4696314a5e21adc9e8b697b86643b83058a6f75bce882c0e098a1cae75b13307

General

Target

4696314a5e21adc9e8b697b86643b83058a6f75bce882c0e098a1cae75b13307.exe
Size

176KB
MD5

31e98044fdb24061066562686cd7a8f8
SHA1

fe00db41639a0cf35ee10970c2c494b4a501119e
SHA256

4696314a5e21adc9e8b697b86643b83058a6f75bce882c0e098a1cae75b13307
SHA512

d3164406fab832bd34da5dc53368bcfef70feada20adb046e2921b489f7014290748b1182a15ecc006019d77a9a0adf19f9f78e90b8b795c2bbdf5ef7267eb09
SSDEEP

3072:OyMO2Lb/urHZ3faZ5De/Ey032yaCMMq9FIUPv9XOVw1FaX6lwzmOJfYerMMq9FIT:Oy4HKvaZ5q/E4f9FIUpOVw86CmOJfToG

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ecejkf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Echfaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Echfaf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4696314a5e21adc9e8b697b86643b83058a6f75bce882c0e098a1cae75b13307.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	4696314a5e21adc9e8b697b86643b83058a6f75bce882c0e098a1cae75b13307.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecqqpgli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ecqqpgli.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecejkf32.exe

Executes dropped EXE 4 IoCs

pid	Process
2204	Ecqqpgli.exe
1916	Ecejkf32.exe
2564	Echfaf32.exe
2524	Fkckeh32.exe

Loads dropped DLL 12 IoCs

pid	Process
1220	4696314a5e21adc9e8b697b86643b83058a6f75bce882c0e098a1cae75b13307.exe
1220	4696314a5e21adc9e8b697b86643b83058a6f75bce882c0e098a1cae75b13307.exe
2204	Ecqqpgli.exe
2204	Ecqqpgli.exe
1916	Ecejkf32.exe
1916	Ecejkf32.exe
2564	Echfaf32.exe
2564	Echfaf32.exe
2912	WerFault.exe
2912	WerFault.exe
2912	WerFault.exe
2912	WerFault.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ecqqpgli.exe	4696314a5e21adc9e8b697b86643b83058a6f75bce882c0e098a1cae75b13307.exe
File created	C:\Windows\SysWOW64\Ecejkf32.exe	Ecqqpgli.exe
File opened for modification	C:\Windows\SysWOW64\Ecejkf32.exe	Ecqqpgli.exe
File opened for modification	C:\Windows\SysWOW64\Echfaf32.exe	Ecejkf32.exe
File created	C:\Windows\SysWOW64\Najgne32.dll	Ecejkf32.exe
File created	C:\Windows\SysWOW64\Clkmne32.dll	Echfaf32.exe
File created	C:\Windows\SysWOW64\Ecqqpgli.exe	4696314a5e21adc9e8b697b86643b83058a6f75bce882c0e098a1cae75b13307.exe
File created	C:\Windows\SysWOW64\Dinhacjp.dll	4696314a5e21adc9e8b697b86643b83058a6f75bce882c0e098a1cae75b13307.exe
File created	C:\Windows\SysWOW64\Bdacap32.dll	Ecqqpgli.exe
File created	C:\Windows\SysWOW64\Echfaf32.exe	Ecejkf32.exe
File created	C:\Windows\SysWOW64\Fkckeh32.exe	Echfaf32.exe
File opened for modification	C:\Windows\SysWOW64\Fkckeh32.exe	Echfaf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2912	2524	WerFault.exe	31

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Echfaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Echfaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	4696314a5e21adc9e8b697b86643b83058a6f75bce882c0e098a1cae75b13307.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	4696314a5e21adc9e8b697b86643b83058a6f75bce882c0e098a1cae75b13307.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ecqqpgli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	4696314a5e21adc9e8b697b86643b83058a6f75bce882c0e098a1cae75b13307.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	4696314a5e21adc9e8b697b86643b83058a6f75bce882c0e098a1cae75b13307.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdacap32.dll"	Ecqqpgli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ecejkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkmne32.dll"	Echfaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	4696314a5e21adc9e8b697b86643b83058a6f75bce882c0e098a1cae75b13307.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dinhacjp.dll"	4696314a5e21adc9e8b697b86643b83058a6f75bce882c0e098a1cae75b13307.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ecqqpgli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najgne32.dll"	Ecejkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ecejkf32.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 2204	1220	4696314a5e21adc9e8b697b86643b83058a6f75bce882c0e098a1cae75b13307.exe	28
PID 1220 wrote to memory of 2204	1220	4696314a5e21adc9e8b697b86643b83058a6f75bce882c0e098a1cae75b13307.exe	28
PID 1220 wrote to memory of 2204	1220	4696314a5e21adc9e8b697b86643b83058a6f75bce882c0e098a1cae75b13307.exe	28
PID 1220 wrote to memory of 2204	1220	4696314a5e21adc9e8b697b86643b83058a6f75bce882c0e098a1cae75b13307.exe	28
PID 2204 wrote to memory of 1916	2204	Ecqqpgli.exe	29
PID 2204 wrote to memory of 1916	2204	Ecqqpgli.exe	29
PID 2204 wrote to memory of 1916	2204	Ecqqpgli.exe	29
PID 2204 wrote to memory of 1916	2204	Ecqqpgli.exe	29
PID 1916 wrote to memory of 2564	1916	Ecejkf32.exe	30
PID 1916 wrote to memory of 2564	1916	Ecejkf32.exe	30
PID 1916 wrote to memory of 2564	1916	Ecejkf32.exe	30
PID 1916 wrote to memory of 2564	1916	Ecejkf32.exe	30
PID 2564 wrote to memory of 2524	2564	Echfaf32.exe	31
PID 2564 wrote to memory of 2524	2564	Echfaf32.exe	31
PID 2564 wrote to memory of 2524	2564	Echfaf32.exe	31
PID 2564 wrote to memory of 2524	2564	Echfaf32.exe	31
PID 2524 wrote to memory of 2912	2524	Fkckeh32.exe	32
PID 2524 wrote to memory of 2912	2524	Fkckeh32.exe	32
PID 2524 wrote to memory of 2912	2524	Fkckeh32.exe	32
PID 2524 wrote to memory of 2912	2524	Fkckeh32.exe	32

C:\Users\Admin\AppData\Local\Temp\4696314a5e21adc9e8b697b86643b83058a6f75bce882c0e098a1cae75b13307.exe
"C:\Users\Admin\AppData\Local\Temp\4696314a5e21adc9e8b697b86643b83058a6f75bce882c0e098a1cae75b13307.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Windows\SysWOW64\Ecqqpgli.exe
  C:\Windows\system32\Ecqqpgli.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\SysWOW64\Ecejkf32.exe
    C:\Windows\system32\Ecejkf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1916
  - - C:\Windows\SysWOW64\Echfaf32.exe
      C:\Windows\system32\Echfaf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2564
    - - C:\Windows\SysWOW64\Fkckeh32.exe
        
        C:\Windows\system32\Fkckeh32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2524
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 140
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fkckeh32.exe

Filesize
176KB

MD5
f5465494db345d3e4e416e4d6f037700

SHA1
912557b094343be87c2fe5edb3d4bbfc024512d3

SHA256
85db5f9a9b87a1d8949b20c2e1637b5dbe1bf2e285134309995eeab982f6b72f

SHA512
a69aebc1c9d043e9b806f358e6a8c71484fecab1f119f9e38fd233b1ce73ded2e80d1512602005d433ddc9b6ac351fc6e2f6e80c83987fc0e5a38dd35102ab68

Download Submit
\Windows\SysWOW64\Ecejkf32.exe

Filesize
176KB

MD5
81d80b02cdb13bb7fda58fe9accb431e

SHA1
5f2e1ff1261b2baa77cdcf5e100a01b8afff0335

SHA256
e280b513f82a2a71dc0328d4cc4e1fdc4bfd268032389a76f4d00f95246b6c62

SHA512
d11e52cc21b05ca3bb1f0d384bd14e1ed67fc19f32eb772e714cd51361bbe9d60d0b93ef91397220092e10ea0c8c18389bb361696d53e4852748d8c5f919b056

Download Submit
\Windows\SysWOW64\Echfaf32.exe

Filesize
176KB

MD5
2d0d4a29688c70dca8e8c8e7ffc99366

SHA1
e275dfbba340103b20706422d6fb87d4a9f59e6b

SHA256
1fc4f4accfa1cb7959796cae5da0acdca2ee6a5d344f5019d61afe7cfeae773e

SHA512
14447e0b4c595fc31781938356882d21aacb65f0bb81d1db4cfe4543089ecc896ee41bbccf02564c7e298cba1886a01988d0f9181417595938f477206820e8cb

Download Submit
\Windows\SysWOW64\Ecqqpgli.exe

Filesize
176KB

MD5
0c70cd7760ecd487cc3fad5d4a15205c

SHA1
a96f2b4c333d682c36433ef1b6e81d5c528b8363

SHA256
9fe40e7c68f2e173e8ba06ac6ab579aa6b8a59e982e2e64f02da4bed3576b15b

SHA512
d8ed500a96bae77c190720221a8101042a598de311a3365a6b9774ae3f311345dc9a33fbd37a25946a821cdf52a4cf7a4757827622c12935ae46eb5c772c8288

Download Submit
memory/1220-6-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/1220-60-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1220-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1916-38-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1916-52-0x00000000003B0000-0x00000000003E9000-memory.dmp

Filesize
228KB

Download
memory/2204-26-0x0000000000270000-0x00000000002A9000-memory.dmp

Filesize
228KB

Download
memory/2204-20-0x0000000000270000-0x00000000002A9000-memory.dmp

Filesize
228KB

Download
memory/2204-61-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2524-54-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2564-53-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2564-55-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads