d300f21048d062084cec36432cd28c62806a9a6e187eff33b28512ede8269261

General

Target

d300f21048d062084cec36432cd28c62806a9a6e187eff33b28512ede8269261.exe
Size

80KB
MD5

49d9ccb6749b44e918f5eb5442ae014e
SHA1

1fbe4c4ed9a27bbe78b202f6d2d61cf087f53a9b
SHA256

d300f21048d062084cec36432cd28c62806a9a6e187eff33b28512ede8269261
SHA512

8c2744c0a352c5bd0e3f0b3068c96fc419d014d98df1f588d4700a1f70f73361132e43d10b0fffd0ba97f65359e70545347300822f861234391e546680d5c0dd
SSDEEP

768:WOOMBYp6C+AEOgPw9mpqfe5uGpPTKLRL1YQOgsGeEmEwLjV/6ojCeYnkv7RUCWdU:O6CjfFHf8uFLGEALuCegjFeJuqnhCN

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hlhaqogk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d300f21048d062084cec36432cd28c62806a9a6e187eff33b28512ede8269261.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	d300f21048d062084cec36432cd28c62806a9a6e187eff33b28512ede8269261.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlhaqogk.exe

Executes dropped EXE 3 IoCs

pid	Process
2364	Hlhaqogk.exe
2688	Ioijbj32.exe
3020	Iagfoe32.exe

Loads dropped DLL 10 IoCs

pid	Process
2728	d300f21048d062084cec36432cd28c62806a9a6e187eff33b28512ede8269261.exe
2728	d300f21048d062084cec36432cd28c62806a9a6e187eff33b28512ede8269261.exe
2364	Hlhaqogk.exe
2364	Hlhaqogk.exe
2688	Ioijbj32.exe
2688	Ioijbj32.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hlhaqogk.exe	d300f21048d062084cec36432cd28c62806a9a6e187eff33b28512ede8269261.exe
File opened for modification	C:\Windows\SysWOW64\Ioijbj32.exe	Hlhaqogk.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ioijbj32.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ioijbj32.exe
File opened for modification	C:\Windows\SysWOW64\Hlhaqogk.exe	d300f21048d062084cec36432cd28c62806a9a6e187eff33b28512ede8269261.exe
File created	C:\Windows\SysWOW64\Pnbgan32.dll	d300f21048d062084cec36432cd28c62806a9a6e187eff33b28512ede8269261.exe
File created	C:\Windows\SysWOW64\Ioijbj32.exe	Hlhaqogk.exe
File created	C:\Windows\SysWOW64\Dgnijonn.dll	Hlhaqogk.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ioijbj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2744	3020	WerFault.exe	30

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	d300f21048d062084cec36432cd28c62806a9a6e187eff33b28512ede8269261.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	d300f21048d062084cec36432cd28c62806a9a6e187eff33b28512ede8269261.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbgan32.dll"	d300f21048d062084cec36432cd28c62806a9a6e187eff33b28512ede8269261.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnijonn.dll"	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	d300f21048d062084cec36432cd28c62806a9a6e187eff33b28512ede8269261.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	d300f21048d062084cec36432cd28c62806a9a6e187eff33b28512ede8269261.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hlhaqogk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	d300f21048d062084cec36432cd28c62806a9a6e187eff33b28512ede8269261.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 2364	2728	d300f21048d062084cec36432cd28c62806a9a6e187eff33b28512ede8269261.exe	28
PID 2728 wrote to memory of 2364	2728	d300f21048d062084cec36432cd28c62806a9a6e187eff33b28512ede8269261.exe	28
PID 2728 wrote to memory of 2364	2728	d300f21048d062084cec36432cd28c62806a9a6e187eff33b28512ede8269261.exe	28
PID 2728 wrote to memory of 2364	2728	d300f21048d062084cec36432cd28c62806a9a6e187eff33b28512ede8269261.exe	28
PID 2364 wrote to memory of 2688	2364	Hlhaqogk.exe	29
PID 2364 wrote to memory of 2688	2364	Hlhaqogk.exe	29
PID 2364 wrote to memory of 2688	2364	Hlhaqogk.exe	29
PID 2364 wrote to memory of 2688	2364	Hlhaqogk.exe	29
PID 2688 wrote to memory of 3020	2688	Ioijbj32.exe	30
PID 2688 wrote to memory of 3020	2688	Ioijbj32.exe	30
PID 2688 wrote to memory of 3020	2688	Ioijbj32.exe	30
PID 2688 wrote to memory of 3020	2688	Ioijbj32.exe	30
PID 3020 wrote to memory of 2744	3020	Iagfoe32.exe	31
PID 3020 wrote to memory of 2744	3020	Iagfoe32.exe	31
PID 3020 wrote to memory of 2744	3020	Iagfoe32.exe	31
PID 3020 wrote to memory of 2744	3020	Iagfoe32.exe	31

C:\Users\Admin\AppData\Local\Temp\d300f21048d062084cec36432cd28c62806a9a6e187eff33b28512ede8269261.exe
"C:\Users\Admin\AppData\Local\Temp\d300f21048d062084cec36432cd28c62806a9a6e187eff33b28512ede8269261.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\SysWOW64\Hlhaqogk.exe
  C:\Windows\system32\Hlhaqogk.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\SysWOW64\Ioijbj32.exe
    C:\Windows\system32\Ioijbj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\SysWOW64\Iagfoe32.exe
      C:\Windows\system32\Iagfoe32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3020
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 140
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\Hlhaqogk.exe

Filesize
80KB

MD5
41ea20622e7733ff9ade7028f51e52e8

SHA1
b0ec458bc10a21ad5d589a1847a4fabaedcaa201

SHA256
0c5b680a8e26a135a5502c0ace18348b1613ae170f1750b2343af334e5b0c048

SHA512
a8fa5c516f6d808844ed05313b27f75420b8394efe2d3e5f2e74c429177bfb0d1af730a29828dc4deb189c0eff834f2ac3c1ebfe9697437d94f43c1c4e0f7409

Download Submit
\Windows\SysWOW64\Iagfoe32.exe

Filesize
80KB

MD5
fec458919ec12fd328cb0a2e1ede2058

SHA1
7a9316b6a487e8ba232f0dae591128d036f068e6

SHA256
71243ca2c2e2f81f3cd157ae8e3b30b89ccd9e90d8452e911752a2fadbff5165

SHA512
dc87522664ee6c66248685ec515bc0b1b24bf9ae27c04c99cf0bfd9f5fd41ec034b33da804ab35c4ca3618169db504bf4655c1f83b99aef7574a05c1aacd64ba

Download Submit
\Windows\SysWOW64\Ioijbj32.exe

Filesize
80KB

MD5
b4b87f66a90496f815f66f5cbb6b7b6b

SHA1
1523d1dfd1b9ca72f2d900d5d1fbe0046b9a7088

SHA256
26af6ad1bf5dc4c41f0f6acdcb8d38edfd374fbed979b42502b1b9df541bcff4

SHA512
ccfd7ea074a8785e7a3392aa71620fa59daa8ae881b666cae9702c1c1dbd58af7195b003a920f5f4ae92156cea5719650be53ad9d9e23d6ad65a142e0f479265

Download Submit
memory/2364-24-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2364-45-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2688-37-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2728-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2728-6-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2728-44-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3020-39-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads