a28c5a5b1f1f15f9c6c12f108165d647593fd81df81a69840c41ecddd79614f6

Analysis

max time kernel
144s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 09:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a28c5a5b1f1f15f9c6c12f108165d647593fd81df81a69840c41ecddd79614f6.exe
Size

51KB
MD5

fdbc22599f42ed87d841e2b3f31e7ea0
SHA1

7138a958b0be85cf284b01c6b7e84ab97e48930d
SHA256

a28c5a5b1f1f15f9c6c12f108165d647593fd81df81a69840c41ecddd79614f6
SHA512

453e11c5e0f47dfd94cf90b9717b2b1b4a8e7992136b5454c5e767bf72a0b88837d6b4ea5b57960d4926bea9e94f2bbb9cc4b378b9b6b88e459c8cb2fb1375b3
SSDEEP

1536:VIOoM2g6adwmDxYYErVyxhFDZYjV0J6f4uOzBc:p2g6ahDCrVyFDijVMM4u8

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Ijbpnhnn.exeIhfphlmg.exeIhhmml32.exea28c5a5b1f1f15f9c6c12f108165d647593fd81df81a69840c41ecddd79614f6.exeCflfca32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijbpnhnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ihfphlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ihhmml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	a28c5a5b1f1f15f9c6c12f108165d647593fd81df81a69840c41ecddd79614f6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cflfca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cflfca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijbpnhnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a28c5a5b1f1f15f9c6c12f108165d647593fd81df81a69840c41ecddd79614f6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihfphlmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihhmml32.exe

Executes dropped EXE 5 IoCs

Processes:

Cflfca32.exeIjbpnhnn.exeIhfphlmg.exeIhhmml32.exeIfnjnhpl.exe

pid process

4848 Cflfca32.exe
444 Ijbpnhnn.exe
2412 Ihfphlmg.exe
5012 Ihhmml32.exe
4716 Ifnjnhpl.exe

pid	process
4848	Cflfca32.exe
444	Ijbpnhnn.exe
2412	Ihfphlmg.exe
5012	Ihhmml32.exe
4716	Ifnjnhpl.exe

Drops file in System32 directory 15 IoCs

Processes:

Ihhmml32.exea28c5a5b1f1f15f9c6c12f108165d647593fd81df81a69840c41ecddd79614f6.exeCflfca32.exeIjbpnhnn.exeIhfphlmg.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Ifnjnhpl.exe	Ihhmml32.exe
File created	C:\Windows\SysWOW64\Cflfca32.exe	a28c5a5b1f1f15f9c6c12f108165d647593fd81df81a69840c41ecddd79614f6.exe
File created	C:\Windows\SysWOW64\Koghjijk.dll	a28c5a5b1f1f15f9c6c12f108165d647593fd81df81a69840c41ecddd79614f6.exe
File opened for modification	C:\Windows\SysWOW64\Ijbpnhnn.exe	Cflfca32.exe
File opened for modification	C:\Windows\SysWOW64\Ihfphlmg.exe	Ijbpnhnn.exe
File created	C:\Windows\SysWOW64\Hihade32.dll	Ijbpnhnn.exe
File created	C:\Windows\SysWOW64\Ihhmml32.exe	Ihfphlmg.exe
File created	C:\Windows\SysWOW64\Jajighno.dll	Ihfphlmg.exe
File created	C:\Windows\SysWOW64\Ncllhiab.dll	Ihhmml32.exe
File created	C:\Windows\SysWOW64\Ifnjnhpl.exe	Ihhmml32.exe
File created	C:\Windows\SysWOW64\Hbbfka32.dll	Cflfca32.exe
File created	C:\Windows\SysWOW64\Ihfphlmg.exe	Ijbpnhnn.exe
File opened for modification	C:\Windows\SysWOW64\Cflfca32.exe	a28c5a5b1f1f15f9c6c12f108165d647593fd81df81a69840c41ecddd79614f6.exe
File created	C:\Windows\SysWOW64\Ijbpnhnn.exe	Cflfca32.exe
File opened for modification	C:\Windows\SysWOW64\Ihhmml32.exe	Ihfphlmg.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1204 4716 WerFault.exe Ifnjnhpl.exe

pid	pid_target	process	target process
1204	4716	WerFault.exe	Ifnjnhpl.exe

Modifies registry class 18 IoCs

Processes:

a28c5a5b1f1f15f9c6c12f108165d647593fd81df81a69840c41ecddd79614f6.exeIjbpnhnn.exeIhfphlmg.exeIhhmml32.exeCflfca32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	a28c5a5b1f1f15f9c6c12f108165d647593fd81df81a69840c41ecddd79614f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Koghjijk.dll"	a28c5a5b1f1f15f9c6c12f108165d647593fd81df81a69840c41ecddd79614f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	a28c5a5b1f1f15f9c6c12f108165d647593fd81df81a69840c41ecddd79614f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijbpnhnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ihfphlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jajighno.dll"	Ihfphlmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ihhmml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbbfka32.dll"	Cflfca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cflfca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijbpnhnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncllhiab.dll"	Ihhmml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	a28c5a5b1f1f15f9c6c12f108165d647593fd81df81a69840c41ecddd79614f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cflfca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hihade32.dll"	Ijbpnhnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ihhmml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	a28c5a5b1f1f15f9c6c12f108165d647593fd81df81a69840c41ecddd79614f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	a28c5a5b1f1f15f9c6c12f108165d647593fd81df81a69840c41ecddd79614f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ihfphlmg.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

a28c5a5b1f1f15f9c6c12f108165d647593fd81df81a69840c41ecddd79614f6.exeCflfca32.exeIjbpnhnn.exeIhfphlmg.exeIhhmml32.exe

description	pid	process	target process
PID 4056 wrote to memory of 4848	4056	a28c5a5b1f1f15f9c6c12f108165d647593fd81df81a69840c41ecddd79614f6.exe	Cflfca32.exe
PID 4056 wrote to memory of 4848	4056	a28c5a5b1f1f15f9c6c12f108165d647593fd81df81a69840c41ecddd79614f6.exe	Cflfca32.exe
PID 4056 wrote to memory of 4848	4056	a28c5a5b1f1f15f9c6c12f108165d647593fd81df81a69840c41ecddd79614f6.exe	Cflfca32.exe
PID 4848 wrote to memory of 444	4848	Cflfca32.exe	Ijbpnhnn.exe
PID 4848 wrote to memory of 444	4848	Cflfca32.exe	Ijbpnhnn.exe
PID 4848 wrote to memory of 444	4848	Cflfca32.exe	Ijbpnhnn.exe
PID 444 wrote to memory of 2412	444	Ijbpnhnn.exe	Ihfphlmg.exe
PID 444 wrote to memory of 2412	444	Ijbpnhnn.exe	Ihfphlmg.exe
PID 444 wrote to memory of 2412	444	Ijbpnhnn.exe	Ihfphlmg.exe
PID 2412 wrote to memory of 5012	2412	Ihfphlmg.exe	Ihhmml32.exe
PID 2412 wrote to memory of 5012	2412	Ihfphlmg.exe	Ihhmml32.exe
PID 2412 wrote to memory of 5012	2412	Ihfphlmg.exe	Ihhmml32.exe
PID 5012 wrote to memory of 4716	5012	Ihhmml32.exe	Ifnjnhpl.exe
PID 5012 wrote to memory of 4716	5012	Ihhmml32.exe	Ifnjnhpl.exe
PID 5012 wrote to memory of 4716	5012	Ihhmml32.exe	Ifnjnhpl.exe

C:\Users\Admin\AppData\Local\Temp\a28c5a5b1f1f15f9c6c12f108165d647593fd81df81a69840c41ecddd79614f6.exe
"C:\Users\Admin\AppData\Local\Temp\a28c5a5b1f1f15f9c6c12f108165d647593fd81df81a69840c41ecddd79614f6.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4056

C:\Windows\SysWOW64\Cflfca32.exe
C:\Windows\system32\Cflfca32.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4848

C:\Windows\SysWOW64\Ijbpnhnn.exe
C:\Windows\system32\Ijbpnhnn.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:444

C:\Windows\SysWOW64\Ihfphlmg.exe
C:\Windows\system32\Ihfphlmg.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2412

C:\Windows\SysWOW64\Ihhmml32.exe
C:\Windows\system32\Ihhmml32.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5012

C:\Windows\SysWOW64\Ifnjnhpl.exe
C:\Windows\system32\Ifnjnhpl.exe
6⤵
- Executes dropped EXE
PID:4716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 224
7⤵
- Program crash
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4716 -ip 4716
1⤵
PID:4584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cflfca32.exe
Filesize
51KB

MD5
2c62d684026406545a88a9f58d7f09f8

SHA1
1036c0cfeeba7bcc61b512688a9c3d7b3eeac63b

SHA256
56d6433e92793a500253a6535404e891a17505743af89745bae28775a6ee94d9

SHA512
ceab034e8ae933b3cc84e1027a443d9ecce9cf2f80bc4df958d0a42f5f5e62a5799ce9ea69a53ce168ce6bcbd56ddbbb399818ffb96eb00c9a59760c3c3f582c

Download Submit
C:\Windows\SysWOW64\Cflfca32.exe
Filesize
51KB

MD5
2c62d684026406545a88a9f58d7f09f8

SHA1
1036c0cfeeba7bcc61b512688a9c3d7b3eeac63b

SHA256
56d6433e92793a500253a6535404e891a17505743af89745bae28775a6ee94d9

SHA512
ceab034e8ae933b3cc84e1027a443d9ecce9cf2f80bc4df958d0a42f5f5e62a5799ce9ea69a53ce168ce6bcbd56ddbbb399818ffb96eb00c9a59760c3c3f582c

Download Submit
C:\Windows\SysWOW64\Ifnjnhpl.exe
Filesize
51KB

MD5
478df882ad2122b0ccedf7e7cec1b019

SHA1
1c812ae2dbb46e863b87cbc763449742f0e1dcb9

SHA256
4bf83905927d53039ce36a0df40ad37452325694a801377ee1860a484f4c8f8c

SHA512
87a76237cf2a831ee5aeab2c993c9a8bb4a0bec138ca6653cde388ddaf570f006a4251d435575e81a4a865404c5758c2da7e04bb4af96f192f9381fa14333486

Download Submit
C:\Windows\SysWOW64\Ifnjnhpl.exe
Filesize
51KB

MD5
478df882ad2122b0ccedf7e7cec1b019

SHA1
1c812ae2dbb46e863b87cbc763449742f0e1dcb9

SHA256
4bf83905927d53039ce36a0df40ad37452325694a801377ee1860a484f4c8f8c

SHA512
87a76237cf2a831ee5aeab2c993c9a8bb4a0bec138ca6653cde388ddaf570f006a4251d435575e81a4a865404c5758c2da7e04bb4af96f192f9381fa14333486

Download Submit
C:\Windows\SysWOW64\Ihfphlmg.exe
Filesize
51KB

MD5
e053ef899ec02369f1ff5b25563d2bfa

SHA1
8aef49ba81a4cc04bc77b2a80bc066a04d38e634

SHA256
78915c4042a2651c937279fd7afb2fd532ba68a262b719dfd585580692b8a513

SHA512
77ba6a06517219ae8b9b0107ab47e9c2d3ae43490ae3640f48ca1755c6cbe97a50f0eef27633a316e9d50ca3fe15e1507429775143ff0f62fd9b6ed52e669b70

Download Submit
C:\Windows\SysWOW64\Ihfphlmg.exe
Filesize
51KB

MD5
e053ef899ec02369f1ff5b25563d2bfa

SHA1
8aef49ba81a4cc04bc77b2a80bc066a04d38e634

SHA256
78915c4042a2651c937279fd7afb2fd532ba68a262b719dfd585580692b8a513

SHA512
77ba6a06517219ae8b9b0107ab47e9c2d3ae43490ae3640f48ca1755c6cbe97a50f0eef27633a316e9d50ca3fe15e1507429775143ff0f62fd9b6ed52e669b70

Download Submit
C:\Windows\SysWOW64\Ihhmml32.exe
Filesize
51KB

MD5
a4c2e2753b99e23694bad200e820aafb

SHA1
f0f7a710d7a45f3a003f9ef814ef522968bf7272

SHA256
206e88e7808a663e61983b7e451c11ff855644b3e3301c305c1728f45400261c

SHA512
bb5f0bd51afca4d881204388468587ad6f45ad7f0d8001fdcff955e6e21745d8b6e2336f0db8b0b97d61314eaa1e2998c2ecd1c03d31cba312f6652822199796

Download Submit
C:\Windows\SysWOW64\Ihhmml32.exe
Filesize
51KB

MD5
a4c2e2753b99e23694bad200e820aafb

SHA1
f0f7a710d7a45f3a003f9ef814ef522968bf7272

SHA256
206e88e7808a663e61983b7e451c11ff855644b3e3301c305c1728f45400261c

SHA512
bb5f0bd51afca4d881204388468587ad6f45ad7f0d8001fdcff955e6e21745d8b6e2336f0db8b0b97d61314eaa1e2998c2ecd1c03d31cba312f6652822199796

Download Submit
C:\Windows\SysWOW64\Ijbpnhnn.exe
Filesize
51KB

MD5
354952faa43b9f5e7516b942af7afd0a

SHA1
dcb1b327a566638b0bf7d169da7d3ee5ef5e1c68

SHA256
b26bc0e284967620a4e9ba88e7062143730be9c77d13d3e247c9f05210777fc9

SHA512
2f8c2d43cbc85b5307ad2b86eedf924ee7e050d1facfa14235b31ccf6a4f0318689d20adf72c6af39bfc5c79c1e10cdb11abe6bdd8e7bc32a19984973fc62cba

Download Submit
C:\Windows\SysWOW64\Ijbpnhnn.exe
Filesize
51KB

MD5
354952faa43b9f5e7516b942af7afd0a

SHA1
dcb1b327a566638b0bf7d169da7d3ee5ef5e1c68

SHA256
b26bc0e284967620a4e9ba88e7062143730be9c77d13d3e247c9f05210777fc9

SHA512
2f8c2d43cbc85b5307ad2b86eedf924ee7e050d1facfa14235b31ccf6a4f0318689d20adf72c6af39bfc5c79c1e10cdb11abe6bdd8e7bc32a19984973fc62cba

Download Submit
memory/444-149-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/444-137-0x0000000000000000-mapping.dmp

Download
memory/2412-150-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2412-140-0x0000000000000000-mapping.dmp

Download
memory/4056-132-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4056-153-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4716-146-0x0000000000000000-mapping.dmp

Download
memory/4716-152-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4848-133-0x0000000000000000-mapping.dmp

Download
memory/4848-136-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5012-143-0x0000000000000000-mapping.dmp

Download
memory/5012-151-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download