3b9b76d7c7ec9adc838a31c597603f2b2dc8177dd1ad38342bf2290886c389cb

General

Target

3b9b76d7c7ec9adc838a31c597603f2b2dc8177dd1ad38342bf2290886c389cb.exe
Size

259KB
MD5

d0fa9f486d1db55000b597c1876f13da
SHA1

fda0a715e5d2d95cfa769c31bd84ec1b6df6e591
SHA256

3b9b76d7c7ec9adc838a31c597603f2b2dc8177dd1ad38342bf2290886c389cb
SHA512

625d8772c7787a59ff4741774a2fda99a9721738b95ea39f06378fbbdc1a355cc6937de4f2deadbadeb42e2ea0b0891383c69fec1e9c5f37dd2ee2a5185fc153
SSDEEP

6144:OBFE6XJame/QEg9opBsDshsrYIcm4FmowdHoSa:+30hssO4wFHoSa

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ladebd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3b9b76d7c7ec9adc838a31c597603f2b2dc8177dd1ad38342bf2290886c389cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	3b9b76d7c7ec9adc838a31c597603f2b2dc8177dd1ad38342bf2290886c389cb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ladebd32.exe

Executes dropped EXE 2 IoCs

pid	Process
2192	Ladebd32.exe
2740	Lepaccmo.exe

Loads dropped DLL 8 IoCs

pid	Process
3044	3b9b76d7c7ec9adc838a31c597603f2b2dc8177dd1ad38342bf2290886c389cb.exe
3044	3b9b76d7c7ec9adc838a31c597603f2b2dc8177dd1ad38342bf2290886c389cb.exe
2192	Ladebd32.exe
2192	Ladebd32.exe
2544	WerFault.exe
2544	WerFault.exe
2544	WerFault.exe
2544	WerFault.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ladebd32.exe	3b9b76d7c7ec9adc838a31c597603f2b2dc8177dd1ad38342bf2290886c389cb.exe
File opened for modification	C:\Windows\SysWOW64\Ladebd32.exe	3b9b76d7c7ec9adc838a31c597603f2b2dc8177dd1ad38342bf2290886c389cb.exe
File created	C:\Windows\SysWOW64\Hbppfnao.dll	3b9b76d7c7ec9adc838a31c597603f2b2dc8177dd1ad38342bf2290886c389cb.exe
File created	C:\Windows\SysWOW64\Lepaccmo.exe	Ladebd32.exe
File opened for modification	C:\Windows\SysWOW64\Lepaccmo.exe	Ladebd32.exe
File created	C:\Windows\SysWOW64\Oldhgaef.dll	Ladebd32.exe

Program crash 1 IoCs

pid	pid_target	Process
2544	2740	WerFault.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	3b9b76d7c7ec9adc838a31c597603f2b2dc8177dd1ad38342bf2290886c389cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbppfnao.dll"	3b9b76d7c7ec9adc838a31c597603f2b2dc8177dd1ad38342bf2290886c389cb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ladebd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ladebd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	3b9b76d7c7ec9adc838a31c597603f2b2dc8177dd1ad38342bf2290886c389cb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	3b9b76d7c7ec9adc838a31c597603f2b2dc8177dd1ad38342bf2290886c389cb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	3b9b76d7c7ec9adc838a31c597603f2b2dc8177dd1ad38342bf2290886c389cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	3b9b76d7c7ec9adc838a31c597603f2b2dc8177dd1ad38342bf2290886c389cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oldhgaef.dll"	Ladebd32.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2192	3044	3b9b76d7c7ec9adc838a31c597603f2b2dc8177dd1ad38342bf2290886c389cb.exe	30
PID 3044 wrote to memory of 2192	3044	3b9b76d7c7ec9adc838a31c597603f2b2dc8177dd1ad38342bf2290886c389cb.exe	30
PID 3044 wrote to memory of 2192	3044	3b9b76d7c7ec9adc838a31c597603f2b2dc8177dd1ad38342bf2290886c389cb.exe	30
PID 3044 wrote to memory of 2192	3044	3b9b76d7c7ec9adc838a31c597603f2b2dc8177dd1ad38342bf2290886c389cb.exe	30
PID 2192 wrote to memory of 2740	2192	Ladebd32.exe	31
PID 2192 wrote to memory of 2740	2192	Ladebd32.exe	31
PID 2192 wrote to memory of 2740	2192	Ladebd32.exe	31
PID 2192 wrote to memory of 2740	2192	Ladebd32.exe	31
PID 2740 wrote to memory of 2544	2740	Lepaccmo.exe	32
PID 2740 wrote to memory of 2544	2740	Lepaccmo.exe	32
PID 2740 wrote to memory of 2544	2740	Lepaccmo.exe	32
PID 2740 wrote to memory of 2544	2740	Lepaccmo.exe	32

C:\Users\Admin\AppData\Local\Temp\3b9b76d7c7ec9adc838a31c597603f2b2dc8177dd1ad38342bf2290886c389cb.exe
"C:\Users\Admin\AppData\Local\Temp\3b9b76d7c7ec9adc838a31c597603f2b2dc8177dd1ad38342bf2290886c389cb.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\SysWOW64\Ladebd32.exe
  C:\Windows\system32\Ladebd32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\SysWOW64\Lepaccmo.exe
    C:\Windows\system32\Lepaccmo.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 140
      4⤵
      Loads dropped DLL
      Program crash
      PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ladebd32.exe

Filesize
259KB

MD5
c711f2bdb5f24d567956fa9bc09d2702

SHA1
421baba67acf68652974fe4f445df2849fad24e7

SHA256
4fc64672b1918cf88d441c28aa02608ebd32cef7f421075dae24bf3ebede70be

SHA512
5970b512cf2e32643c8069266217d0233ee712eb3fea63dfa980ac9bc06dbee0c661cda6953f34c76abe7bfd91e7e5bb911687f664172a91c96135593662c682

Download Submit
\Windows\SysWOW64\Lepaccmo.exe

Filesize
259KB

MD5
c335e80fbbed8c20e2cd0059d14dea07

SHA1
95a4110d381d716dc90925b5a58a97bbe5f658b2

SHA256
0e73b4b59f0d05d0f3c4070121f6c6f33624d8437a802d9450bc28efdb985a92

SHA512
4de27c73043825c6ec3e3fe633b0a314c4d6d64777db2f0953a4c10dfec7c7d1113ac9098a48da9ad442fd160741d1916688d2c4ef38a17bd5727bf0d1281cc3

Download Submit
memory/2192-19-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2740-27-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3044-18-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/3044-17-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/3044-4-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3044-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads