a5874adcc55c4e9c38e271104f14b60baabef353c6845637bbf115b17823b712

General

Target

1eb39db482886dc022ff27de79da2520N.exe
Size

57KB
MD5

1eb39db482886dc022ff27de79da2520
SHA1

e31946a85e07823072bcf7dd5d541ab3f58db65e
SHA256

a5874adcc55c4e9c38e271104f14b60baabef353c6845637bbf115b17823b712
SHA512

06deb84939e70fee60eabf89c0e234206f924d6bc94cfb42cf9f10a966bd65f72d406984d320d3f2e6c790597a406b2132609ead00d45768975fe50c8d48da4b
SSDEEP

1536:thpF5di8ALgnh4qHBSFUwmPGhlQCuGQd:pbhAVz6w4GhD16

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgcnahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgcnahoo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkojbf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1eb39db482886dc022ff27de79da2520N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1eb39db482886dc022ff27de79da2520N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kageia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kageia32.exe

Executes dropped EXE 4 IoCs

pid	Process
2844	Kageia32.exe
2696	Kgcnahoo.exe
2588	Kkojbf32.exe
1488	Lbjofi32.exe

Loads dropped DLL 13 IoCs

pid	Process
2096	1eb39db482886dc022ff27de79da2520N.exe
2096	1eb39db482886dc022ff27de79da2520N.exe
2844	Kageia32.exe
2844	Kageia32.exe
2696	Kgcnahoo.exe
2696	Kgcnahoo.exe
2588	Kkojbf32.exe
2588	Kkojbf32.exe
2624	WerFault.exe
2624	WerFault.exe
2624	WerFault.exe
2624	WerFault.exe
2624	WerFault.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kageia32.exe	1eb39db482886dc022ff27de79da2520N.exe
File opened for modification	C:\Windows\SysWOW64\Kageia32.exe	1eb39db482886dc022ff27de79da2520N.exe
File created	C:\Windows\SysWOW64\Jlflfm32.dll	1eb39db482886dc022ff27de79da2520N.exe
File created	C:\Windows\SysWOW64\Kgcnahoo.exe	Kageia32.exe
File opened for modification	C:\Windows\SysWOW64\Kgcnahoo.exe	Kageia32.exe
File created	C:\Windows\SysWOW64\Pgodelnq.dll	Kageia32.exe
File created	C:\Windows\SysWOW64\Gffdobll.dll	Kgcnahoo.exe
File created	C:\Windows\SysWOW64\Kkojbf32.exe	Kgcnahoo.exe
File opened for modification	C:\Windows\SysWOW64\Kkojbf32.exe	Kgcnahoo.exe
File created	C:\Windows\SysWOW64\Lbjofi32.exe	Kkojbf32.exe
File opened for modification	C:\Windows\SysWOW64\Lbjofi32.exe	Kkojbf32.exe
File created	C:\Windows\SysWOW64\Ipafocdg.dll	Kkojbf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2624	1488	WerFault.exe	33

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlflfm32.dll"	1eb39db482886dc022ff27de79da2520N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	1eb39db482886dc022ff27de79da2520N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kageia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	1eb39db482886dc022ff27de79da2520N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	1eb39db482886dc022ff27de79da2520N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kageia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipafocdg.dll"	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgcnahoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgodelnq.dll"	Kageia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgcnahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gffdobll.dll"	Kgcnahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkojbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	1eb39db482886dc022ff27de79da2520N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	1eb39db482886dc022ff27de79da2520N.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2844	2096	1eb39db482886dc022ff27de79da2520N.exe	30
PID 2096 wrote to memory of 2844	2096	1eb39db482886dc022ff27de79da2520N.exe	30
PID 2096 wrote to memory of 2844	2096	1eb39db482886dc022ff27de79da2520N.exe	30
PID 2096 wrote to memory of 2844	2096	1eb39db482886dc022ff27de79da2520N.exe	30
PID 2844 wrote to memory of 2696	2844	Kageia32.exe	31
PID 2844 wrote to memory of 2696	2844	Kageia32.exe	31
PID 2844 wrote to memory of 2696	2844	Kageia32.exe	31
PID 2844 wrote to memory of 2696	2844	Kageia32.exe	31
PID 2696 wrote to memory of 2588	2696	Kgcnahoo.exe	32
PID 2696 wrote to memory of 2588	2696	Kgcnahoo.exe	32
PID 2696 wrote to memory of 2588	2696	Kgcnahoo.exe	32
PID 2696 wrote to memory of 2588	2696	Kgcnahoo.exe	32
PID 2588 wrote to memory of 1488	2588	Kkojbf32.exe	33
PID 2588 wrote to memory of 1488	2588	Kkojbf32.exe	33
PID 2588 wrote to memory of 1488	2588	Kkojbf32.exe	33
PID 2588 wrote to memory of 1488	2588	Kkojbf32.exe	33
PID 1488 wrote to memory of 2624	1488	Lbjofi32.exe	34
PID 1488 wrote to memory of 2624	1488	Lbjofi32.exe	34
PID 1488 wrote to memory of 2624	1488	Lbjofi32.exe	34
PID 1488 wrote to memory of 2624	1488	Lbjofi32.exe	34

C:\Users\Admin\AppData\Local\Temp\1eb39db482886dc022ff27de79da2520N.exe
"C:\Users\Admin\AppData\Local\Temp\1eb39db482886dc022ff27de79da2520N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\SysWOW64\Kageia32.exe
  C:\Windows\system32\Kageia32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\SysWOW64\Kgcnahoo.exe
    C:\Windows\system32\Kgcnahoo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\SysWOW64\Kkojbf32.exe
      C:\Windows\system32\Kkojbf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Windows\SysWOW64\Lbjofi32.exe
        
        C:\Windows\system32\Lbjofi32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1488
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 140
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kageia32.exe

Filesize
57KB

MD5
fd7fb4739c372e7f5a5c530ff08ec623

SHA1
7fc9bb27a6c61dc21e5f5ad99195098e3ea47fac

SHA256
b41c211e5309d7ff99d5e2dcb3c5423becceeb8ad4033ac482802c2d350c3d24

SHA512
93376fca47348ecedfd3381e77df04b386125d8412128509da668ba797e78ee833f3fc72b4cba478cc1c57bdfaaf4ddd45cb01cc7c2f844eb7e61d841d643d90

Download Submit
C:\Windows\SysWOW64\Kgcnahoo.exe

Filesize
57KB

MD5
120babc4eba4068fea4ad25f9e34cb5f

SHA1
fd9943d2f72ff3289942b371435e56fe9f7f2a44

SHA256
ffbacbeb86325b99a702f89d1938a342c69879311159a7d6157c058611277e8b

SHA512
6d59b97548da477c54b69e0aa7d0b06f659f4106994f8aed728d99b11b5ef15a8f3e5548ea62ad5bc2b65bdc46be777614ddade90350eb2b91e166cd2aaf5fe8

Download Submit
\Windows\SysWOW64\Kkojbf32.exe

Filesize
57KB

MD5
e461bd5abc16fc2f87b98615d5769791

SHA1
c632a6d81a7dd4b73346dedf2f633c9560f31f54

SHA256
91fd8562d932227dd0af555cdfc4c5f36e81b9d97bf20c057e0ba46b1fd049e4

SHA512
1bb079638d53f5d32799bd1500f769e65c9f776f971d1f85f4ff58e8929cb5b57b97e2cf34ac81f5caf7da18874b610986e2b147870699d8db66fcb93be3c11b

Download Submit
\Windows\SysWOW64\Lbjofi32.exe

Filesize
57KB

MD5
4926aebddb0ea5fe207fbcf63339f6be

SHA1
35b4601492ea47db0c40edcebe82f715beb5eed9

SHA256
6e13e001075e1b1266bbf4192da36609a7af8fe66316aff34ab665b4877e565c

SHA512
e65a73733fcb141abf9df5783598c622ef4e9be95340875af50f2648b88a940a129aede7db956a87c75a42563aa16657819e5a96f9859e95a5c2d9bc6175844b

Download Submit
memory/1488-53-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2096-12-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2096-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2096-59-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2588-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2588-61-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2696-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2844-26-0x00000000002F0000-0x0000000000325000-memory.dmp

Filesize
212KB

Download
memory/2844-13-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2844-60-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads