3bb524dc4395c2f68be8c8e05bf7fbc651c0ca570b7b98a6b95d6a700c623ee0

General

Target

3bb524dc4395c2f68be8c8e05bf7fbc651c0ca570b7b98a6b95d6a700c623ee0.exe
Size

96KB
MD5

40ba8d92932e52ffd6a0e97920fb0d76
SHA1

99edf29b953c27a8f4d8ef5eebcde30bec60f40f
SHA256

3bb524dc4395c2f68be8c8e05bf7fbc651c0ca570b7b98a6b95d6a700c623ee0
SHA512

3904590ed6e24ec1455346e36b36f9343db5ccb7807d7b00e2bf87f8583140ed1d3b892b3c23b4d657c1af3f4cdb156086ae84050b8a4e247a60dba33498c4a8
SSDEEP

1536:HvUlSZFJ32m2ysQ2Lk1iPXuhiTMuZXGTIVefVDkryyAyqX:Hv5AmWaiPXuhuXGQmVDeCyqX

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iaeiieeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3bb524dc4395c2f68be8c8e05bf7fbc651c0ca570b7b98a6b95d6a700c623ee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	3bb524dc4395c2f68be8c8e05bf7fbc651c0ca570b7b98a6b95d6a700c623ee0.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Henidd32.exe

Executes dropped EXE 3 IoCs

pid	Process
1704	Henidd32.exe
3064	Iaeiieeb.exe
2620	Iagfoe32.exe

Loads dropped DLL 10 IoCs

pid	Process
2188	3bb524dc4395c2f68be8c8e05bf7fbc651c0ca570b7b98a6b95d6a700c623ee0.exe
2188	3bb524dc4395c2f68be8c8e05bf7fbc651c0ca570b7b98a6b95d6a700c623ee0.exe
1704	Henidd32.exe
1704	Henidd32.exe
3064	Iaeiieeb.exe
3064	Iaeiieeb.exe
3068	WerFault.exe
3068	WerFault.exe
3068	WerFault.exe
3068	WerFault.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Polebcgg.dll	3bb524dc4395c2f68be8c8e05bf7fbc651c0ca570b7b98a6b95d6a700c623ee0.exe
File opened for modification	C:\Windows\SysWOW64\Iaeiieeb.exe	Henidd32.exe
File created	C:\Windows\SysWOW64\Gmibbifn.dll	Henidd32.exe
File opened for modification	C:\Windows\SysWOW64\Henidd32.exe	3bb524dc4395c2f68be8c8e05bf7fbc651c0ca570b7b98a6b95d6a700c623ee0.exe
File created	C:\Windows\SysWOW64\Iaeiieeb.exe	Henidd32.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Iaeiieeb.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Iaeiieeb.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Iaeiieeb.exe
File created	C:\Windows\SysWOW64\Henidd32.exe	3bb524dc4395c2f68be8c8e05bf7fbc651c0ca570b7b98a6b95d6a700c623ee0.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3068	2620	WerFault.exe	30

Modifies registry class 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Iaeiieeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	3bb524dc4395c2f68be8c8e05bf7fbc651c0ca570b7b98a6b95d6a700c623ee0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmibbifn.dll"	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	3bb524dc4395c2f68be8c8e05bf7fbc651c0ca570b7b98a6b95d6a700c623ee0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iaeiieeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	3bb524dc4395c2f68be8c8e05bf7fbc651c0ca570b7b98a6b95d6a700c623ee0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	3bb524dc4395c2f68be8c8e05bf7fbc651c0ca570b7b98a6b95d6a700c623ee0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	3bb524dc4395c2f68be8c8e05bf7fbc651c0ca570b7b98a6b95d6a700c623ee0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polebcgg.dll"	3bb524dc4395c2f68be8c8e05bf7fbc651c0ca570b7b98a6b95d6a700c623ee0.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 1704	2188	3bb524dc4395c2f68be8c8e05bf7fbc651c0ca570b7b98a6b95d6a700c623ee0.exe	28
PID 2188 wrote to memory of 1704	2188	3bb524dc4395c2f68be8c8e05bf7fbc651c0ca570b7b98a6b95d6a700c623ee0.exe	28
PID 2188 wrote to memory of 1704	2188	3bb524dc4395c2f68be8c8e05bf7fbc651c0ca570b7b98a6b95d6a700c623ee0.exe	28
PID 2188 wrote to memory of 1704	2188	3bb524dc4395c2f68be8c8e05bf7fbc651c0ca570b7b98a6b95d6a700c623ee0.exe	28
PID 1704 wrote to memory of 3064	1704	Henidd32.exe	29
PID 1704 wrote to memory of 3064	1704	Henidd32.exe	29
PID 1704 wrote to memory of 3064	1704	Henidd32.exe	29
PID 1704 wrote to memory of 3064	1704	Henidd32.exe	29
PID 3064 wrote to memory of 2620	3064	Iaeiieeb.exe	30
PID 3064 wrote to memory of 2620	3064	Iaeiieeb.exe	30
PID 3064 wrote to memory of 2620	3064	Iaeiieeb.exe	30
PID 3064 wrote to memory of 2620	3064	Iaeiieeb.exe	30
PID 2620 wrote to memory of 3068	2620	Iagfoe32.exe	31
PID 2620 wrote to memory of 3068	2620	Iagfoe32.exe	31
PID 2620 wrote to memory of 3068	2620	Iagfoe32.exe	31
PID 2620 wrote to memory of 3068	2620	Iagfoe32.exe	31

C:\Users\Admin\AppData\Local\Temp\3bb524dc4395c2f68be8c8e05bf7fbc651c0ca570b7b98a6b95d6a700c623ee0.exe
"C:\Users\Admin\AppData\Local\Temp\3bb524dc4395c2f68be8c8e05bf7fbc651c0ca570b7b98a6b95d6a700c623ee0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\SysWOW64\Henidd32.exe
  C:\Windows\system32\Henidd32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\SysWOW64\Iaeiieeb.exe
    C:\Windows\system32\Iaeiieeb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Windows\SysWOW64\Iagfoe32.exe
      C:\Windows\system32\Iagfoe32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 140
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\Henidd32.exe

Filesize
96KB

MD5
b265ef9034085137a0a98e0dd8ca7a58

SHA1
a8c59ed40253cd58ab61bc8706e3bcca16ffd60f

SHA256
28667495f443030d4fd0de9355b942d71d3dc4eeb9554d4cda8baa9102cd31a2

SHA512
f98be6b1beab55dc77753ee031b5938c91d1f559369709ea0abfc346ca300014d53c78369ea0a51c5dd59bf0e66225687a7db7fb6e2baf9a5b9283a7c207cadb

Download Submit
\Windows\SysWOW64\Iaeiieeb.exe

Filesize
96KB

MD5
5719e76639fa6909fe49922e451befc4

SHA1
3a2c8ddd60d628535c391a3a13a0804cdfa3507c

SHA256
2bc8d4a65ce4e71d04c2280a1087bd906d17e6be77d536f8cf410bf06661a091

SHA512
2f16ca31218119327e3121047a599cbe9302ef9b447b06ec4c041a74bcde56b407737f79880f6b0d769076160d14c243eac9e2bd6484e017bbe81d656382a7a5

Download Submit
\Windows\SysWOW64\Iagfoe32.exe

Filesize
96KB

MD5
4c0c9688237d9855092eb326d3158b05

SHA1
cc3dd4e2ff29eeac04732ac96d47c95544fdd297

SHA256
3defa24c142a56327086d1db96d42956b1b0df83969092486b4c54b99f5b4bd1

SHA512
e268dcc19f2d588191fb8c86499d40b1bd817b9245ae5847ebdfb659ede80a1e17621c4a8182e1adef5e8c243d2eae5b096a5c6a914ea9ee5c819d3c691f19fa

Download Submit
memory/1704-24-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1704-45-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2188-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2188-6-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2188-44-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3064-26-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3064-34-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/3064-46-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads