ffa1e04cc45ee427448a797280aae6ac725137b486b1a566e21cc72f9455e3e0

General

Target

ffa1e04cc45ee427448a797280aae6ac725137b486b1a566e21cc72f9455e3e0.exe
Size

194KB
MD5

a01041d8adfd31bcf02485cc62edf1e6
SHA1

d05563c79a2324c9e55db9d977d1d77bc146ecd8
SHA256

ffa1e04cc45ee427448a797280aae6ac725137b486b1a566e21cc72f9455e3e0
SHA512

3878de83b0c3a0629360a04a7dd9639e6e50e00c2c18a449da7d4f74022702bb0d2e13bc49342799848326e78ea64c8838632120a761d75d61393680f29bd033
SSDEEP

6144:vwfLQzUdSfUNRbCeKpNYxWlJ7mkD6pNY:Yz

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ffa1e04cc45ee427448a797280aae6ac725137b486b1a566e21cc72f9455e3e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ffa1e04cc45ee427448a797280aae6ac725137b486b1a566e21cc72f9455e3e0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpbjkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpbjkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhphmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhphmj32.exe

Executes dropped EXE 3 IoCs

pid	Process
4420	Cpbjkn32.exe
3980	Dhphmj32.exe
4428	Dkqaoe32.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dhphmj32.exe	Cpbjkn32.exe
File created	C:\Windows\SysWOW64\Glfdiedd.dll	Dhphmj32.exe
File opened for modification	C:\Windows\SysWOW64\Dhphmj32.exe	Cpbjkn32.exe
File created	C:\Windows\SysWOW64\Ekppjn32.dll	Cpbjkn32.exe
File created	C:\Windows\SysWOW64\Dkqaoe32.exe	Dhphmj32.exe
File opened for modification	C:\Windows\SysWOW64\Dkqaoe32.exe	Dhphmj32.exe
File created	C:\Windows\SysWOW64\Cpbjkn32.exe	ffa1e04cc45ee427448a797280aae6ac725137b486b1a566e21cc72f9455e3e0.exe
File opened for modification	C:\Windows\SysWOW64\Cpbjkn32.exe	ffa1e04cc45ee427448a797280aae6ac725137b486b1a566e21cc72f9455e3e0.exe
File created	C:\Windows\SysWOW64\Cpkhqmjb.dll	ffa1e04cc45ee427448a797280aae6ac725137b486b1a566e21cc72f9455e3e0.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2832	4428	WerFault.exe	98

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ffa1e04cc45ee427448a797280aae6ac725137b486b1a566e21cc72f9455e3e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	ffa1e04cc45ee427448a797280aae6ac725137b486b1a566e21cc72f9455e3e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhphmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll"	Dhphmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	ffa1e04cc45ee427448a797280aae6ac725137b486b1a566e21cc72f9455e3e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	ffa1e04cc45ee427448a797280aae6ac725137b486b1a566e21cc72f9455e3e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpkhqmjb.dll"	ffa1e04cc45ee427448a797280aae6ac725137b486b1a566e21cc72f9455e3e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	ffa1e04cc45ee427448a797280aae6ac725137b486b1a566e21cc72f9455e3e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpbjkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekppjn32.dll"	Cpbjkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpbjkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhphmj32.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4104 wrote to memory of 4420	4104	ffa1e04cc45ee427448a797280aae6ac725137b486b1a566e21cc72f9455e3e0.exe	96
PID 4104 wrote to memory of 4420	4104	ffa1e04cc45ee427448a797280aae6ac725137b486b1a566e21cc72f9455e3e0.exe	96
PID 4104 wrote to memory of 4420	4104	ffa1e04cc45ee427448a797280aae6ac725137b486b1a566e21cc72f9455e3e0.exe	96
PID 4420 wrote to memory of 3980	4420	Cpbjkn32.exe	97
PID 4420 wrote to memory of 3980	4420	Cpbjkn32.exe	97
PID 4420 wrote to memory of 3980	4420	Cpbjkn32.exe	97
PID 3980 wrote to memory of 4428	3980	Dhphmj32.exe	98
PID 3980 wrote to memory of 4428	3980	Dhphmj32.exe	98
PID 3980 wrote to memory of 4428	3980	Dhphmj32.exe	98

C:\Users\Admin\AppData\Local\Temp\ffa1e04cc45ee427448a797280aae6ac725137b486b1a566e21cc72f9455e3e0.exe
"C:\Users\Admin\AppData\Local\Temp\ffa1e04cc45ee427448a797280aae6ac725137b486b1a566e21cc72f9455e3e0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4104
- C:\Windows\SysWOW64\Cpbjkn32.exe
  C:\Windows\system32\Cpbjkn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4420
- - C:\Windows\SysWOW64\Dhphmj32.exe
    C:\Windows\system32\Dhphmj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3980
  - - C:\Windows\SysWOW64\Dkqaoe32.exe
      C:\Windows\system32\Dkqaoe32.exe
      4⤵
      Executes dropped EXE
      PID:4428
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 400
        5⤵
        Program crash
        
        PID:2832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4428 -ip 4428
1⤵
PID:4828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1028 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
1⤵
PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cpbjkn32.exe

Filesize
194KB

MD5
f7ae1d098e5d316892017676d7b1499b

SHA1
70138d3b091da0754b434ed5bc872ca7096c2e09

SHA256
de4c21a25217b9a30ad3cdcdc499f2dba2668155286b64f8f18732cbb711dd8c

SHA512
0c0878e151616d9a2b8ebf1e49a0fb6ea225b329650c97f7c25eb7a0c343b6f9c6b715a80b1923a6729dd87e2fe41ab030387078403b60b920b561be005e6e3d

Download Submit
C:\Windows\SysWOW64\Dhphmj32.exe

Filesize
194KB

MD5
9c0a1fcc981e77d63cc1ba6bfeb4f83f

SHA1
9e69dd0990d420555a69e658709762a989eaf7c8

SHA256
b894a2e1dc524a9ba32941deef8b79b131241b339c3ae0dd0c98685f5841ccfa

SHA512
f0fed8a730a9571ea054c7d3448fb2c4185883ee7e4ee04771f5ad14029226ae782a67e11027276746bedca3f3ba575aeca2c2ce4247f98a56cf338427e53cdd

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
194KB

MD5
be68458b231386707a0dfdf6cb8880b9

SHA1
aa0bf20adbaec0f7ea8d89b177fafa422ddc9f8f

SHA256
df9ed15d46fed2f8aec239bf737f8e1aa83449430d771c3e1b54cc9b74ac943a

SHA512
b8a5d6e3f84f69e1a209420f137cffe5fbd228826c14214445b02447c488e2cc9ddc5f0222eb58e8134682cebb9b8653625ea0911c13635146784e5790c14780

Download Submit
memory/3980-15-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3980-29-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4104-0-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4104-33-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4420-7-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4420-31-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4428-25-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4428-32-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads