Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
07/11/2024, 04:13
Static task
static1
Behavioral task
behavioral1
Sample
894b7925596453122639ec7fe6eb57e5948ca6c92f314eb4dbc62153e8b565fbN.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
894b7925596453122639ec7fe6eb57e5948ca6c92f314eb4dbc62153e8b565fbN.exe
Resource
win10v2004-20241007-en
General
-
Target
894b7925596453122639ec7fe6eb57e5948ca6c92f314eb4dbc62153e8b565fbN.exe
-
Size
74KB
-
MD5
a7ee6165f7cb793b1226f9f27a24c0f0
-
SHA1
420b7c28aab5466eddc1f1b462a4e5942cf1c7bb
-
SHA256
894b7925596453122639ec7fe6eb57e5948ca6c92f314eb4dbc62153e8b565fb
-
SHA512
d2a8a1d7cab1ae2a44bcc6b6306485d737d24c2bebe8f3b8e25a395101c06be0f59266c1ab400c25d12cf8eb66ccdf55a8f45d127b2aa27f51c6498d3fbcf950
-
SSDEEP
1536:38oW484sGOWyMYtnrCIq3iYiWzzVD6iqdX:38JusPWyRn27Sgz4iqt
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nkbalifo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Niikceid.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ndhipoob.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nmbknddp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Niikceid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ndhipoob.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ngfflj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nekbmgcn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nodgel32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ngkogj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | 894b7925596453122639ec7fe6eb57e5948ca6c92f314eb4dbc62153e8b565fbN.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ngfflj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ngfflj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ngfflj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nkbalifo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nekbmgcn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nmbknddp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nodgel32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | 894b7925596453122639ec7fe6eb57e5948ca6c92f314eb4dbc62153e8b565fbN.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ngkogj32.exe
-
Berbew family
-
Executes dropped EXE 10 IoCs
pid | Process
2772 | Ndhipoob.exe
2328 | Ngfflj32.exe
2668 | Ngfflj32.exe
2684 | Nkbalifo.exe
2000 | Nekbmgcn.exe
292 | Nmbknddp.exe
528 | Nodgel32.exe
2560 | Ngkogj32.exe
2860 | Niikceid.exe
2864 | Nlhgoqhh.exe
-
Loads dropped DLL 24 IoCs
pid | Process
2852 | 894b7925596453122639ec7fe6eb57e5948ca6c92f314eb4dbc62153e8b565fbN.exe (2 entries)
2772 | Ndhipoob.exe (2 entries)
2328 | Ngfflj32.exe (2 entries)
2668 | Ngfflj32.exe (2 entries)
2684 | Nkbalifo.exe (2 entries)
2000 | Nekbmgcn.exe (2 entries)
292 | Nmbknddp.exe (2 entries)
528 | Nodgel32.exe (2 entries)
2560 | Ngkogj32.exe (2 entries)
2860 | Niikceid.exe (2 entries)
856 | WerFault.exe (4 entries)
-
Drops file in System32 directory 29 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\Ndhipoob.exe | 894b7925596453122639ec7fe6eb57e5948ca6c92f314eb4dbc62153e8b565fbN.exe
File opened for modification | C:\Windows\SysWOW64\Nekbmgcn.exe | Nkbalifo.exe
File opened for modification | C:\Windows\SysWOW64\Ngkogj32.exe | Nodgel32.exe
File created | C:\Windows\SysWOW64\Niikceid.exe | Ngkogj32.exe
File created | C:\Windows\SysWOW64\Hljdna32.dll | Ndhipoob.exe
File created | C:\Windows\SysWOW64\Kklcab32.dll | Nodgel32.exe
File opened for modification | C:\Windows\SysWOW64\Hljdna32.dll | Ngfflj32.exe
File created | C:\Windows\SysWOW64\Nekbmgcn.exe | Nkbalifo.exe
File opened for modification | C:\Windows\SysWOW64\Nmbknddp.exe | Nekbmgcn.exe
File created | C:\Windows\SysWOW64\Ngoohnkj.dll | Nekbmgcn.exe
File created | C:\Windows\SysWOW64\Ngkogj32.exe | Nodgel32.exe
File created | C:\Windows\SysWOW64\Nlhgoqhh.exe | Niikceid.exe
File created | C:\Windows\SysWOW64\Nodgel32.exe | Nmbknddp.exe
File created | C:\Windows\SysWOW64\Ngfflj32.exe | Ndhipoob.exe
File opened for modification | C:\Windows\SysWOW64\Niikceid.exe | Ngkogj32.exe
File opened for modification | C:\Windows\SysWOW64\Ndhipoob.exe | 894b7925596453122639ec7fe6eb57e5948ca6c92f314eb4dbc62153e8b565fbN.exe
File opened for modification | C:\Windows\SysWOW64\Ngfflj32.exe | Ndhipoob.exe
File created | C:\Windows\SysWOW64\Ngfflj32.exe | Ngfflj32.exe
File created | C:\Windows\SysWOW64\Nkbalifo.exe | Ngfflj32.exe
File opened for modification | C:\Windows\SysWOW64\Nkbalifo.exe | Ngfflj32.exe
File created | C:\Windows\SysWOW64\Eeejnlhc.dll | Ngfflj32.exe
File opened for modification | C:\Windows\SysWOW64\Nodgel32.exe | Nmbknddp.exe
File created | C:\Windows\SysWOW64\Cnjgia32.dll | Nmbknddp.exe
File opened for modification | C:\Windows\SysWOW64\Nlhgoqhh.exe | Niikceid.exe
File created | C:\Windows\SysWOW64\Lamajm32.dll | Niikceid.exe
File created | C:\Windows\SysWOW64\Egnhob32.dll | 894b7925596453122639ec7fe6eb57e5948ca6c92f314eb4dbc62153e8b565fbN.exe
File created | C:\Windows\SysWOW64\Pjclpeak.dll | Nkbalifo.exe
File created | C:\Windows\SysWOW64\Nmbknddp.exe | Nekbmgcn.exe
File created | C:\Windows\SysWOW64\Dnlbnp32.dll | Ngkogj32.exe
-
Program crash 1 IoCs
pid | pid_target | Process | procid_target
856 | 2864 | WerFault.exe | 39
-
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ngfflj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nekbmgcn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nmbknddp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nodgel32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ngkogj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Niikceid.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 894b7925596453122639ec7fe6eb57e5948ca6c92f314eb4dbc62153e8b565fbN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ndhipoob.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nlhgoqhh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ngfflj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nkbalifo.exe
-
Modifies registry class 33 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ndhipoob.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hljdna32.dll" | Ndhipoob.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ngfflj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nkbalifo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | 894b7925596453122639ec7fe6eb57e5948ca6c92f314eb4dbc62153e8b565fbN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ngkogj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjclpeak.dll" | Nkbalifo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ngfflj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnjgia32.dll" | Nmbknddp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nodgel32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nodgel32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll" | Niikceid.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | 894b7925596453122639ec7fe6eb57e5948ca6c92f314eb4dbc62153e8b565fbN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ngfflj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeejnlhc.dll" | Ngfflj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngoohnkj.dll" | Nekbmgcn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ngkogj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egnhob32.dll" | 894b7925596453122639ec7fe6eb57e5948ca6c92f314eb4dbc62153e8b565fbN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ngfflj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nkbalifo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Niikceid.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | 894b7925596453122639ec7fe6eb57e5948ca6c92f314eb4dbc62153e8b565fbN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hljdna32.dll" | Ngfflj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnlbnp32.dll" | Ngkogj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | 894b7925596453122639ec7fe6eb57e5948ca6c92f314eb4dbc62153e8b565fbN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nekbmgcn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nekbmgcn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nmbknddp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kklcab32.dll" | Nodgel32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ndhipoob.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nmbknddp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Niikceid.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} | 894b7925596453122639ec7fe6eb57e5948ca6c92f314eb4dbc62153e8b565fbN.exe
-
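The two registry signatures above ("Adds autorun key to be loaded by Explorer.exe on startup" and "Modifies registry class") are two halves of one persistence mechanism: each stage drops a DLL into SysWOW64, registers it as the InProcServer32 of CLSID {79FAA099-1BAE-816E-D711-115290CEE717}, and then writes a ShellServiceObjectDelayLoad (SSODL) value ("Web Event Logger") naming that CLSID so that Explorer loads the DLL at logon. Because the sample is 32-bit, its writes landed in the Wow6432Node view; on a 64-bit host the 64-bit Explorer reads the native view, so any hunt must inspect both. The following detection logic is an added example (not code from the report, the sandbox vendor or Berbew) that correlates the three events into one finding. It assumes Sysmon-style records (EventID 11 FileCreate with TargetFilename; EventID 13 SetValue with Image, TargetObject and Details); the sample records are constructed from the report's IoCs, plus one constructed benign CLSID registration that must not be flagged.

```python
"""Flag ShellServiceObjectDelayLoad (SSODL) persistence from Sysmon-style events.

Correlates a DLL drop (EventID 11), the COM InProcServer32 registration of that
DLL (EventID 13) and the SSODL value that points Explorer at the CLSID
(EventID 13). Added example; not part of the sandbox report or of Berbew.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, Optional

SSODL_RE = re.compile(
    r"^HKLM\\SOFTWARE\\(?P<view>Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion"
    r"\\ShellServiceObjectDelayLoad\\(?P<name>[^\\]+)$", re.IGNORECASE)
INPROC_RE = re.compile(
    r"^HKLM\\SOFTWARE\\Classes\\(?:Wow6432Node\\)?CLSID\\(?P<clsid>\{[0-9A-F-]{36}\})"
    r"\\InProcServer32\\(?P<value>\(Default\)|ThreadingModel)$", re.IGNORECASE)
GUID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.IGNORECASE)

# Constructed records mirroring the report's IoCs (paths, value name, CLSID and DLL
# name copied from it; the Sysmon field layout and ordering are assumed).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\SysWOW64\Ndhipoob.exe",
     "TargetFilename": r"C:\Windows\SysWOW64\Hljdna32.dll"},
    {"EventID": 13, "Image": r"C:\Windows\SysWOW64\Ndhipoob.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\(Default)",
     "Details": r"C:\Windows\SysWow64\Hljdna32.dll"},
    {"EventID": 13, "Image": r"C:\Windows\SysWOW64\Ndhipoob.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel",
     "Details": "Apartment"},
    {"EventID": 13, "Image": r"C:\Windows\SysWOW64\Ndhipoob.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger",
     "Details": "{79FAA099-1BAE-816E-D711-115290CEE717}"},
    # Constructed benign noise: a COM registration that no SSODL value references.
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InProcServer32\(Default)",
     "Details": r"C:\Program Files\Vendor\handler.dll"},
]


@dataclass
class Finding:
    image: str                      # process that wrote the SSODL value
    value_name: str                 # e.g. "Web Event Logger"
    clsid: Optional[str]            # CLSID named by the SSODL value, if it is one
    registry_view: str              # "wow6432" (32-bit view) or "native"
    dll_path: Optional[str] = None  # InProcServer32 default value, if seen
    threading_model: Optional[str] = None
    reasons: list = field(default_factory=list)


def _normalize_key(path: str) -> str:
    """Accept Sysmon's HKLM form and the raw \\REGISTRY\\MACHINE form used in the report."""
    return re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", path, flags=re.IGNORECASE)


def correlate(events: Iterable[dict]) -> list:
    inproc = {}    # CLSID (upper-cased) -> {"path", "threading", "writers"}
    created = {}   # lower-cased file path -> set of images that created it
    ssodl = []     # (image, value name, data, registry view)

    for ev in events:
        if ev.get("EventID") == 11:
            created.setdefault(ev["TargetFilename"].lower(), set()).add(ev["Image"])
            continue
        if ev.get("EventID") != 13:
            continue
        target = _normalize_key(ev["TargetObject"])
        m = INPROC_RE.match(target)
        if m:
            rec = inproc.setdefault(m["clsid"].upper(),
                                    {"path": None, "threading": None, "writers": set()})
            if m["value"].lower() == "(default)":
                rec["path"] = ev["Details"]
            else:
                rec["threading"] = ev["Details"]
            rec["writers"].add(ev["Image"])
            continue
        m = SSODL_RE.match(target)
        if m:
            ssodl.append((ev["Image"], m["name"], ev["Details"].strip(),
                          "wow6432" if m["view"] else "native"))

    findings = []
    for image, name, data, view in ssodl:
        # Any SSODL write deserves a look: legitimate software almost never adds one.
        f = Finding(image=image, value_name=name, clsid=None, registry_view=view,
                    reasons=["ShellServiceObjectDelayLoad value written"])
        if not GUID_RE.match(data):
            f.reasons.append("SSODL data is not a CLSID: %r" % data)
            findings.append(f)
            continue
        f.clsid = data.upper()
        rec = inproc.get(f.clsid)
        if rec is None:
            f.reasons.append("InProcServer32 for this CLSID not seen in the event window; "
                             "resolve it from the live registry")
            findings.append(f)
            continue
        f.dll_path, f.threading_model = rec["path"], rec["threading"]
        if image in rec["writers"]:
            f.reasons.append("same process registered the CLSID's InProcServer32")
        droppers = created.get((f.dll_path or "").lower(), set())
        if droppers:
            f.reasons.append("InProcServer32 DLL was created during the window by: "
                             + ", ".join(sorted(droppers)))
        findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

On the constructed input this yields exactly one finding, for Ndhipoob.exe: the SSODL value in the Wow6432Node view, the CLSID, the DLL path C:\Windows\SysWow64\Hljdna32.dll with ThreadingModel Apartment, and the two correlation reasons. The unrelated installer registration is ignored. Paths are compared case-insensitively because the report itself shows the same DLL written as SysWOW64 in the file system and SysWow64 in the registry.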
Suspicious use of WriteProcessMemory 44 IoCs
description | pid | Process | procid_target
PID 2852 wrote to memory of 2772 | 2852 | 894b7925596453122639ec7fe6eb57e5948ca6c92f314eb4dbc62153e8b565fbN.exe | 30 (4 entries)
PID 2772 wrote to memory of 2328 | 2772 | Ndhipoob.exe | 31 (4 entries)
PID 2328 wrote to memory of 2668 | 2328 | Ngfflj32.exe | 32 (4 entries)
PID 2668 wrote to memory of 2684 | 2668 | Ngfflj32.exe | 33 (4 entries)
PID 2684 wrote to memory of 2000 | 2684 | Nkbalifo.exe | 34 (4 entries)
PID 2000 wrote to memory of 292 | 2000 | Nekbmgcn.exe | 35 (4 entries)
PID 292 wrote to memory of 528 | 292 | Nmbknddp.exe | 36 (4 entries)
PID 528 wrote to memory of 2560 | 528 | Nodgel32.exe | 37 (4 entries)
PID 2560 wrote to memory of 2860 | 2560 | Ngkogj32.exe | 38 (4 entries)
PID 2860 wrote to memory of 2864 | 2860 | Niikceid.exe | 39 (4 entries)
PID 2864 wrote to memory of 856 | 2864 | Nlhgoqhh.exe | 40 (4 entries)
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\894b7925596453122639ec7fe6eb57e5948ca6c92f314eb4dbc62153e8b565fbN.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\894b7925596453122639ec7fe6eb57e5948ca6c92f314eb4dbc62153e8b565fbN.exe"
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2852 -
Level 2: C:\Windows\SysWOW64\Ndhipoob.exe
Command line: C:\Windows\system32\Ndhipoob.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2772 -
Level 3: C:\Windows\SysWOW64\Ngfflj32.exe
Command line: C:\Windows\system32\Ngfflj32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2328 -
Level 4: C:\Windows\SysWOW64\Ngfflj32.exe
Command line: C:\Windows\system32\Ngfflj32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2668 -
Level 5: C:\Windows\SysWOW64\Nkbalifo.exe
Command line: C:\Windows\system32\Nkbalifo.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2684 -
Level 6: C:\Windows\SysWOW64\Nekbmgcn.exe
Command line: C:\Windows\system32\Nekbmgcn.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2000 -
Level 7: C:\Windows\SysWOW64\Nmbknddp.exe
Command line: C:\Windows\system32\Nmbknddp.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:292 -
Level 8: C:\Windows\SysWOW64\Nodgel32.exe
Command line: C:\Windows\system32\Nodgel32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:528 -
Level 9: C:\Windows\SysWOW64\Ngkogj32.exe
Command line: C:\Windows\system32\Ngkogj32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2560 -
Level 10: C:\Windows\SysWOW64\Niikceid.exe
Command line: C:\Windows\system32\Niikceid.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2860 -
Level 11: C:\Windows\SysWOW64\Nlhgoqhh.exe
Command line: C:\Windows\system32\Nlhgoqhh.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2864 -
Level 12: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 140
- Loads dropped DLL
- Program crash
PID:856
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
7KB
MD5 82da3253d66b7d445f57e548c2386423
SHA1 abc7d3ed05c6b09078aba7f2cab0e1880c460b17
SHA256 23c2af27c3e28df0732faf148b5d67e9dd3ed1ca2c3f47c58932772de5baccdf
SHA512 160bbe047140d9808af93acbed2f72baa4be13ecdbc6ce108733bb9fa5a5def1d001f6fc47b00c5ce1c6ec2ddfada090673f0982d343bffc1126eaa57d1c1605
-
Filesize
74KB
MD5 2a72158b9e3e3a00bf980b6799ff7db7
SHA1 cd9953556779810042f1195b3fb12452b8108268
SHA256 e3bcee96641de012cbe591f1ae37732bdf1f5bd42b4b23743b7d7111efb6a55a
SHA512 7ce9f2a99fa71e9db437d940f4beb4c20dc0ae22110aac0e30d3cdaab018b6276e61c77c621be0ec9e9ca6b483c0ab31750d994bf880d15518669c529e014a82
-
Filesize
74KB
MD5 d75406a0c58db0bda6bc86dcf3db547c
SHA1 229057b07ad559847655b6e666814140386a4868
SHA256 e3705d0ab3a06430510b029bdb16f9c16016cd99a55c5138de4fb4194b6a26c9
SHA512 ae0f1e88091c054b35ab9c942623a0daf398a437a5889ea29ee1b8a7f7a7099395992428f89cdd168c9282b95229aee7139e64a6837ebac81470a225fa5ca31f
-
Filesize
74KB
MD5 7dcb361cb59b56d420d407bc136bc73e
SHA1 0456f4dd7aaf213bddf49154560d21c8903c8981
SHA256 4245ea3bb588a4791ac765f108a7ad6865d37ec2b856967d6bf3f4307b20166e
SHA512 a377f610aafd13fa553930e34779e1916f498c89c68912ec5673aedcdc4e42816cf633204904db8ae75be7037fd576a8bdc3c4730695eef5509aa80cbb65c2a8
-
Filesize
7KB
MD5 7e4268c7997482cbf802736bcef85509
SHA1 54f3aaf64ea9e2bf6f2715228511ecd9e9456578
SHA256 07e128654c908b70987b46e06cb37929f4aa221a95fc025c5bcaebd19e4e77f4
SHA512 1298f247a62efdbd777dd1329d2e83fbcada5d2099fea33564f7eff575c4f24fe46a686b2e14959df01ea185ff9af253fb34c00354318437b9c91597fe028388
-
Filesize
74KB
MD5 1d4fd494eb8d5fff8d140b4dcc89bb0c
SHA1 796511862f8652e331456a2e2991e1329038e87b
SHA256 496a419355efb4a701aaba6ad5550437d3c7605464ee3e528e82046c64e70919
SHA512 b3b6cf79d8f2f0408bd34d777e6cb497d9a8b31877c7cfd3e2ded0e72fd893fbccadbdd9b27e5974be4a52b929a2e89f8390f9f053988360dac803c36957fa90
-
Filesize
74KB
MD5 2a5b4cdfe5dbc9df64f9c93a455c99bd
SHA1 4adb1559eecb525cc79934fa80be7ef4c67bfb84
SHA256 b61557fa92c1ea85a80bfa0af82594645a477f9007c1311e15877e50dc26fe15
SHA512 d1942ddd56d55775909338e1076e107e04cd8104b5877924d97d14da445e98279ba4836d354de79996b61cc4e6a48f2426707b1d85e9ad7dd2a136860a780801
-
Filesize
74KB
MD5 2abf0da6ab106ac9f43d5861f5a13dbc
SHA1 af28eb51a4bf61fab7689f68b3d569567934a3cd
SHA256 edd67c34e3c4d6c68f7e188e178b8c39cd8cbdc129ecab980b1488f7542c1a11
SHA512 de6058b10ac00f5c86c9d1e8b588e60e4f077fb0c969efa09cba9c7457be7ced41886759f37cbf7d7fa09da3859265eb9f387d52c8afd2ef622d8274b51686ec
-
Filesize
74KB
MD5 cc9382b099ef5a204aeb18a813ea9581
SHA1 84fcb9d2b3a1074812f559476b0e538a48e95365
SHA256 a89a5dd2c10028902442828f5d7079c3b87ad0939517a7dc25ab5f481e7c675b
SHA512 d347b39b1ba86f7620810de648f4551c109fc01bdb6ef22f7b53aa0d65f693236e85a0223fb802511e1b0ba3080be630211eba28c89e17fd6d2b21d9d2e2011d
-
Filesize
74KB
MD5 7b4232c367b85e94dde86ba1cfc1f405
SHA1 543b090c90c6c6d8744ab56b244ed8f7ad2bd730
SHA256 98ef517dade27988e2958c74a7707e877e37ddeb846f84bff07b29a70d74a275
SHA512 0d5c74fe64dcb8b47626d3cba4d893d4717035c8d8de98a0119f01d665fe9642b90b92b30e657880d5b3fee8f72c3940367f1fda6f321c7c463e3522c67ab176
-
Filesize
74KB
MD5 62c43d8685c239aa67361d53f1e871f6
SHA1 a706b5c3621b1d3039cd3409a74b270d4cb057c8
SHA256 4b9e4fc918dc1559592cef03312c6a976811a13a7189e0b37a742107266cde63
SHA512 92cfd0c0e09df97dbc65d663be70abad426ae55a2e6aa51eaf96011f37591a43a0550e5fc0d27fe83b38605aa23c94d73c0c845d7f2990303b61fb15834e587d