b1ef017a51d00852a0d5be98d3aea9f1f84c8aad396d61de77358901faf0660e

General

Target

69445e9a758093f0c259d3c447337720N.exe
Size

512KB
MD5

69445e9a758093f0c259d3c447337720
SHA1

8c68e8888cff538e734633f4d2a4391b03ebe3b6
SHA256

b1ef017a51d00852a0d5be98d3aea9f1f84c8aad396d61de77358901faf0660e
SHA512

d8b399de5baa9290e55c2fc0eb18fd3587944bd9f62901c50156894966e48424705223c18b0339ee5545d387ca78f5b8f35db46c05fff401ec241d175057b108
SSDEEP

6144:pijZwDHgKBgrTErdQt383PQ///NR5fKr2n0MO3LPlkUCmVs5bPQ///NR5fjlt01v:pij2dgr1r/Ng1/Nblt01PBExK

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eclbcj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecnoijbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecnoijbd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	69445e9a758093f0c259d3c447337720N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	69445e9a758093f0c259d3c447337720N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eclbcj32.exe

Executes dropped EXE 3 IoCs

pid	Process
2092	Eclbcj32.exe
2088	Ecnoijbd.exe
1568	Egikjh32.exe

Loads dropped DLL 10 IoCs

pid	Process
2104	69445e9a758093f0c259d3c447337720N.exe
2104	69445e9a758093f0c259d3c447337720N.exe
2092	Eclbcj32.exe
2092	Eclbcj32.exe
2088	Ecnoijbd.exe
2088	Ecnoijbd.exe
2492	WerFault.exe
2492	WerFault.exe
2492	WerFault.exe
2492	WerFault.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Eclbcj32.exe	69445e9a758093f0c259d3c447337720N.exe
File created	C:\Windows\SysWOW64\Bkkpkade.dll	69445e9a758093f0c259d3c447337720N.exe
File created	C:\Windows\SysWOW64\Cdfddadf.dll	Eclbcj32.exe
File opened for modification	C:\Windows\SysWOW64\Egikjh32.exe	Ecnoijbd.exe
File opened for modification	C:\Windows\SysWOW64\Eclbcj32.exe	69445e9a758093f0c259d3c447337720N.exe
File created	C:\Windows\SysWOW64\Ecnoijbd.exe	Eclbcj32.exe
File opened for modification	C:\Windows\SysWOW64\Ecnoijbd.exe	Eclbcj32.exe
File created	C:\Windows\SysWOW64\Egikjh32.exe	Ecnoijbd.exe
File created	C:\Windows\SysWOW64\Mihmog32.dll	Ecnoijbd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2492	1568	WerFault.exe	32

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	69445e9a758093f0c259d3c447337720N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eclbcj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecnoijbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egikjh32.exe

Modifies registry class 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecnoijbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	69445e9a758093f0c259d3c447337720N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkkpkade.dll"	69445e9a758093f0c259d3c447337720N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	69445e9a758093f0c259d3c447337720N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eclbcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdfddadf.dll"	Eclbcj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecnoijbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	69445e9a758093f0c259d3c447337720N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	69445e9a758093f0c259d3c447337720N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	69445e9a758093f0c259d3c447337720N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eclbcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mihmog32.dll"	Ecnoijbd.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2092	2104	69445e9a758093f0c259d3c447337720N.exe	30
PID 2104 wrote to memory of 2092	2104	69445e9a758093f0c259d3c447337720N.exe	30
PID 2104 wrote to memory of 2092	2104	69445e9a758093f0c259d3c447337720N.exe	30
PID 2104 wrote to memory of 2092	2104	69445e9a758093f0c259d3c447337720N.exe	30
PID 2092 wrote to memory of 2088	2092	Eclbcj32.exe	31
PID 2092 wrote to memory of 2088	2092	Eclbcj32.exe	31
PID 2092 wrote to memory of 2088	2092	Eclbcj32.exe	31
PID 2092 wrote to memory of 2088	2092	Eclbcj32.exe	31
PID 2088 wrote to memory of 1568	2088	Ecnoijbd.exe	32
PID 2088 wrote to memory of 1568	2088	Ecnoijbd.exe	32
PID 2088 wrote to memory of 1568	2088	Ecnoijbd.exe	32
PID 2088 wrote to memory of 1568	2088	Ecnoijbd.exe	32
PID 1568 wrote to memory of 2492	1568	Egikjh32.exe	33
PID 1568 wrote to memory of 2492	1568	Egikjh32.exe	33
PID 1568 wrote to memory of 2492	1568	Egikjh32.exe	33
PID 1568 wrote to memory of 2492	1568	Egikjh32.exe	33

C:\Users\Admin\AppData\Local\Temp\69445e9a758093f0c259d3c447337720N.exe
"C:\Users\Admin\AppData\Local\Temp\69445e9a758093f0c259d3c447337720N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\SysWOW64\Eclbcj32.exe
  C:\Windows\system32\Eclbcj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\SysWOW64\Ecnoijbd.exe
    C:\Windows\system32\Ecnoijbd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2088
  - - C:\Windows\SysWOW64\Egikjh32.exe
      C:\Windows\system32\Egikjh32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1568
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 140
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Egikjh32.exe

Filesize
512KB

MD5
e729ee634002283621af137910f090ff

SHA1
aa27248602e835a6dc553b0e8fb568f353e38320

SHA256
5709cce3cf84fd0bc6ebd12a640cc00f4c3c774b0be871ce529ebee5fd677758

SHA512
c03decf8678b94c27d71112f41bde09f6b93adb79a7b5543bceb255dce88575c5cfde7b8582432d4ef1c9bf101a609f3bd302c41cf3f050d7d988a0d49897901

Download Submit
\Windows\SysWOW64\Eclbcj32.exe

Filesize
512KB

MD5
d5c18ee982a8b99a8449794905d9b9ce

SHA1
8669a2fc1e1db2972de5fa2706d55be7d1d158e4

SHA256
daf2a9ca4a15f302ebc5ae74a2cef1830f15a51da9b4c3710b6a78fdff1999a3

SHA512
6bba071c5f18299100f82e7dcd8f367640783eb588eda668bfbc7fd841dd5929cd997dabf8ab2e8fd1344f60b8996b6b242a9938efb2f4996357e41f9ff9df10

Download Submit
\Windows\SysWOW64\Ecnoijbd.exe

Filesize
512KB

MD5
e3901ce182f5ae3dd8669c331523033d

SHA1
18029253e9b91cf1933c62a239087b1270e93577

SHA256
8de8d03832aa5c96f505f76942eb8a1ad8da68c105f14ce8803552b677bbb7ba

SHA512
92b4611e1f72efe6c0df129d885f72f8ee2dba30383a943da67bfc23d22538f3bea1874e2e8547e058010def222e7c3bca5fe39831db7a65384200669e0451e9

Download Submit
memory/1568-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2088-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2092-13-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2092-45-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2104-4-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2104-12-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2104-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads