3a76f842c0de4c86568fce9efdd0c22e19025c1ed1b9da3f849e56ad8fb70b8a

General

Target

97ba349b5993c5a6056fa26919413303.exe
Size

120KB
MD5

97ba349b5993c5a6056fa26919413303
SHA1

7f1632c18ba58b915b7d3be5543aa5976728b65b
SHA256

3a76f842c0de4c86568fce9efdd0c22e19025c1ed1b9da3f849e56ad8fb70b8a
SHA512

60c63cf735b98dfc11eb3a612c1eace25184ffeae28b1f072e25df3796a5a8f3f3da03cec9c4d316932245bd812b5ceffc0310f9164719e893991c494ba6f72e
SSDEEP

3072:5WFjq0plDumeJ203H/6TC+qF1SsB1bw4AVRrd9:Q9xu9J9C81NBy9

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iknnbklc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iknnbklc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	97ba349b5993c5a6056fa26919413303.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	97ba349b5993c5a6056fa26919413303.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkkalk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hkkalk32.exe

Executes dropped EXE 4 IoCs

pid	Process
2364	Hkkalk32.exe
2696	Ihoafpmp.exe
2516	Iknnbklc.exe
2988	Iagfoe32.exe

Loads dropped DLL 12 IoCs

pid	Process
2728	97ba349b5993c5a6056fa26919413303.exe
2728	97ba349b5993c5a6056fa26919413303.exe
2364	Hkkalk32.exe
2364	Hkkalk32.exe
2696	Ihoafpmp.exe
2696	Ihoafpmp.exe
2516	Iknnbklc.exe
2516	Iknnbklc.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ejdmpb32.dll	97ba349b5993c5a6056fa26919413303.exe
File opened for modification	C:\Windows\SysWOW64\Ihoafpmp.exe	Hkkalk32.exe
File created	C:\Windows\SysWOW64\Amammd32.dll	Hkkalk32.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Iknnbklc.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Iknnbklc.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Iknnbklc.exe
File created	C:\Windows\SysWOW64\Hkkalk32.exe	97ba349b5993c5a6056fa26919413303.exe
File opened for modification	C:\Windows\SysWOW64\Hkkalk32.exe	97ba349b5993c5a6056fa26919413303.exe
File created	C:\Windows\SysWOW64\Ihoafpmp.exe	Hkkalk32.exe
File created	C:\Windows\SysWOW64\Iknnbklc.exe	Ihoafpmp.exe
File opened for modification	C:\Windows\SysWOW64\Iknnbklc.exe	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Eqpofkjo.dll	Ihoafpmp.exe

Program crash 1 IoCs

pid	pid_target	Process
2184	2988	WerFault.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amammd32.dll"	Hkkalk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqpofkjo.dll"	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Iknnbklc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	97ba349b5993c5a6056fa26919413303.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	97ba349b5993c5a6056fa26919413303.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	97ba349b5993c5a6056fa26919413303.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	97ba349b5993c5a6056fa26919413303.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iknnbklc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iknnbklc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejdmpb32.dll"	97ba349b5993c5a6056fa26919413303.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	97ba349b5993c5a6056fa26919413303.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ihoafpmp.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 2364	2728	97ba349b5993c5a6056fa26919413303.exe	28
PID 2728 wrote to memory of 2364	2728	97ba349b5993c5a6056fa26919413303.exe	28
PID 2728 wrote to memory of 2364	2728	97ba349b5993c5a6056fa26919413303.exe	28
PID 2728 wrote to memory of 2364	2728	97ba349b5993c5a6056fa26919413303.exe	28
PID 2364 wrote to memory of 2696	2364	Hkkalk32.exe	29
PID 2364 wrote to memory of 2696	2364	Hkkalk32.exe	29
PID 2364 wrote to memory of 2696	2364	Hkkalk32.exe	29
PID 2364 wrote to memory of 2696	2364	Hkkalk32.exe	29
PID 2696 wrote to memory of 2516	2696	Ihoafpmp.exe	30
PID 2696 wrote to memory of 2516	2696	Ihoafpmp.exe	30
PID 2696 wrote to memory of 2516	2696	Ihoafpmp.exe	30
PID 2696 wrote to memory of 2516	2696	Ihoafpmp.exe	30
PID 2516 wrote to memory of 2988	2516	Iknnbklc.exe	31
PID 2516 wrote to memory of 2988	2516	Iknnbklc.exe	31
PID 2516 wrote to memory of 2988	2516	Iknnbklc.exe	31
PID 2516 wrote to memory of 2988	2516	Iknnbklc.exe	31
PID 2988 wrote to memory of 2184	2988	Iagfoe32.exe	32
PID 2988 wrote to memory of 2184	2988	Iagfoe32.exe	32
PID 2988 wrote to memory of 2184	2988	Iagfoe32.exe	32
PID 2988 wrote to memory of 2184	2988	Iagfoe32.exe	32

C:\Users\Admin\AppData\Local\Temp\97ba349b5993c5a6056fa26919413303.exe
"C:\Users\Admin\AppData\Local\Temp\97ba349b5993c5a6056fa26919413303.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\SysWOW64\Hkkalk32.exe
  C:\Windows\system32\Hkkalk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\SysWOW64\Ihoafpmp.exe
    C:\Windows\system32\Ihoafpmp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\SysWOW64\Iknnbklc.exe
      C:\Windows\system32\Iknnbklc.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2516
    - - C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2988
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 140
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
120KB

MD5
dc33d74422a4fb7be51d66dd08cebcc6

SHA1
936672849b8f96f0d93537f933f0770b19afb0c7

SHA256
246d8c658e5a177b0340b5d0b02dcf7094cc29803210790e00a7342b61715998

SHA512
ce521df348bbdb85bcc7d41fff69c2ed0d0dfb440f858d24d3889068c60744cc1fe697ca3f3424cf42f6bb1fa3473e3f4e4b4fca9d0a055878e4c04d9d62434d

Download Submit
C:\Windows\SysWOW64\Ihoafpmp.exe

Filesize
120KB

MD5
8f6c4c57e22414a144c1dd13029582dc

SHA1
2dc2fbd86778f0b1a223477528fec188a66268df

SHA256
60a6abdf69fd99730a687a6c45240b162b356740835305429d1b8338158c8619

SHA512
d5e6dd46ea49ef07877f060098593dc088e4ea6daa8f5c5e3e0a22aab5614aac74d241e56a3682fbbd9b999e724105c8ceb0d2507a84dbb98f390452e26b73d4

Download Submit
C:\Windows\SysWOW64\Iknnbklc.exe

Filesize
120KB

MD5
5452973ad4b56c8c9bc81b4c6571df3d

SHA1
1180e15c712e0d08dd528a94703495ca3a7e40e5

SHA256
2ec8d5c4daea71bcb800909ca0d9823686e1c345e89496dd9bbbb1f87e0122b1

SHA512
e7633fce7aed46bcd534b611bc69d7cbc369af124c18c72e15f1f40a54d05936229aac7a8910f992570b1f0d1acedcf858ea08d73d73078fa18e70305fd72539

Download Submit
\Windows\SysWOW64\Hkkalk32.exe

Filesize
120KB

MD5
49625994daec8da48170379b9c8f865d

SHA1
22eeaf47b1fb4289a5ca6d739b1b598d5148c5a4

SHA256
f0bb7873d38c92c8d1ebd58e7bda467758f5e521fd3bd69328006f91ea9eba6b

SHA512
ffd21dce64935f934c90689d43f3776a8753870d15b7fe8db50a3d50dded5be90e2c4f58a32604b24af51b1db6b27b33f491812927377a8d6f0b80186be2eb7c

Download Submit
memory/2364-38-0x0000000000310000-0x000000000034E000-memory.dmp

Filesize
248KB

Download
memory/2364-26-0x0000000000310000-0x000000000034E000-memory.dmp

Filesize
248KB

Download
memory/2364-13-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2364-60-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2516-52-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2696-45-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2728-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2728-6-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/2728-59-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2988-54-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads