1eee45e0e9ddb162ecde34af94d8a56e1b50f7df7873fea872f7292a3f482463

Analysis

max time kernel
141s
max time network
126s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1eee45e0e9ddb162ecde34af94d8a56e1b50f7df7873fea872f7292a3f482463.exe
Size

96KB
MD5

52627935e8abda8ef27f08f254bae507
SHA1

02ce76db9f4d79f6c1798742869804244379b6c7
SHA256

1eee45e0e9ddb162ecde34af94d8a56e1b50f7df7873fea872f7292a3f482463
SHA512

ef7eddaf94c1a8bf388603e10a07e07b47b2b0fdb7c0a2d7e46afebb4fb983dcc74f9cbe004be7400c6e2a0e523335b0ee8117a5fee9b76ced0ccc9cab406c7c
SSDEEP

1536:7l4cFzHPEE3d2nbIeMCTnLD39pmDc2L57RZObZUUWaegPYA:B4cFzHBkBMID3A5ClUUWae

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kadica32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfaalh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmkihbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbhbai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmmfnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfaalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmkihbho.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbhbai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkojbf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1eee45e0e9ddb162ecde34af94d8a56e1b50f7df7873fea872f7292a3f482463.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmmfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1eee45e0e9ddb162ecde34af94d8a56e1b50f7df7873fea872f7292a3f482463.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kadica32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkojbf32.exe

Executes dropped EXE 8 IoCs

pid	Process
2388	Kfodfh32.exe
2796	Kadica32.exe
3040	Kfaalh32.exe
2676	Kmkihbho.exe
2560	Kbhbai32.exe
1956	Kkojbf32.exe
2256	Lmmfnb32.exe
852	Lbjofi32.exe

Loads dropped DLL 20 IoCs

pid	Process
2852	1eee45e0e9ddb162ecde34af94d8a56e1b50f7df7873fea872f7292a3f482463.exe
2852	1eee45e0e9ddb162ecde34af94d8a56e1b50f7df7873fea872f7292a3f482463.exe
2388	Kfodfh32.exe
2388	Kfodfh32.exe
2796	Kadica32.exe
2796	Kadica32.exe
3040	Kfaalh32.exe
3040	Kfaalh32.exe
2676	Kmkihbho.exe
2676	Kmkihbho.exe
2560	Kbhbai32.exe
2560	Kbhbai32.exe
1956	Kkojbf32.exe
1956	Kkojbf32.exe
2256	Lmmfnb32.exe
2256	Lmmfnb32.exe
2872	WerFault.exe
2872	WerFault.exe
2872	WerFault.exe
2872	WerFault.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lmmfnb32.exe	Kkojbf32.exe
File opened for modification	C:\Windows\SysWOW64\Lmmfnb32.exe	Kkojbf32.exe
File created	C:\Windows\SysWOW64\Lbjofi32.exe	Lmmfnb32.exe
File opened for modification	C:\Windows\SysWOW64\Kmkihbho.exe	Kfaalh32.exe
File created	C:\Windows\SysWOW64\Kbhbai32.exe	Kmkihbho.exe
File created	C:\Windows\SysWOW64\Bndneq32.dll	Kmkihbho.exe
File opened for modification	C:\Windows\SysWOW64\Kkojbf32.exe	Kbhbai32.exe
File created	C:\Windows\SysWOW64\Gffdobll.dll	Kbhbai32.exe
File created	C:\Windows\SysWOW64\Ipafocdg.dll	Lmmfnb32.exe
File created	C:\Windows\SysWOW64\Kcjeje32.dll	1eee45e0e9ddb162ecde34af94d8a56e1b50f7df7873fea872f7292a3f482463.exe
File created	C:\Windows\SysWOW64\Hhhamf32.dll	Kfodfh32.exe
File opened for modification	C:\Windows\SysWOW64\Kfaalh32.exe	Kadica32.exe
File created	C:\Windows\SysWOW64\Phblkn32.dll	Kadica32.exe
File opened for modification	C:\Windows\SysWOW64\Kbhbai32.exe	Kmkihbho.exe
File created	C:\Windows\SysWOW64\Pigckoki.dll	Kkojbf32.exe
File created	C:\Windows\SysWOW64\Kadica32.exe	Kfodfh32.exe
File opened for modification	C:\Windows\SysWOW64\Kadica32.exe	Kfodfh32.exe
File created	C:\Windows\SysWOW64\Kmkihbho.exe	Kfaalh32.exe
File created	C:\Windows\SysWOW64\Canhhi32.dll	Kfaalh32.exe
File created	C:\Windows\SysWOW64\Kkojbf32.exe	Kbhbai32.exe
File created	C:\Windows\SysWOW64\Kfodfh32.exe	1eee45e0e9ddb162ecde34af94d8a56e1b50f7df7873fea872f7292a3f482463.exe
File opened for modification	C:\Windows\SysWOW64\Kfodfh32.exe	1eee45e0e9ddb162ecde34af94d8a56e1b50f7df7873fea872f7292a3f482463.exe
File created	C:\Windows\SysWOW64\Kfaalh32.exe	Kadica32.exe
File opened for modification	C:\Windows\SysWOW64\Lbjofi32.exe	Lmmfnb32.exe

Program crash 1 IoCs

pid	pid_target	Process
2872	852	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfaalh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmkihbho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmmfnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1eee45e0e9ddb162ecde34af94d8a56e1b50f7df7873fea872f7292a3f482463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kadica32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhbai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkojbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfodfh32.exe

Modifies registry class 27 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcjeje32.dll"	1eee45e0e9ddb162ecde34af94d8a56e1b50f7df7873fea872f7292a3f482463.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Canhhi32.dll"	Kfaalh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	1eee45e0e9ddb162ecde34af94d8a56e1b50f7df7873fea872f7292a3f482463.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmkihbho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbhbai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkojbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmmfnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	1eee45e0e9ddb162ecde34af94d8a56e1b50f7df7873fea872f7292a3f482463.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfaalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bndneq32.dll"	Kmkihbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gffdobll.dll"	Kbhbai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pigckoki.dll"	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kadica32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfaalh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmkihbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhhamf32.dll"	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipafocdg.dll"	Lmmfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	1eee45e0e9ddb162ecde34af94d8a56e1b50f7df7873fea872f7292a3f482463.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kadica32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	1eee45e0e9ddb162ecde34af94d8a56e1b50f7df7873fea872f7292a3f482463.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	1eee45e0e9ddb162ecde34af94d8a56e1b50f7df7873fea872f7292a3f482463.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phblkn32.dll"	Kadica32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmmfnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfodfh32.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 2388	2852	1eee45e0e9ddb162ecde34af94d8a56e1b50f7df7873fea872f7292a3f482463.exe	30
PID 2852 wrote to memory of 2388	2852	1eee45e0e9ddb162ecde34af94d8a56e1b50f7df7873fea872f7292a3f482463.exe	30
PID 2852 wrote to memory of 2388	2852	1eee45e0e9ddb162ecde34af94d8a56e1b50f7df7873fea872f7292a3f482463.exe	30
PID 2852 wrote to memory of 2388	2852	1eee45e0e9ddb162ecde34af94d8a56e1b50f7df7873fea872f7292a3f482463.exe	30
PID 2388 wrote to memory of 2796	2388	Kfodfh32.exe	31
PID 2388 wrote to memory of 2796	2388	Kfodfh32.exe	31
PID 2388 wrote to memory of 2796	2388	Kfodfh32.exe	31
PID 2388 wrote to memory of 2796	2388	Kfodfh32.exe	31
PID 2796 wrote to memory of 3040	2796	Kadica32.exe	32
PID 2796 wrote to memory of 3040	2796	Kadica32.exe	32
PID 2796 wrote to memory of 3040	2796	Kadica32.exe	32
PID 2796 wrote to memory of 3040	2796	Kadica32.exe	32
PID 3040 wrote to memory of 2676	3040	Kfaalh32.exe	33
PID 3040 wrote to memory of 2676	3040	Kfaalh32.exe	33
PID 3040 wrote to memory of 2676	3040	Kfaalh32.exe	33
PID 3040 wrote to memory of 2676	3040	Kfaalh32.exe	33
PID 2676 wrote to memory of 2560	2676	Kmkihbho.exe	34
PID 2676 wrote to memory of 2560	2676	Kmkihbho.exe	34
PID 2676 wrote to memory of 2560	2676	Kmkihbho.exe	34
PID 2676 wrote to memory of 2560	2676	Kmkihbho.exe	34
PID 2560 wrote to memory of 1956	2560	Kbhbai32.exe	35
PID 2560 wrote to memory of 1956	2560	Kbhbai32.exe	35
PID 2560 wrote to memory of 1956	2560	Kbhbai32.exe	35
PID 2560 wrote to memory of 1956	2560	Kbhbai32.exe	35
PID 1956 wrote to memory of 2256	1956	Kkojbf32.exe	36
PID 1956 wrote to memory of 2256	1956	Kkojbf32.exe	36
PID 1956 wrote to memory of 2256	1956	Kkojbf32.exe	36
PID 1956 wrote to memory of 2256	1956	Kkojbf32.exe	36
PID 2256 wrote to memory of 852	2256	Lmmfnb32.exe	37
PID 2256 wrote to memory of 852	2256	Lmmfnb32.exe	37
PID 2256 wrote to memory of 852	2256	Lmmfnb32.exe	37
PID 2256 wrote to memory of 852	2256	Lmmfnb32.exe	37
PID 852 wrote to memory of 2872	852	Lbjofi32.exe	38
PID 852 wrote to memory of 2872	852	Lbjofi32.exe	38
PID 852 wrote to memory of 2872	852	Lbjofi32.exe	38
PID 852 wrote to memory of 2872	852	Lbjofi32.exe	38

C:\Users\Admin\AppData\Local\Temp\1eee45e0e9ddb162ecde34af94d8a56e1b50f7df7873fea872f7292a3f482463.exe
"C:\Users\Admin\AppData\Local\Temp\1eee45e0e9ddb162ecde34af94d8a56e1b50f7df7873fea872f7292a3f482463.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\SysWOW64\Kfodfh32.exe
  C:\Windows\system32\Kfodfh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\SysWOW64\Kadica32.exe
    C:\Windows\system32\Kadica32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\SysWOW64\Kfaalh32.exe
      C:\Windows\system32\Kfaalh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3040
    - - C:\Windows\SysWOW64\Kmkihbho.exe
        
        C:\Windows\system32\Kmkihbho.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
      - C:\Windows\SysWOW64\Kbhbai32.exe
        
        C:\Windows\system32\Kbhbai32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Kkojbf32.exe
        
        C:\Windows\system32\Kkojbf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Lmmfnb32.exe
        
        C:\Windows\system32\Lmmfnb32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\SysWOW64\Lbjofi32.exe
        
        C:\Windows\system32\Lbjofi32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 140
        10⤵
        Loads dropped DLL
        Program crash
        
        PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kadica32.exe

Filesize
96KB

MD5
a9db386ce78a145261fc59e3d0eb27b9

SHA1
7bd0e8bc54481126c110f8d8e7503463f6118a89

SHA256
946a26492d272b62fe9135bfafeef006842a9237bd78a30f78d5972b3c040b85

SHA512
dd5b4305acf5d4f551216bf4e13cd46e73f36437f8a79e53cfc0f43b9f1687a55e113890d13dfcb35e9d2fb6dd3c44b075fca7f26c2d3d7d92c1a6d16da12f5d

Download Submit
C:\Windows\SysWOW64\Kbhbai32.exe

Filesize
96KB

MD5
addeeecfd4ff08fac398b58f2b8e3880

SHA1
3d46677bab6dad61d6c380fd513a5d9280a38a0b

SHA256
b89ca4ab6a016d037baebdf955f014ea5d1fc412a5e79f1ff0d8e1bdac360f57

SHA512
8f6adfee9f796469705409cc4e0b1f1f72cca60ccc95922f19f05439f0b9b4f9945f821d8045fd1abe1a381e3c3f62f4d11643a25956d6a18208951386c7930b

Download Submit
C:\Windows\SysWOW64\Kfaalh32.exe

Filesize
96KB

MD5
86b29e6ca24e56e220fb7fff878bfe1d

SHA1
4284e58332e34fdf0bbb1f0dbd36502c6c599109

SHA256
6c65becedcf69bda8d2f7dc8108c4b9b4f9abc92bd5c4644aaf684cab6006dc6

SHA512
055703df5607ed7e0659759c9201def58e6a46cfdae3115e7409b6b9bb52a08a0d7b8bccbdbfc9dd84fa1ebf6b6763648eeab2df89efa27f48e08dec98997c18

Download Submit
C:\Windows\SysWOW64\Kfodfh32.exe

Filesize
96KB

MD5
251b44bff84d6aa1eda9d1f33a587eb0

SHA1
76e0a077b7a52c178c59d3bf8b9087ba472577ed

SHA256
c49bdea03b9001fe61708cd82996e8c2b4d59a1f91ca0a4e32556bf22b7bf7bf

SHA512
36e6903ef9d32e61d892f762d13432897641e73bf724f2e4b9fcfb460bf01325dd3127f79f52abb673662522060b33e66e27a698471e07039711e2ddb7b2a15f

Download Submit
C:\Windows\SysWOW64\Kkojbf32.exe

Filesize
96KB

MD5
bdb885153f23d5b4634d4733247ca174

SHA1
a74d51ddef04220fb3b91605373beac5e81713e4

SHA256
7fe9ccb87660adff8543008348cd73b9a617c0794862c7b154ecc758aac70084

SHA512
9651899054820edb5b976a91c4e54e0e03a9f5c643468d735d45f2c3721df8a1668183deaa3c873c957e80149a6dd59e9bca01e7313761294d9cdc38159cea56

Download Submit
C:\Windows\SysWOW64\Kmkihbho.exe

Filesize
96KB

MD5
4d33cbc116914680a87d3b6d87806d8a

SHA1
3530dc6c9624a88bb43893bce9968c6f4f2ce279

SHA256
d9d1fea4d6351540e827faae58a569fa5c3154a72c36e2ed4840d1d9cbef0d3d

SHA512
5efcffa30592b270efca718bd19d148d51237ce3c420cfaf9dc01378b895c6943c4593e2474ca9eed1c973c1abf92f9d453680cf6426fc4d173d2ebe7ead3358

Download Submit
C:\Windows\SysWOW64\Lmmfnb32.exe

Filesize
96KB

MD5
13f6fea25cba6294c821d204e5c0736e

SHA1
d8b2f53d15a4eec1b42e420f6bd454d6db1dfab2

SHA256
edaf9029c105ed349b600e50c6458ff0cf8c04a2318c52e2ff122825c82ad9ab

SHA512
3256d404b69fbe6e72f064826ca99d5c7703fc6af5dee6968bb81643da2d9b90cd0d3dc104b274f4c59ade803178c5e0c68e1684ed84ad969496b852a7ae7a71

Download Submit
\Windows\SysWOW64\Lbjofi32.exe

Filesize
96KB

MD5
9ce1727d1a9eb2cac5250129166aea3c

SHA1
e3fcd0183132e14aace2763c1f54e69f53ef584e

SHA256
85636d50437a70a1567d35520f74d58e115243eb6e322b9ab474e375f8fa3b8b

SHA512
c1d946bfca1086278d55611d498969afadbe6783a1e690da648844b433f5db70afbd02745db7f7b1df6ba1ad1c210c5ad6059af512edf1661a2c16b4acb84578

Download Submit
memory/852-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-87-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-108-0x0000000001F70000-0x0000000001FA3000-memory.dmp

Filesize
204KB

Download
memory/2388-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2560-80-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2560-68-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2560-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2676-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2676-118-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2796-116-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2796-40-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2796-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2852-17-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2852-18-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2852-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2852-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3040-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3040-53-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/3040-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads