459418ef8d96120ceeff3877300df7d66981069dbe7a167b9810cfee564c384c

General

Target

459418ef8d96120ceeff3877300df7d66981069dbe7a167b9810cfee564c384c.exe
Size

96KB
MD5

1b2a16d2f48cd2418a97035a815a13c0
SHA1

49b1b1b154b9674d2c219e7dfa1d01b71fa882a6
SHA256

459418ef8d96120ceeff3877300df7d66981069dbe7a167b9810cfee564c384c
SHA512

106f8b3a4517bf935fd466674989805c24eafb4f58d59ddb07fa79faa6afed068e1e6d395c5f85c27a5a08f57332fded174177c6881893fc6d2a11d9fc95ce29
SSDEEP

1536:20wOlGILFwI8VjF58CU7i2pkhQFFimoGkybDuJm7N2V5duV9jojTIvjrH:JlPwI8OCB2uhUQZSwV5d69jc0vf

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efaibbij.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejobhppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ejobhppq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	459418ef8d96120ceeff3877300df7d66981069dbe7a167b9810cfee564c384c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	459418ef8d96120ceeff3877300df7d66981069dbe7a167b9810cfee564c384c.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efaibbij.exe

Executes dropped EXE 3 IoCs

pid	Process
2832	Efaibbij.exe
2564	Ejobhppq.exe
2848	Fkckeh32.exe

Loads dropped DLL 10 IoCs

pid	Process
2168	459418ef8d96120ceeff3877300df7d66981069dbe7a167b9810cfee564c384c.exe
2168	459418ef8d96120ceeff3877300df7d66981069dbe7a167b9810cfee564c384c.exe
2832	Efaibbij.exe
2832	Efaibbij.exe
2564	Ejobhppq.exe
2564	Ejobhppq.exe
2576	WerFault.exe
2576	WerFault.exe
2576	WerFault.exe
2576	WerFault.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Efaibbij.exe	459418ef8d96120ceeff3877300df7d66981069dbe7a167b9810cfee564c384c.exe
File opened for modification	C:\Windows\SysWOW64\Efaibbij.exe	459418ef8d96120ceeff3877300df7d66981069dbe7a167b9810cfee564c384c.exe
File created	C:\Windows\SysWOW64\Lbadbn32.dll	459418ef8d96120ceeff3877300df7d66981069dbe7a167b9810cfee564c384c.exe
File created	C:\Windows\SysWOW64\Ekgednng.dll	Efaibbij.exe
File opened for modification	C:\Windows\SysWOW64\Fkckeh32.exe	Ejobhppq.exe
File created	C:\Windows\SysWOW64\Ejobhppq.exe	Efaibbij.exe
File opened for modification	C:\Windows\SysWOW64\Ejobhppq.exe	Efaibbij.exe
File created	C:\Windows\SysWOW64\Fkckeh32.exe	Ejobhppq.exe
File created	C:\Windows\SysWOW64\Clkmne32.dll	Ejobhppq.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2576	2848	WerFault.exe	30

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	459418ef8d96120ceeff3877300df7d66981069dbe7a167b9810cfee564c384c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	459418ef8d96120ceeff3877300df7d66981069dbe7a167b9810cfee564c384c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbadbn32.dll"	459418ef8d96120ceeff3877300df7d66981069dbe7a167b9810cfee564c384c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Efaibbij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ejobhppq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	459418ef8d96120ceeff3877300df7d66981069dbe7a167b9810cfee564c384c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	459418ef8d96120ceeff3877300df7d66981069dbe7a167b9810cfee564c384c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	459418ef8d96120ceeff3877300df7d66981069dbe7a167b9810cfee564c384c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekgednng.dll"	Efaibbij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Efaibbij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkmne32.dll"	Ejobhppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ejobhppq.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2832	2168	459418ef8d96120ceeff3877300df7d66981069dbe7a167b9810cfee564c384c.exe	28
PID 2168 wrote to memory of 2832	2168	459418ef8d96120ceeff3877300df7d66981069dbe7a167b9810cfee564c384c.exe	28
PID 2168 wrote to memory of 2832	2168	459418ef8d96120ceeff3877300df7d66981069dbe7a167b9810cfee564c384c.exe	28
PID 2168 wrote to memory of 2832	2168	459418ef8d96120ceeff3877300df7d66981069dbe7a167b9810cfee564c384c.exe	28
PID 2832 wrote to memory of 2564	2832	Efaibbij.exe	29
PID 2832 wrote to memory of 2564	2832	Efaibbij.exe	29
PID 2832 wrote to memory of 2564	2832	Efaibbij.exe	29
PID 2832 wrote to memory of 2564	2832	Efaibbij.exe	29
PID 2564 wrote to memory of 2848	2564	Ejobhppq.exe	30
PID 2564 wrote to memory of 2848	2564	Ejobhppq.exe	30
PID 2564 wrote to memory of 2848	2564	Ejobhppq.exe	30
PID 2564 wrote to memory of 2848	2564	Ejobhppq.exe	30
PID 2848 wrote to memory of 2576	2848	Fkckeh32.exe	31
PID 2848 wrote to memory of 2576	2848	Fkckeh32.exe	31
PID 2848 wrote to memory of 2576	2848	Fkckeh32.exe	31
PID 2848 wrote to memory of 2576	2848	Fkckeh32.exe	31

C:\Users\Admin\AppData\Local\Temp\459418ef8d96120ceeff3877300df7d66981069dbe7a167b9810cfee564c384c.exe
"C:\Users\Admin\AppData\Local\Temp\459418ef8d96120ceeff3877300df7d66981069dbe7a167b9810cfee564c384c.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\SysWOW64\Efaibbij.exe
  C:\Windows\system32\Efaibbij.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\SysWOW64\Ejobhppq.exe
    C:\Windows\system32\Ejobhppq.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\SysWOW64\Fkckeh32.exe
      C:\Windows\system32\Fkckeh32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 140
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fkckeh32.exe

Filesize
96KB

MD5
72e821d5e4083515a8fa0959852cd558

SHA1
3a9f16f6ebdd55721b62680da149a1048f953124

SHA256
0d8b46cf103cdb78dea52224eeb1abfa45c72a4ad6f67456546eb9917afa1fc3

SHA512
da50b0d03e76d3e192dc6ea645ae5462fb0aa2434b6c1b49a7fcf2c3423c056afe610b6e3f264d89e98d6295a1722b95e53685d401b5fea80c4a3d7b1f790fcf

Download Submit
\Windows\SysWOW64\Efaibbij.exe

Filesize
96KB

MD5
160bbac79d77b358855772344b6f30f8

SHA1
6bf297e4ce6ecc3f6c9cb22f135553d9eafe6ad1

SHA256
39fc7f568a22cf9183b7d818b96068523ca7d39a167cb9bf0437f342d9d71e62

SHA512
f401c25229e67f1cb528f580c86f4dec318f44981550b3db5ae6395b2f6d3888077423e000252e46ee1b064e510badd8607fb497d79fd45f8b7ad69c87f654cf

Download Submit
\Windows\SysWOW64\Ejobhppq.exe

Filesize
96KB

MD5
cd297395a0cca6a1756b39aa003a414d

SHA1
a9da5d49502fba00f568dcb7a00ff728d1708a5e

SHA256
75f93bd7649cd2fde977e134b25c75db2268920e50ec9df6f1c78ed24b93d2d0

SHA512
ac3b4fbcb56eefe79ee2bd25c9c4157fd716aa41ac7d5078d75417231261dce73722dd6e8ce60434aee339108af07733fc1d9f74f1dac424bf2661da2a2db0de

Download Submit
memory/2168-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2168-6-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/2168-45-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2564-39-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/2564-47-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2832-14-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2832-21-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/2832-46-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2848-40-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads