84bc517807aff4e43d7d92b595bdd58d4a1cb4db8b5a93cffadd2ca90f434fca

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36c0ebc42d89064ae5d10675a96e9035_JC.exe
Size

80KB
MD5

36c0ebc42d89064ae5d10675a96e9035
SHA1

9036a9856ed2f0238c16957595a8b97d4c716da1
SHA256

84bc517807aff4e43d7d92b595bdd58d4a1cb4db8b5a93cffadd2ca90f434fca
SHA512

d502660d82dd2e509954bc939221e7d361153654fa781dce8c2b39d480d4a8aa72fd0cc80c6a25961cdbe7ff1697c30217d8313a8e53392bbce356b987b27a4e
SSDEEP

1536:nWzl8kvLb/vtV3rBb2dqR2LOS5DUHRbPa9b6i+sIk:slNPl2nOS5DSCopsIk

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Echfaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Echfaf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	36c0ebc42d89064ae5d10675a96e9035_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	36c0ebc42d89064ae5d10675a96e9035_JC.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejhlgaeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejhlgaeh.exe

Executes dropped EXE 3 IoCs

pid	Process
2656	Ejhlgaeh.exe
2612	Echfaf32.exe
2544	Fkckeh32.exe

Loads dropped DLL 10 IoCs

pid	Process
2600	36c0ebc42d89064ae5d10675a96e9035_JC.exe
2600	36c0ebc42d89064ae5d10675a96e9035_JC.exe
2656	Ejhlgaeh.exe
2656	Ejhlgaeh.exe
2612	Echfaf32.exe
2612	Echfaf32.exe
2672	WerFault.exe
2672	WerFault.exe
2672	WerFault.exe
2672	WerFault.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ejhlgaeh.exe	36c0ebc42d89064ae5d10675a96e9035_JC.exe
File opened for modification	C:\Windows\SysWOW64\Echfaf32.exe	Ejhlgaeh.exe
File created	C:\Windows\SysWOW64\Najgne32.dll	Ejhlgaeh.exe
File created	C:\Windows\SysWOW64\Fkckeh32.exe	Echfaf32.exe
File opened for modification	C:\Windows\SysWOW64\Fkckeh32.exe	Echfaf32.exe
File created	C:\Windows\SysWOW64\Ejhlgaeh.exe	36c0ebc42d89064ae5d10675a96e9035_JC.exe
File created	C:\Windows\SysWOW64\Dhhlgc32.dll	36c0ebc42d89064ae5d10675a96e9035_JC.exe
File created	C:\Windows\SysWOW64\Echfaf32.exe	Ejhlgaeh.exe
File created	C:\Windows\SysWOW64\Clkmne32.dll	Echfaf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2672	2544	WerFault.exe	30

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	36c0ebc42d89064ae5d10675a96e9035_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhlgc32.dll"	36c0ebc42d89064ae5d10675a96e9035_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Echfaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Echfaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejhlgaeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkmne32.dll"	Echfaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	36c0ebc42d89064ae5d10675a96e9035_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	36c0ebc42d89064ae5d10675a96e9035_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	36c0ebc42d89064ae5d10675a96e9035_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	36c0ebc42d89064ae5d10675a96e9035_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejhlgaeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najgne32.dll"	Ejhlgaeh.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2600 wrote to memory of 2656	2600	36c0ebc42d89064ae5d10675a96e9035_JC.exe	28
PID 2600 wrote to memory of 2656	2600	36c0ebc42d89064ae5d10675a96e9035_JC.exe	28
PID 2600 wrote to memory of 2656	2600	36c0ebc42d89064ae5d10675a96e9035_JC.exe	28
PID 2600 wrote to memory of 2656	2600	36c0ebc42d89064ae5d10675a96e9035_JC.exe	28
PID 2656 wrote to memory of 2612	2656	Ejhlgaeh.exe	29
PID 2656 wrote to memory of 2612	2656	Ejhlgaeh.exe	29
PID 2656 wrote to memory of 2612	2656	Ejhlgaeh.exe	29
PID 2656 wrote to memory of 2612	2656	Ejhlgaeh.exe	29
PID 2612 wrote to memory of 2544	2612	Echfaf32.exe	30
PID 2612 wrote to memory of 2544	2612	Echfaf32.exe	30
PID 2612 wrote to memory of 2544	2612	Echfaf32.exe	30
PID 2612 wrote to memory of 2544	2612	Echfaf32.exe	30
PID 2544 wrote to memory of 2672	2544	Fkckeh32.exe	31
PID 2544 wrote to memory of 2672	2544	Fkckeh32.exe	31
PID 2544 wrote to memory of 2672	2544	Fkckeh32.exe	31
PID 2544 wrote to memory of 2672	2544	Fkckeh32.exe	31

C:\Users\Admin\AppData\Local\Temp\36c0ebc42d89064ae5d10675a96e9035_JC.exe
"C:\Users\Admin\AppData\Local\Temp\36c0ebc42d89064ae5d10675a96e9035_JC.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Windows\SysWOW64\Ejhlgaeh.exe
  C:\Windows\system32\Ejhlgaeh.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\SysWOW64\Echfaf32.exe
    C:\Windows\system32\Echfaf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\SysWOW64\Fkckeh32.exe
      C:\Windows\system32\Fkckeh32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2544
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 140
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Echfaf32.exe

Filesize
80KB

MD5
dda35a5ce60fc8601fb2e85cc910316e

SHA1
56edc79cc0f5fd536893a0b233e7f8c0ef8938b4

SHA256
74e293639c48829dcff59d5e687fef428d034a866ee241270aa4a69a5474b784

SHA512
0e80694012824c90a7b17f049747558e3b3580c4a167956d3cd094dd930a05ac6f382a84ee30ec82ecf75e3d5c902d81cb1badff99e773adf63cee554caa982b

Download Submit
C:\Windows\SysWOW64\Echfaf32.exe

Filesize
80KB

MD5
dda35a5ce60fc8601fb2e85cc910316e

SHA1
56edc79cc0f5fd536893a0b233e7f8c0ef8938b4

SHA256
74e293639c48829dcff59d5e687fef428d034a866ee241270aa4a69a5474b784

SHA512
0e80694012824c90a7b17f049747558e3b3580c4a167956d3cd094dd930a05ac6f382a84ee30ec82ecf75e3d5c902d81cb1badff99e773adf63cee554caa982b

Download Submit
C:\Windows\SysWOW64\Echfaf32.exe

Filesize
80KB

MD5
dda35a5ce60fc8601fb2e85cc910316e

SHA1
56edc79cc0f5fd536893a0b233e7f8c0ef8938b4

SHA256
74e293639c48829dcff59d5e687fef428d034a866ee241270aa4a69a5474b784

SHA512
0e80694012824c90a7b17f049747558e3b3580c4a167956d3cd094dd930a05ac6f382a84ee30ec82ecf75e3d5c902d81cb1badff99e773adf63cee554caa982b

Download Submit
C:\Windows\SysWOW64\Ejhlgaeh.exe

Filesize
80KB

MD5
a4965d0be9d85c339d05ccb6afbcfa1b

SHA1
aafd46eca5d93984514ed21066a74bd5c8de7cf1

SHA256
75278c9f0d4d2963c75cbdbdc7fe74fa77f66cae9cf72de723410845457d259d

SHA512
75c97b66e630c43ea4508da73e76781ce53f8661f88b786588471d2224322dad5b435a9838c6a1468baf9715f8cc101b3056debfcd441978e6f5befded9c5c74

Download Submit
C:\Windows\SysWOW64\Ejhlgaeh.exe

Filesize
80KB

MD5
a4965d0be9d85c339d05ccb6afbcfa1b

SHA1
aafd46eca5d93984514ed21066a74bd5c8de7cf1

SHA256
75278c9f0d4d2963c75cbdbdc7fe74fa77f66cae9cf72de723410845457d259d

SHA512
75c97b66e630c43ea4508da73e76781ce53f8661f88b786588471d2224322dad5b435a9838c6a1468baf9715f8cc101b3056debfcd441978e6f5befded9c5c74

Download Submit
C:\Windows\SysWOW64\Ejhlgaeh.exe

Filesize
80KB

MD5
a4965d0be9d85c339d05ccb6afbcfa1b

SHA1
aafd46eca5d93984514ed21066a74bd5c8de7cf1

SHA256
75278c9f0d4d2963c75cbdbdc7fe74fa77f66cae9cf72de723410845457d259d

SHA512
75c97b66e630c43ea4508da73e76781ce53f8661f88b786588471d2224322dad5b435a9838c6a1468baf9715f8cc101b3056debfcd441978e6f5befded9c5c74

Download Submit
C:\Windows\SysWOW64\Fkckeh32.exe

Filesize
80KB

MD5
95fcf0f4aef80f36f7c0e4822b633027

SHA1
788237bdaeeef2317a39dba6c1dc509497eed1b9

SHA256
396d4455b050d91206ab3aa61d4f52bc7e4db3eca5bcbbb0b08e897efc264ecc

SHA512
cac58e6c8557f7018fec0479da59f7e721ffe617217d545cbdee16ac2e60eb9d575673f5b4b1e99377b8dc86bee61f1786e1ab53fe7c1e5ad0310960a8bb2f94

Download Submit
C:\Windows\SysWOW64\Fkckeh32.exe

Filesize
80KB

MD5
95fcf0f4aef80f36f7c0e4822b633027

SHA1
788237bdaeeef2317a39dba6c1dc509497eed1b9

SHA256
396d4455b050d91206ab3aa61d4f52bc7e4db3eca5bcbbb0b08e897efc264ecc

SHA512
cac58e6c8557f7018fec0479da59f7e721ffe617217d545cbdee16ac2e60eb9d575673f5b4b1e99377b8dc86bee61f1786e1ab53fe7c1e5ad0310960a8bb2f94

Download Submit
\Windows\SysWOW64\Echfaf32.exe

Filesize
80KB

MD5
dda35a5ce60fc8601fb2e85cc910316e

SHA1
56edc79cc0f5fd536893a0b233e7f8c0ef8938b4

SHA256
74e293639c48829dcff59d5e687fef428d034a866ee241270aa4a69a5474b784

SHA512
0e80694012824c90a7b17f049747558e3b3580c4a167956d3cd094dd930a05ac6f382a84ee30ec82ecf75e3d5c902d81cb1badff99e773adf63cee554caa982b

Download Submit
\Windows\SysWOW64\Echfaf32.exe

Filesize
80KB

MD5
dda35a5ce60fc8601fb2e85cc910316e

SHA1
56edc79cc0f5fd536893a0b233e7f8c0ef8938b4

SHA256
74e293639c48829dcff59d5e687fef428d034a866ee241270aa4a69a5474b784

SHA512
0e80694012824c90a7b17f049747558e3b3580c4a167956d3cd094dd930a05ac6f382a84ee30ec82ecf75e3d5c902d81cb1badff99e773adf63cee554caa982b

Download Submit
\Windows\SysWOW64\Ejhlgaeh.exe

Filesize
80KB

MD5
a4965d0be9d85c339d05ccb6afbcfa1b

SHA1
aafd46eca5d93984514ed21066a74bd5c8de7cf1

SHA256
75278c9f0d4d2963c75cbdbdc7fe74fa77f66cae9cf72de723410845457d259d

SHA512
75c97b66e630c43ea4508da73e76781ce53f8661f88b786588471d2224322dad5b435a9838c6a1468baf9715f8cc101b3056debfcd441978e6f5befded9c5c74

Download Submit
\Windows\SysWOW64\Ejhlgaeh.exe

Filesize
80KB

MD5
a4965d0be9d85c339d05ccb6afbcfa1b

SHA1
aafd46eca5d93984514ed21066a74bd5c8de7cf1

SHA256
75278c9f0d4d2963c75cbdbdc7fe74fa77f66cae9cf72de723410845457d259d

SHA512
75c97b66e630c43ea4508da73e76781ce53f8661f88b786588471d2224322dad5b435a9838c6a1468baf9715f8cc101b3056debfcd441978e6f5befded9c5c74

Download Submit
\Windows\SysWOW64\Fkckeh32.exe

Filesize
80KB

MD5
95fcf0f4aef80f36f7c0e4822b633027

SHA1
788237bdaeeef2317a39dba6c1dc509497eed1b9

SHA256
396d4455b050d91206ab3aa61d4f52bc7e4db3eca5bcbbb0b08e897efc264ecc

SHA512
cac58e6c8557f7018fec0479da59f7e721ffe617217d545cbdee16ac2e60eb9d575673f5b4b1e99377b8dc86bee61f1786e1ab53fe7c1e5ad0310960a8bb2f94

Download Submit
\Windows\SysWOW64\Fkckeh32.exe

Filesize
80KB

MD5
95fcf0f4aef80f36f7c0e4822b633027

SHA1
788237bdaeeef2317a39dba6c1dc509497eed1b9

SHA256
396d4455b050d91206ab3aa61d4f52bc7e4db3eca5bcbbb0b08e897efc264ecc

SHA512
cac58e6c8557f7018fec0479da59f7e721ffe617217d545cbdee16ac2e60eb9d575673f5b4b1e99377b8dc86bee61f1786e1ab53fe7c1e5ad0310960a8bb2f94

Download Submit
\Windows\SysWOW64\Fkckeh32.exe

Filesize
80KB

MD5
95fcf0f4aef80f36f7c0e4822b633027

SHA1
788237bdaeeef2317a39dba6c1dc509497eed1b9

SHA256
396d4455b050d91206ab3aa61d4f52bc7e4db3eca5bcbbb0b08e897efc264ecc

SHA512
cac58e6c8557f7018fec0479da59f7e721ffe617217d545cbdee16ac2e60eb9d575673f5b4b1e99377b8dc86bee61f1786e1ab53fe7c1e5ad0310960a8bb2f94

Download Submit
\Windows\SysWOW64\Fkckeh32.exe

Filesize
80KB

MD5
95fcf0f4aef80f36f7c0e4822b633027

SHA1
788237bdaeeef2317a39dba6c1dc509497eed1b9

SHA256
396d4455b050d91206ab3aa61d4f52bc7e4db3eca5bcbbb0b08e897efc264ecc

SHA512
cac58e6c8557f7018fec0479da59f7e721ffe617217d545cbdee16ac2e60eb9d575673f5b4b1e99377b8dc86bee61f1786e1ab53fe7c1e5ad0310960a8bb2f94

Download Submit
\Windows\SysWOW64\Fkckeh32.exe

Filesize
80KB

MD5
95fcf0f4aef80f36f7c0e4822b633027

SHA1
788237bdaeeef2317a39dba6c1dc509497eed1b9

SHA256
396d4455b050d91206ab3aa61d4f52bc7e4db3eca5bcbbb0b08e897efc264ecc

SHA512
cac58e6c8557f7018fec0479da59f7e721ffe617217d545cbdee16ac2e60eb9d575673f5b4b1e99377b8dc86bee61f1786e1ab53fe7c1e5ad0310960a8bb2f94

Download Submit
\Windows\SysWOW64\Fkckeh32.exe

Filesize
80KB

MD5
95fcf0f4aef80f36f7c0e4822b633027

SHA1
788237bdaeeef2317a39dba6c1dc509497eed1b9

SHA256
396d4455b050d91206ab3aa61d4f52bc7e4db3eca5bcbbb0b08e897efc264ecc

SHA512
cac58e6c8557f7018fec0479da59f7e721ffe617217d545cbdee16ac2e60eb9d575673f5b4b1e99377b8dc86bee61f1786e1ab53fe7c1e5ad0310960a8bb2f94

Download Submit
memory/2544-47-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2600-12-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2600-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2600-46-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2600-6-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2612-33-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2612-36-0x00000000002E0000-0x000000000031E000-memory.dmp

Filesize
248KB

Download
memory/2656-20-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2656-26-0x0000000000290000-0x00000000002CE000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads