Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
10-11-2024 01:12
Static task
static1
Behavioral task
behavioral1
Sample
a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe
Resource
win10v2004-20241007-en
General
-
Target
a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe
-
Size
364KB
-
MD5
c888455fdf0cefda3eb8249318ff75ee
-
SHA1
95656a8ffcf4e16e3a721ab360c2ea6e75eee94b
-
SHA256
a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec
-
SHA512
e4f0684daa3df279a37bdc5a782025b1f9a8cd38c1a32cc4e1b5ea36e33f78a781b80e275276060579b0e8442b6d385f6975e47188fec8f1e28133be4c202439
-
SSDEEP
6144:iW7mooWmLnPpV+tbFOLM77OLnFe3HCqxNRmJ4PavntPRRI:sG6nytsNePmjvtPRRI
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 4 IoCs
Processes: a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe, Npagjpcd.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Npagjpcd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Npagjpcd.exe
-
Berbew family
-
Executes dropped EXE 2 IoCs
Processes: Npagjpcd.exe, Nlhgoqhh.exe
pid | process
2792 | Npagjpcd.exe
2168 | Nlhgoqhh.exe
-
Loads dropped DLL 8 IoCs
Processes: a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe, Npagjpcd.exe, WerFault.exe
pid | process
2160 | a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe (2 IoCs)
2792 | Npagjpcd.exe (2 IoCs)
2752 | WerFault.exe (4 IoCs)
-
Drops file in System32 directory 6 IoCs
Processes: Npagjpcd.exe, a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe
description | ioc | process
File created | C:\Windows\SysWOW64\Nlhgoqhh.exe | Npagjpcd.exe
File opened for modification | C:\Windows\SysWOW64\Nlhgoqhh.exe | Npagjpcd.exe
File created | C:\Windows\SysWOW64\Lamajm32.dll | Npagjpcd.exe
File created | C:\Windows\SysWOW64\Npagjpcd.exe | a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe
File opened for modification | C:\Windows\SysWOW64\Npagjpcd.exe | a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe
File created | C:\Windows\SysWOW64\Mahqjm32.dll | a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe
-
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
2752 | 2168 | WerFault.exe | Nlhgoqhh.exe
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: Npagjpcd.exe, Nlhgoqhh.exe, a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Npagjpcd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nlhgoqhh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe
-
Modifies registry class 9 IoCs
Processes: Npagjpcd.exe, a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll" | Npagjpcd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Npagjpcd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Npagjpcd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} | a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mahqjm32.dll" | a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe
-
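The two registry signatures above describe one persistence chain rather than two separate findings: Explorer reads ShellServiceObjectDelayLoad (SSODL) at logon, instantiates every CLSID listed there, and COM loads whatever DLL the CLSID's InProcServer32 default value names, here Mahqjm32.dll and then Lamajm32.dll under SysWOW64, registered by the original sample and by the dropped Npagjpcd.exe respectively. The following PowerShell is an added hunting script, not part of the sandbox report or of any tool it references. It walks both SSODL keys, resolves each value to its InProcServer32 DLL and flags entries whose DLL is missing, unsigned, not Microsoft-signed, outside %SystemRoot%, or whose CLSID is on a watch list. The only report-derived values are the CLSID {79FAA099-1BAE-816E-D711-115290CEE717} and the value name "Web Event Logger"; the watch-list and path heuristics are assumptions you should tune to your environment. It assumes a 64-bit PowerShell session with local administrator rights.

```powershell
# Added example (not from the sandbox report). Hunt for SSODL persistence of the kind
# Berbew uses: SSODL value -> CLSID -> InProcServer32 DLL. Run from 64-bit PowerShell
# so the Wow6432Node view is visible without registry redirection.

$ssodlKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
)
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID',
    'HKCU:\SOFTWARE\Classes\CLSID'
)
# Watch list: CLSID and value name taken from the report; extend with your own indicators.
$watchClsid = @('{79FAA099-1BAE-816E-D711-115290CEE717}')
$watchNames = @('Web Event Logger')
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Resolve-SsodlClsid {
    # Return the InProcServer32 key and expanded DLL path for a CLSID, or $null.
    param([string]$Clsid)
    foreach ($root in $clsidRoots) {
        $key = Join-Path $root "$Clsid\InProcServer32"
        if (Test-Path -LiteralPath $key) {
            # The DLL path lives in the key's default value, exposed as '(default)'.
            $dll = (Get-ItemProperty -LiteralPath $key).'(default)'
            if ($dll) {
                return [PSCustomObject]@{
                    Key = $key
                    Dll = [Environment]::ExpandEnvironmentVariables($dll)
                }
            }
        }
    }
    return $null
}

$findings = foreach ($key in $ssodlKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in $providerProps) { continue }
        $clsid   = [string]$p.Value
        $res     = Resolve-SsodlClsid -Clsid $clsid
        $exists  = $false; $sigStatus = $null; $signer = $null; $sha256 = $null
        if ($res -and (Test-Path -LiteralPath $res.Dll)) {
            $exists    = $true
            $sig       = Get-AuthenticodeSignature -FilePath $res.Dll
            $sigStatus = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            $sha256    = (Get-FileHash -Algorithm SHA256 -LiteralPath $res.Dll).Hash
        }
        # Heuristics (assumptions): anything not a valid Microsoft-signed DLL under
        # %SystemRoot% is worth a look, as is an unresolvable CLSID or a watch-list hit.
        $inSystemRoot = $res -and $res.Dll.StartsWith($env:SystemRoot, 'OrdinalIgnoreCase')
        $msSigned     = $exists -and $sigStatus -eq 'Valid' -and $signer -match 'O=Microsoft Corporation'
        $suspicious   = ($clsid -in $watchClsid) -or ($p.Name -in $watchNames) -or
                        (-not $res) -or (-not $exists) -or (-not $inSystemRoot) -or (-not $msSigned)
        [PSCustomObject]@{
            Suspicious = $suspicious
            SsodlKey   = $key
            ValueName  = $p.Name
            Clsid      = $clsid
            Dll        = if ($res) { $res.Dll } else { '<unresolved>' }
            DllExists  = $exists
            SigStatus  = $sigStatus
            Signer     = $signer
            Sha256     = $sha256
        }
    }
}

$findings | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize
```

Treat the Microsoft-signature and %SystemRoot% checks as triage aids, not proof: Berbew drops its DLLs into SysWOW64, which is under %SystemRoot%, so the decisive signals here are the unsigned DLL and the watch-list CLSID, and a suspicious row should be followed by collecting the DLL (the SHA256 column) and the dropper it came from before cleaning the SSODL value and the CLSID key together.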
Suspicious use of WriteProcessMemory 12 IoCs
Processes: a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe, Npagjpcd.exe, Nlhgoqhh.exe
description | pid | process | target process
PID 2160 wrote to memory of 2792 | 2160 | a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe | Npagjpcd.exe (4 IoCs)
PID 2792 wrote to memory of 2168 | 2792 | Npagjpcd.exe | Nlhgoqhh.exe (4 IoCs)
PID 2168 wrote to memory of 2752 | 2168 | Nlhgoqhh.exe | WerFault.exe (4 IoCs)
Processes
-
C:\Users\Admin\AppData\Local\Temp\a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe"
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Npagjpcd.exe (depth 2)
Command line: C:\Windows\system32\Npagjpcd.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Nlhgoqhh.exe (depth 3)
Command line: C:\Windows\system32\Nlhgoqhh.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\WerFault.exe (depth 4)
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 140
- Loads dropped DLL
- Program crash
PID:2752
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
364KB
MD5
096bd25ffb16647fb8577c9da14aeab1
SHA1
485d423a94f28b040de7e9529500c634c2fce3cc
SHA256
d97617c5f485899f09a654128ace9d1e035f58366ad4ac91dfab1436023bc84a
SHA512
96d7606c3a01bf3a7f19bf0762a366c1cc9631a1140eb538ecf423070713f34bf7628fd815f2b79c2bee763d7395cb41e142d10146b8259dec255a906a8d13e7
-
Filesize
364KB
MD5
1070c2ee886db07cf2c37559119209c6
SHA1
166a2fe50dad978c63020e21f62cf699b3f82fa3
SHA256
5412c939043b7ab3825149e33ddadddaca623527c016132862debf5c9b54ef29
SHA512
0707a862fa1103fdaba634ea447ffafccd4e53ba0be0ec01b47355c2fcefe3428691f0101e71c5c8a67f2a15d30b05a3589973302594e7578c137c378971e5e5