36fa3b790539bc84ba93738bfec928455e465c0271e9ac2620039d571228c839

General

Target

3c398e90f07f0cd29cd687815cb43c4e.exe
Size

220KB
MD5

3c398e90f07f0cd29cd687815cb43c4e
SHA1

548b74f683fb3ba5661d5e9eca710436eb12c069
SHA256

36fa3b790539bc84ba93738bfec928455e465c0271e9ac2620039d571228c839
SHA512

c5fb22522ca965a20c6e34c5d90cffd0892ed85b7f0a77b3c9e8545502533cffa06d606123e0b4fb8521f79a7de59136b928e07fa8c9afe503d7d0acac111a17
SSDEEP

6144:tt7QeJhCD2jvosK6mUzWtuEQQQf5D2jvosK6mUzW:lex67tFx67

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3c398e90f07f0cd29cd687815cb43c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	3c398e90f07f0cd29cd687815cb43c4e.exe

Executes dropped EXE 1 IoCs

pid	Process
2428	Lcfqkl32.exe

Loads dropped DLL 6 IoCs

pid	Process
2648	3c398e90f07f0cd29cd687815cb43c4e.exe
2648	3c398e90f07f0cd29cd687815cb43c4e.exe
2072	WerFault.exe
2072	WerFault.exe
2072	WerFault.exe
2072	WerFault.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lcfqkl32.exe	3c398e90f07f0cd29cd687815cb43c4e.exe
File opened for modification	C:\Windows\SysWOW64\Lcfqkl32.exe	3c398e90f07f0cd29cd687815cb43c4e.exe
File created	C:\Windows\SysWOW64\Negoebdd.dll	3c398e90f07f0cd29cd687815cb43c4e.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2072	2428	WerFault.exe	28

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Negoebdd.dll"	3c398e90f07f0cd29cd687815cb43c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	3c398e90f07f0cd29cd687815cb43c4e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	3c398e90f07f0cd29cd687815cb43c4e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	3c398e90f07f0cd29cd687815cb43c4e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	3c398e90f07f0cd29cd687815cb43c4e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	3c398e90f07f0cd29cd687815cb43c4e.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2428	2648	3c398e90f07f0cd29cd687815cb43c4e.exe	28
PID 2648 wrote to memory of 2428	2648	3c398e90f07f0cd29cd687815cb43c4e.exe	28
PID 2648 wrote to memory of 2428	2648	3c398e90f07f0cd29cd687815cb43c4e.exe	28
PID 2648 wrote to memory of 2428	2648	3c398e90f07f0cd29cd687815cb43c4e.exe	28
PID 2428 wrote to memory of 2072	2428	Lcfqkl32.exe	29
PID 2428 wrote to memory of 2072	2428	Lcfqkl32.exe	29
PID 2428 wrote to memory of 2072	2428	Lcfqkl32.exe	29
PID 2428 wrote to memory of 2072	2428	Lcfqkl32.exe	29

C:\Users\Admin\AppData\Local\Temp\3c398e90f07f0cd29cd687815cb43c4e.exe
"C:\Users\Admin\AppData\Local\Temp\3c398e90f07f0cd29cd687815cb43c4e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\SysWOW64\Lcfqkl32.exe
  C:\Windows\system32\Lcfqkl32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 140
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\Lcfqkl32.exe

Filesize
168KB

MD5
28327cc08ac335c5d7d1804d2459cb5d

SHA1
83ffe248d02290dac1759d3dedcd074f2d58166d

SHA256
39a2a750c1884056f5eaa1bb3c35a60b1d10d57e377f53dda12e9d9308e07026

SHA512
c72a8397a7e9549258f7de1d51188f8718c617806a699e4ab50f23abc301e4045600d8cc6266e0a9a2f441be248f6400ce96cb1a49f940c12e8d3e81996df220

Download Submit
\Windows\SysWOW64\Lcfqkl32.exe

Filesize
84KB

MD5
dbf3c47f70fd2e46c4124603a3851252

SHA1
a850939b1118040f04bbcd174794874b9a186e3f

SHA256
c8093959e11fd26867b5a1c2dda3570a58bd4d5163cd3baad87eaa189db27890

SHA512
2ce8899de124f6b24e3dc8084d1967cf0f83ea959d547f07d1f51583c028d9394a8fc4f707b67be16c28332be14414bf782617cd56ed2e878a11a58fae5ff7ce

Download Submit
\Windows\SysWOW64\Lcfqkl32.exe

Filesize
136KB

MD5
54d66a5496cf5aee2143f59148b92892

SHA1
c0d5f137ad3b50796e6e1f7d95f902ab500eed67

SHA256
7ccac975ee0159e6264de86b12f29f29461c718623364b27b902c5019bd02304

SHA512
37aafd5352786c6cd270fa1e8a9558edfb7620751671aefcb045f62205c3926e3fcef44732025d32d3a17397949dd64b695d98b8798a048637f35509dbfef264

Download Submit
\Windows\SysWOW64\Lcfqkl32.exe

Filesize
220KB

MD5
b2d0a57b5d59a10ddae5f093c432d334

SHA1
b70b22f07cafaaeaf7e99177f4981055d2e7dad6

SHA256
0f962143e5a68d29fc5aaadf9fdac36ff4af85f9cfc96fa73d437029d52212f4

SHA512
509b5103af546c59452db8084af7506cf7035e3f2d1940ceede5a7a82a63feeda944358b91b6b8c79c4c73d97b55f72f5fe874da433ffabb2281c3969b9e2eb9

Download Submit
memory/2428-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2648-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2648-6-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2648-13-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2648-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads