96138db76fd5ababbeee7679820f67226dc924cbc02a9d646b8c200ed69a969f

Analysis

max time kernel
143s
max time network
145s
platform
windows7_x64
resource
win7v20210410
submitted
04-05-2021 21:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96138db76fd5ababbeee7679820f67226dc924cbc02a9d646b8c200ed69a969f.exe
Size

9.6MB
MD5

e42d21095d220b1ccd7720e0d3297670
SHA1

be8f7f7c13659a1bd01e650362d7a759a50495b6
SHA256

96138db76fd5ababbeee7679820f67226dc924cbc02a9d646b8c200ed69a969f
SHA512

155b831621f32c54b32854e78fd773744fcab26eee04ded14d6958b9dbd11f31255d8a7340a9b9435d4b10dfb473f63c0d0661f615291be0fec18240c54027c0

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Executes dropped EXE 3 IoCs

Processes:

Jnbigp32.exeJohpjgab.exeLpdkeiia.exe

pid process

1500 Jnbigp32.exe
2044 Johpjgab.exe
1396 Lpdkeiia.exe

pid	process
1500	Jnbigp32.exe
2044	Johpjgab.exe
1396	Lpdkeiia.exe

Loads dropped DLL 8 IoCs

Processes:

96138db76fd5ababbeee7679820f67226dc924cbc02a9d646b8c200ed69a969f.exeJnbigp32.exeJohpjgab.exeLpdkeiia.exe

pid	process
1096	96138db76fd5ababbeee7679820f67226dc924cbc02a9d646b8c200ed69a969f.exe
1096	96138db76fd5ababbeee7679820f67226dc924cbc02a9d646b8c200ed69a969f.exe
1500	Jnbigp32.exe
1500	Jnbigp32.exe
2044	Johpjgab.exe
2044	Johpjgab.exe
1396	Lpdkeiia.exe
1396	Lpdkeiia.exe

Drops file in System32 directory 12 IoCs

Processes:

Johpjgab.exeLpdkeiia.exe96138db76fd5ababbeee7679820f67226dc924cbc02a9d646b8c200ed69a969f.exeJnbigp32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Lpdkeiia.exe	Johpjgab.exe
File created	C:\Windows\SysWOW64\Mhhcojoa.exe	Lpdkeiia.exe
File created	C:\Windows\SysWOW64\Chkcbknj.dll	Lpdkeiia.exe
File created	C:\Windows\SysWOW64\Oleaabgi.dll	96138db76fd5ababbeee7679820f67226dc924cbc02a9d646b8c200ed69a969f.exe
File created	C:\Windows\SysWOW64\Johpjgab.exe	Jnbigp32.exe
File created	C:\Windows\SysWOW64\Bnclioan.dll	Jnbigp32.exe
File opened for modification	C:\Windows\SysWOW64\Lpdkeiia.exe	Johpjgab.exe
File created	C:\Windows\SysWOW64\Bamboapd.dll	Johpjgab.exe
File opened for modification	C:\Windows\SysWOW64\Mhhcojoa.exe	Lpdkeiia.exe
File created	C:\Windows\SysWOW64\Jnbigp32.exe	96138db76fd5ababbeee7679820f67226dc924cbc02a9d646b8c200ed69a969f.exe
File opened for modification	C:\Windows\SysWOW64\Jnbigp32.exe	96138db76fd5ababbeee7679820f67226dc924cbc02a9d646b8c200ed69a969f.exe
File opened for modification	C:\Windows\SysWOW64\Johpjgab.exe	Jnbigp32.exe

Modifies registry class 15 IoCs

Processes:

96138db76fd5ababbeee7679820f67226dc924cbc02a9d646b8c200ed69a969f.exeJnbigp32.exeJohpjgab.exeLpdkeiia.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	96138db76fd5ababbeee7679820f67226dc924cbc02a9d646b8c200ed69a969f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	96138db76fd5ababbeee7679820f67226dc924cbc02a9d646b8c200ed69a969f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oleaabgi.dll"	96138db76fd5ababbeee7679820f67226dc924cbc02a9d646b8c200ed69a969f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	96138db76fd5ababbeee7679820f67226dc924cbc02a9d646b8c200ed69a969f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jnbigp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnclioan.dll"	Jnbigp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Johpjgab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Johpjgab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpdkeiia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	96138db76fd5ababbeee7679820f67226dc924cbc02a9d646b8c200ed69a969f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpdkeiia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	96138db76fd5ababbeee7679820f67226dc924cbc02a9d646b8c200ed69a969f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jnbigp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bamboapd.dll"	Johpjgab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chkcbknj.dll"	Lpdkeiia.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

96138db76fd5ababbeee7679820f67226dc924cbc02a9d646b8c200ed69a969f.exeJnbigp32.exeJohpjgab.exeLpdkeiia.exe

description	pid	process	target process
PID 1096 wrote to memory of 1500	1096	96138db76fd5ababbeee7679820f67226dc924cbc02a9d646b8c200ed69a969f.exe	Jnbigp32.exe
PID 1096 wrote to memory of 1500	1096	96138db76fd5ababbeee7679820f67226dc924cbc02a9d646b8c200ed69a969f.exe	Jnbigp32.exe
PID 1096 wrote to memory of 1500	1096	96138db76fd5ababbeee7679820f67226dc924cbc02a9d646b8c200ed69a969f.exe	Jnbigp32.exe
PID 1096 wrote to memory of 1500	1096	96138db76fd5ababbeee7679820f67226dc924cbc02a9d646b8c200ed69a969f.exe	Jnbigp32.exe
PID 1500 wrote to memory of 2044	1500	Jnbigp32.exe	Johpjgab.exe
PID 1500 wrote to memory of 2044	1500	Jnbigp32.exe	Johpjgab.exe
PID 1500 wrote to memory of 2044	1500	Jnbigp32.exe	Johpjgab.exe
PID 1500 wrote to memory of 2044	1500	Jnbigp32.exe	Johpjgab.exe
PID 2044 wrote to memory of 1396	2044	Johpjgab.exe	Lpdkeiia.exe
PID 2044 wrote to memory of 1396	2044	Johpjgab.exe	Lpdkeiia.exe
PID 2044 wrote to memory of 1396	2044	Johpjgab.exe	Lpdkeiia.exe
PID 2044 wrote to memory of 1396	2044	Johpjgab.exe	Lpdkeiia.exe
PID 1396 wrote to memory of 1972	1396	Lpdkeiia.exe	Mhhcojoa.exe
PID 1396 wrote to memory of 1972	1396	Lpdkeiia.exe	Mhhcojoa.exe
PID 1396 wrote to memory of 1972	1396	Lpdkeiia.exe	Mhhcojoa.exe
PID 1396 wrote to memory of 1972	1396	Lpdkeiia.exe	Mhhcojoa.exe

C:\Users\Admin\AppData\Local\Temp\96138db76fd5ababbeee7679820f67226dc924cbc02a9d646b8c200ed69a969f.exe
"C:\Users\Admin\AppData\Local\Temp\96138db76fd5ababbeee7679820f67226dc924cbc02a9d646b8c200ed69a969f.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\Jnbigp32.exe
C:\Windows\system32\Jnbigp32.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\SysWOW64\Johpjgab.exe
C:\Windows\system32\Johpjgab.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\Lpdkeiia.exe
C:\Windows\system32\Lpdkeiia.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\SysWOW64\Mhhcojoa.exe
C:\Windows\system32\Mhhcojoa.exe
5⤵
PID:1972

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jnbigp32.exe
MD5
0dd26f2c607aa7908580b2de6d74c133

SHA1
e55b4fe196f451904f33918e70fdbdeabe8a2779

SHA256
6e72207867cc3994117d9ebd231ba8a171d0b8a79c6c16fa56e23426222c9c88

SHA512
ec42704c4030fcd61e95b631edbd52893eb552e5001f91b0e2f4ee017d021f3664b359df666fcf5d4670eb988da43acfe0f99c12935d36c4f7e700ef1498cd65

Download Submit
C:\Windows\SysWOW64\Jnbigp32.exe
MD5
0dd26f2c607aa7908580b2de6d74c133

SHA1
e55b4fe196f451904f33918e70fdbdeabe8a2779

SHA256
6e72207867cc3994117d9ebd231ba8a171d0b8a79c6c16fa56e23426222c9c88

SHA512
ec42704c4030fcd61e95b631edbd52893eb552e5001f91b0e2f4ee017d021f3664b359df666fcf5d4670eb988da43acfe0f99c12935d36c4f7e700ef1498cd65

Download Submit
C:\Windows\SysWOW64\Johpjgab.exe
MD5
99aadad882cd4d12b44cb6075c955d02

SHA1
7bb3808b92a10b4026264d3e41d0de7bec521d79

SHA256
465d752161320838cfc43c1d1a993e4f06470e22bb2b0f50f1bb79c197496502

SHA512
b4143d678e8f2f3162646efff06f3b541cd9b46757eefc4c79f21d1095dd995c8d460cc2a9910daa3dcc77581049bca52a1cb68c3cb23e968cb28ee53544bd5b

Download Submit
C:\Windows\SysWOW64\Johpjgab.exe
MD5
99aadad882cd4d12b44cb6075c955d02

SHA1
7bb3808b92a10b4026264d3e41d0de7bec521d79

SHA256
465d752161320838cfc43c1d1a993e4f06470e22bb2b0f50f1bb79c197496502

SHA512
b4143d678e8f2f3162646efff06f3b541cd9b46757eefc4c79f21d1095dd995c8d460cc2a9910daa3dcc77581049bca52a1cb68c3cb23e968cb28ee53544bd5b

Download Submit
C:\Windows\SysWOW64\Lpdkeiia.exe
MD5
9e60b9e084f1b6d9e00efe62d28c3848

SHA1
c02d956a01955f6073124701bf4db75c370cb483

SHA256
b100d84ab706c3889defd6b34cf8c05a8c67e7d605529a33f5f032ea5a7598be

SHA512
a86eae8a7c4c4637cc47ce8653cfcdc711be33eab955a874f5a19732bde167280beae9d50f9d8c026282dd21008a8fe42db29fa65e6ad3386cd32ed833645b0a

Download Submit
C:\Windows\SysWOW64\Lpdkeiia.exe
MD5
9e60b9e084f1b6d9e00efe62d28c3848

SHA1
c02d956a01955f6073124701bf4db75c370cb483

SHA256
b100d84ab706c3889defd6b34cf8c05a8c67e7d605529a33f5f032ea5a7598be

SHA512
a86eae8a7c4c4637cc47ce8653cfcdc711be33eab955a874f5a19732bde167280beae9d50f9d8c026282dd21008a8fe42db29fa65e6ad3386cd32ed833645b0a

Download Submit
\Windows\SysWOW64\Jnbigp32.exe
MD5
0dd26f2c607aa7908580b2de6d74c133

SHA1
e55b4fe196f451904f33918e70fdbdeabe8a2779

SHA256
6e72207867cc3994117d9ebd231ba8a171d0b8a79c6c16fa56e23426222c9c88

SHA512
ec42704c4030fcd61e95b631edbd52893eb552e5001f91b0e2f4ee017d021f3664b359df666fcf5d4670eb988da43acfe0f99c12935d36c4f7e700ef1498cd65

Download Submit
\Windows\SysWOW64\Jnbigp32.exe
MD5
0dd26f2c607aa7908580b2de6d74c133

SHA1
e55b4fe196f451904f33918e70fdbdeabe8a2779

SHA256
6e72207867cc3994117d9ebd231ba8a171d0b8a79c6c16fa56e23426222c9c88

SHA512
ec42704c4030fcd61e95b631edbd52893eb552e5001f91b0e2f4ee017d021f3664b359df666fcf5d4670eb988da43acfe0f99c12935d36c4f7e700ef1498cd65

Download Submit
\Windows\SysWOW64\Johpjgab.exe
MD5
99aadad882cd4d12b44cb6075c955d02

SHA1
7bb3808b92a10b4026264d3e41d0de7bec521d79

SHA256
465d752161320838cfc43c1d1a993e4f06470e22bb2b0f50f1bb79c197496502

SHA512
b4143d678e8f2f3162646efff06f3b541cd9b46757eefc4c79f21d1095dd995c8d460cc2a9910daa3dcc77581049bca52a1cb68c3cb23e968cb28ee53544bd5b

Download Submit
\Windows\SysWOW64\Johpjgab.exe
MD5
99aadad882cd4d12b44cb6075c955d02

SHA1
7bb3808b92a10b4026264d3e41d0de7bec521d79

SHA256
465d752161320838cfc43c1d1a993e4f06470e22bb2b0f50f1bb79c197496502

SHA512
b4143d678e8f2f3162646efff06f3b541cd9b46757eefc4c79f21d1095dd995c8d460cc2a9910daa3dcc77581049bca52a1cb68c3cb23e968cb28ee53544bd5b

Download Submit
\Windows\SysWOW64\Lpdkeiia.exe
MD5
9e60b9e084f1b6d9e00efe62d28c3848

SHA1
c02d956a01955f6073124701bf4db75c370cb483

SHA256
b100d84ab706c3889defd6b34cf8c05a8c67e7d605529a33f5f032ea5a7598be

SHA512
a86eae8a7c4c4637cc47ce8653cfcdc711be33eab955a874f5a19732bde167280beae9d50f9d8c026282dd21008a8fe42db29fa65e6ad3386cd32ed833645b0a

Download Submit
\Windows\SysWOW64\Lpdkeiia.exe
MD5
9e60b9e084f1b6d9e00efe62d28c3848

SHA1
c02d956a01955f6073124701bf4db75c370cb483

SHA256
b100d84ab706c3889defd6b34cf8c05a8c67e7d605529a33f5f032ea5a7598be

SHA512
a86eae8a7c4c4637cc47ce8653cfcdc711be33eab955a874f5a19732bde167280beae9d50f9d8c026282dd21008a8fe42db29fa65e6ad3386cd32ed833645b0a

Download Submit
\Windows\SysWOW64\Mhhcojoa.exe
MD5
af88eb401436534ddd8c305d692e4948

SHA1
070242b48e5ff761e36ec299be98e54e40b0c3ac

SHA256
d79f3292388b96fbb426ddbca2913661636b404de34c61936d33196535490643

SHA512
e19568444e1535c6f297834b968a73752ff78ec03a0108a54aa2e9d1ea56921737180b6242c0be63c4534eaa8cd6e27e2eebc05a5beb32d4190324fa9f30b926

Download Submit
\Windows\SysWOW64\Mhhcojoa.exe
MD5
af88eb401436534ddd8c305d692e4948

SHA1
070242b48e5ff761e36ec299be98e54e40b0c3ac

SHA256
d79f3292388b96fbb426ddbca2913661636b404de34c61936d33196535490643

SHA512
e19568444e1535c6f297834b968a73752ff78ec03a0108a54aa2e9d1ea56921737180b6242c0be63c4534eaa8cd6e27e2eebc05a5beb32d4190324fa9f30b926

Download Submit
memory/1396-71-0x0000000000000000-mapping.dmp

Download
memory/1500-61-0x0000000000000000-mapping.dmp

Download
memory/1972-76-0x0000000000000000-mapping.dmp

Download
memory/2044-66-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads