c7969fb169f7eb3724f92622a5afc0d33a0c48ba6090e73a84f5ddc297b06386

General

Target

Backdoor.Win32.Padodor.exe
Size

104KB
MD5

05753ad259cd707414ec61dd4122b1f1
SHA1

4c098df57d14a621eee039777f7bf296efe60ea2
SHA256

c7969fb169f7eb3724f92622a5afc0d33a0c48ba6090e73a84f5ddc297b06386
SHA512

fc52a30e994d4d05a95666f190e241fc13246b7eda7be861a54fceec30b06e1378a36d563114ca307f9bcfd079a94a4cd1196eefa027c7906973a2d0b665da8b
SSDEEP

3072:LspvMiyP5eIMGrJDfU8vJe5Zx7cEGrhkngpDvchkqbAIQS:Qt+8IMsU8k5Zx4brq2Ahn

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Backdoor.Win32.Padodor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Backdoor.Win32.Padodor.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hacmcfge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkkalk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ilknfn32.exe

Executes dropped EXE 4 IoCs

pid	Process
2328	Hacmcfge.exe
2556	Hkkalk32.exe
2260	Ilknfn32.exe
2716	Iagfoe32.exe

Loads dropped DLL 12 IoCs

pid	Process
2236	Backdoor.Win32.Padodor.exe
2236	Backdoor.Win32.Padodor.exe
2328	Hacmcfge.exe
2328	Hacmcfge.exe
2556	Hkkalk32.exe
2556	Hkkalk32.exe
2260	Ilknfn32.exe
2260	Ilknfn32.exe
2724	WerFault.exe
2724	WerFault.exe
2724	WerFault.exe
2724	WerFault.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Hkkalk32.exe	Hacmcfge.exe
File opened for modification	C:\Windows\SysWOW64\Hkkalk32.exe	Hacmcfge.exe
File created	C:\Windows\SysWOW64\Ilknfn32.exe	Hkkalk32.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ilknfn32.exe
File opened for modification	C:\Windows\SysWOW64\Ilknfn32.exe	Hkkalk32.exe
File created	C:\Windows\SysWOW64\Pdpfph32.dll	Hkkalk32.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Hacmcfge.exe	Backdoor.Win32.Padodor.exe
File opened for modification	C:\Windows\SysWOW64\Hacmcfge.exe	Backdoor.Win32.Padodor.exe
File created	C:\Windows\SysWOW64\Alogkm32.dll	Backdoor.Win32.Padodor.exe
File created	C:\Windows\SysWOW64\Ejdmpb32.dll	Hacmcfge.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2724	2716	WerFault.exe	31

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	Backdoor.Win32.Padodor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	Backdoor.Win32.Padodor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejdmpb32.dll"	Hacmcfge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hkkalk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdpfph32.dll"	Hkkalk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hkkalk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ilknfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ilknfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Backdoor.Win32.Padodor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	Backdoor.Win32.Padodor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alogkm32.dll"	Backdoor.Win32.Padodor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Backdoor.Win32.Padodor.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2328	2236	Backdoor.Win32.Padodor.exe	28
PID 2236 wrote to memory of 2328	2236	Backdoor.Win32.Padodor.exe	28
PID 2236 wrote to memory of 2328	2236	Backdoor.Win32.Padodor.exe	28
PID 2236 wrote to memory of 2328	2236	Backdoor.Win32.Padodor.exe	28
PID 2328 wrote to memory of 2556	2328	Hacmcfge.exe	29
PID 2328 wrote to memory of 2556	2328	Hacmcfge.exe	29
PID 2328 wrote to memory of 2556	2328	Hacmcfge.exe	29
PID 2328 wrote to memory of 2556	2328	Hacmcfge.exe	29
PID 2556 wrote to memory of 2260	2556	Hkkalk32.exe	30
PID 2556 wrote to memory of 2260	2556	Hkkalk32.exe	30
PID 2556 wrote to memory of 2260	2556	Hkkalk32.exe	30
PID 2556 wrote to memory of 2260	2556	Hkkalk32.exe	30
PID 2260 wrote to memory of 2716	2260	Ilknfn32.exe	31
PID 2260 wrote to memory of 2716	2260	Ilknfn32.exe	31
PID 2260 wrote to memory of 2716	2260	Ilknfn32.exe	31
PID 2260 wrote to memory of 2716	2260	Ilknfn32.exe	31
PID 2716 wrote to memory of 2724	2716	Iagfoe32.exe	32
PID 2716 wrote to memory of 2724	2716	Iagfoe32.exe	32
PID 2716 wrote to memory of 2724	2716	Iagfoe32.exe	32
PID 2716 wrote to memory of 2724	2716	Iagfoe32.exe	32

C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.exe
"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\SysWOW64\Hacmcfge.exe
  C:\Windows\system32\Hacmcfge.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\SysWOW64\Hkkalk32.exe
    C:\Windows\system32\Hkkalk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\SysWOW64\Ilknfn32.exe
      C:\Windows\system32\Ilknfn32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2260
    - - C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2716
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 140
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hacmcfge.exe

Filesize
104KB

MD5
58fb29fb7d1c8fe557fc71d4c0c9bac5

SHA1
d1930d0c6ccb82077fabc542d556ab5360d51c68

SHA256
6e158df042275509aa59f6a59309ac379ce17e16f154efe88aaf2d34c133e742

SHA512
7afd88b8cf4cb7cb2f2abb6b2f4e6104dd6198d433f7973750baee5e927fff8525f84459e732071db0b9b423f070f53dae795414875fb6c0a60ea5829f3db7c7

Download Submit
C:\Windows\SysWOW64\Hkkalk32.exe

Filesize
104KB

MD5
a1ea5b7ad279f08d245b7132b6dcee0d

SHA1
bc835080334c78b7616d06a75c59d2bb6fb0ce14

SHA256
f81a108a074054de91604dafb36f4c5e3b03273a833f02d0fb6aace5b2b3244f

SHA512
814ff44cf68c1dfd7e572357ffdcacaad8c619012632f012a1c11383c1b92fca1bda9761fcd9ab2c3ccdd40b93224d50d5f088a54eb2c4e8e13cc02f5033b416

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
104KB

MD5
97ead085ee161f1e1d5bfb29becbc773

SHA1
55bcefe82d5adf4e27c29b08130c736f51a0d5a8

SHA256
9e5196ab3047388fbd6e076c62bf46e5509e43a1a26f93a1f157e17e3d38f9e5

SHA512
01202ab58696f48c4245187b232546ba821f47233f9bb12b91b18b5a6c8dea9e8d42944591f4a999d2bb9fcec68cfc1c4b717d8289efafff3a9a45101aa04c05

Download Submit
\Windows\SysWOW64\Ilknfn32.exe

Filesize
104KB

MD5
1476589bbb35b30aa9b148dd8380313f

SHA1
4d4876e20b5db699ee36b7ab623f0e696a12697b

SHA256
df0863b5a0335ccf02c40a040fed5258f93ee6be320948c206795154e4b07ff8

SHA512
e35ad739755f088a061103e8fcc3dd6ae7b1d36e8e57e87082f05ebdcfccad6a3370426b810ffc51c2156dd8272c4e7c68cd1e38c36f73826aeadbd884b4c9e0

Download Submit
memory/2236-59-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2236-13-0x00000000002B0000-0x00000000002F3000-memory.dmp

Filesize
268KB

Download
memory/2236-6-0x00000000002B0000-0x00000000002F3000-memory.dmp

Filesize
268KB

Download
memory/2236-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2260-41-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2260-62-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2328-26-0x0000000000280000-0x00000000002C3000-memory.dmp

Filesize
268KB

Download
memory/2328-60-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2556-28-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2556-35-0x0000000000320000-0x0000000000363000-memory.dmp

Filesize
268KB

Download
memory/2556-61-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2716-54-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads