8054b81527cb970c28d4f5c5359e7f89727a37d4e356938648411cbf56e3a655

General

Target

f29fcab37b45fad06c4070de2697e7ba_JC.exe
Size

227KB
MD5

f29fcab37b45fad06c4070de2697e7ba
SHA1

cd1761d24e03ffee66642b4b406c1f9581150136
SHA256

8054b81527cb970c28d4f5c5359e7f89727a37d4e356938648411cbf56e3a655
SHA512

51c377783e6624d53034adbcdfbe32d5bf64b8d056bec2558cb11921a32ee5b575014a86638e205c1814a22c1ffe947cb157b32143eab0b32bbf88113685fd61
SSDEEP

6144:B0rQQrKrfFtuum7U5j2QE2+g24Id2jFHu:EQzrFziojj+Td20

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f29fcab37b45fad06c4070de2697e7ba_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	f29fcab37b45fad06c4070de2697e7ba_JC.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqkhda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gqkhda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbkdod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gbkdod32.exe

Executes dropped EXE 3 IoCs

pid	Process
4008	Gqkhda32.exe
1100	Gbkdod32.exe
2288	Gbmadd32.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hjmgbm32.dll	Gbkdod32.exe
File opened for modification	C:\Windows\SysWOW64\Gqkhda32.exe	f29fcab37b45fad06c4070de2697e7ba_JC.exe
File created	C:\Windows\SysWOW64\Gbkdod32.exe	Gqkhda32.exe
File created	C:\Windows\SysWOW64\Gbmadd32.exe	Gbkdod32.exe
File created	C:\Windows\SysWOW64\Nneilmna.dll	Gqkhda32.exe
File opened for modification	C:\Windows\SysWOW64\Gbmadd32.exe	Gbkdod32.exe
File created	C:\Windows\SysWOW64\Gqkhda32.exe	f29fcab37b45fad06c4070de2697e7ba_JC.exe
File created	C:\Windows\SysWOW64\Lifcnk32.dll	f29fcab37b45fad06c4070de2697e7ba_JC.exe
File opened for modification	C:\Windows\SysWOW64\Gbkdod32.exe	Gqkhda32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4840	2288	WerFault.exe	89

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	f29fcab37b45fad06c4070de2697e7ba_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifcnk32.dll"	f29fcab37b45fad06c4070de2697e7ba_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gqkhda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nneilmna.dll"	Gqkhda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	f29fcab37b45fad06c4070de2697e7ba_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	f29fcab37b45fad06c4070de2697e7ba_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	f29fcab37b45fad06c4070de2697e7ba_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	f29fcab37b45fad06c4070de2697e7ba_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gqkhda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gbkdod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjmgbm32.dll"	Gbkdod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gbkdod32.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4400 wrote to memory of 4008	4400	f29fcab37b45fad06c4070de2697e7ba_JC.exe	87
PID 4400 wrote to memory of 4008	4400	f29fcab37b45fad06c4070de2697e7ba_JC.exe	87
PID 4400 wrote to memory of 4008	4400	f29fcab37b45fad06c4070de2697e7ba_JC.exe	87
PID 4008 wrote to memory of 1100	4008	Gqkhda32.exe	88
PID 4008 wrote to memory of 1100	4008	Gqkhda32.exe	88
PID 4008 wrote to memory of 1100	4008	Gqkhda32.exe	88
PID 1100 wrote to memory of 2288	1100	Gbkdod32.exe	89
PID 1100 wrote to memory of 2288	1100	Gbkdod32.exe	89
PID 1100 wrote to memory of 2288	1100	Gbkdod32.exe	89

C:\Users\Admin\AppData\Local\Temp\f29fcab37b45fad06c4070de2697e7ba_JC.exe
"C:\Users\Admin\AppData\Local\Temp\f29fcab37b45fad06c4070de2697e7ba_JC.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4400
- C:\Windows\SysWOW64\Gqkhda32.exe
  C:\Windows\system32\Gqkhda32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4008
- - C:\Windows\SysWOW64\Gbkdod32.exe
    C:\Windows\system32\Gbkdod32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1100
  - - C:\Windows\SysWOW64\Gbmadd32.exe
      C:\Windows\system32\Gbmadd32.exe
      4⤵
      Executes dropped EXE
      PID:2288
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 412
        5⤵
        Program crash
        
        PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2288 -ip 2288
1⤵
PID:3540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gbkdod32.exe

Filesize
227KB

MD5
f6a26c7a90fb6fa538ab0aed283bfaa9

SHA1
052ad796c103a72dc804cba3d39e75ae09f358c5

SHA256
082a07364d9cfaf3822fe0dc502f92aae5a76ec055d5ea6eb1969bc60962acbb

SHA512
6a25444781033c15345349963edfc1b4f5c004af7022ea75534f392e822220a27bbe3bfc19b8dfd9b62e0b9efbe003f4d33a77fda9508882780bfedb3123ddf1

Download Submit
C:\Windows\SysWOW64\Gbkdod32.exe

Filesize
227KB

MD5
f6a26c7a90fb6fa538ab0aed283bfaa9

SHA1
052ad796c103a72dc804cba3d39e75ae09f358c5

SHA256
082a07364d9cfaf3822fe0dc502f92aae5a76ec055d5ea6eb1969bc60962acbb

SHA512
6a25444781033c15345349963edfc1b4f5c004af7022ea75534f392e822220a27bbe3bfc19b8dfd9b62e0b9efbe003f4d33a77fda9508882780bfedb3123ddf1

Download Submit
C:\Windows\SysWOW64\Gbmadd32.exe

Filesize
227KB

MD5
1db5a8fb9712e7ac409f412de719f442

SHA1
0419f04b2e4eb8ff4405246314033450021345f3

SHA256
86cdca0821ba62252f6d3a2f2644042122208bbc345f6326b3c9ecbf17934246

SHA512
407f13ef713d900d3e13f8729fb13692b871d377cba2c4731b66bf8d065fa4b8861b83dd7c0b4f5f3d5e326f6ac7f1d75ccaa3f7d3452b4adfdbd1197aadd59f

Download Submit
C:\Windows\SysWOW64\Gbmadd32.exe

Filesize
227KB

MD5
1db5a8fb9712e7ac409f412de719f442

SHA1
0419f04b2e4eb8ff4405246314033450021345f3

SHA256
86cdca0821ba62252f6d3a2f2644042122208bbc345f6326b3c9ecbf17934246

SHA512
407f13ef713d900d3e13f8729fb13692b871d377cba2c4731b66bf8d065fa4b8861b83dd7c0b4f5f3d5e326f6ac7f1d75ccaa3f7d3452b4adfdbd1197aadd59f

Download Submit
C:\Windows\SysWOW64\Gqkhda32.exe

Filesize
227KB

MD5
dd0a10f9059aba7719ebbde65dabf964

SHA1
2f33025191200efa7c2b6a6277caf302b4cfde1a

SHA256
d4635c6c2f22e5c0019ea73c6a9a61e252824a38da88d2e87de63dee2684f10e

SHA512
d396b842fa664f21a7278a125c89fa2afe0a40c69cc65a7a565d62e5c3ff3e076fbaa20e3d2c138f12450e5aff82c21436e2edde3b662a3e69130427f80f814b

Download Submit
C:\Windows\SysWOW64\Gqkhda32.exe

Filesize
227KB

MD5
dd0a10f9059aba7719ebbde65dabf964

SHA1
2f33025191200efa7c2b6a6277caf302b4cfde1a

SHA256
d4635c6c2f22e5c0019ea73c6a9a61e252824a38da88d2e87de63dee2684f10e

SHA512
d396b842fa664f21a7278a125c89fa2afe0a40c69cc65a7a565d62e5c3ff3e076fbaa20e3d2c138f12450e5aff82c21436e2edde3b662a3e69130427f80f814b

Download Submit
memory/1100-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1100-26-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2288-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2288-25-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4008-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4008-27-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4400-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4400-28-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads