bca1d67a09b120d3ba95ba33f1ae711310fe80ec0c4618f1f51e5d66ff895a94

General

Target

c71c462c926fdb17b853893bc0d913f0N.exe
Size

256KB
MD5

c71c462c926fdb17b853893bc0d913f0
SHA1

027b0031b4705be0eab11e1f17f429f3f1cef8ea
SHA256

bca1d67a09b120d3ba95ba33f1ae711310fe80ec0c4618f1f51e5d66ff895a94
SHA512

eaabf099a5e2022a1dd2f3883e2b1c46e23f5707afe675a01623f0de4668ae4a6fc2029a85fcc3250099335504740d7d502e15182bdb0ec76f2384a394383d67
SSDEEP

3072:gbvkVxLgaq3TqpaI2VceK3KcWmjRrzqzWspSnocyA5qKcWmjRrzeceKSAxpce7f4:gbxjqpa3HVpaopOpHVILifyeYVDcfR

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nodgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nodgel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncpcfkbg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niikceid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Niikceid.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c71c462c926fdb17b853893bc0d913f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c71c462c926fdb17b853893bc0d913f0N.exe

Executes dropped EXE 4 IoCs

pid	Process
2792	Nodgel32.exe
2472	Ncpcfkbg.exe
2896	Niikceid.exe
2044	Nlhgoqhh.exe

Loads dropped DLL 8 IoCs

pid	Process
2312	c71c462c926fdb17b853893bc0d913f0N.exe
2312	c71c462c926fdb17b853893bc0d913f0N.exe
2792	Nodgel32.exe
2792	Nodgel32.exe
2472	Ncpcfkbg.exe
2472	Ncpcfkbg.exe
2896	Niikceid.exe
2896	Niikceid.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dnlbnp32.dll	Ncpcfkbg.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Niikceid.exe
File opened for modification	C:\Windows\SysWOW64\Nodgel32.exe	c71c462c926fdb17b853893bc0d913f0N.exe
File created	C:\Windows\SysWOW64\Cnjgia32.dll	c71c462c926fdb17b853893bc0d913f0N.exe
File created	C:\Windows\SysWOW64\Ncpcfkbg.exe	Nodgel32.exe
File created	C:\Windows\SysWOW64\Niikceid.exe	Ncpcfkbg.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Niikceid.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Niikceid.exe
File created	C:\Windows\SysWOW64\Nodgel32.exe	c71c462c926fdb17b853893bc0d913f0N.exe
File opened for modification	C:\Windows\SysWOW64\Ncpcfkbg.exe	Nodgel32.exe
File created	C:\Windows\SysWOW64\Pfdmil32.dll	Nodgel32.exe
File opened for modification	C:\Windows\SysWOW64\Niikceid.exe	Ncpcfkbg.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c71c462c926fdb17b853893bc0d913f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nodgel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncpcfkbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niikceid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlhgoqhh.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	c71c462c926fdb17b853893bc0d913f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnjgia32.dll"	c71c462c926fdb17b853893bc0d913f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nodgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nodgel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Niikceid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncpcfkbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	c71c462c926fdb17b853893bc0d913f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	c71c462c926fdb17b853893bc0d913f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfdmil32.dll"	Nodgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnlbnp32.dll"	Ncpcfkbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	c71c462c926fdb17b853893bc0d913f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	c71c462c926fdb17b853893bc0d913f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Niikceid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Niikceid.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 2792	2312	c71c462c926fdb17b853893bc0d913f0N.exe	30
PID 2312 wrote to memory of 2792	2312	c71c462c926fdb17b853893bc0d913f0N.exe	30
PID 2312 wrote to memory of 2792	2312	c71c462c926fdb17b853893bc0d913f0N.exe	30
PID 2312 wrote to memory of 2792	2312	c71c462c926fdb17b853893bc0d913f0N.exe	30
PID 2792 wrote to memory of 2472	2792	Nodgel32.exe	31
PID 2792 wrote to memory of 2472	2792	Nodgel32.exe	31
PID 2792 wrote to memory of 2472	2792	Nodgel32.exe	31
PID 2792 wrote to memory of 2472	2792	Nodgel32.exe	31
PID 2472 wrote to memory of 2896	2472	Ncpcfkbg.exe	32
PID 2472 wrote to memory of 2896	2472	Ncpcfkbg.exe	32
PID 2472 wrote to memory of 2896	2472	Ncpcfkbg.exe	32
PID 2472 wrote to memory of 2896	2472	Ncpcfkbg.exe	32
PID 2896 wrote to memory of 2044	2896	Niikceid.exe	33
PID 2896 wrote to memory of 2044	2896	Niikceid.exe	33
PID 2896 wrote to memory of 2044	2896	Niikceid.exe	33
PID 2896 wrote to memory of 2044	2896	Niikceid.exe	33

C:\Users\Admin\AppData\Local\Temp\c71c462c926fdb17b853893bc0d913f0N.exe
"C:\Users\Admin\AppData\Local\Temp\c71c462c926fdb17b853893bc0d913f0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\SysWOW64\Nodgel32.exe
  C:\Windows\system32\Nodgel32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\Ncpcfkbg.exe
    C:\Windows\system32\Ncpcfkbg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Windows\SysWOW64\Niikceid.exe
      C:\Windows\system32\Niikceid.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2896
    - - C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ncpcfkbg.exe

Filesize
256KB

MD5
6dbb9d11022c45374c7e2cee22cec26a

SHA1
fa8ff8b8cd35ab9c2507915f1b2a25715c42ecc9

SHA256
ec4d4b9d6463a5713f25d11e1c2f9721e927318343fbf7dd7e925e5872a182ff

SHA512
ba1ff2cbd02a88d3d902fbdc1fbb47bb74f9895c483d48184973e7f289d2d6413928623c4d6f5dce61265e7810c3c7b37fd3613a6ae67c3f555a8901de4eb098

Download Submit
C:\Windows\SysWOW64\Niikceid.exe

Filesize
256KB

MD5
e5a08ccce0554aacadfca50a4c82ab4d

SHA1
cc518f29c011334ae72bf9d50c99b82e43ad5d5c

SHA256
80f2c20eaf074f4dac480259044dbc2e2f55483abe7218ea44c6f41403b7b622

SHA512
a3df907bcab5112990b7d8a3657ec5424f3b3670935a3b76c73391e317a3a48094490477fd4d810e52efe06940f86c8f7596cb85b477843d05e15675b2394d8b

Download Submit
\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
256KB

MD5
0e0e63958fb45457cd5bf44f4fe35a9c

SHA1
3939ccc6c6dca4b3330524628a81c62da905d19e

SHA256
6d7797b990c3ee78d191e573ceaa1a1049cb4ef5ef9fe582751f1586c310ae6e

SHA512
82d3c864f3935aeb6b1c968794a887d24e73853230ec37ee70d823d5745a17c524d3fe362d1de688a9e410722ee568f877234842c453b0f340b9c1a98def74c3

Download Submit
\Windows\SysWOW64\Nodgel32.exe

Filesize
256KB

MD5
7d4dff7b727792b14e6b92a7e6ae2a6a

SHA1
3b9f391b95eef13f9c7adaabba30c464ab0d1e90

SHA256
c192c7dc5b3520380b802c091351651cb7bfea7c40c2d76544fb5c6b8408a57a

SHA512
490ed8f9bcf58d95741a1e49d425e5fe83143b959f31d0564ed512ba569606355338e90b139f0ca429aa05ab7410afd65e30cb01dae6da1a64d3056c93db4098

Download Submit
memory/2044-57-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2312-13-0x00000000002E0000-0x0000000000339000-memory.dmp

Filesize
356KB

Download
memory/2312-0-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2312-60-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2472-55-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2792-58-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2792-18-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2896-44-0x0000000001FE0000-0x0000000002039000-memory.dmp

Filesize
356KB

Download
memory/2896-54-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2896-52-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads