93f2a69e1353a93f899e08fa496d3c0fc4e5ae38a3880b25571aa8be0d883718

General

Target

9483da7817d7df10a624ebb1fc8fe530N.exe
Size

164KB
MD5

9483da7817d7df10a624ebb1fc8fe530
SHA1

6173df6d54a84e17b9bcaeac977c95e0dafd8fea
SHA256

93f2a69e1353a93f899e08fa496d3c0fc4e5ae38a3880b25571aa8be0d883718
SHA512

222063d920d8eefa77ddd627aa361946316691d58240f3fdbee74998b4dfe2145e8b9fdf5f77f2ac2460c76c7457fa68a535c349ae66b2c88fb665879f2107b9
SSDEEP

3072:p+mIPu1YyLLKG+WaZUsHq08uFafmHURHAVgnvedh6DRyU:GWey3p16q08uF8YU8gnve7GR

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdeaelok.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbhbai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	9483da7817d7df10a624ebb1fc8fe530N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	9483da7817d7df10a624ebb1fc8fe530N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkmmlgik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkmmlgik.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdeaelok.exe

Executes dropped EXE 4 IoCs

pid	Process
2688	Kkmmlgik.exe
2652	Kdeaelok.exe
3040	Kbhbai32.exe
2660	Lbjofi32.exe

Loads dropped DLL 12 IoCs

pid	Process
2640	9483da7817d7df10a624ebb1fc8fe530N.exe
2640	9483da7817d7df10a624ebb1fc8fe530N.exe
2688	Kkmmlgik.exe
2688	Kkmmlgik.exe
2652	Kdeaelok.exe
2652	Kdeaelok.exe
3040	Kbhbai32.exe
3040	Kbhbai32.exe
2576	WerFault.exe
2576	WerFault.exe
2576	WerFault.exe
2576	WerFault.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kdeaelok.exe	Kkmmlgik.exe
File opened for modification	C:\Windows\SysWOW64\Kdeaelok.exe	Kkmmlgik.exe
File created	C:\Windows\SysWOW64\Mbbhfl32.dll	Kkmmlgik.exe
File opened for modification	C:\Windows\SysWOW64\Kbhbai32.exe	Kdeaelok.exe
File opened for modification	C:\Windows\SysWOW64\Lbjofi32.exe	Kbhbai32.exe
File created	C:\Windows\SysWOW64\Ipafocdg.dll	Kbhbai32.exe
File opened for modification	C:\Windows\SysWOW64\Kkmmlgik.exe	9483da7817d7df10a624ebb1fc8fe530N.exe
File created	C:\Windows\SysWOW64\Onpeobjf.dll	9483da7817d7df10a624ebb1fc8fe530N.exe
File created	C:\Windows\SysWOW64\Kbhbai32.exe	Kdeaelok.exe
File created	C:\Windows\SysWOW64\Bndneq32.dll	Kdeaelok.exe
File created	C:\Windows\SysWOW64\Lbjofi32.exe	Kbhbai32.exe
File created	C:\Windows\SysWOW64\Kkmmlgik.exe	9483da7817d7df10a624ebb1fc8fe530N.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2576	2660	WerFault.exe	33

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhbai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9483da7817d7df10a624ebb1fc8fe530N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkmmlgik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdeaelok.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkmmlgik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkmmlgik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	9483da7817d7df10a624ebb1fc8fe530N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	9483da7817d7df10a624ebb1fc8fe530N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	9483da7817d7df10a624ebb1fc8fe530N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	9483da7817d7df10a624ebb1fc8fe530N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bndneq32.dll"	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onpeobjf.dll"	9483da7817d7df10a624ebb1fc8fe530N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbbhfl32.dll"	Kkmmlgik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipafocdg.dll"	Kbhbai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	9483da7817d7df10a624ebb1fc8fe530N.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2688	2640	9483da7817d7df10a624ebb1fc8fe530N.exe	30
PID 2640 wrote to memory of 2688	2640	9483da7817d7df10a624ebb1fc8fe530N.exe	30
PID 2640 wrote to memory of 2688	2640	9483da7817d7df10a624ebb1fc8fe530N.exe	30
PID 2640 wrote to memory of 2688	2640	9483da7817d7df10a624ebb1fc8fe530N.exe	30
PID 2688 wrote to memory of 2652	2688	Kkmmlgik.exe	31
PID 2688 wrote to memory of 2652	2688	Kkmmlgik.exe	31
PID 2688 wrote to memory of 2652	2688	Kkmmlgik.exe	31
PID 2688 wrote to memory of 2652	2688	Kkmmlgik.exe	31
PID 2652 wrote to memory of 3040	2652	Kdeaelok.exe	32
PID 2652 wrote to memory of 3040	2652	Kdeaelok.exe	32
PID 2652 wrote to memory of 3040	2652	Kdeaelok.exe	32
PID 2652 wrote to memory of 3040	2652	Kdeaelok.exe	32
PID 3040 wrote to memory of 2660	3040	Kbhbai32.exe	33
PID 3040 wrote to memory of 2660	3040	Kbhbai32.exe	33
PID 3040 wrote to memory of 2660	3040	Kbhbai32.exe	33
PID 3040 wrote to memory of 2660	3040	Kbhbai32.exe	33
PID 2660 wrote to memory of 2576	2660	Lbjofi32.exe	34
PID 2660 wrote to memory of 2576	2660	Lbjofi32.exe	34
PID 2660 wrote to memory of 2576	2660	Lbjofi32.exe	34
PID 2660 wrote to memory of 2576	2660	Lbjofi32.exe	34

C:\Users\Admin\AppData\Local\Temp\9483da7817d7df10a624ebb1fc8fe530N.exe
"C:\Users\Admin\AppData\Local\Temp\9483da7817d7df10a624ebb1fc8fe530N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\SysWOW64\Kkmmlgik.exe
  C:\Windows\system32\Kkmmlgik.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\Kdeaelok.exe
    C:\Windows\system32\Kdeaelok.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\SysWOW64\Kbhbai32.exe
      C:\Windows\system32\Kbhbai32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3040
    - - C:\Windows\SysWOW64\Lbjofi32.exe
        
        C:\Windows\system32\Lbjofi32.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2660
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 140
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kbhbai32.exe

Filesize
164KB

MD5
f9c8859351f6a712671df1a6be3b212e

SHA1
a386af6596633ff1458f61262eb6bd61434ab76e

SHA256
f36f4ca41b0ea2ac8a71213b64f7adf74b00c238ceb5c79cb42962384d72c1c7

SHA512
af54c333e8d5fe24a8cd37527f980d2fb92704ecd238401ebb20948be3bbd94fe5d04fef2f4f156a1a5cbf55a7b48cec60ae8d6168fa051f63730d81f4d71eba

Download Submit
\Windows\SysWOW64\Kdeaelok.exe

Filesize
164KB

MD5
3a0e7b39c4e1870be0a4f8db576778d9

SHA1
c923e7f82c2dbe7060b90eb5daee400430191765

SHA256
f4523d95e55b4c10f22238ac2436e6cb6f04c90c58f3f4517bd5eb5f02d427a5

SHA512
a33dc96c034475c349d2808bdda73033e8672ca8aea74f0ec76a54dbf0ea7b0fa0d9ec521368dc1c8d81efa5eac3c6802d2856c059f27386054e319cb58645a7

Download Submit
\Windows\SysWOW64\Kkmmlgik.exe

Filesize
164KB

MD5
2166fe46d190042cd9c1de6d8e780d19

SHA1
9bc7f147a35fa7f08f961dd92e4ef114d89ecd86

SHA256
ecc197554ec749da7654e37261ab8d89c9dd37f9f5da181d9b95739a7033759d

SHA512
14b50222716c6d7739052dabeaab006d4164ddd04a59a5442f34096a983898e2e06a773c3622cf26d7a6ed50d466c076dc72975b54a18151c3245f6ee792aa42

Download Submit
\Windows\SysWOW64\Lbjofi32.exe

Filesize
164KB

MD5
38f3176cd0e65433c615f8f9dcc62e3b

SHA1
1921801c13aa86899f2abc34157ac821c488bd27

SHA256
737c4501a943a7cd6fa0e368d1886c06620492dd86bd5ae02bf84f79047b57a9

SHA512
407d4514ff806b2cbc18bee2e611a592f500f16e3b2acc92fa04cd05abb191ce63240a6f651c25ca24f2883ccf4a8c0a7acc2b6aa2ccb1124655386558f2991e

Download Submit
memory/2640-11-0x0000000000260000-0x00000000002A5000-memory.dmp

Filesize
276KB

Download
memory/2640-61-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2640-12-0x0000000000260000-0x00000000002A5000-memory.dmp

Filesize
276KB

Download
memory/2640-0-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2652-34-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2660-56-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2660-64-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2688-14-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2688-27-0x0000000000260000-0x00000000002A5000-memory.dmp

Filesize
276KB

Download
memory/2688-28-0x0000000000260000-0x00000000002A5000-memory.dmp

Filesize
276KB

Download
memory/2688-62-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3040-42-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3040-63-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3040-49-0x0000000000290000-0x00000000002D5000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads