fde01812ed8603e40847b742e4e43996d7b7c30ca52bcd0add0530d22192de32

General

Target

fde01812ed8603e40847b742e4e43996d7b7c30ca52bcd0add0530d22192de32.exe
Size

768KB
MD5

b2979156df25d1cb99f35ed44102a3b7
SHA1

4ea4b2ba711931e39ef47f3498b982747d59f89b
SHA256

fde01812ed8603e40847b742e4e43996d7b7c30ca52bcd0add0530d22192de32
SHA512

5fb3082e664afcb3db2755aa9f36b220161811bf98cb8747481d16da7daf34894ca6fa5e7fabe4597bbc4fba44367bfc60dddc0643d8ea637e7e2a170d182380
SSDEEP

12288:F05LZ0g9evw6IveDVqvQ6IvYvc6IveDVqvQ6IvBaSHaMaZRBEYyqmaf2qwiHPKgV:6d99q5h3q5htaSHFaZRBEYyqmaf2qwiv

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlncla32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	fde01812ed8603e40847b742e4e43996d7b7c30ca52bcd0add0530d22192de32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	fde01812ed8603e40847b742e4e43996d7b7c30ca52bcd0add0530d22192de32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmbpjfij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfjeckpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfonnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfonnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmifkecb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmbpjfij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfjeckpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmifkecb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlncla32.exe

Executes dropped EXE 6 IoCs

pid	Process
3708	Cmbpjfij.exe
3040	Cfjeckpj.exe
2864	Dfonnk32.exe
5080	Dmifkecb.exe
1304	Dlncla32.exe
3024	Dbkhnk32.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Amkejmgc.dll	fde01812ed8603e40847b742e4e43996d7b7c30ca52bcd0add0530d22192de32.exe
File created	C:\Windows\SysWOW64\Cfjeckpj.exe	Cmbpjfij.exe
File created	C:\Windows\SysWOW64\Dlncla32.exe	Dmifkecb.exe
File created	C:\Windows\SysWOW64\Dbkhnk32.exe	Dlncla32.exe
File opened for modification	C:\Windows\SysWOW64\Dbkhnk32.exe	Dlncla32.exe
File created	C:\Windows\SysWOW64\Cmbpjfij.exe	fde01812ed8603e40847b742e4e43996d7b7c30ca52bcd0add0530d22192de32.exe
File created	C:\Windows\SysWOW64\Qecnjaee.dll	Cmbpjfij.exe
File created	C:\Windows\SysWOW64\Dfonnk32.exe	Cfjeckpj.exe
File created	C:\Windows\SysWOW64\Dmifkecb.exe	Dfonnk32.exe
File opened for modification	C:\Windows\SysWOW64\Cfjeckpj.exe	Cmbpjfij.exe
File created	C:\Windows\SysWOW64\Abbbel32.dll	Dfonnk32.exe
File opened for modification	C:\Windows\SysWOW64\Dlncla32.exe	Dmifkecb.exe
File created	C:\Windows\SysWOW64\Nqbpidem.dll	Dmifkecb.exe
File created	C:\Windows\SysWOW64\Naefjl32.dll	Dlncla32.exe
File opened for modification	C:\Windows\SysWOW64\Cmbpjfij.exe	fde01812ed8603e40847b742e4e43996d7b7c30ca52bcd0add0530d22192de32.exe
File opened for modification	C:\Windows\SysWOW64\Dfonnk32.exe	Cfjeckpj.exe
File created	C:\Windows\SysWOW64\Adlafb32.dll	Cfjeckpj.exe
File opened for modification	C:\Windows\SysWOW64\Dmifkecb.exe	Dfonnk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4072	3024	WerFault.exe	97

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfonnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmifkecb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlncla32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbkhnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fde01812ed8603e40847b742e4e43996d7b7c30ca52bcd0add0530d22192de32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmbpjfij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfjeckpj.exe

Modifies registry class 21 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dlncla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naefjl32.dll"	Dlncla32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	fde01812ed8603e40847b742e4e43996d7b7c30ca52bcd0add0530d22192de32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmifkecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dlncla32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfonnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqbpidem.dll"	Dmifkecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qecnjaee.dll"	Cmbpjfij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmifkecb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	fde01812ed8603e40847b742e4e43996d7b7c30ca52bcd0add0530d22192de32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmbpjfij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amkejmgc.dll"	fde01812ed8603e40847b742e4e43996d7b7c30ca52bcd0add0530d22192de32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	fde01812ed8603e40847b742e4e43996d7b7c30ca52bcd0add0530d22192de32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmbpjfij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfjeckpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adlafb32.dll"	Cfjeckpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfjeckpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	fde01812ed8603e40847b742e4e43996d7b7c30ca52bcd0add0530d22192de32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	fde01812ed8603e40847b742e4e43996d7b7c30ca52bcd0add0530d22192de32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abbbel32.dll"	Dfonnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfonnk32.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4308 wrote to memory of 3708	4308	fde01812ed8603e40847b742e4e43996d7b7c30ca52bcd0add0530d22192de32.exe	90
PID 4308 wrote to memory of 3708	4308	fde01812ed8603e40847b742e4e43996d7b7c30ca52bcd0add0530d22192de32.exe	90
PID 4308 wrote to memory of 3708	4308	fde01812ed8603e40847b742e4e43996d7b7c30ca52bcd0add0530d22192de32.exe	90
PID 3708 wrote to memory of 3040	3708	Cmbpjfij.exe	91
PID 3708 wrote to memory of 3040	3708	Cmbpjfij.exe	91
PID 3708 wrote to memory of 3040	3708	Cmbpjfij.exe	91
PID 3040 wrote to memory of 2864	3040	Cfjeckpj.exe	92
PID 3040 wrote to memory of 2864	3040	Cfjeckpj.exe	92
PID 3040 wrote to memory of 2864	3040	Cfjeckpj.exe	92
PID 2864 wrote to memory of 5080	2864	Dfonnk32.exe	93
PID 2864 wrote to memory of 5080	2864	Dfonnk32.exe	93
PID 2864 wrote to memory of 5080	2864	Dfonnk32.exe	93
PID 5080 wrote to memory of 1304	5080	Dmifkecb.exe	96
PID 5080 wrote to memory of 1304	5080	Dmifkecb.exe	96
PID 5080 wrote to memory of 1304	5080	Dmifkecb.exe	96
PID 1304 wrote to memory of 3024	1304	Dlncla32.exe	97
PID 1304 wrote to memory of 3024	1304	Dlncla32.exe	97
PID 1304 wrote to memory of 3024	1304	Dlncla32.exe	97

C:\Users\Admin\AppData\Local\Temp\fde01812ed8603e40847b742e4e43996d7b7c30ca52bcd0add0530d22192de32.exe
"C:\Users\Admin\AppData\Local\Temp\fde01812ed8603e40847b742e4e43996d7b7c30ca52bcd0add0530d22192de32.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Windows\SysWOW64\Cmbpjfij.exe
  C:\Windows\system32\Cmbpjfij.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3708
- - C:\Windows\SysWOW64\Cfjeckpj.exe
    C:\Windows\system32\Cfjeckpj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Windows\SysWOW64\Dfonnk32.exe
      C:\Windows\system32\Dfonnk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Windows\SysWOW64\Dmifkecb.exe
        
        C:\Windows\system32\Dmifkecb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5080
      - C:\Windows\SysWOW64\Dlncla32.exe
        
        C:\Windows\system32\Dlncla32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 400
        8⤵
        Program crash
        
        PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3024 -ip 3024
1⤵
PID:1156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3808,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=4148 /prefetch:8
1⤵
PID:3952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cfjeckpj.exe

Filesize
768KB

MD5
58305c730ff68aa1647e612783e6393d

SHA1
6afc4acd87e799ab51154bdfbaa0f69e05a002dc

SHA256
3fd97e7f2581bfb82465793b736bc2292263a283bee30bc5f7feed0af3db2111

SHA512
6d5b4723eae4c183b34813582e92ff76c4fca06f654af8cd190584dbb3b4d3ade4275bfd7d1f273eb5bfec7644b94f69b9c637ac05674b5373ef94e9b54bb988

Download Submit
C:\Windows\SysWOW64\Cmbpjfij.exe

Filesize
768KB

MD5
f5fb75947dbb34256169911e2c369ebe

SHA1
68285d176123ae2f260561fe2409d0c83e34ac93

SHA256
0402d0c0be62e56b917bc9545d75a015e43966c4df668c48a4ae9fc02856f23f

SHA512
d3dafa3aaa24ef6faeca5ecc8ba3113f3f89c0b3370f71b5e873e0717d49d587bc1cb7caab2f6ae59544bf764acc99fd9cdad2dce90a13b645cfd1904a97327a

Download Submit
C:\Windows\SysWOW64\Dbkhnk32.exe

Filesize
768KB

MD5
8b5f662b862fdc739ead13a5a7dfc377

SHA1
dec23073ddff6630decbd312c1ec084612c5531f

SHA256
0b99ca32862c00e376f840dac8c3627301110be59b39bd841bd0497faa7a1d63

SHA512
6fb0491fb4e169201490fed7686e1d83ada78636dbac52ff651bb8d522ffe9a6c49bfcfcdd7be0e7c8900a269a6b7c96ad49d76b15a89cfa77708392ace6d77b

Download Submit
C:\Windows\SysWOW64\Dfonnk32.exe

Filesize
768KB

MD5
e56a75d51af8f6c256230334e5f8a50b

SHA1
4cc86b6d058b084061aaed90a4ec4b587dad8e3e

SHA256
34b0e0e050f2aa69bb71022a1e45ae7a8c5ec537c0884dc37f5f289245543e57

SHA512
9a6228a3546f4fffbb3a6702a8fd327cfd1f4fc38721c5a752ddd2670cefa6cb089a8daad064f56d1ade566ae7d1aba6c6398d407a16a9e9ddc889f0b0864251

Download Submit
C:\Windows\SysWOW64\Dlncla32.exe

Filesize
768KB

MD5
10cfb703c729030112ca07489faa0120

SHA1
6274a1fbfae6a1b015013c56fea0a0a9dcd71519

SHA256
bc5736272cde9f6947d97f2e1e0131b8ae03a7417328efc7a44b1e1b42d51327

SHA512
59d4c0fb27fcd621f90458c23919216d2cd2971e908ca5701568ac2ade53070672953a6d8b75c7525ccf50a1f0e5af8a73e13fc8e16ee39c2d87367fe0dc12f3

Download Submit
C:\Windows\SysWOW64\Dmifkecb.exe

Filesize
768KB

MD5
a159ffe90e101a49da065266aa7b245e

SHA1
e6318ec2b2fc156d98301108bbc825f14bdbb09e

SHA256
2768b3e2487b3a15bec4dd39f40e6729a21e590ca73a464d5faeb04a196a5067

SHA512
6f7eeb203ded50fecf30e137a5488cb95031bb827331cae84544f6c01ed38f0d19b6ad0d7d2fcaaca4fa3bf2be5b4240cb58afb3c9b55cf3b653fbbac49bd179

Download Submit
memory/1304-52-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1304-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-53-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3040-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3040-60-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3708-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-62-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/5080-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5080-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads