805fcf8bd06fac72fd8f59ce910e2305941997b0335548b2b13874a46b1b60d0

General

Target

c6531a7b5a57dd5192930a18b61eb890N.exe
Size

1.4MB
MD5

c6531a7b5a57dd5192930a18b61eb890
SHA1

b735ccae52f5dad13c86caf5ba9005a34b543e00
SHA256

805fcf8bd06fac72fd8f59ce910e2305941997b0335548b2b13874a46b1b60d0
SHA512

54c4c91800b019e6497cf7b6fdad455f6716674180d5678ec861cf55ce85f9a6aae05abcb95d47d014394212fcecd3255aef33a1fa461ae7bf4a66340700cda4
SSDEEP

24576:ejGia2+3apPNC+BNts9a2+3aGP5/fCpJa2+3apPNC+BNts9a2+3aC:++l+f/fen+l+l

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c6531a7b5a57dd5192930a18b61eb890N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	c6531a7b5a57dd5192930a18b61eb890N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khnapkjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Khnapkjg.exe

Executes dropped EXE 2 IoCs

pid	Process
2344	Khnapkjg.exe
2680	Lbjofi32.exe

Loads dropped DLL 8 IoCs

pid	Process
3004	c6531a7b5a57dd5192930a18b61eb890N.exe
3004	c6531a7b5a57dd5192930a18b61eb890N.exe
2344	Khnapkjg.exe
2344	Khnapkjg.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Khnapkjg.exe	c6531a7b5a57dd5192930a18b61eb890N.exe
File opened for modification	C:\Windows\SysWOW64\Khnapkjg.exe	c6531a7b5a57dd5192930a18b61eb890N.exe
File created	C:\Windows\SysWOW64\Jkbcekmn.dll	c6531a7b5a57dd5192930a18b61eb890N.exe
File created	C:\Windows\SysWOW64\Lbjofi32.exe	Khnapkjg.exe
File opened for modification	C:\Windows\SysWOW64\Lbjofi32.exe	Khnapkjg.exe
File created	C:\Windows\SysWOW64\Ipafocdg.dll	Khnapkjg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2744	2680	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c6531a7b5a57dd5192930a18b61eb890N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khnapkjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	c6531a7b5a57dd5192930a18b61eb890N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	c6531a7b5a57dd5192930a18b61eb890N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	c6531a7b5a57dd5192930a18b61eb890N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkbcekmn.dll"	c6531a7b5a57dd5192930a18b61eb890N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	c6531a7b5a57dd5192930a18b61eb890N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Khnapkjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipafocdg.dll"	Khnapkjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Khnapkjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	c6531a7b5a57dd5192930a18b61eb890N.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2344	3004	c6531a7b5a57dd5192930a18b61eb890N.exe	30
PID 3004 wrote to memory of 2344	3004	c6531a7b5a57dd5192930a18b61eb890N.exe	30
PID 3004 wrote to memory of 2344	3004	c6531a7b5a57dd5192930a18b61eb890N.exe	30
PID 3004 wrote to memory of 2344	3004	c6531a7b5a57dd5192930a18b61eb890N.exe	30
PID 2344 wrote to memory of 2680	2344	Khnapkjg.exe	31
PID 2344 wrote to memory of 2680	2344	Khnapkjg.exe	31
PID 2344 wrote to memory of 2680	2344	Khnapkjg.exe	31
PID 2344 wrote to memory of 2680	2344	Khnapkjg.exe	31
PID 2680 wrote to memory of 2744	2680	Lbjofi32.exe	32
PID 2680 wrote to memory of 2744	2680	Lbjofi32.exe	32
PID 2680 wrote to memory of 2744	2680	Lbjofi32.exe	32
PID 2680 wrote to memory of 2744	2680	Lbjofi32.exe	32

C:\Users\Admin\AppData\Local\Temp\c6531a7b5a57dd5192930a18b61eb890N.exe
"C:\Users\Admin\AppData\Local\Temp\c6531a7b5a57dd5192930a18b61eb890N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\SysWOW64\Khnapkjg.exe
  C:\Windows\system32\Khnapkjg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\SysWOW64\Lbjofi32.exe
    C:\Windows\system32\Lbjofi32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 140
      4⤵
      Loads dropped DLL
      Program crash
      PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\Khnapkjg.exe

Filesize
1.4MB

MD5
b4f81fdcc67d57bc195b4939002347e6

SHA1
8701a4da7f53d2b838ec21caec330f1e66b6695b

SHA256
d9bf79689aa6ba7b35db13c817cb26e337b5de59a4d45d0eaa9f4301def07a2a

SHA512
5caca6e06da4771c3678c7a3f11ef28066f73aba024a54c76a972102f0955239039323006cfea5df7b8923ff427fdd04778a2e16e5c4c133424e558494a073cf

Download Submit
\Windows\SysWOW64\Lbjofi32.exe

Filesize
1.4MB

MD5
656d19cab8fed46ebce9d5cae128cbcb

SHA1
313ddd8ff1eb8db5864a9ab430000d690b9458bc

SHA256
81e5e265b6319655757056c1347aeeaa7e402442f33ae8bc733522cade8159d5

SHA512
84ec262e498ec4061c0a69975e5a050459d46b68058ddc3a3d11d7df20b65d4cc3e1be4b3ddd7982bf384e3b7cf0c26c7186699a0036a71857709a6366bf765d

Download Submit
memory/2344-26-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2344-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2680-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2680-34-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3004-4-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3004-12-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/3004-11-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads