d0051eec84e965bcc80b3d5cbcabfff3a92ad475d6a7b45d8fd2fd37cbe6bed5

Analysis

max time kernel
44s
max time network
50s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
20/02/2024, 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusSign.2024.02.08/03a4ed0cb8c9721fc1369cc5f381fd76.exe
Size

141KB
MD5

03a4ed0cb8c9721fc1369cc5f381fd76
SHA1

2ecac749fe4791a39876458be83c7101b5513e71
SHA256

b60ae197bb4109e48286207da2ab9eaa1642d37dda797ac6aabbe8c4dc10ae88
SHA512

f495bfafce3c029fd01f55272e101f84f7e6c5be579dbca0b69dad1731ead82db10de661a9dac043bc1de2f853086644d042b6ceb6f4aa00cc5581c7ae77d832
SSDEEP

3072:aSqxOrrOWl+oWxkFPwQ9bGCmBJFWpoPSkGFj/p7sW0l:aOaWFPN9bGCKJFtE/JK

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkjpggkn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipmhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldgnklmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Libjncnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldgnklmi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	03a4ed0cb8c9721fc1369cc5f381fd76.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	03a4ed0cb8c9721fc1369cc5f381fd76.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkjpggkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipmhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Libjncnc.exe

Executes dropped EXE 5 IoCs

pid	Process
2692	Kkjpggkn.exe
2668	Kipmhc32.exe
1208	Libjncnc.exe
2612	Ldgnklmi.exe
2620	Lbjofi32.exe

Loads dropped DLL 14 IoCs

pid	Process
2296	03a4ed0cb8c9721fc1369cc5f381fd76.exe
2296	03a4ed0cb8c9721fc1369cc5f381fd76.exe
2692	Kkjpggkn.exe
2692	Kkjpggkn.exe
2668	Kipmhc32.exe
2668	Kipmhc32.exe
1208	Libjncnc.exe
1208	Libjncnc.exe
2612	Ldgnklmi.exe
2612	Ldgnklmi.exe
2392	WerFault.exe
2392	WerFault.exe
2392	WerFault.exe
2392	WerFault.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kkjpggkn.exe	03a4ed0cb8c9721fc1369cc5f381fd76.exe
File created	C:\Windows\SysWOW64\Hlekjpbi.dll	03a4ed0cb8c9721fc1369cc5f381fd76.exe
File created	C:\Windows\SysWOW64\Lbjofi32.exe	Ldgnklmi.exe
File created	C:\Windows\SysWOW64\Ipafocdg.dll	Ldgnklmi.exe
File created	C:\Windows\SysWOW64\Ldgnklmi.exe	Libjncnc.exe
File opened for modification	C:\Windows\SysWOW64\Kkjpggkn.exe	03a4ed0cb8c9721fc1369cc5f381fd76.exe
File created	C:\Windows\SysWOW64\Dkpnde32.dll	Kkjpggkn.exe
File created	C:\Windows\SysWOW64\Cbamip32.dll	Libjncnc.exe
File created	C:\Windows\SysWOW64\Kipmhc32.exe	Kkjpggkn.exe
File opened for modification	C:\Windows\SysWOW64\Kipmhc32.exe	Kkjpggkn.exe
File created	C:\Windows\SysWOW64\Libjncnc.exe	Kipmhc32.exe
File opened for modification	C:\Windows\SysWOW64\Libjncnc.exe	Kipmhc32.exe
File created	C:\Windows\SysWOW64\Ipbkjl32.dll	Kipmhc32.exe
File opened for modification	C:\Windows\SysWOW64\Ldgnklmi.exe	Libjncnc.exe
File opened for modification	C:\Windows\SysWOW64\Lbjofi32.exe	Ldgnklmi.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2392	2620	WerFault.exe	31

Modifies registry class 18 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	03a4ed0cb8c9721fc1369cc5f381fd76.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkjpggkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Libjncnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipafocdg.dll"	Ldgnklmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlekjpbi.dll"	03a4ed0cb8c9721fc1369cc5f381fd76.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkpnde32.dll"	Kkjpggkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kipmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipbkjl32.dll"	Kipmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kipmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbamip32.dll"	Libjncnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	03a4ed0cb8c9721fc1369cc5f381fd76.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	03a4ed0cb8c9721fc1369cc5f381fd76.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	03a4ed0cb8c9721fc1369cc5f381fd76.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkjpggkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Libjncnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldgnklmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldgnklmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	03a4ed0cb8c9721fc1369cc5f381fd76.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2692	2296	03a4ed0cb8c9721fc1369cc5f381fd76.exe	29
PID 2296 wrote to memory of 2692	2296	03a4ed0cb8c9721fc1369cc5f381fd76.exe	29
PID 2296 wrote to memory of 2692	2296	03a4ed0cb8c9721fc1369cc5f381fd76.exe	29
PID 2296 wrote to memory of 2692	2296	03a4ed0cb8c9721fc1369cc5f381fd76.exe	29
PID 2692 wrote to memory of 2668	2692	Kkjpggkn.exe	30
PID 2692 wrote to memory of 2668	2692	Kkjpggkn.exe	30
PID 2692 wrote to memory of 2668	2692	Kkjpggkn.exe	30
PID 2692 wrote to memory of 2668	2692	Kkjpggkn.exe	30
PID 2668 wrote to memory of 1208	2668	Kipmhc32.exe	34
PID 2668 wrote to memory of 1208	2668	Kipmhc32.exe	34
PID 2668 wrote to memory of 1208	2668	Kipmhc32.exe	34
PID 2668 wrote to memory of 1208	2668	Kipmhc32.exe	34
PID 1208 wrote to memory of 2612	1208	Libjncnc.exe	33
PID 1208 wrote to memory of 2612	1208	Libjncnc.exe	33
PID 1208 wrote to memory of 2612	1208	Libjncnc.exe	33
PID 1208 wrote to memory of 2612	1208	Libjncnc.exe	33
PID 2612 wrote to memory of 2620	2612	Ldgnklmi.exe	31
PID 2612 wrote to memory of 2620	2612	Ldgnklmi.exe	31
PID 2612 wrote to memory of 2620	2612	Ldgnklmi.exe	31
PID 2612 wrote to memory of 2620	2612	Ldgnklmi.exe	31
PID 2620 wrote to memory of 2392	2620	Lbjofi32.exe	32
PID 2620 wrote to memory of 2392	2620	Lbjofi32.exe	32
PID 2620 wrote to memory of 2392	2620	Lbjofi32.exe	32
PID 2620 wrote to memory of 2392	2620	Lbjofi32.exe	32

C:\Users\Admin\AppData\Local\Temp\VirusSign.2024.02.08\03a4ed0cb8c9721fc1369cc5f381fd76.exe
"C:\Users\Admin\AppData\Local\Temp\VirusSign.2024.02.08\03a4ed0cb8c9721fc1369cc5f381fd76.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\SysWOW64\Kkjpggkn.exe
  C:\Windows\system32\Kkjpggkn.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\Kipmhc32.exe
    C:\Windows\system32\Kipmhc32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\SysWOW64\Libjncnc.exe
      C:\Windows\system32\Libjncnc.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1208

C:\Windows\SysWOW64\Lbjofi32.exe
C:\Windows\system32\Lbjofi32.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 140
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:2392

C:\Windows\SysWOW64\Ldgnklmi.exe
C:\Windows\system32\Ldgnklmi.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Lbjofi32.exe

Filesize
141KB

MD5
fdacbd1fd9b8f351dd1019720d793cc6

SHA1
3c127a159c6b16ae06539ff4b798394585c2106c

SHA256
8ec413702c2f5ff6874dc1e143669c52a388b871cfeebb4212933ce15c24dd04

SHA512
552f6d3eaf1310e21b8e0ebaa545bbb6dc7891919df43aee4dbd993df83db05067d306b2da65da2b0e344fe287a18009ef415aa4023df9f016b8124208d87433

Download Submit
C:\Windows\SysWOW64\Ldgnklmi.exe

Filesize
141KB

MD5
98066d84c94b9033ff7224b18545ec48

SHA1
6204fcedfc66fb0ba4c44476da00a0b10c3d7efd

SHA256
121102a93cb14985c39d4f7e170cbc889ccb35c5a81c7ec878a0bd12309be672

SHA512
1d8152947aae1bb92d1662c533d168483fe276906f08e94384198e92074c6ab534230733bc95bd75838e4898d8ee38da689749b8e60467cdae8dff3865a0ecbd

Download Submit
C:\Windows\SysWOW64\Libjncnc.exe

Filesize
141KB

MD5
e3567f8f9ced82463db15aa2dd63e9f5

SHA1
a2158f9d34971f223af86ba25f68b74a8a7eb416

SHA256
4a4be41b4fdaf3fe867b2c56135107893436be1e368ca91a2a314cde1eccaa4d

SHA512
349d8b5ad8c69dd3490fdcb6f12cee03747319f84e644f58d8d88760544344ac2aa2c65a8177c97f4df7954e32a8bc31e61447f8838f470c1328c105ffaa3563

Download Submit
\Windows\SysWOW64\Kipmhc32.exe

Filesize
141KB

MD5
8df79baf31f097b08cb9aedd6c550f29

SHA1
0c2426c4eec8eb7e1d41b118d2c42c5d5a8df59d

SHA256
5a521a4b717d39572f932a8fab78ba892815b7abe2580673bf86bc33103e8aa0

SHA512
fd0362dada2f4e331801ace539a4f29d3af32ff9144ed1444fb850b4953dd3461fb77b035aa0e2a90ea361dbb2728d2b23f39fffec7507eba382cc358ad55984

Download Submit
\Windows\SysWOW64\Kkjpggkn.exe

Filesize
141KB

MD5
2b252960aa382f56e90d1ae71a1d9aed

SHA1
95efe62608033e6402a382a17ff7e6ae25d8d964

SHA256
71c611692d2b4c940cbe6ac6a9298848378e3f87c55cdd429e10a0a7e080daea

SHA512
7d7d609c57dc418ae174192b7b320580ca5c281f8b48a1f9d7d48f940123ba85095fd53a8cace93bc81b369631d045b6b0697c5f681ae8ba5d20fb57afc130ad

Download Submit
memory/1208-60-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1208-69-0x00000000002B0000-0x00000000002F3000-memory.dmp

Filesize
268KB

Download
memory/2296-76-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2296-6-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2296-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2612-71-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2612-66-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2612-70-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2620-67-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2668-68-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2668-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2692-26-0x0000000000270000-0x00000000002B3000-memory.dmp

Filesize
268KB

Download
memory/2692-33-0x0000000000270000-0x00000000002B3000-memory.dmp

Filesize
268KB

Download
memory/2692-13-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2692-77-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads