adbbbf091ac3a6217491a5d9c27ed8102d0d1863430cf5cc65739c82989dbc71

General

Target

adbbbf091ac3a6217491a5d9c27ed8102d0d1863430cf5cc65739c82989dbc71.exe
Size

512KB
MD5

cf22a3e5b2f2dd682f11d8409a394eef
SHA1

301ce368805add8882318075725f5b0780981070
SHA256

adbbbf091ac3a6217491a5d9c27ed8102d0d1863430cf5cc65739c82989dbc71
SHA512

6192783dc64570ad7ce4ce1277f9f74d0d18693c29b43334f1d8d5b8c6d7f9a775f1964237c3953c1ce08ed118ab246f73e654c01d5321eb268cf66ffb5105ab
SSDEEP

6144:fqS1+B0UZP8VU5tTO/ENURQPTlyl48pArv8kEVS1aHr:RAJUG5t1sI5yl48pArv8o4L

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmklh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lekghdad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lekghdad.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	adbbbf091ac3a6217491a5d9c27ed8102d0d1863430cf5cc65739c82989dbc71.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	adbbbf091ac3a6217491a5d9c27ed8102d0d1863430cf5cc65739c82989dbc71.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpnopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpnopm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmklh32.exe

Executes dropped EXE 4 IoCs

pid	Process
2736	Lpnopm32.exe
3012	Lcmklh32.exe
2820	Lekghdad.exe
2628	Lepaccmo.exe

Loads dropped DLL 12 IoCs

pid	Process
2412	adbbbf091ac3a6217491a5d9c27ed8102d0d1863430cf5cc65739c82989dbc71.exe
2412	adbbbf091ac3a6217491a5d9c27ed8102d0d1863430cf5cc65739c82989dbc71.exe
2736	Lpnopm32.exe
2736	Lpnopm32.exe
3012	Lcmklh32.exe
3012	Lcmklh32.exe
2820	Lekghdad.exe
2820	Lekghdad.exe
2640	WerFault.exe
2640	WerFault.exe
2640	WerFault.exe
2640	WerFault.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lpnopm32.exe	adbbbf091ac3a6217491a5d9c27ed8102d0d1863430cf5cc65739c82989dbc71.exe
File created	C:\Windows\SysWOW64\Dllqqh32.dll	adbbbf091ac3a6217491a5d9c27ed8102d0d1863430cf5cc65739c82989dbc71.exe
File created	C:\Windows\SysWOW64\Hnanlhmd.dll	Lpnopm32.exe
File opened for modification	C:\Windows\SysWOW64\Lekghdad.exe	Lcmklh32.exe
File opened for modification	C:\Windows\SysWOW64\Lepaccmo.exe	Lekghdad.exe
File created	C:\Windows\SysWOW64\Oldhgaef.dll	Lekghdad.exe
File created	C:\Windows\SysWOW64\Lpnopm32.exe	adbbbf091ac3a6217491a5d9c27ed8102d0d1863430cf5cc65739c82989dbc71.exe
File opened for modification	C:\Windows\SysWOW64\Lcmklh32.exe	Lpnopm32.exe
File created	C:\Windows\SysWOW64\Lekghdad.exe	Lcmklh32.exe
File created	C:\Windows\SysWOW64\Qaamhelq.dll	Lcmklh32.exe
File created	C:\Windows\SysWOW64\Lepaccmo.exe	Lekghdad.exe
File created	C:\Windows\SysWOW64\Lcmklh32.exe	Lpnopm32.exe

Program crash 1 IoCs

pid	pid_target	Process
2640	2628	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lekghdad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepaccmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adbbbf091ac3a6217491a5d9c27ed8102d0d1863430cf5cc65739c82989dbc71.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpnopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcmklh32.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dllqqh32.dll"	adbbbf091ac3a6217491a5d9c27ed8102d0d1863430cf5cc65739c82989dbc71.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	adbbbf091ac3a6217491a5d9c27ed8102d0d1863430cf5cc65739c82989dbc71.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnanlhmd.dll"	Lpnopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpnopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcmklh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lekghdad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	adbbbf091ac3a6217491a5d9c27ed8102d0d1863430cf5cc65739c82989dbc71.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	adbbbf091ac3a6217491a5d9c27ed8102d0d1863430cf5cc65739c82989dbc71.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpnopm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcmklh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	adbbbf091ac3a6217491a5d9c27ed8102d0d1863430cf5cc65739c82989dbc71.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	adbbbf091ac3a6217491a5d9c27ed8102d0d1863430cf5cc65739c82989dbc71.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oldhgaef.dll"	Lekghdad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qaamhelq.dll"	Lcmklh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lekghdad.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2736	2412	adbbbf091ac3a6217491a5d9c27ed8102d0d1863430cf5cc65739c82989dbc71.exe	30
PID 2412 wrote to memory of 2736	2412	adbbbf091ac3a6217491a5d9c27ed8102d0d1863430cf5cc65739c82989dbc71.exe	30
PID 2412 wrote to memory of 2736	2412	adbbbf091ac3a6217491a5d9c27ed8102d0d1863430cf5cc65739c82989dbc71.exe	30
PID 2412 wrote to memory of 2736	2412	adbbbf091ac3a6217491a5d9c27ed8102d0d1863430cf5cc65739c82989dbc71.exe	30
PID 2736 wrote to memory of 3012	2736	Lpnopm32.exe	31
PID 2736 wrote to memory of 3012	2736	Lpnopm32.exe	31
PID 2736 wrote to memory of 3012	2736	Lpnopm32.exe	31
PID 2736 wrote to memory of 3012	2736	Lpnopm32.exe	31
PID 3012 wrote to memory of 2820	3012	Lcmklh32.exe	32
PID 3012 wrote to memory of 2820	3012	Lcmklh32.exe	32
PID 3012 wrote to memory of 2820	3012	Lcmklh32.exe	32
PID 3012 wrote to memory of 2820	3012	Lcmklh32.exe	32
PID 2820 wrote to memory of 2628	2820	Lekghdad.exe	33
PID 2820 wrote to memory of 2628	2820	Lekghdad.exe	33
PID 2820 wrote to memory of 2628	2820	Lekghdad.exe	33
PID 2820 wrote to memory of 2628	2820	Lekghdad.exe	33
PID 2628 wrote to memory of 2640	2628	Lepaccmo.exe	34
PID 2628 wrote to memory of 2640	2628	Lepaccmo.exe	34
PID 2628 wrote to memory of 2640	2628	Lepaccmo.exe	34
PID 2628 wrote to memory of 2640	2628	Lepaccmo.exe	34

C:\Users\Admin\AppData\Local\Temp\adbbbf091ac3a6217491a5d9c27ed8102d0d1863430cf5cc65739c82989dbc71.exe
"C:\Users\Admin\AppData\Local\Temp\adbbbf091ac3a6217491a5d9c27ed8102d0d1863430cf5cc65739c82989dbc71.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\SysWOW64\Lpnopm32.exe
  C:\Windows\system32\Lpnopm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\SysWOW64\Lcmklh32.exe
    C:\Windows\system32\Lcmklh32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Windows\SysWOW64\Lekghdad.exe
      C:\Windows\system32\Lekghdad.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2820
    - - C:\Windows\SysWOW64\Lepaccmo.exe
        
        C:\Windows\system32\Lepaccmo.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2628
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 140
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Lcmklh32.exe

Filesize
512KB

MD5
bc0d7460ddb553049ee405ddf62b4a33

SHA1
90e477bd72092f4639ad1ac7b7ff5fe7ae8e83da

SHA256
99eed6fb2f80a82ad880f4da255df0bbf7ded52680a1a4e6e7d1106c2c90c769

SHA512
806c07173acc411725f1b97401bc4e541270ee7502b31fa9946efba1560ebd358bf6c5e1d869e49e60141eccc34e713969c2c0e0d4786043fe4d83d25461b4ad

Download Submit
C:\Windows\SysWOW64\Lekghdad.exe

Filesize
512KB

MD5
8bacdf5884f03d8fea4ec1b2b75286ba

SHA1
833dff68b3f0e989baedbc9a724793129fb2f14a

SHA256
375faa07c48837551f8a0cadf5d4da5d807da8aa2fff3ea94859e2cc4b5bf24f

SHA512
422d6bbf887c29255feaadf7faaca85aa2746b2e765307f35111476bcf7ed55bd9bcaba91160aa2e1fd3eb25d817de21f6e82ab52e9e67d1b471033b4fe30c8a

Download Submit
C:\Windows\SysWOW64\Lpnopm32.exe

Filesize
512KB

MD5
4801bde7fc2a8ada045751675492ddb4

SHA1
ca2a84f8c8bca5b6d860489b32c581ddce5e0743

SHA256
4737896be65e348f2ff26b3993ad666083ac9b586d9102a73c7a4a783c63ae32

SHA512
61cafa9306f6953177302600aec53cfeb94143d2ad182e3e35623b9bb3dd9d6426b2c2a7ad219d5089c903e3afbd660f51ece7606376a3a346e58355b2d059d7

Download Submit
\Windows\SysWOW64\Lepaccmo.exe

Filesize
512KB

MD5
87f729dabb236bb39d59797bcceca502

SHA1
a2552c58ef6109cfa424ca62a4c247910f6f17e1

SHA256
942760ca50e8333f5f4c0215bb26c9f238ffa595f562037f4246c8b341e0edd6

SHA512
336503a416c80e46c71c314ad7cc5a95081f1ece4dfb0abec0760ee880c5716d69a317c240a2ec68e9fc30f56ad8d6328c80bc773a488f345a96c10aaecc3401

Download Submit
memory/2412-17-0x0000000000290000-0x00000000002BF000-memory.dmp

Filesize
188KB

Download
memory/2412-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2412-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2412-18-0x0000000000290000-0x00000000002BF000-memory.dmp

Filesize
188KB

Download
memory/2628-57-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2628-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2736-27-0x00000000001E0000-0x000000000020F000-memory.dmp

Filesize
188KB

Download
memory/2736-19-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2820-43-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2820-51-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2820-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3012-29-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3012-42-0x0000000000300000-0x000000000032F000-memory.dmp

Filesize
188KB

Download
memory/3012-41-0x0000000000300000-0x000000000032F000-memory.dmp

Filesize
188KB

Download
memory/3012-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads