192df1cf8bfd1f098bb8dd377a3cfbc1c044a70ed43a08296e10479745df9bf1

General

Target

192df1cf8bfd1f098bb8dd377a3cfbc1c044a70ed43a08296e10479745df9bf1.exe
Size

92KB
MD5

b7934fc82c60483bcae850ec901b3f30
SHA1

39e02876ed59c0c59120f771ac85cf7d5daffd11
SHA256

192df1cf8bfd1f098bb8dd377a3cfbc1c044a70ed43a08296e10479745df9bf1
SHA512

438ae69932376dc7febd2117d6503295c881ad4c1eb078e42ff6a33a62f626b354a2187151d980abbf33d950194daf32f5b9b758b795cef78fbac138709232d5
SSDEEP

1536:/hvShuPrPjsu8a9/g3Oc4naGTaA7H1tFoqDOvnKQrUoR24HsUs:/JguPF9/g3Oc4nVTaA7H1t9DB6THsR

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hhmepp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	192df1cf8bfd1f098bb8dd377a3cfbc1c044a70ed43a08296e10479745df9bf1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	192df1cf8bfd1f098bb8dd377a3cfbc1c044a70ed43a08296e10479745df9bf1.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhmepp32.exe

Executes dropped EXE 4 IoCs

pid	Process
2032	Hhmepp32.exe
1044	Ieqeidnl.exe
2744	Ihoafpmp.exe
2776	Iagfoe32.exe

Loads dropped DLL 12 IoCs

pid	Process
1216	192df1cf8bfd1f098bb8dd377a3cfbc1c044a70ed43a08296e10479745df9bf1.exe
1216	192df1cf8bfd1f098bb8dd377a3cfbc1c044a70ed43a08296e10479745df9bf1.exe
2032	Hhmepp32.exe
2032	Hhmepp32.exe
1044	Ieqeidnl.exe
1044	Ieqeidnl.exe
2744	Ihoafpmp.exe
2744	Ihoafpmp.exe
2688	WerFault.exe
2688	WerFault.exe
2688	WerFault.exe
2688	WerFault.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Hhmepp32.exe	192df1cf8bfd1f098bb8dd377a3cfbc1c044a70ed43a08296e10479745df9bf1.exe
File created	C:\Windows\SysWOW64\Bdhaablp.dll	192df1cf8bfd1f098bb8dd377a3cfbc1c044a70ed43a08296e10479745df9bf1.exe
File created	C:\Windows\SysWOW64\Nfmjcmjd.dll	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ihoafpmp.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Hhmepp32.exe	192df1cf8bfd1f098bb8dd377a3cfbc1c044a70ed43a08296e10479745df9bf1.exe
File created	C:\Windows\SysWOW64\Ieqeidnl.exe	Hhmepp32.exe
File opened for modification	C:\Windows\SysWOW64\Ieqeidnl.exe	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Ihoafpmp.exe	Ieqeidnl.exe
File opened for modification	C:\Windows\SysWOW64\Ihoafpmp.exe	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Amammd32.dll	Ieqeidnl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2688	2776	WerFault.exe	31

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hhmepp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	192df1cf8bfd1f098bb8dd377a3cfbc1c044a70ed43a08296e10479745df9bf1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	192df1cf8bfd1f098bb8dd377a3cfbc1c044a70ed43a08296e10479745df9bf1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hhmepp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	192df1cf8bfd1f098bb8dd377a3cfbc1c044a70ed43a08296e10479745df9bf1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amammd32.dll"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	192df1cf8bfd1f098bb8dd377a3cfbc1c044a70ed43a08296e10479745df9bf1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhaablp.dll"	192df1cf8bfd1f098bb8dd377a3cfbc1c044a70ed43a08296e10479745df9bf1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	192df1cf8bfd1f098bb8dd377a3cfbc1c044a70ed43a08296e10479745df9bf1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmjcmjd.dll"	Hhmepp32.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 2032	1216	192df1cf8bfd1f098bb8dd377a3cfbc1c044a70ed43a08296e10479745df9bf1.exe	28
PID 1216 wrote to memory of 2032	1216	192df1cf8bfd1f098bb8dd377a3cfbc1c044a70ed43a08296e10479745df9bf1.exe	28
PID 1216 wrote to memory of 2032	1216	192df1cf8bfd1f098bb8dd377a3cfbc1c044a70ed43a08296e10479745df9bf1.exe	28
PID 1216 wrote to memory of 2032	1216	192df1cf8bfd1f098bb8dd377a3cfbc1c044a70ed43a08296e10479745df9bf1.exe	28
PID 2032 wrote to memory of 1044	2032	Hhmepp32.exe	29
PID 2032 wrote to memory of 1044	2032	Hhmepp32.exe	29
PID 2032 wrote to memory of 1044	2032	Hhmepp32.exe	29
PID 2032 wrote to memory of 1044	2032	Hhmepp32.exe	29
PID 1044 wrote to memory of 2744	1044	Ieqeidnl.exe	30
PID 1044 wrote to memory of 2744	1044	Ieqeidnl.exe	30
PID 1044 wrote to memory of 2744	1044	Ieqeidnl.exe	30
PID 1044 wrote to memory of 2744	1044	Ieqeidnl.exe	30
PID 2744 wrote to memory of 2776	2744	Ihoafpmp.exe	31
PID 2744 wrote to memory of 2776	2744	Ihoafpmp.exe	31
PID 2744 wrote to memory of 2776	2744	Ihoafpmp.exe	31
PID 2744 wrote to memory of 2776	2744	Ihoafpmp.exe	31
PID 2776 wrote to memory of 2688	2776	Iagfoe32.exe	32
PID 2776 wrote to memory of 2688	2776	Iagfoe32.exe	32
PID 2776 wrote to memory of 2688	2776	Iagfoe32.exe	32
PID 2776 wrote to memory of 2688	2776	Iagfoe32.exe	32

C:\Users\Admin\AppData\Local\Temp\192df1cf8bfd1f098bb8dd377a3cfbc1c044a70ed43a08296e10479745df9bf1.exe
"C:\Users\Admin\AppData\Local\Temp\192df1cf8bfd1f098bb8dd377a3cfbc1c044a70ed43a08296e10479745df9bf1.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Windows\SysWOW64\Hhmepp32.exe
  C:\Windows\system32\Hhmepp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\SysWOW64\Ieqeidnl.exe
    C:\Windows\system32\Ieqeidnl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1044
  - - C:\Windows\SysWOW64\Ihoafpmp.exe
      C:\Windows\system32\Ihoafpmp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2776
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 140
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hhmepp32.exe

Filesize
92KB

MD5
2c01679376d1c0af5b937910e76280e2

SHA1
a8a685f285b2d674d4a99bd2174965b771a618e0

SHA256
65670f30109314d6a18ef39681cd8c556df1aad2386fd9971116a30f5cfd2c23

SHA512
2fdf25078a5f358d1a2785055ec4e7f7b335e93c4e5240c995b00b761e658aab505c973b5169dfb5be6edf61a0c43f467732d768884e327d19c7d012e4b9a35e

Download Submit
\Windows\SysWOW64\Iagfoe32.exe

Filesize
92KB

MD5
bbbba50b82128b076a50271e84b77e6c

SHA1
fbc8def8e12c52cb0bf0d6c894b20414b81ebefc

SHA256
150bba729dd4177eca61327d4b13bdfca40cbcc3a9c826a3b5b52c2a830aba7a

SHA512
772f8c3a52eaf388c42e981d0c0846cb64c32e040d93c6bbabbbbd7749596c710b9c8d1741c29cc705ff37f9a305e8fcae8d48e6af9864431cca64b17dacba46

Download Submit
\Windows\SysWOW64\Ieqeidnl.exe

Filesize
92KB

MD5
e2e4ccdf03e636f30fcfc2a0e9596d1e

SHA1
84c6c2dbc09ab0f55715aa07ab9438dd787f52df

SHA256
43f466042e0a48fe4cfbe27f3bc9c4d997832c17fe670332d545cc7aaf3f2420

SHA512
76063645b0180be41c0bf1150c1ebe43f29ab25acd814c632be03598dd1c083bdacafc82a99be64e0bc685dd4d385f99c6c2b8fa16a51627637dc9c4cf35519d

Download Submit
\Windows\SysWOW64\Ihoafpmp.exe

Filesize
92KB

MD5
bd854dfcf22f2661ffbbedacd5c76021

SHA1
323e850ab61c49e075bf340ed0120d0cfd33881b

SHA256
1caaf7f27b1068fb32ed934a9ca28002c77c82122386b525702feb6afe8b6d9c

SHA512
071e68442a8b5c6766722b661c5967e4fa5a471c435c3370e61b1c24963970f3cedef1baaf8c540a89d7b6ed50016bc5bb5e8525799ae0e2dfa857fb541d3486

Download Submit
memory/1044-34-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1216-12-0x00000000002F0000-0x000000000032F000-memory.dmp

Filesize
252KB

Download
memory/1216-61-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1216-11-0x00000000002F0000-0x000000000032F000-memory.dmp

Filesize
252KB

Download
memory/1216-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2032-27-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2032-24-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2032-14-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2032-62-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2744-47-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2744-55-0x0000000000360000-0x000000000039F000-memory.dmp

Filesize
252KB

Download
memory/2744-63-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2776-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads