2e6ec0ac0d833f6ea1eeeafa68936894b115af036dfa4c49d277866801c8ea58

General

Target

2e6ec0ac0d833f6ea1eeeafa68936894b115af036dfa4c49d277866801c8ea58.exe
Size

45KB
MD5

33d9e9a072b109981e0fddf5794bda50
SHA1

58b547aa439f477708298614ebd2bf54f4a8f826
SHA256

2e6ec0ac0d833f6ea1eeeafa68936894b115af036dfa4c49d277866801c8ea58
SHA512

7511a8aeddc27cfe28251230acccd197b8a8ef69b1e2a2ecb8618071f03e5c3cbfd990ecb6ec0c3d51f46aec055274246f3a874a8a2873e047696830e4b9dbda
SSDEEP

768:0LR8ttHmjjQaIgWFnaz+kIumMp/QjsLscl2WfZ/1H52:mKt4hItkbYjsLsCBb8

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2e6ec0ac0d833f6ea1eeeafa68936894b115af036dfa4c49d277866801c8ea58.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2e6ec0ac0d833f6ea1eeeafa68936894b115af036dfa4c49d277866801c8ea58.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2e6ec0ac0d833f6ea1eeeafa68936894b115af036dfa4c49d277866801c8ea58.exe

Executes dropped EXE 1 IoCs

Processes:

Opjnck32.exe

pid process

1696 Opjnck32.exe

pid	process
1696	Opjnck32.exe

Loads dropped DLL 2 IoCs

Processes:

2e6ec0ac0d833f6ea1eeeafa68936894b115af036dfa4c49d277866801c8ea58.exe

pid	process
1352	2e6ec0ac0d833f6ea1eeeafa68936894b115af036dfa4c49d277866801c8ea58.exe
1352	2e6ec0ac0d833f6ea1eeeafa68936894b115af036dfa4c49d277866801c8ea58.exe

Drops file in System32 directory 3 IoCs

Processes:

2e6ec0ac0d833f6ea1eeeafa68936894b115af036dfa4c49d277866801c8ea58.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Opjnck32.exe	2e6ec0ac0d833f6ea1eeeafa68936894b115af036dfa4c49d277866801c8ea58.exe
File opened for modification	C:\Windows\SysWOW64\Opjnck32.exe	2e6ec0ac0d833f6ea1eeeafa68936894b115af036dfa4c49d277866801c8ea58.exe
File created	C:\Windows\SysWOW64\Kbnpceph.dll	2e6ec0ac0d833f6ea1eeeafa68936894b115af036dfa4c49d277866801c8ea58.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

Opjnck32.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess	Opjnck32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess\BrowseNewProcess = "yes"	Opjnck32.exe

Modifies registry class 6 IoCs

Processes:

2e6ec0ac0d833f6ea1eeeafa68936894b115af036dfa4c49d277866801c8ea58.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	2e6ec0ac0d833f6ea1eeeafa68936894b115af036dfa4c49d277866801c8ea58.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	2e6ec0ac0d833f6ea1eeeafa68936894b115af036dfa4c49d277866801c8ea58.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	2e6ec0ac0d833f6ea1eeeafa68936894b115af036dfa4c49d277866801c8ea58.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	2e6ec0ac0d833f6ea1eeeafa68936894b115af036dfa4c49d277866801c8ea58.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbnpceph.dll"	2e6ec0ac0d833f6ea1eeeafa68936894b115af036dfa4c49d277866801c8ea58.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	2e6ec0ac0d833f6ea1eeeafa68936894b115af036dfa4c49d277866801c8ea58.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Opjnck32.exe

pid process

1696 Opjnck32.exe

pid	process
1696	Opjnck32.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2e6ec0ac0d833f6ea1eeeafa68936894b115af036dfa4c49d277866801c8ea58.exe

description	pid	process	target process
PID 1352 wrote to memory of 1696	1352	2e6ec0ac0d833f6ea1eeeafa68936894b115af036dfa4c49d277866801c8ea58.exe	Opjnck32.exe
PID 1352 wrote to memory of 1696	1352	2e6ec0ac0d833f6ea1eeeafa68936894b115af036dfa4c49d277866801c8ea58.exe	Opjnck32.exe
PID 1352 wrote to memory of 1696	1352	2e6ec0ac0d833f6ea1eeeafa68936894b115af036dfa4c49d277866801c8ea58.exe	Opjnck32.exe
PID 1352 wrote to memory of 1696	1352	2e6ec0ac0d833f6ea1eeeafa68936894b115af036dfa4c49d277866801c8ea58.exe	Opjnck32.exe

C:\Users\Admin\AppData\Local\Temp\2e6ec0ac0d833f6ea1eeeafa68936894b115af036dfa4c49d277866801c8ea58.exe
"C:\Users\Admin\AppData\Local\Temp\2e6ec0ac0d833f6ea1eeeafa68936894b115af036dfa4c49d277866801c8ea58.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\SysWOW64\Opjnck32.exe
C:\Windows\system32\Opjnck32.exe
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: GetForegroundWindowSpam
PID:1696

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Opjnck32.exe
Filesize
45KB

MD5
8b854683b4aaa6d244b75f0dc5cd3aaf

SHA1
9a65376f8510155e0de4ae5328af06f5b53e8380

SHA256
6a812c74a74f2c075eb9365bc799fed35a233c40966089bdc21deb87c9f2a5c8

SHA512
6bf6eba129abd5dc66c0dbb1bb74097fe82d9eade70b24e996a9a285daccfc15b31b2d028dc781fe9cd4eb07fffb90ce3e716f30ee942f1b58198dc15e24157f

Download Submit
\Windows\SysWOW64\Opjnck32.exe
Filesize
45KB

MD5
8b854683b4aaa6d244b75f0dc5cd3aaf

SHA1
9a65376f8510155e0de4ae5328af06f5b53e8380

SHA256
6a812c74a74f2c075eb9365bc799fed35a233c40966089bdc21deb87c9f2a5c8

SHA512
6bf6eba129abd5dc66c0dbb1bb74097fe82d9eade70b24e996a9a285daccfc15b31b2d028dc781fe9cd4eb07fffb90ce3e716f30ee942f1b58198dc15e24157f

Download Submit
\Windows\SysWOW64\Opjnck32.exe
Filesize
45KB

MD5
8b854683b4aaa6d244b75f0dc5cd3aaf

SHA1
9a65376f8510155e0de4ae5328af06f5b53e8380

SHA256
6a812c74a74f2c075eb9365bc799fed35a233c40966089bdc21deb87c9f2a5c8

SHA512
6bf6eba129abd5dc66c0dbb1bb74097fe82d9eade70b24e996a9a285daccfc15b31b2d028dc781fe9cd4eb07fffb90ce3e716f30ee942f1b58198dc15e24157f

Download Submit
memory/1352-58-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1352-59-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1352-62-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1696-56-0x0000000000000000-mapping.dmp

Download
memory/1696-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1696-61-0x0000000075B51000-0x0000000075B53000-memory.dmp

Filesize
8KB

Download
memory/1696-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads