e2ec535531bcc6a572195f75e2413745f1939b123c6d883bf3e25553eb5a69ed

General

Target

e2ec535531bcc6a572195f75e2413745f1939b123c6d883bf3e25553eb5a69ed.exe
Size

45KB
MD5

130e2a8bec03a74bebee7d2b157347f0
SHA1

672940bd811df503ab76b58b737c5f9e8409024c
SHA256

e2ec535531bcc6a572195f75e2413745f1939b123c6d883bf3e25553eb5a69ed
SHA512

e81cc76bdb6bd977818f2009cf9a9dde8df908679e20eb224bcab99332d84ebc205f77bbc2759a163ee60bdedb50fe5fadaf5db0b41ace7f20357d8fee6263c8
SSDEEP

768:61gOAr1W1x1wouGz+zvY5OBU3KRcXANcIypfNxydwH/1H5:6661xqNk+zvY5FXANcIdq

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e2ec535531bcc6a572195f75e2413745f1939b123c6d883bf3e25553eb5a69ed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e2ec535531bcc6a572195f75e2413745f1939b123c6d883bf3e25553eb5a69ed.exe

Executes dropped EXE 1 IoCs

pid	Process
972	Mcdjbf32.exe

Loads dropped DLL 2 IoCs

pid	Process
900	e2ec535531bcc6a572195f75e2413745f1939b123c6d883bf3e25553eb5a69ed.exe
900	e2ec535531bcc6a572195f75e2413745f1939b123c6d883bf3e25553eb5a69ed.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mcdjbf32.exe	e2ec535531bcc6a572195f75e2413745f1939b123c6d883bf3e25553eb5a69ed.exe
File opened for modification	C:\Windows\SysWOW64\Mcdjbf32.exe	e2ec535531bcc6a572195f75e2413745f1939b123c6d883bf3e25553eb5a69ed.exe
File created	C:\Windows\SysWOW64\Kekjcdnl.dll	e2ec535531bcc6a572195f75e2413745f1939b123c6d883bf3e25553eb5a69ed.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess	Mcdjbf32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess\BrowseNewProcess = "yes"	Mcdjbf32.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	e2ec535531bcc6a572195f75e2413745f1939b123c6d883bf3e25553eb5a69ed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	e2ec535531bcc6a572195f75e2413745f1939b123c6d883bf3e25553eb5a69ed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	e2ec535531bcc6a572195f75e2413745f1939b123c6d883bf3e25553eb5a69ed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kekjcdnl.dll"	e2ec535531bcc6a572195f75e2413745f1939b123c6d883bf3e25553eb5a69ed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	e2ec535531bcc6a572195f75e2413745f1939b123c6d883bf3e25553eb5a69ed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	e2ec535531bcc6a572195f75e2413745f1939b123c6d883bf3e25553eb5a69ed.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
972	Mcdjbf32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 972	900	e2ec535531bcc6a572195f75e2413745f1939b123c6d883bf3e25553eb5a69ed.exe	27
PID 900 wrote to memory of 972	900	e2ec535531bcc6a572195f75e2413745f1939b123c6d883bf3e25553eb5a69ed.exe	27
PID 900 wrote to memory of 972	900	e2ec535531bcc6a572195f75e2413745f1939b123c6d883bf3e25553eb5a69ed.exe	27
PID 900 wrote to memory of 972	900	e2ec535531bcc6a572195f75e2413745f1939b123c6d883bf3e25553eb5a69ed.exe	27

C:\Users\Admin\AppData\Local\Temp\e2ec535531bcc6a572195f75e2413745f1939b123c6d883bf3e25553eb5a69ed.exe
"C:\Users\Admin\AppData\Local\Temp\e2ec535531bcc6a572195f75e2413745f1939b123c6d883bf3e25553eb5a69ed.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:900
- C:\Windows\SysWOW64\Mcdjbf32.exe
  C:\Windows\system32\Mcdjbf32.exe
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious behavior: GetForegroundWindowSpam
  PID:972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mcdjbf32.exe

Filesize
45KB

MD5
d83f923ac59269d6730f0a3d87472711

SHA1
8cb4582d7ba83426762b62c9b88d0fe523080956

SHA256
21b8b458dd45d07b2ce9ef3f11ebbbb3b6c679311b18def70f89fb9787352b1f

SHA512
6e958863574bcda13abd8be3edcfef52a0190fe625749ca4333db54d9310b488b05f48b1d1c748e4eefad338760a0e21d46984fcd517ff6522916b616693ec36

Download Submit
\Windows\SysWOW64\Mcdjbf32.exe

Filesize
45KB

MD5
d83f923ac59269d6730f0a3d87472711

SHA1
8cb4582d7ba83426762b62c9b88d0fe523080956

SHA256
21b8b458dd45d07b2ce9ef3f11ebbbb3b6c679311b18def70f89fb9787352b1f

SHA512
6e958863574bcda13abd8be3edcfef52a0190fe625749ca4333db54d9310b488b05f48b1d1c748e4eefad338760a0e21d46984fcd517ff6522916b616693ec36

Download Submit
\Windows\SysWOW64\Mcdjbf32.exe

Filesize
45KB

MD5
d83f923ac59269d6730f0a3d87472711

SHA1
8cb4582d7ba83426762b62c9b88d0fe523080956

SHA256
21b8b458dd45d07b2ce9ef3f11ebbbb3b6c679311b18def70f89fb9787352b1f

SHA512
6e958863574bcda13abd8be3edcfef52a0190fe625749ca4333db54d9310b488b05f48b1d1c748e4eefad338760a0e21d46984fcd517ff6522916b616693ec36

Download Submit
memory/900-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/900-56-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/900-60-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/972-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/972-62-0x0000000076071000-0x0000000076073000-memory.dmp

Filesize
8KB

Download
memory/972-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing