a73878cb18feee7556abdeb08b5e2ab0d15d3d6f04ff5a1f40fd110a05d1b6df

General

Target

797065569cecd6926a4c04d9430c6cb0N.exe
Size

81KB
MD5

797065569cecd6926a4c04d9430c6cb0
SHA1

d914fce11cf870d604c3f7bf5620f1edbfd9cc1f
SHA256

a73878cb18feee7556abdeb08b5e2ab0d15d3d6f04ff5a1f40fd110a05d1b6df
SHA512

0b9a1452f4dce43d3a82451bbbb4b4f746b84d27bf5fe7affb04f3fa6ab07203bd957b80f8bf43992fabeb8874c1cc80350a3a395e7a18205ce3e04dda49e25a
SSDEEP

1536:BCzyZU9m8/aTZkdfiG50KY6C8zqrmu127m4LO++/+1m6KadhYxU33HX0L:+zcBZGKGY61Xu12/LrCimBaH8UH30L

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	797065569cecd6926a4c04d9430c6cb0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	797065569cecd6926a4c04d9430c6cb0N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fedfgejh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fedfgejh.exe

Executes dropped EXE 2 IoCs

pid	Process
1500	Fedfgejh.exe
2168	Flnndp32.exe

Loads dropped DLL 8 IoCs

pid	Process
2688	797065569cecd6926a4c04d9430c6cb0N.exe
2688	797065569cecd6926a4c04d9430c6cb0N.exe
1500	Fedfgejh.exe
1500	Fedfgejh.exe
2800	WerFault.exe
2800	WerFault.exe
2800	WerFault.exe
2800	WerFault.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Flnndp32.exe	Fedfgejh.exe
File created	C:\Windows\SysWOW64\Onndkg32.dll	Fedfgejh.exe
File created	C:\Windows\SysWOW64\Fedfgejh.exe	797065569cecd6926a4c04d9430c6cb0N.exe
File opened for modification	C:\Windows\SysWOW64\Fedfgejh.exe	797065569cecd6926a4c04d9430c6cb0N.exe
File created	C:\Windows\SysWOW64\Kmpnop32.dll	797065569cecd6926a4c04d9430c6cb0N.exe
File created	C:\Windows\SysWOW64\Flnndp32.exe	Fedfgejh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2800	2168	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	797065569cecd6926a4c04d9430c6cb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fedfgejh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flnndp32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmpnop32.dll"	797065569cecd6926a4c04d9430c6cb0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	797065569cecd6926a4c04d9430c6cb0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onndkg32.dll"	Fedfgejh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	797065569cecd6926a4c04d9430c6cb0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	797065569cecd6926a4c04d9430c6cb0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	797065569cecd6926a4c04d9430c6cb0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	797065569cecd6926a4c04d9430c6cb0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fedfgejh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fedfgejh.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 1500	2688	797065569cecd6926a4c04d9430c6cb0N.exe	30
PID 2688 wrote to memory of 1500	2688	797065569cecd6926a4c04d9430c6cb0N.exe	30
PID 2688 wrote to memory of 1500	2688	797065569cecd6926a4c04d9430c6cb0N.exe	30
PID 2688 wrote to memory of 1500	2688	797065569cecd6926a4c04d9430c6cb0N.exe	30
PID 1500 wrote to memory of 2168	1500	Fedfgejh.exe	31
PID 1500 wrote to memory of 2168	1500	Fedfgejh.exe	31
PID 1500 wrote to memory of 2168	1500	Fedfgejh.exe	31
PID 1500 wrote to memory of 2168	1500	Fedfgejh.exe	31
PID 2168 wrote to memory of 2800	2168	Flnndp32.exe	32
PID 2168 wrote to memory of 2800	2168	Flnndp32.exe	32
PID 2168 wrote to memory of 2800	2168	Flnndp32.exe	32
PID 2168 wrote to memory of 2800	2168	Flnndp32.exe	32

C:\Users\Admin\AppData\Local\Temp\797065569cecd6926a4c04d9430c6cb0N.exe
"C:\Users\Admin\AppData\Local\Temp\797065569cecd6926a4c04d9430c6cb0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\SysWOW64\Fedfgejh.exe
  C:\Windows\system32\Fedfgejh.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Windows\SysWOW64\Flnndp32.exe
    C:\Windows\system32\Flnndp32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 140
      4⤵
      Loads dropped DLL
      Program crash
      PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\Fedfgejh.exe

Filesize
81KB

MD5
23dc4119aab1075e082891ed0808b785

SHA1
0b4d41951533d56fbc8197eb1bfa798b990a6918

SHA256
7e5436cdd143f0a96367eb00b08003a1a8c69fd07fb10a20b68150e13f0b809e

SHA512
14a86f5cf338ea3ddb5d835d28cde2baed833c299ba5297050089e0520dd516c220d1a07a0dca3446cf28efbe55176ba8fc5a86decde5a6457f42295c078d18a

Download Submit
\Windows\SysWOW64\Flnndp32.exe

Filesize
81KB

MD5
efd15d9ade8dfa4b40167c4338521193

SHA1
1f94a638a2d92078f99115811986ffc34f2b6d91

SHA256
587ae6258ba6b8438ab7fcfde34f36ac7b3c8293504b3816bf8948c5a0441e8d

SHA512
d974ea2846eb2c3d08afc8e63d99e1728c2fec8889a5c65525e7f684dd510b5aea4de2563473f44fd9914a2e4e9cf4c4ef745e9620659b9d3d6c9a4d2b524f49

Download Submit
memory/1500-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1500-26-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2168-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2168-34-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2688-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2688-11-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2688-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads