2d5b6ee9858a3b2557f78df99001fc53811b39d1807351d9151e30f04bd8be47

General

Target

2d5b6ee9858a3b2557f78df99001fc53811b39d1807351d9151e30f04bd8be47N.exe
Size

319KB
MD5

7a7e7b05ca9c35113a068ff0b4fc33e0
SHA1

eba6421c9599d2c77341a1eb3dbf8dda0a9b7230
SHA256

2d5b6ee9858a3b2557f78df99001fc53811b39d1807351d9151e30f04bd8be47
SHA512

801a4c9d62303926190a1db4323c9ce3c220d646dacb14c8b84eddd774ba0f88a0dd1a5557878a33a90687125c6c87da5a2df941b6a7209aba4bc5b9360ad599
SSDEEP

6144:MEcCB+jGHvHlp4PlXj4IyqrQ///NR5fLYG3eujPQ///NR5f:aCGG/7YxxC/NcZ7/N

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncnlnaim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncnlnaim.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2d5b6ee9858a3b2557f78df99001fc53811b39d1807351d9151e30f04bd8be47N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2d5b6ee9858a3b2557f78df99001fc53811b39d1807351d9151e30f04bd8be47N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmkafhnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmkafhnb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nogmin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nogmin32.exe

Executes dropped EXE 4 IoCs

pid	Process
3028	Mmkafhnb.exe
2760	Nogmin32.exe
2828	Ncnlnaim.exe
1916	Opblgehg.exe

Loads dropped DLL 12 IoCs

pid	Process
2320	2d5b6ee9858a3b2557f78df99001fc53811b39d1807351d9151e30f04bd8be47N.exe
2320	2d5b6ee9858a3b2557f78df99001fc53811b39d1807351d9151e30f04bd8be47N.exe
3028	Mmkafhnb.exe
3028	Mmkafhnb.exe
2760	Nogmin32.exe
2760	Nogmin32.exe
2828	Ncnlnaim.exe
2828	Ncnlnaim.exe
2556	WerFault.exe
2556	WerFault.exe
2556	WerFault.exe
2556	WerFault.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ajenah32.dll	2d5b6ee9858a3b2557f78df99001fc53811b39d1807351d9151e30f04bd8be47N.exe
File opened for modification	C:\Windows\SysWOW64\Nogmin32.exe	Mmkafhnb.exe
File created	C:\Windows\SysWOW64\Ojqeofnd.dll	Mmkafhnb.exe
File created	C:\Windows\SysWOW64\Ncnlnaim.exe	Nogmin32.exe
File created	C:\Windows\SysWOW64\Gcjajedk.dll	Nogmin32.exe
File opened for modification	C:\Windows\SysWOW64\Opblgehg.exe	Ncnlnaim.exe
File created	C:\Windows\SysWOW64\Mmkafhnb.exe	2d5b6ee9858a3b2557f78df99001fc53811b39d1807351d9151e30f04bd8be47N.exe
File created	C:\Windows\SysWOW64\Nogmin32.exe	Mmkafhnb.exe
File opened for modification	C:\Windows\SysWOW64\Ncnlnaim.exe	Nogmin32.exe
File created	C:\Windows\SysWOW64\Opblgehg.exe	Ncnlnaim.exe
File created	C:\Windows\SysWOW64\Ahmjfimi.dll	Ncnlnaim.exe
File opened for modification	C:\Windows\SysWOW64\Mmkafhnb.exe	2d5b6ee9858a3b2557f78df99001fc53811b39d1807351d9151e30f04bd8be47N.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2556	1916	WerFault.exe	33

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmkafhnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nogmin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncnlnaim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opblgehg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2d5b6ee9858a3b2557f78df99001fc53811b39d1807351d9151e30f04bd8be47N.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajenah32.dll"	2d5b6ee9858a3b2557f78df99001fc53811b39d1807351d9151e30f04bd8be47N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	2d5b6ee9858a3b2557f78df99001fc53811b39d1807351d9151e30f04bd8be47N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojqeofnd.dll"	Mmkafhnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nogmin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahmjfimi.dll"	Ncnlnaim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmkafhnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcjajedk.dll"	Nogmin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncnlnaim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	2d5b6ee9858a3b2557f78df99001fc53811b39d1807351d9151e30f04bd8be47N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	2d5b6ee9858a3b2557f78df99001fc53811b39d1807351d9151e30f04bd8be47N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nogmin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncnlnaim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	2d5b6ee9858a3b2557f78df99001fc53811b39d1807351d9151e30f04bd8be47N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	2d5b6ee9858a3b2557f78df99001fc53811b39d1807351d9151e30f04bd8be47N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmkafhnb.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 3028	2320	2d5b6ee9858a3b2557f78df99001fc53811b39d1807351d9151e30f04bd8be47N.exe	30
PID 2320 wrote to memory of 3028	2320	2d5b6ee9858a3b2557f78df99001fc53811b39d1807351d9151e30f04bd8be47N.exe	30
PID 2320 wrote to memory of 3028	2320	2d5b6ee9858a3b2557f78df99001fc53811b39d1807351d9151e30f04bd8be47N.exe	30
PID 2320 wrote to memory of 3028	2320	2d5b6ee9858a3b2557f78df99001fc53811b39d1807351d9151e30f04bd8be47N.exe	30
PID 3028 wrote to memory of 2760	3028	Mmkafhnb.exe	31
PID 3028 wrote to memory of 2760	3028	Mmkafhnb.exe	31
PID 3028 wrote to memory of 2760	3028	Mmkafhnb.exe	31
PID 3028 wrote to memory of 2760	3028	Mmkafhnb.exe	31
PID 2760 wrote to memory of 2828	2760	Nogmin32.exe	32
PID 2760 wrote to memory of 2828	2760	Nogmin32.exe	32
PID 2760 wrote to memory of 2828	2760	Nogmin32.exe	32
PID 2760 wrote to memory of 2828	2760	Nogmin32.exe	32
PID 2828 wrote to memory of 1916	2828	Ncnlnaim.exe	33
PID 2828 wrote to memory of 1916	2828	Ncnlnaim.exe	33
PID 2828 wrote to memory of 1916	2828	Ncnlnaim.exe	33
PID 2828 wrote to memory of 1916	2828	Ncnlnaim.exe	33
PID 1916 wrote to memory of 2556	1916	Opblgehg.exe	34
PID 1916 wrote to memory of 2556	1916	Opblgehg.exe	34
PID 1916 wrote to memory of 2556	1916	Opblgehg.exe	34
PID 1916 wrote to memory of 2556	1916	Opblgehg.exe	34

C:\Users\Admin\AppData\Local\Temp\2d5b6ee9858a3b2557f78df99001fc53811b39d1807351d9151e30f04bd8be47N.exe
"C:\Users\Admin\AppData\Local\Temp\2d5b6ee9858a3b2557f78df99001fc53811b39d1807351d9151e30f04bd8be47N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\SysWOW64\Mmkafhnb.exe
  C:\Windows\system32\Mmkafhnb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\SysWOW64\Nogmin32.exe
    C:\Windows\system32\Nogmin32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\SysWOW64\Ncnlnaim.exe
      C:\Windows\system32\Ncnlnaim.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2828
    - - C:\Windows\SysWOW64\Opblgehg.exe
        
        C:\Windows\system32\Opblgehg.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1916
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 140
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\Mmkafhnb.exe

Filesize
319KB

MD5
687eb20bbdf99c08b04d97f8b168f78e

SHA1
08e87ba2def12d3dc4007f25880fa3ade9c4f6c6

SHA256
3bfc25457c9e866c1256dd3256028bdcf98303d24d158a3dc71ea06d2ee40dc9

SHA512
c7edb150c4f2b791bf773416d1d4070926f696f9ca09bcbce2a998b1e4c0683965a45cfd4acf1015c137a9751df1f4707e5062f8be4f18768ad5ee1753f06a47

Download Submit
\Windows\SysWOW64\Ncnlnaim.exe

Filesize
319KB

MD5
c655e99fa43cb1a836c667c38fe1d07b

SHA1
61ebff74fe729e81b90ef7dd799194790b9e6bcc

SHA256
1bb5b325430dfc4f39d6ad3199b559ac4cf7fcf10f547dff006ea3f3a6d2f7a6

SHA512
b0f5951387e9fadbc8d7e65fde848edaae7adf4f1b266c7147e29230da50b12dd562d9dfc535a6a003abb98db29cc08d3a2766355ccef49b7caf4a1590edd805

Download Submit
\Windows\SysWOW64\Nogmin32.exe

Filesize
319KB

MD5
2831bc0b58d120ec39f68e09a6eabead

SHA1
b1886c951bb15ac597633cdc046a54f5e0802941

SHA256
8abbd2673537c889cbbbc3919da296c7674561716dfd9c69818909ecd01d2efb

SHA512
edcd002b22e71b8e3bd4856818df480ad96af9efa805718a08528410819d8f81247eae98b521936a20d6b170dbed83ae6b11efda937630502c64c683a9269aa8

Download Submit
\Windows\SysWOW64\Opblgehg.exe

Filesize
319KB

MD5
94b1845c67dd5e2fdb0bd1d7deeea737

SHA1
60702bcd93d610c246e8636faf20918b03548e03

SHA256
9780eaf038b5bc1f30ee12a9ecb19bf70bc6d600fb90062b4608eca673734ae4

SHA512
36cefb3997327958ba9ae6b1612bd609087d7a236a544c7c2feb7d0286b408f1eb71147ab5cb8683181f3711d48aac95f48eea3b3000fc5fdd36138dfd71a5ac

Download Submit
memory/1916-90-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1916-57-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2320-76-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2320-7-0x0000000000280000-0x00000000002D1000-memory.dmp

Filesize
324KB

Download
memory/2320-12-0x0000000000280000-0x00000000002D1000-memory.dmp

Filesize
324KB

Download
memory/2320-0-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2760-80-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2760-29-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2760-41-0x0000000000310000-0x0000000000361000-memory.dmp

Filesize
324KB

Download
memory/2828-44-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2828-84-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2828-55-0x0000000000220000-0x0000000000271000-memory.dmp

Filesize
324KB

Download
memory/3028-19-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3028-78-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3028-27-0x0000000000220000-0x0000000000271000-memory.dmp

Filesize
324KB

Download
memory/3028-26-0x0000000000220000-0x0000000000271000-memory.dmp

Filesize
324KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads