9f38dc70b0f90d1b16d5e3ca99608c89871f6e21afabf840e4469258232d4eb20dc79b874ea5d74abdd6d4fff1ff

Download Submit
\Windows\SysWOW64\Nmpnhdfc.exe

Filesize
71KB

MD5
2ed29c7b0ea8a934db04cd927326eda2

SHA1
c75e8cbb09d15d696a93dbff443243d6bb99a0e6

SHA256
1b6f638388fd71902177bc7d414cb44ddff7a87169cba7365d55a25af9e97efe

SHA512
706fcc6184a88fd8bce99a709fee728bd873ca1133b7a3ce22151a3bb0d3e1dbce33b74f743df9b778336799b666141994b9565622ceac5b1027e135ba06253b

Download Submit
\Windows\SysWOW64\Npagjpcd.exe

Filesize
71KB

MD5
cc3e6dfea507fdfe45da730afde5771d

SHA1
b9d6a2a206a6c49daa64f5a1155f3f9a696af653

SHA256
1c1829bc2bfb098d7fe26d9d4d844a4e8f98ec53488632b19d85d887ae46f0e5

SHA512
5133fa471ddc53b754bf4f05d23eee4a86bd64814fd922e50891cc5854ef3a4b977b310db264ba090e12369dd59f1edd5b3b991234e7da12b6e1da897892c5f4

Download Submit
memory/540-143-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1628-99-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1628-145-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1988-87-0x00000000002C0000-0x00000000002F9000-memory.dmp

Filesize
228KB

Download
memory/1988-80-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1988-144-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2104-148-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2104-134-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2300-20-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2300-22-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/2392-142-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2392-54-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2392-62-0x0000000000300000-0x0000000000339000-memory.dmp

Filesize
228KB

Download
memory/2636-141-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2636-52-0x0000000000290000-0x00000000002C9000-memory.dmp

Filesize
228KB

Download
memory/2680-121-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2680-147-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2808-140-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2808-34-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2892-139-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2892-18-0x0000000000270000-0x00000000002A9000-memory.dmp

Filesize
228KB

Download
memory/2892-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2892-17-0x0000000000270000-0x00000000002A9000-memory.dmp

Filesize
228KB

Download
memory/3016-107-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3016-146-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3016-114-0x00000000002F0000-0x0000000000329000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads