0ae38722cdb8998ce9d0f4a3239d6d2d6cd9477d3104f5dd6ff66e1c95a3192c

General

Target

0ae38722cdb8998ce9d0f4a3239d6d2d6cd9477d3104f5dd6ff66e1c95a3192c.exe
Size

104KB
MD5

6bacdfd9a81359ac22fdcbffaae3c7c2
SHA1

853c55e57ad60eee946ab55a42f26de473093772
SHA256

0ae38722cdb8998ce9d0f4a3239d6d2d6cd9477d3104f5dd6ff66e1c95a3192c
SHA512

9c23eddc68a0afbb66c0c8c8f49218002704fd5c59ad7492a4f8a234c0a729d51cea283583aa5203f56d79ec22b4fb3c95ef44c07f08faf1f3ac9b8549649ad1
SSDEEP

3072:zmQ6l7V/b48afH5Ae5nx7cEGrhkngpDvchkqbAIQ:zmDl7VTUfR5nx4brq2Ah

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	0ae38722cdb8998ce9d0f4a3239d6d2d6cd9477d3104f5dd6ff66e1c95a3192c.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olehbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ofklpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oepianef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0ae38722cdb8998ce9d0f4a3239d6d2d6cd9477d3104f5dd6ff66e1c95a3192c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Olehbh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofklpa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opcaiggo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Opcaiggo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oepianef.exe

Executes dropped EXE 5 IoCs

pid	Process
2304	Olehbh32.exe
1372	Ofklpa32.exe
2428	Opcaiggo.exe
2820	Oepianef.exe
2888	Ohnemidj.exe

Loads dropped DLL 14 IoCs

pid	Process
1068	0ae38722cdb8998ce9d0f4a3239d6d2d6cd9477d3104f5dd6ff66e1c95a3192c.exe
1068	0ae38722cdb8998ce9d0f4a3239d6d2d6cd9477d3104f5dd6ff66e1c95a3192c.exe
2304	Olehbh32.exe
2304	Olehbh32.exe
1372	Ofklpa32.exe
1372	Ofklpa32.exe
2428	Opcaiggo.exe
2428	Opcaiggo.exe
2820	Oepianef.exe
2820	Oepianef.exe
2896	WerFault.exe
2896	WerFault.exe
2896	WerFault.exe
2896	WerFault.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Oepianef.exe	Opcaiggo.exe
File opened for modification	C:\Windows\SysWOW64\Ohnemidj.exe	Oepianef.exe
File created	C:\Windows\SysWOW64\Imfkindn.dll	0ae38722cdb8998ce9d0f4a3239d6d2d6cd9477d3104f5dd6ff66e1c95a3192c.exe
File created	C:\Windows\SysWOW64\Oepianef.exe	Opcaiggo.exe
File opened for modification	C:\Windows\SysWOW64\Olehbh32.exe	0ae38722cdb8998ce9d0f4a3239d6d2d6cd9477d3104f5dd6ff66e1c95a3192c.exe
File created	C:\Windows\SysWOW64\Keniknoh.dll	Olehbh32.exe
File created	C:\Windows\SysWOW64\Pbbfhefe.dll	Ofklpa32.exe
File created	C:\Windows\SysWOW64\Nafbcl32.dll	Opcaiggo.exe
File created	C:\Windows\SysWOW64\Fifjgemj.dll	Oepianef.exe
File opened for modification	C:\Windows\SysWOW64\Ofklpa32.exe	Olehbh32.exe
File created	C:\Windows\SysWOW64\Opcaiggo.exe	Ofklpa32.exe
File opened for modification	C:\Windows\SysWOW64\Opcaiggo.exe	Ofklpa32.exe
File created	C:\Windows\SysWOW64\Ohnemidj.exe	Oepianef.exe
File created	C:\Windows\SysWOW64\Olehbh32.exe	0ae38722cdb8998ce9d0f4a3239d6d2d6cd9477d3104f5dd6ff66e1c95a3192c.exe
File created	C:\Windows\SysWOW64\Ofklpa32.exe	Olehbh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2896	2888	WerFault.exe	33

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opcaiggo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oepianef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohnemidj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0ae38722cdb8998ce9d0f4a3239d6d2d6cd9477d3104f5dd6ff66e1c95a3192c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olehbh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofklpa32.exe

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ofklpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nafbcl32.dll"	Opcaiggo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	0ae38722cdb8998ce9d0f4a3239d6d2d6cd9477d3104f5dd6ff66e1c95a3192c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	0ae38722cdb8998ce9d0f4a3239d6d2d6cd9477d3104f5dd6ff66e1c95a3192c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imfkindn.dll"	0ae38722cdb8998ce9d0f4a3239d6d2d6cd9477d3104f5dd6ff66e1c95a3192c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Olehbh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	0ae38722cdb8998ce9d0f4a3239d6d2d6cd9477d3104f5dd6ff66e1c95a3192c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Olehbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbbfhefe.dll"	Ofklpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Opcaiggo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	0ae38722cdb8998ce9d0f4a3239d6d2d6cd9477d3104f5dd6ff66e1c95a3192c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keniknoh.dll"	Olehbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ofklpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fifjgemj.dll"	Oepianef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	0ae38722cdb8998ce9d0f4a3239d6d2d6cd9477d3104f5dd6ff66e1c95a3192c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Opcaiggo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oepianef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oepianef.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1068 wrote to memory of 2304	1068	0ae38722cdb8998ce9d0f4a3239d6d2d6cd9477d3104f5dd6ff66e1c95a3192c.exe	29
PID 1068 wrote to memory of 2304	1068	0ae38722cdb8998ce9d0f4a3239d6d2d6cd9477d3104f5dd6ff66e1c95a3192c.exe	29
PID 1068 wrote to memory of 2304	1068	0ae38722cdb8998ce9d0f4a3239d6d2d6cd9477d3104f5dd6ff66e1c95a3192c.exe	29
PID 1068 wrote to memory of 2304	1068	0ae38722cdb8998ce9d0f4a3239d6d2d6cd9477d3104f5dd6ff66e1c95a3192c.exe	29
PID 2304 wrote to memory of 1372	2304	Olehbh32.exe	30
PID 2304 wrote to memory of 1372	2304	Olehbh32.exe	30
PID 2304 wrote to memory of 1372	2304	Olehbh32.exe	30
PID 2304 wrote to memory of 1372	2304	Olehbh32.exe	30
PID 1372 wrote to memory of 2428	1372	Ofklpa32.exe	31
PID 1372 wrote to memory of 2428	1372	Ofklpa32.exe	31
PID 1372 wrote to memory of 2428	1372	Ofklpa32.exe	31
PID 1372 wrote to memory of 2428	1372	Ofklpa32.exe	31
PID 2428 wrote to memory of 2820	2428	Opcaiggo.exe	32
PID 2428 wrote to memory of 2820	2428	Opcaiggo.exe	32
PID 2428 wrote to memory of 2820	2428	Opcaiggo.exe	32
PID 2428 wrote to memory of 2820	2428	Opcaiggo.exe	32
PID 2820 wrote to memory of 2888	2820	Oepianef.exe	33
PID 2820 wrote to memory of 2888	2820	Oepianef.exe	33
PID 2820 wrote to memory of 2888	2820	Oepianef.exe	33
PID 2820 wrote to memory of 2888	2820	Oepianef.exe	33
PID 2888 wrote to memory of 2896	2888	Ohnemidj.exe	34
PID 2888 wrote to memory of 2896	2888	Ohnemidj.exe	34
PID 2888 wrote to memory of 2896	2888	Ohnemidj.exe	34
PID 2888 wrote to memory of 2896	2888	Ohnemidj.exe	34

C:\Users\Admin\AppData\Local\Temp\0ae38722cdb8998ce9d0f4a3239d6d2d6cd9477d3104f5dd6ff66e1c95a3192c.exe
"C:\Users\Admin\AppData\Local\Temp\0ae38722cdb8998ce9d0f4a3239d6d2d6cd9477d3104f5dd6ff66e1c95a3192c.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Windows\SysWOW64\Olehbh32.exe
  C:\Windows\system32\Olehbh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\SysWOW64\Ofklpa32.exe
    C:\Windows\system32\Ofklpa32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1372
  - - C:\Windows\SysWOW64\Opcaiggo.exe
      C:\Windows\system32\Opcaiggo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2428
    - - C:\Windows\SysWOW64\Oepianef.exe
        
        C:\Windows\system32\Oepianef.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2820
      - C:\Windows\SysWOW64\Ohnemidj.exe
        
        C:\Windows\system32\Ohnemidj.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 140
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fifjgemj.dll

Filesize
7KB

MD5
9ece5bfbbd313b23ad7651f430e43d38

SHA1
aa501683ced504b6f2e5f493a5b3b25c6add1e3e

SHA256
2e17c8ae4d41fb952ebd90621481c2857ed6adf313ff096f7c86bf4582a60562

SHA512
3ab2bfe0bf6a1d0d24d4dac83bf7a463851a440850a9fa24135608c6fef92c7f8fe898e15c40f7554b67d4d6f01a634419e3180c65bee4fc5f42e9d4d718f779

Download Submit
C:\Windows\SysWOW64\Ohnemidj.exe

Filesize
104KB

MD5
57104e497d5ca1f28437ac6cd85925ed

SHA1
ec1611043e29c01380b2b101c1953bf125fb19ec

SHA256
8c19277626b367b342744d66f1998486fd0ae0af14996d6578d117d3e7f250ac

SHA512
055cc0af4c078ae5464352fdc451beb3190bf1029f12e2fdda024151b10ee8a702f65ad24d58d2fb69698e0109d45a14c75fda0112aaa7d5183a994e1116b49a

Download Submit
C:\Windows\SysWOW64\Olehbh32.exe

Filesize
104KB

MD5
fb34a001ccb3d6f83ae6595447e2a927

SHA1
988ff6818057348bc753069a989b6beb1eb667f6

SHA256
9bcae2254747c996322967b275e37be8f4a39deafb2fb2a0b8cb662ad11e59c2

SHA512
7f5fb2da08883de28c0b65c31a940b8b4080a55c8557846525f76035492339a6e67192ecb4aad7b9e1486340cac636a9fdd04c6b73b6fb7217f278022354f19b

Download Submit
\Windows\SysWOW64\Oepianef.exe

Filesize
104KB

MD5
fb6cae70e45fbec9a37fa5c36b376e93

SHA1
86c22ab2ce653366e29d6058737e3511cbeb0d7f

SHA256
2122894779e3618f00387f6c526fac587c04116ded954d26242acf78aa5480c7

SHA512
15709f6eb45272ff7456aaa9fa1a239b30e3c0f0da852139afe85a2774b81f18c2b49200be2ce747294e9ebc25d6d6bd9c2efc4ae676fb11213cbeff94928b0f

Download Submit
\Windows\SysWOW64\Ofklpa32.exe

Filesize
104KB

MD5
b87769293676932bcf7ff419e8f2ae71

SHA1
2c90e273336111e993d895270aea5fc0f31321a4

SHA256
b6f2ef9bfe18286e5d6b6b42cd2986973543c61f20fefd6bb212621a3aca4e71

SHA512
113305db45da202a448cd7a98cd2eb02a7c403300758988707936139982beee63726e56208feeef2d27ff1d03350e003ff612f0955fdb4dd669326b282163410

Download Submit
\Windows\SysWOW64\Opcaiggo.exe

Filesize
104KB

MD5
b9aba8579e0489b71fdfa06ee3bf2734

SHA1
8f775c89e8ca8b67ddcb25ddb0c0084cb42bd8dc

SHA256
06943c8465b6ecf2fd9041d4985694dea5a38564c32a43ad6d20149d9d589df1

SHA512
16025bdf9bdbbbfc38121c1a23c594ae1d7e7c69853bea68ed28f7e9c1eab327d1be1a46424a969aff797efda001eed6e95ffeb98bed5fc91a42045c3a6e00da

Download Submit
memory/1068-4-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1068-12-0x00000000002C0000-0x0000000000303000-memory.dmp

Filesize
268KB

Download
memory/1372-73-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1372-27-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1372-39-0x0000000000280000-0x00000000002C3000-memory.dmp

Filesize
268KB

Download
memory/2304-26-0x0000000000280000-0x00000000002C3000-memory.dmp

Filesize
268KB

Download
memory/2304-72-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2304-13-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2428-41-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2428-74-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2820-54-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2820-75-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2888-67-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads