16d02377dcd7f63c3ce1bc583108ae82eabf4e6bee08455fa5aa3f6e7ac34b5e

General

Target

16d02377dcd7f63c3ce1bc583108ae82eabf4e6bee08455fa5aa3f6e7ac34b5e.exe
Size

89KB
MD5

1d942dc4c3698e52117f4d6ca21b0275
SHA1

5a54b4ab64274f46c8b418ea23490d2cb2984131
SHA256

16d02377dcd7f63c3ce1bc583108ae82eabf4e6bee08455fa5aa3f6e7ac34b5e
SHA512

b05eeb4d8e8a634edefada510dd150e15b539d26617094b58b55fb4be5fef9b32248f8aa8cd57b3159651279a1d0be0bbdc167f02bfdfe158463a65b8ff29c45
SSDEEP

768:WMslOQMe39sTDOjAEjgLTnwYIhD5E5ZHtLejjd/ATn3HTgkwUlxqP0qH5cAv8Q51:yNsXGdjgLTwfo2doQkjy5BcOlExkg8F

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hlhaqogk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ilknfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	16d02377dcd7f63c3ce1bc583108ae82eabf4e6bee08455fa5aa3f6e7ac34b5e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	16d02377dcd7f63c3ce1bc583108ae82eabf4e6bee08455fa5aa3f6e7ac34b5e.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlhaqogk.exe

Executes dropped EXE 3 IoCs

pid	Process
2508	Hlhaqogk.exe
2712	Ilknfn32.exe
864	Iagfoe32.exe

Loads dropped DLL 10 IoCs

pid	Process
2044	16d02377dcd7f63c3ce1bc583108ae82eabf4e6bee08455fa5aa3f6e7ac34b5e.exe
2044	16d02377dcd7f63c3ce1bc583108ae82eabf4e6bee08455fa5aa3f6e7ac34b5e.exe
2508	Hlhaqogk.exe
2508	Hlhaqogk.exe
2712	Ilknfn32.exe
2712	Ilknfn32.exe
2768	WerFault.exe
2768	WerFault.exe
2768	WerFault.exe
2768	WerFault.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Hlhaqogk.exe	16d02377dcd7f63c3ce1bc583108ae82eabf4e6bee08455fa5aa3f6e7ac34b5e.exe
File opened for modification	C:\Windows\SysWOW64\Hlhaqogk.exe	16d02377dcd7f63c3ce1bc583108ae82eabf4e6bee08455fa5aa3f6e7ac34b5e.exe
File opened for modification	C:\Windows\SysWOW64\Ilknfn32.exe	Hlhaqogk.exe
File created	C:\Windows\SysWOW64\Pdpfph32.dll	Hlhaqogk.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Pnbgan32.dll	16d02377dcd7f63c3ce1bc583108ae82eabf4e6bee08455fa5aa3f6e7ac34b5e.exe
File created	C:\Windows\SysWOW64\Ilknfn32.exe	Hlhaqogk.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2768	864	WerFault.exe	30

Modifies registry class 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbgan32.dll"	16d02377dcd7f63c3ce1bc583108ae82eabf4e6bee08455fa5aa3f6e7ac34b5e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	16d02377dcd7f63c3ce1bc583108ae82eabf4e6bee08455fa5aa3f6e7ac34b5e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdpfph32.dll"	Hlhaqogk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	16d02377dcd7f63c3ce1bc583108ae82eabf4e6bee08455fa5aa3f6e7ac34b5e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	16d02377dcd7f63c3ce1bc583108ae82eabf4e6bee08455fa5aa3f6e7ac34b5e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	16d02377dcd7f63c3ce1bc583108ae82eabf4e6bee08455fa5aa3f6e7ac34b5e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hlhaqogk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ilknfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	16d02377dcd7f63c3ce1bc583108ae82eabf4e6bee08455fa5aa3f6e7ac34b5e.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 2508	2044	16d02377dcd7f63c3ce1bc583108ae82eabf4e6bee08455fa5aa3f6e7ac34b5e.exe	28
PID 2044 wrote to memory of 2508	2044	16d02377dcd7f63c3ce1bc583108ae82eabf4e6bee08455fa5aa3f6e7ac34b5e.exe	28
PID 2044 wrote to memory of 2508	2044	16d02377dcd7f63c3ce1bc583108ae82eabf4e6bee08455fa5aa3f6e7ac34b5e.exe	28
PID 2044 wrote to memory of 2508	2044	16d02377dcd7f63c3ce1bc583108ae82eabf4e6bee08455fa5aa3f6e7ac34b5e.exe	28
PID 2508 wrote to memory of 2712	2508	Hlhaqogk.exe	29
PID 2508 wrote to memory of 2712	2508	Hlhaqogk.exe	29
PID 2508 wrote to memory of 2712	2508	Hlhaqogk.exe	29
PID 2508 wrote to memory of 2712	2508	Hlhaqogk.exe	29
PID 2712 wrote to memory of 864	2712	Ilknfn32.exe	30
PID 2712 wrote to memory of 864	2712	Ilknfn32.exe	30
PID 2712 wrote to memory of 864	2712	Ilknfn32.exe	30
PID 2712 wrote to memory of 864	2712	Ilknfn32.exe	30
PID 864 wrote to memory of 2768	864	Iagfoe32.exe	31
PID 864 wrote to memory of 2768	864	Iagfoe32.exe	31
PID 864 wrote to memory of 2768	864	Iagfoe32.exe	31
PID 864 wrote to memory of 2768	864	Iagfoe32.exe	31

C:\Users\Admin\AppData\Local\Temp\16d02377dcd7f63c3ce1bc583108ae82eabf4e6bee08455fa5aa3f6e7ac34b5e.exe
"C:\Users\Admin\AppData\Local\Temp\16d02377dcd7f63c3ce1bc583108ae82eabf4e6bee08455fa5aa3f6e7ac34b5e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\SysWOW64\Hlhaqogk.exe
  C:\Windows\system32\Hlhaqogk.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\SysWOW64\Ilknfn32.exe
    C:\Windows\system32\Ilknfn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\SysWOW64\Iagfoe32.exe
      C:\Windows\system32\Iagfoe32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:864
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 140
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ilknfn32.exe

Filesize
89KB

MD5
caad3807ef0eb24ef63b066a4da52d3c

SHA1
f76724de3b4fef441d6f9e6d3abef1d98051e2cb

SHA256
3a6c32fcb1d776a3a8c0a83c336b68ee8349f2fe6136f0652c2f3baa3dee5f8a

SHA512
ba6984c0dc14311bf57650dbc5b9668ee56aa839ab5ea62b9d22f7a8afed74384074b8a65ce66e400605b887509510a552bc2e7a1b5c6d468f664b29ca3c1ad0

Download Submit
\Windows\SysWOW64\Hlhaqogk.exe

Filesize
89KB

MD5
3c67b59f666e96ff0480452a59c3ecb8

SHA1
fc4582b03f3bc1da9e6db077ce67dc0af8378628

SHA256
0b1d65b5160e03332e4b1846503272b4c5d880e4e735275f9726b282e0be9634

SHA512
7dc36e6c8ee9923184e41af2eddf9771b2c99105f884b6b8379a6f3e72d0d9fbab980bc7211fa460a857cd6b8bdafdf57d8440d34d7e15dd8ce196c36d595b97

Download Submit
\Windows\SysWOW64\Iagfoe32.exe

Filesize
89KB

MD5
ca42ee15f6929599df68b66fbf327916

SHA1
7380b93fd264213578d2ee655872d78a13d842f8

SHA256
f65783a2b042c6dd2f57ab5466ddb768666c8f3b2ac74189b7ef2aeb407145b0

SHA512
dd433c00a41b06a5183f44b6a8f2f5d443e7c6040013624642ac65c5ee862a84f287da1bdf7d16312293c9f9be9d133ab36ad3e1cb962e54c2d1d4e8d43bdc08

Download Submit
memory/864-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2044-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2044-12-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2044-6-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2044-45-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2508-19-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2712-27-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2712-46-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads