c78e508e0d9b8d1ee5c8fc3961e3019153f76c028a594f794ea19840c4ab0b9a

General

Target

033fa9fef6d04d64b04d40946fe41500N.exe
Size

464KB
MD5

033fa9fef6d04d64b04d40946fe41500
SHA1

8f6151a53d8dde717ecec0058c362fe4a2fdb61f
SHA256

c78e508e0d9b8d1ee5c8fc3961e3019153f76c028a594f794ea19840c4ab0b9a
SHA512

44246002a9b15a3cc61f3f5110072d251b031d656ade967414f22ba934eb33f3f420a3dc8b00927dc433b32d1b0d96c5e46cc01745322fa1c306abd0827ec8be
SSDEEP

6144:UoRnSVgowEOIIIPCn4EOIuIPJEOOcHTETKEOIIIPC:hhSiEVI2C4EVu2JEVcBEVI2C

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkojbf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	033fa9fef6d04d64b04d40946fe41500N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	033fa9fef6d04d64b04d40946fe41500N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmkihbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmkihbho.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkojbf32.exe

Executes dropped EXE 3 IoCs

pid	Process
2260	Kmkihbho.exe
2584	Kkojbf32.exe
2704	Lepaccmo.exe

Loads dropped DLL 10 IoCs

pid	Process
2256	033fa9fef6d04d64b04d40946fe41500N.exe
2256	033fa9fef6d04d64b04d40946fe41500N.exe
2260	Kmkihbho.exe
2260	Kmkihbho.exe
2584	Kkojbf32.exe
2584	Kkojbf32.exe
2500	WerFault.exe
2500	WerFault.exe
2500	WerFault.exe
2500	WerFault.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kmkihbho.exe	033fa9fef6d04d64b04d40946fe41500N.exe
File opened for modification	C:\Windows\SysWOW64\Kmkihbho.exe	033fa9fef6d04d64b04d40946fe41500N.exe
File created	C:\Windows\SysWOW64\Canhhi32.dll	033fa9fef6d04d64b04d40946fe41500N.exe
File opened for modification	C:\Windows\SysWOW64\Lepaccmo.exe	Kkojbf32.exe
File created	C:\Windows\SysWOW64\Oldhgaef.dll	Kkojbf32.exe
File created	C:\Windows\SysWOW64\Kkojbf32.exe	Kmkihbho.exe
File opened for modification	C:\Windows\SysWOW64\Kkojbf32.exe	Kmkihbho.exe
File created	C:\Windows\SysWOW64\Gffdobll.dll	Kmkihbho.exe
File created	C:\Windows\SysWOW64\Lepaccmo.exe	Kkojbf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2500	2704	WerFault.exe	32

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkojbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepaccmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	033fa9fef6d04d64b04d40946fe41500N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmkihbho.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kmkihbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gffdobll.dll"	Kmkihbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kmkihbho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	033fa9fef6d04d64b04d40946fe41500N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oldhgaef.dll"	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kkojbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	033fa9fef6d04d64b04d40946fe41500N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	033fa9fef6d04d64b04d40946fe41500N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	033fa9fef6d04d64b04d40946fe41500N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	033fa9fef6d04d64b04d40946fe41500N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Canhhi32.dll"	033fa9fef6d04d64b04d40946fe41500N.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2260	2256	033fa9fef6d04d64b04d40946fe41500N.exe	30
PID 2256 wrote to memory of 2260	2256	033fa9fef6d04d64b04d40946fe41500N.exe	30
PID 2256 wrote to memory of 2260	2256	033fa9fef6d04d64b04d40946fe41500N.exe	30
PID 2256 wrote to memory of 2260	2256	033fa9fef6d04d64b04d40946fe41500N.exe	30
PID 2260 wrote to memory of 2584	2260	Kmkihbho.exe	31
PID 2260 wrote to memory of 2584	2260	Kmkihbho.exe	31
PID 2260 wrote to memory of 2584	2260	Kmkihbho.exe	31
PID 2260 wrote to memory of 2584	2260	Kmkihbho.exe	31
PID 2584 wrote to memory of 2704	2584	Kkojbf32.exe	32
PID 2584 wrote to memory of 2704	2584	Kkojbf32.exe	32
PID 2584 wrote to memory of 2704	2584	Kkojbf32.exe	32
PID 2584 wrote to memory of 2704	2584	Kkojbf32.exe	32
PID 2704 wrote to memory of 2500	2704	Lepaccmo.exe	33
PID 2704 wrote to memory of 2500	2704	Lepaccmo.exe	33
PID 2704 wrote to memory of 2500	2704	Lepaccmo.exe	33
PID 2704 wrote to memory of 2500	2704	Lepaccmo.exe	33

C:\Users\Admin\AppData\Local\Temp\033fa9fef6d04d64b04d40946fe41500N.exe
"C:\Users\Admin\AppData\Local\Temp\033fa9fef6d04d64b04d40946fe41500N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\SysWOW64\Kmkihbho.exe
  C:\Windows\system32\Kmkihbho.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\SysWOW64\Kkojbf32.exe
    C:\Windows\system32\Kkojbf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\SysWOW64\Lepaccmo.exe
      C:\Windows\system32\Lepaccmo.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 140
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kkojbf32.exe

Filesize
464KB

MD5
0f8ce3b6730dcf41e0c0c9f40c2dc1ef

SHA1
3ea3b7be33c7a70bded23ff4d2000c598acf1a8c

SHA256
f65d442f389f4a8b1f11cc27236c1244b7315f9d544ef520fea9579c7d429569

SHA512
84b10056119113207d660d9e33d61d54ccc970a3c1b8b7704c3303ea9a89b7f8f957bd2d589fb8de150f7bd06c6da6dcff9752d007b2b4a8062a0bcab005b617

Download Submit
C:\Windows\SysWOW64\Kmkihbho.exe

Filesize
464KB

MD5
1a534dba852a6cc6eeda1f0adb32c4b2

SHA1
3387068b9fd346a8f7b9ab49f01cffb63bfea7f4

SHA256
cf4948ea26df913c8bafaa246bb45d9c01a3fd26111a9bfd82000848c259d500

SHA512
78667afaea2781dc11bf7d4e90c76b0a9cffd9e42ab95499ec23ac08db83e1c339a278fd8bb693eb539bcdf13478127462b2c92a870cb80794d5efb6307a086a

Download Submit
\Windows\SysWOW64\Lepaccmo.exe

Filesize
464KB

MD5
a4316d87858c9475134c00c4c2907c18

SHA1
ad9a2731121d260eb3391ea182900d87f23a34f1

SHA256
8730528b1549097762e03cb25e3832128719aa5cd6a6072e4bac35e5ea3c2701

SHA512
d48afe14607dde16f09103069b3b9f99276a95ffa7e8560926e668420860738f89619ff82588285c63e6a1c812b3e1c2f7b87e8c9b68448f3d9ef487fa841d29

Download Submit
memory/2256-0-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2256-12-0x0000000001CF0000-0x0000000001D8D000-memory.dmp

Filesize
628KB

Download
memory/2256-54-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2260-17-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2260-56-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2584-31-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2584-39-0x0000000000220000-0x00000000002BD000-memory.dmp

Filesize
628KB

Download
memory/2584-60-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2704-40-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads