e5925c9396470928e7954cf5e59a410f3708938b1fed6fcb7f01bfe160b2b97d

General

Target

0ac5a367b805f5b5b8238b61b1bc3f68.exe
Size

9.6MB
MD5

0ac5a367b805f5b5b8238b61b1bc3f68
SHA1

3e4676ce4954c726210fee84973ab9f8a71d6cc5
SHA256

e5925c9396470928e7954cf5e59a410f3708938b1fed6fcb7f01bfe160b2b97d
SHA512

1e8ab451ab4fe74db6870fda6f45bb832276d59a46dff341ea865b4b7d5287396ff3adddba6f1445bc59e019f41a544be8aff865e566b4ae038d1b720863e24f
SSDEEP

98304:t7g2b79b7yG7g2b79b7B7U79b7g2b79b7:

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0ac5a367b805f5b5b8238b61b1bc3f68.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	0ac5a367b805f5b5b8238b61b1bc3f68.exe

Executes dropped EXE 1 IoCs

pid	Process
2356	Cacacg32.exe

Loads dropped DLL 6 IoCs

pid	Process
2188	0ac5a367b805f5b5b8238b61b1bc3f68.exe
2188	0ac5a367b805f5b5b8238b61b1bc3f68.exe
2336	WerFault.exe
2336	WerFault.exe
2336	WerFault.exe
2336	WerFault.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cacacg32.exe	0ac5a367b805f5b5b8238b61b1bc3f68.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	0ac5a367b805f5b5b8238b61b1bc3f68.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	0ac5a367b805f5b5b8238b61b1bc3f68.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2336	2356	WerFault.exe	28

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	0ac5a367b805f5b5b8238b61b1bc3f68.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	0ac5a367b805f5b5b8238b61b1bc3f68.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	0ac5a367b805f5b5b8238b61b1bc3f68.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	0ac5a367b805f5b5b8238b61b1bc3f68.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	0ac5a367b805f5b5b8238b61b1bc3f68.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	0ac5a367b805f5b5b8238b61b1bc3f68.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2356	2188	0ac5a367b805f5b5b8238b61b1bc3f68.exe	28
PID 2188 wrote to memory of 2356	2188	0ac5a367b805f5b5b8238b61b1bc3f68.exe	28
PID 2188 wrote to memory of 2356	2188	0ac5a367b805f5b5b8238b61b1bc3f68.exe	28
PID 2188 wrote to memory of 2356	2188	0ac5a367b805f5b5b8238b61b1bc3f68.exe	28
PID 2356 wrote to memory of 2336	2356	Cacacg32.exe	29
PID 2356 wrote to memory of 2336	2356	Cacacg32.exe	29
PID 2356 wrote to memory of 2336	2356	Cacacg32.exe	29
PID 2356 wrote to memory of 2336	2356	Cacacg32.exe	29

C:\Users\Admin\AppData\Local\Temp\0ac5a367b805f5b5b8238b61b1bc3f68.exe
"C:\Users\Admin\AppData\Local\Temp\0ac5a367b805f5b5b8238b61b1bc3f68.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\SysWOW64\Cacacg32.exe
  C:\Windows\system32\Cacacg32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 140
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cacacg32.exe

Filesize
1.2MB

MD5
fb36803c3f39e054deb81e0b676902a8

SHA1
932be33852cf2f76c268a5f423f01f747fd5aef6

SHA256
0fcbc152bfdcb9ab8aca146331d013b23438f81ebd2fda85eca81f8eecb1e38a

SHA512
f4b6e733dd389d1b98c827f69c7b79787607b3d6705490cc66ce30aab78d34d4d1f20396339aba068306d76197db41a7ce483d729700ccf10ab9e8df7b380d8a

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
1.6MB

MD5
500e4c23dfc602c318f798436b73f509

SHA1
fa7d2ed4331712e4aa7258138f0919f51adfd35c

SHA256
772f9cc3545569c64e5baa5e6b5da9c220349e26550fc87a34301129293fd0bf

SHA512
ac21e97ca5f2d530bc32b03b6d6327b11618beeb040b0ca8480c16ab60e2c203da1e8d82d6f4ef72bc474b84e3abaddd20be465ad154cc1f9d2d4e1fc494c966

Download Submit
\Windows\SysWOW64\Cacacg32.exe

Filesize
1.9MB

MD5
a94e94e16ea0228c9eb1617d87b787f9

SHA1
2e4ee4332cd1ad06ade1907c49faf1ecd5b1a499

SHA256
77b87ac2e45db7f82705e9f48f469b9c1630e63f1e0d50c5cad45a9d0f98808e

SHA512
a415c9df4f01e38f1ab05222ab00669503566a15878232aa17f975152e4962e9428425fb639549ebb56a5a26b053df08e11a4a2fc85ceebec45f7645b8350924

Download Submit
\Windows\SysWOW64\Cacacg32.exe

Filesize
1.9MB

MD5
5fe1bc0bd6f8c466a3f908bca383fc4c

SHA1
0be6897db6b9d248e8fbd7e8b0f62fd003a5b7b9

SHA256
0823de5bdeb6cdb34acde81fcc3b5d20c0f4f13f3a6550e5da3ba242e7980aba

SHA512
d70cb6028bcd5c2a4250fed0f8390f2f2827be56bae9f7838c6d8f0359a7a0abf3398a368611055228eaf9bbb8e48fc219e32694ce31efecb8123aa19c3e8783

Download Submit
\Windows\SysWOW64\Cacacg32.exe

Filesize
1.5MB

MD5
10d217242ab81067419fe6d45a5c1f4e

SHA1
cab493a097e0dca7b485c80a3ace60ee894e323d

SHA256
bf8b23eef4ebfe481ec101c37554727c09c44af83f3de820d87e2160d5542401

SHA512
d26fbd12e95c9c5402cbbb208b0c116ebf081334258331cd37b0739d00fe1008f68cb35c97ba64a85e5aa82e0c031616865b378b21ff38f7bd96ba843cdf4b5a

Download Submit
\Windows\SysWOW64\Cacacg32.exe

Filesize
1.7MB

MD5
2dc489aa1e7e09aa47536c07afb8e1ed

SHA1
9789b2b9bd34fd4291b125ca2b8a02f9b2327cdc

SHA256
793b34c4a264374b370b51d193da34d25c748b069d028c507d21bf2bd084e6f7

SHA512
cbb085ef55c25a98d9831e42d1c40a7598cd4a3a923f7cddc713736d2173d27e70cbc5b215bf4d8b68b64b47532da0471f6a5b30d20eebf4043a93a8dd2e2f8d

Download Submit
\Windows\SysWOW64\Cacacg32.exe

Filesize
2.3MB

MD5
30c7fccdde2b643bbcd15b7e1f221f55

SHA1
a8ae7455ea69088cf04e11360ca1618d40ed73e6

SHA256
4adf7a4ef5f37432b1693b972bed107cadaeacd08bcf515b057ff943b7e3eb5d

SHA512
452dd8774288cda67eb3d4265a38ba30f0ab8680248cfeea742b8e6e327e6d7d964e73b5379283fd5907b8459ade0a8e5154e2d97e14764f81e7165650bb6577

Download Submit
\Windows\SysWOW64\Cacacg32.exe

Filesize
1.6MB

MD5
c3348fe0d9e739b9c19655d7a95c2e00

SHA1
4cf1c705ebbf98da8883f727e7f960975e49a0a0

SHA256
6b2102d964aa141cc8354e1d5afd957fdc734005a8a01d29eae639371fe27f60

SHA512
cc99630bcaf37684cfee5ed2d6f6a28bf526c2915f422f0c16df1163b3db0219e3f76044fb934f7feb19390892569653d042092d2e039cd1c23a8477dcb5c8fc

Download Submit
memory/2188-13-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2188-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-6-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2188-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2356-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads