644b555ad8e3ee9a5b0d111bf704cb3f68c902c616eda6ef83bfc86369d4fbb8

General

Target

c1c984e2d804a70addd1960a82461a90N.exe
Size

78KB
MD5

c1c984e2d804a70addd1960a82461a90
SHA1

9439344328f5c3c4072e42dab5bfe3d7864258e1
SHA256

644b555ad8e3ee9a5b0d111bf704cb3f68c902c616eda6ef83bfc86369d4fbb8
SHA512

3e2f5a26f1c9eadf282581607090ff81825e3ff185e3d29d8ee830d931c7e3556567f859ce118c4ef24fb7d8f6233a9fbb6666dba6391cfdb353d11bede11e25
SSDEEP

1536:ROXyQ0+xQTKTrHT8BpXlYZ1MtniV3N+zL20gJi1ie:RYyQ32Azwp10qtniV3gzL20WKt

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c1c984e2d804a70addd1960a82461a90N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c1c984e2d804a70addd1960a82461a90N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbfjkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbfjkj32.exe

Executes dropped EXE 2 IoCs

pid	Process
2224	Fbfjkj32.exe
2732	Flnndp32.exe

Loads dropped DLL 8 IoCs

pid	Process
1368	c1c984e2d804a70addd1960a82461a90N.exe
1368	c1c984e2d804a70addd1960a82461a90N.exe
2224	Fbfjkj32.exe
2224	Fbfjkj32.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fbfjkj32.exe	c1c984e2d804a70addd1960a82461a90N.exe
File opened for modification	C:\Windows\SysWOW64\Fbfjkj32.exe	c1c984e2d804a70addd1960a82461a90N.exe
File created	C:\Windows\SysWOW64\Fiakeijo.dll	c1c984e2d804a70addd1960a82461a90N.exe
File created	C:\Windows\SysWOW64\Flnndp32.exe	Fbfjkj32.exe
File opened for modification	C:\Windows\SysWOW64\Flnndp32.exe	Fbfjkj32.exe
File created	C:\Windows\SysWOW64\Onndkg32.dll	Fbfjkj32.exe

Program crash 1 IoCs

pid	pid_target	Process
2828	2732	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c1c984e2d804a70addd1960a82461a90N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbfjkj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flnndp32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbfjkj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	c1c984e2d804a70addd1960a82461a90N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	c1c984e2d804a70addd1960a82461a90N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	c1c984e2d804a70addd1960a82461a90N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiakeijo.dll"	c1c984e2d804a70addd1960a82461a90N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	c1c984e2d804a70addd1960a82461a90N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	c1c984e2d804a70addd1960a82461a90N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbfjkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onndkg32.dll"	Fbfjkj32.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 2224	1368	c1c984e2d804a70addd1960a82461a90N.exe	30
PID 1368 wrote to memory of 2224	1368	c1c984e2d804a70addd1960a82461a90N.exe	30
PID 1368 wrote to memory of 2224	1368	c1c984e2d804a70addd1960a82461a90N.exe	30
PID 1368 wrote to memory of 2224	1368	c1c984e2d804a70addd1960a82461a90N.exe	30
PID 2224 wrote to memory of 2732	2224	Fbfjkj32.exe	31
PID 2224 wrote to memory of 2732	2224	Fbfjkj32.exe	31
PID 2224 wrote to memory of 2732	2224	Fbfjkj32.exe	31
PID 2224 wrote to memory of 2732	2224	Fbfjkj32.exe	31
PID 2732 wrote to memory of 2828	2732	Flnndp32.exe	32
PID 2732 wrote to memory of 2828	2732	Flnndp32.exe	32
PID 2732 wrote to memory of 2828	2732	Flnndp32.exe	32
PID 2732 wrote to memory of 2828	2732	Flnndp32.exe	32

C:\Users\Admin\AppData\Local\Temp\c1c984e2d804a70addd1960a82461a90N.exe
"C:\Users\Admin\AppData\Local\Temp\c1c984e2d804a70addd1960a82461a90N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\SysWOW64\Fbfjkj32.exe
  C:\Windows\system32\Fbfjkj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\SysWOW64\Flnndp32.exe
    C:\Windows\system32\Flnndp32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 140
      4⤵
      Loads dropped DLL
      Program crash
      PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Flnndp32.exe

Filesize
78KB

MD5
7af4345c66fca04ae4607e0123b7fa7a

SHA1
c639fa43f5eafd37fc400df6a7ed1183e038345f

SHA256
640c9cd35f7fd46102c66f434f2afa99b6dbfe84f42c0a1ef7500dd7b3b1b175

SHA512
45735279e1c91be4eb757a5636462ea623093248ed772af25befe23def8775552a8186514f24f77a70a227a6854cdb4e9c95e4817ca65b6a2133db6695b95f2a

Download Submit
\Windows\SysWOW64\Fbfjkj32.exe

Filesize
78KB

MD5
41be70fead5900e380ea140bf8f00e84

SHA1
a7f83ec5f2dec5976d6c6ff25bb7b9b033417c04

SHA256
ff1f2f864ff7690b3a7d6edcf74334a2103426fc57de02fe82f2eddcf08d3338

SHA512
d00eeb124d3845a9aed57d00d36918ebdfad0d57e4808501ff9a9489120ca91b7b0d904e39dbe3220df1cc46e9584ab685d1230ff856ee26e50601a8c52b8827

Download Submit
memory/1368-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1368-13-0x00000000002F0000-0x0000000000331000-memory.dmp

Filesize
260KB

Download
memory/1368-12-0x00000000002F0000-0x0000000000331000-memory.dmp

Filesize
260KB

Download
memory/1368-32-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1368-33-0x00000000002F0000-0x0000000000331000-memory.dmp

Filesize
260KB

Download
memory/2224-19-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2224-34-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2732-27-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2732-35-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads