b1ef017a51d00852a0d5be98d3aea9f1f84c8aad396d61de77358901faf0660e

General

Target

69445e9a758093f0c259d3c447337720N.exe
Size

512KB
MD5

69445e9a758093f0c259d3c447337720
SHA1

8c68e8888cff538e734633f4d2a4391b03ebe3b6
SHA256

b1ef017a51d00852a0d5be98d3aea9f1f84c8aad396d61de77358901faf0660e
SHA512

d8b399de5baa9290e55c2fc0eb18fd3587944bd9f62901c50156894966e48424705223c18b0339ee5545d387ca78f5b8f35db46c05fff401ec241d175057b108
SSDEEP

6144:pijZwDHgKBgrTErdQt383PQ///NR5fKr2n0MO3LPlkUCmVs5bPQ///NR5fjlt01v:pij2dgr1r/Ng1/Nblt01PBExK

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	69445e9a758093f0c259d3c447337720N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jilnqqbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jilnqqbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Joffnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Joffnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	69445e9a758093f0c259d3c447337720N.exe

Executes dropped EXE 3 IoCs

pid	Process
4924	Jilnqqbj.exe
4132	Joffnk32.exe
4112	Jbgoof32.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jbgoof32.exe	Joffnk32.exe
File created	C:\Windows\SysWOW64\Jilnqqbj.exe	69445e9a758093f0c259d3c447337720N.exe
File created	C:\Windows\SysWOW64\Jdljmf32.dll	69445e9a758093f0c259d3c447337720N.exe
File opened for modification	C:\Windows\SysWOW64\Joffnk32.exe	Jilnqqbj.exe
File created	C:\Windows\SysWOW64\Ibcllpfj.dll	Jilnqqbj.exe
File opened for modification	C:\Windows\SysWOW64\Jilnqqbj.exe	69445e9a758093f0c259d3c447337720N.exe
File created	C:\Windows\SysWOW64\Joffnk32.exe	Jilnqqbj.exe
File created	C:\Windows\SysWOW64\Jbgoof32.exe	Joffnk32.exe
File created	C:\Windows\SysWOW64\Aaccdk32.dll	Joffnk32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3116	4112	WerFault.exe	86
1436	4112	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	69445e9a758093f0c259d3c447337720N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jilnqqbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Joffnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbgoof32.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	69445e9a758093f0c259d3c447337720N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	69445e9a758093f0c259d3c447337720N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdljmf32.dll"	69445e9a758093f0c259d3c447337720N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	69445e9a758093f0c259d3c447337720N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jilnqqbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Joffnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	69445e9a758093f0c259d3c447337720N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	69445e9a758093f0c259d3c447337720N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibcllpfj.dll"	Jilnqqbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jilnqqbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaccdk32.dll"	Joffnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Joffnk32.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4844 wrote to memory of 4924	4844	69445e9a758093f0c259d3c447337720N.exe	84
PID 4844 wrote to memory of 4924	4844	69445e9a758093f0c259d3c447337720N.exe	84
PID 4844 wrote to memory of 4924	4844	69445e9a758093f0c259d3c447337720N.exe	84
PID 4924 wrote to memory of 4132	4924	Jilnqqbj.exe	85
PID 4924 wrote to memory of 4132	4924	Jilnqqbj.exe	85
PID 4924 wrote to memory of 4132	4924	Jilnqqbj.exe	85
PID 4132 wrote to memory of 4112	4132	Joffnk32.exe	86
PID 4132 wrote to memory of 4112	4132	Joffnk32.exe	86
PID 4132 wrote to memory of 4112	4132	Joffnk32.exe	86

C:\Users\Admin\AppData\Local\Temp\69445e9a758093f0c259d3c447337720N.exe
"C:\Users\Admin\AppData\Local\Temp\69445e9a758093f0c259d3c447337720N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Windows\SysWOW64\Jilnqqbj.exe
  C:\Windows\system32\Jilnqqbj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Windows\SysWOW64\Joffnk32.exe
    C:\Windows\system32\Joffnk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4132
  - - C:\Windows\SysWOW64\Jbgoof32.exe
      C:\Windows\system32\Jbgoof32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4112
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 400
        5⤵
        Program crash
        
        PID:3116
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 404
        5⤵
        Program crash
        
        PID:1436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4112 -ip 4112
1⤵
PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4112 -ip 4112
1⤵
PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jbgoof32.exe

Filesize
512KB

MD5
78d895a10527ff7e9a736c7543cf0826

SHA1
352ffb6a4a8876e85872e272ae92b6ef845c693c

SHA256
d751546b45be10c1f25ce0561f98a87e45e434d48c12e18963dec20d2f712725

SHA512
1e404d1b97d0c1556233829c2a2fb866ebea40ee57653220aa4beefb907c3f0b4d7ed6c1be3feeb9def604f3109bb3e1e8f708d3c453c3d5d84d87893de6c5f2

Download Submit
C:\Windows\SysWOW64\Jilnqqbj.exe

Filesize
512KB

MD5
f23eb851f63bfd06a6d35f3aea293931

SHA1
82fd24a80004475170e4de11a5716d34378bbf98

SHA256
292a168aabffb650a0c3f6bf274a50548455f2258f8a2ce9d35bffa967f413b1

SHA512
6132adbc236b1598ca89a2e0cf9b78b02f685b14903d3f30d901269ad5aca212b0d3b9eb105519f6734dbbda52940a9148bdb37000990196fab60dfc9e767592

Download Submit
C:\Windows\SysWOW64\Joffnk32.exe

Filesize
512KB

MD5
15d133202b48a06a34e33669aea4fc40

SHA1
dd758f414dd970aa3f0e0926f033bb22189c7da3

SHA256
029f056e67ccc3f5b4703c6d7aad6f226505c6e1638066cc0e2beff93698c75f

SHA512
286b4198583bbb93d3b4fc154a597689d8dfcaf2fbd347b3de1edf084c55ecf1eac0b564f2d4280c2db6216aa9032d3ad23b33a7f4d19226af07cf83e72d8619

Download Submit
memory/4112-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4112-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4132-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4132-29-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4844-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4924-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4924-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads