a6e1e582ff2ac3d450c87c7fa7c016ea6ce568d81cc4ae03e5e81730f5a0889a

General

Target

a7b773ee116682401be678d36b073850N.exe
Size

384KB
MD5

a7b773ee116682401be678d36b073850
SHA1

d4d1385bdf9fe1839a40af071c38dc7ace1fde75
SHA256

a6e1e582ff2ac3d450c87c7fa7c016ea6ce568d81cc4ae03e5e81730f5a0889a
SHA512

f314d079922790dfe3f85e82020e255fe6d82f95afd740fe47dda38dc28f0f53db944c7f3721dbcef13520ba832ef365b0beb047db7b9e5ef50fed417bbfae60
SSDEEP

6144:xdgo+vo0G9GyZ6YugQdjGG1wsKm6eBgdQbkoKTBEAz/6DG1ETdqvZNemWrsiLk6:Ao+vfGGyXu1jGG1wsGeBgRTGAzciETdP

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a7b773ee116682401be678d36b073850N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	a7b773ee116682401be678d36b073850N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnpciaef.exe

Executes dropped EXE 3 IoCs

pid	Process
2828	Cfhkhd32.exe
2728	Dnpciaef.exe
2684	Dpapaj32.exe

Loads dropped DLL 9 IoCs

pid	Process
2172	a7b773ee116682401be678d36b073850N.exe
2172	a7b773ee116682401be678d36b073850N.exe
2828	Cfhkhd32.exe
2828	Cfhkhd32.exe
2728	Dnpciaef.exe
2728	Dnpciaef.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dnpciaef.exe	Cfhkhd32.exe
File opened for modification	C:\Windows\SysWOW64\Dnpciaef.exe	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Pmiljc32.dll	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Cfhkhd32.exe	a7b773ee116682401be678d36b073850N.exe
File created	C:\Windows\SysWOW64\Fkdqjn32.dll	a7b773ee116682401be678d36b073850N.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dnpciaef.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Cfhkhd32.exe	a7b773ee116682401be678d36b073850N.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2748	2684	WerFault.exe	33

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a7b773ee116682401be678d36b073850N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	a7b773ee116682401be678d36b073850N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll"	a7b773ee116682401be678d36b073850N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	a7b773ee116682401be678d36b073850N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	a7b773ee116682401be678d36b073850N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	a7b773ee116682401be678d36b073850N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	a7b773ee116682401be678d36b073850N.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2828	2172	a7b773ee116682401be678d36b073850N.exe	31
PID 2172 wrote to memory of 2828	2172	a7b773ee116682401be678d36b073850N.exe	31
PID 2172 wrote to memory of 2828	2172	a7b773ee116682401be678d36b073850N.exe	31
PID 2172 wrote to memory of 2828	2172	a7b773ee116682401be678d36b073850N.exe	31
PID 2828 wrote to memory of 2728	2828	Cfhkhd32.exe	32
PID 2828 wrote to memory of 2728	2828	Cfhkhd32.exe	32
PID 2828 wrote to memory of 2728	2828	Cfhkhd32.exe	32
PID 2828 wrote to memory of 2728	2828	Cfhkhd32.exe	32
PID 2728 wrote to memory of 2684	2728	Dnpciaef.exe	33
PID 2728 wrote to memory of 2684	2728	Dnpciaef.exe	33
PID 2728 wrote to memory of 2684	2728	Dnpciaef.exe	33
PID 2728 wrote to memory of 2684	2728	Dnpciaef.exe	33
PID 2684 wrote to memory of 2748	2684	Dpapaj32.exe	34
PID 2684 wrote to memory of 2748	2684	Dpapaj32.exe	34
PID 2684 wrote to memory of 2748	2684	Dpapaj32.exe	34
PID 2684 wrote to memory of 2748	2684	Dpapaj32.exe	34

C:\Users\Admin\AppData\Local\Temp\a7b773ee116682401be678d36b073850N.exe
"C:\Users\Admin\AppData\Local\Temp\a7b773ee116682401be678d36b073850N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\SysWOW64\Cfhkhd32.exe
  C:\Windows\system32\Cfhkhd32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\SysWOW64\Dnpciaef.exe
    C:\Windows\system32\Dnpciaef.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\SysWOW64\Dpapaj32.exe
      C:\Windows\system32\Dpapaj32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 144
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
384KB

MD5
471a4629b2e4f0a1d9b2f89b12116d59

SHA1
8f81c210de4b88d9a65ed8fa465e678a4c0feb8d

SHA256
0e44b0d61d0c99b2dea644a3ca4bd1dc878f393e8fea42b1879d234fa9c80558

SHA512
373f5cd88f0344caf21cc96d54c2069e1bee850d4769ae10618542593a1696d1034cd7b8d84e17bc2c236b3efcbf47a821a0dd2a87ac0538c7b7ca32cb2cebc1

Download Submit
\Windows\SysWOW64\Cfhkhd32.exe

Filesize
384KB

MD5
5c07d6c2cf680c0182e1b6a7963bb8ea

SHA1
93f872cec2bc6838c66598b1f5922998722f591d

SHA256
098e16c42ce5773eb17b80d258d9487e91b3226335ee45b7bf49a427458ae133

SHA512
8f644009642816de5371859abbc2af18b839bb987b30f12f6bdf2cd26227f057eb26fb4c1252f7c2bc4171703e0197424737516d065745f07bd4b9b6d41b41e3

Download Submit
\Windows\SysWOW64\Dnpciaef.exe

Filesize
384KB

MD5
20993d6a07d1e1d9b80bd50ae19752ab

SHA1
343e31a9c7efc63adfd829270eff42bf7801bd51

SHA256
12b154668a3b7a9d9be1e8b0f791523d930002789e79c5bb7d394644806591b6

SHA512
eb20dce883a5aa789591275d1d031126ccf2ac91e96886088f4ee3d79c560f9d9dcc15247b7d453b301bc4bb72aa0fa991a03932b0bc1a955d62da1d79703b9f

Download Submit
memory/2172-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2172-13-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2172-12-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2172-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2684-51-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2684-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2728-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2728-43-0x0000000000310000-0x0000000000344000-memory.dmp

Filesize
208KB

Download
memory/2828-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2828-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads