9598c7d47b3c8f2ac0299700e2ce5d7a7f8e6eeadb1eea753356abcd754fcaf0

General

Target

9598c7d47b3c8f2ac0299700e2ce5d7a7f8e6eeadb1eea753356abcd754fcaf0.exe
Size

376KB
MD5

cfedb049de2adb3dc581b2596a648821
SHA1

3c77bbcdbef14f539374b93b686c763a04099522
SHA256

9598c7d47b3c8f2ac0299700e2ce5d7a7f8e6eeadb1eea753356abcd754fcaf0
SHA512

40699cbea8380a7f1fd91464509a0f05fc56058c7ced16d056de94fd2e346e0fa1fa6496a5eb607e10b09a75efca7134c90b1734e1e46e682a6aaa4b268ff843
SSDEEP

6144:8Fbl1TeC7oQ0IV/Atl/AtW1OE43V1+25CzRoQ0Ibl4HdE43V1+2:8FB1V50I2mi4lCzb0IF4

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	9598c7d47b3c8f2ac0299700e2ce5d7a7f8e6eeadb1eea753356abcd754fcaf0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	9598c7d47b3c8f2ac0299700e2ce5d7a7f8e6eeadb1eea753356abcd754fcaf0.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ihoafpmp.exe

Executes dropped EXE 2 IoCs

pid	Process
2104	Ihoafpmp.exe
2712	Iagfoe32.exe

Loads dropped DLL 8 IoCs

pid	Process
2476	9598c7d47b3c8f2ac0299700e2ce5d7a7f8e6eeadb1eea753356abcd754fcaf0.exe
2476	9598c7d47b3c8f2ac0299700e2ce5d7a7f8e6eeadb1eea753356abcd754fcaf0.exe
2104	Ihoafpmp.exe
2104	Ihoafpmp.exe
2000	WerFault.exe
2000	WerFault.exe
2000	WerFault.exe
2000	WerFault.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Ihoafpmp.exe	9598c7d47b3c8f2ac0299700e2ce5d7a7f8e6eeadb1eea753356abcd754fcaf0.exe
File opened for modification	C:\Windows\SysWOW64\Ihoafpmp.exe	9598c7d47b3c8f2ac0299700e2ce5d7a7f8e6eeadb1eea753356abcd754fcaf0.exe
File created	C:\Windows\SysWOW64\Amammd32.dll	9598c7d47b3c8f2ac0299700e2ce5d7a7f8e6eeadb1eea753356abcd754fcaf0.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ihoafpmp.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ihoafpmp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2000	2712	WerFault.exe	29

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	9598c7d47b3c8f2ac0299700e2ce5d7a7f8e6eeadb1eea753356abcd754fcaf0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	9598c7d47b3c8f2ac0299700e2ce5d7a7f8e6eeadb1eea753356abcd754fcaf0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	9598c7d47b3c8f2ac0299700e2ce5d7a7f8e6eeadb1eea753356abcd754fcaf0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	9598c7d47b3c8f2ac0299700e2ce5d7a7f8e6eeadb1eea753356abcd754fcaf0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	9598c7d47b3c8f2ac0299700e2ce5d7a7f8e6eeadb1eea753356abcd754fcaf0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amammd32.dll"	9598c7d47b3c8f2ac0299700e2ce5d7a7f8e6eeadb1eea753356abcd754fcaf0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ihoafpmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 2104	2476	9598c7d47b3c8f2ac0299700e2ce5d7a7f8e6eeadb1eea753356abcd754fcaf0.exe	28
PID 2476 wrote to memory of 2104	2476	9598c7d47b3c8f2ac0299700e2ce5d7a7f8e6eeadb1eea753356abcd754fcaf0.exe	28
PID 2476 wrote to memory of 2104	2476	9598c7d47b3c8f2ac0299700e2ce5d7a7f8e6eeadb1eea753356abcd754fcaf0.exe	28
PID 2476 wrote to memory of 2104	2476	9598c7d47b3c8f2ac0299700e2ce5d7a7f8e6eeadb1eea753356abcd754fcaf0.exe	28
PID 2104 wrote to memory of 2712	2104	Ihoafpmp.exe	29
PID 2104 wrote to memory of 2712	2104	Ihoafpmp.exe	29
PID 2104 wrote to memory of 2712	2104	Ihoafpmp.exe	29
PID 2104 wrote to memory of 2712	2104	Ihoafpmp.exe	29
PID 2712 wrote to memory of 2000	2712	Iagfoe32.exe	30
PID 2712 wrote to memory of 2000	2712	Iagfoe32.exe	30
PID 2712 wrote to memory of 2000	2712	Iagfoe32.exe	30
PID 2712 wrote to memory of 2000	2712	Iagfoe32.exe	30

C:\Users\Admin\AppData\Local\Temp\9598c7d47b3c8f2ac0299700e2ce5d7a7f8e6eeadb1eea753356abcd754fcaf0.exe
"C:\Users\Admin\AppData\Local\Temp\9598c7d47b3c8f2ac0299700e2ce5d7a7f8e6eeadb1eea753356abcd754fcaf0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\SysWOW64\Ihoafpmp.exe
  C:\Windows\system32\Ihoafpmp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Windows\SysWOW64\Iagfoe32.exe
    C:\Windows\system32\Iagfoe32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 140
      4⤵
      Loads dropped DLL
      Program crash
      PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\Iagfoe32.exe

Filesize
376KB

MD5
df9eb837fe8c39fc10347a2c44ec7959

SHA1
45f853027133ab91b945d2a3ba6c66d88212cfc7

SHA256
9e993f46c5982742448018725c51d7bcd53a8ed639ef2909abfa4150ed123e81

SHA512
2a4d05db168a8d451d03eef0e6769749bfe8382a14297119b03cec2a83afce5df06662ec39309f75ecabbd58fe8e9f74ec3ae027cea3d7dca59bc44c86cb0178

Download Submit
\Windows\SysWOW64\Ihoafpmp.exe

Filesize
376KB

MD5
718a5f9ee805109d635273a7b5f835ff

SHA1
e2565d1125ad5ee5d4036354a3035f57f77d06fb

SHA256
e94e8aadb088eefcc858a2ad7b4521833f49af0ea4ede9dd13a92e020ffa03e0

SHA512
f85a9a05ff3618c7ab36bc8a0c865707c79db4fbc66e8849f2537bc006623f8ffba1ee36ceaf6d45de48c1ef6c5a33f71f584967488e3393e9f7b688c96bf285

Download Submit
memory/2104-19-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2104-43-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2476-4-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2476-6-0x0000000000250000-0x00000000002AE000-memory.dmp

Filesize
376KB

Download
memory/2476-12-0x0000000000250000-0x00000000002AE000-memory.dmp

Filesize
376KB

Download
memory/2476-39-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2712-27-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads