8dbba95008edf4fba7bf229ab780a033160b87934b301f74643eaebe8b3c6029

General

Target

8dbba95008edf4fba7bf229ab780a033160b87934b301f74643eaebe8b3c6029.exe
Size

89KB
MD5

2c61f88b4e5b7e7770667cdcc091042a
SHA1

7f20b0fb0d479972018d5311f6902b22026fca11
SHA256

8dbba95008edf4fba7bf229ab780a033160b87934b301f74643eaebe8b3c6029
SHA512

33393aaebdfd1bd01c5c0450e15c721bb742b3c3e7704a169eb98d26ae4ae2bd56f4359c2924aba239f3ae15025fd68d64549ae14506f1516551d8c9a041bbfb
SSDEEP

1536:kVY3HnUh0LmDLZY485AA46F0VJlduPWGHrxbmsCIK282c8CPGCECa9bC7e3iaqW/:dUf98eA4G0VJld/4xbmhD28Qxnd9GMHD

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hodpgjha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkkalk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icbimi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilknfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8dbba95008edf4fba7bf229ab780a033160b87934b301f74643eaebe8b3c6029.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	8dbba95008edf4fba7bf229ab780a033160b87934b301f74643eaebe8b3c6029.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hodpgjha.exe

Executes dropped EXE 5 IoCs

pid	Process
2220	Hodpgjha.exe
2004	Hkkalk32.exe
2648	Icbimi32.exe
2740	Ilknfn32.exe
2564	Iagfoe32.exe

Loads dropped DLL 14 IoCs

pid	Process
2012	8dbba95008edf4fba7bf229ab780a033160b87934b301f74643eaebe8b3c6029.exe
2012	8dbba95008edf4fba7bf229ab780a033160b87934b301f74643eaebe8b3c6029.exe
2220	Hodpgjha.exe
2220	Hodpgjha.exe
2004	Hkkalk32.exe
2004	Hkkalk32.exe
2648	Icbimi32.exe
2648	Icbimi32.exe
2740	Ilknfn32.exe
2740	Ilknfn32.exe
2640	WerFault.exe
2640	WerFault.exe
2640	WerFault.exe
2640	WerFault.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Hodpgjha.exe	8dbba95008edf4fba7bf229ab780a033160b87934b301f74643eaebe8b3c6029.exe
File created	C:\Windows\SysWOW64\Liqebf32.dll	8dbba95008edf4fba7bf229ab780a033160b87934b301f74643eaebe8b3c6029.exe
File created	C:\Windows\SysWOW64\Icbimi32.exe	Hkkalk32.exe
File opened for modification	C:\Windows\SysWOW64\Ilknfn32.exe	Icbimi32.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Ejdmpb32.dll	Hodpgjha.exe
File opened for modification	C:\Windows\SysWOW64\Icbimi32.exe	Hkkalk32.exe
File created	C:\Windows\SysWOW64\Ecmkgokh.dll	Hkkalk32.exe
File opened for modification	C:\Windows\SysWOW64\Hkkalk32.exe	Hodpgjha.exe
File created	C:\Windows\SysWOW64\Ilknfn32.exe	Icbimi32.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Hodpgjha.exe	8dbba95008edf4fba7bf229ab780a033160b87934b301f74643eaebe8b3c6029.exe
File created	C:\Windows\SysWOW64\Hkkalk32.exe	Hodpgjha.exe
File created	C:\Windows\SysWOW64\Pdpfph32.dll	Icbimi32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ilknfn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2640	2564	WerFault.exe	32

Modifies registry class 18 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdpfph32.dll"	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ilknfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	8dbba95008edf4fba7bf229ab780a033160b87934b301f74643eaebe8b3c6029.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejdmpb32.dll"	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liqebf32.dll"	8dbba95008edf4fba7bf229ab780a033160b87934b301f74643eaebe8b3c6029.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icbimi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkkalk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecmkgokh.dll"	Hkkalk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	8dbba95008edf4fba7bf229ab780a033160b87934b301f74643eaebe8b3c6029.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hodpgjha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilknfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	8dbba95008edf4fba7bf229ab780a033160b87934b301f74643eaebe8b3c6029.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	8dbba95008edf4fba7bf229ab780a033160b87934b301f74643eaebe8b3c6029.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	8dbba95008edf4fba7bf229ab780a033160b87934b301f74643eaebe8b3c6029.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2220	2012	8dbba95008edf4fba7bf229ab780a033160b87934b301f74643eaebe8b3c6029.exe	28
PID 2012 wrote to memory of 2220	2012	8dbba95008edf4fba7bf229ab780a033160b87934b301f74643eaebe8b3c6029.exe	28
PID 2012 wrote to memory of 2220	2012	8dbba95008edf4fba7bf229ab780a033160b87934b301f74643eaebe8b3c6029.exe	28
PID 2012 wrote to memory of 2220	2012	8dbba95008edf4fba7bf229ab780a033160b87934b301f74643eaebe8b3c6029.exe	28
PID 2220 wrote to memory of 2004	2220	Hodpgjha.exe	29
PID 2220 wrote to memory of 2004	2220	Hodpgjha.exe	29
PID 2220 wrote to memory of 2004	2220	Hodpgjha.exe	29
PID 2220 wrote to memory of 2004	2220	Hodpgjha.exe	29
PID 2004 wrote to memory of 2648	2004	Hkkalk32.exe	30
PID 2004 wrote to memory of 2648	2004	Hkkalk32.exe	30
PID 2004 wrote to memory of 2648	2004	Hkkalk32.exe	30
PID 2004 wrote to memory of 2648	2004	Hkkalk32.exe	30
PID 2648 wrote to memory of 2740	2648	Icbimi32.exe	31
PID 2648 wrote to memory of 2740	2648	Icbimi32.exe	31
PID 2648 wrote to memory of 2740	2648	Icbimi32.exe	31
PID 2648 wrote to memory of 2740	2648	Icbimi32.exe	31
PID 2740 wrote to memory of 2564	2740	Ilknfn32.exe	32
PID 2740 wrote to memory of 2564	2740	Ilknfn32.exe	32
PID 2740 wrote to memory of 2564	2740	Ilknfn32.exe	32
PID 2740 wrote to memory of 2564	2740	Ilknfn32.exe	32
PID 2564 wrote to memory of 2640	2564	Iagfoe32.exe	33
PID 2564 wrote to memory of 2640	2564	Iagfoe32.exe	33
PID 2564 wrote to memory of 2640	2564	Iagfoe32.exe	33
PID 2564 wrote to memory of 2640	2564	Iagfoe32.exe	33

C:\Users\Admin\AppData\Local\Temp\8dbba95008edf4fba7bf229ab780a033160b87934b301f74643eaebe8b3c6029.exe
"C:\Users\Admin\AppData\Local\Temp\8dbba95008edf4fba7bf229ab780a033160b87934b301f74643eaebe8b3c6029.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\SysWOW64\Hodpgjha.exe
  C:\Windows\system32\Hodpgjha.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\SysWOW64\Hkkalk32.exe
    C:\Windows\system32\Hkkalk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\Windows\SysWOW64\Icbimi32.exe
      C:\Windows\system32\Icbimi32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2648
    - - C:\Windows\SysWOW64\Ilknfn32.exe
        
        C:\Windows\system32\Ilknfn32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2740
      - C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 140
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hkkalk32.exe

Filesize
89KB

MD5
ff33464cb2f3388de25b1f84f1802471

SHA1
aa0c61ee030758009ac40b67ee101ef6ef181e42

SHA256
0f78b10e367564548592417056f020699685dd56c328b40b03ae484c926f884d

SHA512
b605400eacaf5e11ec6c159e4cb7de2dabc41e67c91e9e5c73b4dbfcb49a593e726abc444180f0167248b236615e0c9b8236838126455bf5b8caba69821ca877

Download Submit
C:\Windows\SysWOW64\Icbimi32.exe

Filesize
89KB

MD5
5fccb102c70cc805a070751a82f6fbf5

SHA1
d9d5107c3ba4cc32fd24cddc1e32648862397e89

SHA256
dcba2c36224086b2749bb00f54c83a7d86b3868715d795e20650b2f08b317fe9

SHA512
e7808960f1059e97d1eeeaea6a6411df3d61e56edcc2c30532b71b99abe0cba5734ea9ff7ce6ff8eddfc7c0e04665a86961b7c39b7ac02c1ea8c477fdad23a94

Download Submit
\Windows\SysWOW64\Hodpgjha.exe

Filesize
89KB

MD5
aadc018b818f23b3dfa13f0b9b26e39e

SHA1
d8269312e34e3dde2695e4ec252026ed0c29bfa4

SHA256
9a479ac4d11c5f436e5917f3548d49804064ea3a1485f73dd73e97743d4a6b5b

SHA512
54cab615eb30a7a7387916bf25de572c67734a0a780259c1bd5a8d0f83e000baf108a7c3b5b5cb58ee08b72ef1b640887d21980976364750f2b5c6af36444483

Download Submit
\Windows\SysWOW64\Iagfoe32.exe

Filesize
89KB

MD5
482d159a1fb01e28a3ba64e36b04c12c

SHA1
6c2c702a2fc2900146332cb8c56cac1d5819d62b

SHA256
94f10ce9bcb40a2ccc5fdc1faa1bfd26347a7adfb8cc54d6f2addb0b726e1b78

SHA512
670badc096b512613c9f90c2c989e2977031990f66218aba0460a4c10889c342637b26a50e27d1c1348dd7d51f8a183610b41ea55a928e40a131aaa6f188af44

Download Submit
\Windows\SysWOW64\Ilknfn32.exe

Filesize
89KB

MD5
b1f80f75a8f9d39de1dc744f675fafd8

SHA1
adca92e5be94cd17952dfccdcfa2b74f6f46c468

SHA256
a12eadcd7f569451fa7498be64a908b29b12007e42aeacea16ff8fe562bdd83f

SHA512
72a29b272eff5fd5d0a178aec01092979c80b54246b942921085252a4a5747d656c33fefdf5f00c805ce2aabbf7fc9ab1edd74a9cf75d17a9161e2c0bdbaa53f

Download Submit
memory/2004-37-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2012-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2012-6-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2012-70-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2220-25-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2220-71-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2564-65-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2648-63-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2740-51-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2740-72-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads