87f4c2ef72ded1c675c542e7c652e598c1972e682f5f4aa152646740b7f8b20d

General

Target

b9468fb9f47112597f2e90e691123140N.exe
Size

76KB
MD5

b9468fb9f47112597f2e90e691123140
SHA1

00f8e977db083238aac1c3f0a7746cab817ee196
SHA256

87f4c2ef72ded1c675c542e7c652e598c1972e682f5f4aa152646740b7f8b20d
SHA512

18a3ca53ad765988dc7c7a00b5648c65aecda184ceb237cbc98142ad48350fb5d9f1e6e29b423f159a13603d21e7dcde3bf96a3f0739eb42bb0843ed87b529e1
SSDEEP

1536:KHb/0TApR43r0TDFl2MgzCgthPC7HioQV+/eCeyvCQ:aVjfDFl2MgGgtha7Hrk+

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	b9468fb9f47112597f2e90e691123140N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b9468fb9f47112597f2e90e691123140N.exe

Executes dropped EXE 5 IoCs

pid	Process
896	Calcpm32.exe
2744	Ccjoli32.exe
2752	Djdgic32.exe
2676	Danpemej.exe
2808	Dpapaj32.exe

Loads dropped DLL 13 IoCs

pid	Process
2336	b9468fb9f47112597f2e90e691123140N.exe
2336	b9468fb9f47112597f2e90e691123140N.exe
896	Calcpm32.exe
896	Calcpm32.exe
2744	Ccjoli32.exe
2744	Ccjoli32.exe
2752	Djdgic32.exe
2752	Djdgic32.exe
2676	Danpemej.exe
2676	Danpemej.exe
2720	WerFault.exe
2720	WerFault.exe
2720	WerFault.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Djdgic32.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Danpemej.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Danpemej.exe
File created	C:\Windows\SysWOW64\Calcpm32.exe	b9468fb9f47112597f2e90e691123140N.exe
File opened for modification	C:\Windows\SysWOW64\Calcpm32.exe	b9468fb9f47112597f2e90e691123140N.exe
File created	C:\Windows\SysWOW64\Ccjoli32.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Ciohdhad.dll	Calcpm32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Ofaejacl.dll	b9468fb9f47112597f2e90e691123140N.exe
File opened for modification	C:\Windows\SysWOW64\Ccjoli32.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Ccofjipn.dll	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Cbehjc32.dll	Djdgic32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Djdgic32.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Danpemej.exe	Djdgic32.exe
File opened for modification	C:\Windows\SysWOW64\Danpemej.exe	Djdgic32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Danpemej.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2720	2808	WerFault.exe	35

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danpemej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b9468fb9f47112597f2e90e691123140N.exe

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	b9468fb9f47112597f2e90e691123140N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	b9468fb9f47112597f2e90e691123140N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll"	b9468fb9f47112597f2e90e691123140N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	b9468fb9f47112597f2e90e691123140N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciohdhad.dll"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	b9468fb9f47112597f2e90e691123140N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danpemej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	b9468fb9f47112597f2e90e691123140N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbehjc32.dll"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danpemej.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 896	2336	b9468fb9f47112597f2e90e691123140N.exe	31
PID 2336 wrote to memory of 896	2336	b9468fb9f47112597f2e90e691123140N.exe	31
PID 2336 wrote to memory of 896	2336	b9468fb9f47112597f2e90e691123140N.exe	31
PID 2336 wrote to memory of 896	2336	b9468fb9f47112597f2e90e691123140N.exe	31
PID 896 wrote to memory of 2744	896	Calcpm32.exe	32
PID 896 wrote to memory of 2744	896	Calcpm32.exe	32
PID 896 wrote to memory of 2744	896	Calcpm32.exe	32
PID 896 wrote to memory of 2744	896	Calcpm32.exe	32
PID 2744 wrote to memory of 2752	2744	Ccjoli32.exe	33
PID 2744 wrote to memory of 2752	2744	Ccjoli32.exe	33
PID 2744 wrote to memory of 2752	2744	Ccjoli32.exe	33
PID 2744 wrote to memory of 2752	2744	Ccjoli32.exe	33
PID 2752 wrote to memory of 2676	2752	Djdgic32.exe	34
PID 2752 wrote to memory of 2676	2752	Djdgic32.exe	34
PID 2752 wrote to memory of 2676	2752	Djdgic32.exe	34
PID 2752 wrote to memory of 2676	2752	Djdgic32.exe	34
PID 2676 wrote to memory of 2808	2676	Danpemej.exe	35
PID 2676 wrote to memory of 2808	2676	Danpemej.exe	35
PID 2676 wrote to memory of 2808	2676	Danpemej.exe	35
PID 2676 wrote to memory of 2808	2676	Danpemej.exe	35
PID 2808 wrote to memory of 2720	2808	Dpapaj32.exe	36
PID 2808 wrote to memory of 2720	2808	Dpapaj32.exe	36
PID 2808 wrote to memory of 2720	2808	Dpapaj32.exe	36
PID 2808 wrote to memory of 2720	2808	Dpapaj32.exe	36

C:\Users\Admin\AppData\Local\Temp\b9468fb9f47112597f2e90e691123140N.exe
"C:\Users\Admin\AppData\Local\Temp\b9468fb9f47112597f2e90e691123140N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\SysWOW64\Calcpm32.exe
  C:\Windows\system32\Calcpm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:896
- - C:\Windows\SysWOW64\Ccjoli32.exe
    C:\Windows\system32\Ccjoli32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\SysWOW64\Djdgic32.exe
      C:\Windows\system32\Djdgic32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Windows\SysWOW64\Danpemej.exe
        
        C:\Windows\system32\Danpemej.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
      - C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 144
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Danpemej.exe

Filesize
76KB

MD5
6296ac738f00360b5054a21a3434dae0

SHA1
417ac16e18e9f91007d4579072ade099b21d22e3

SHA256
2107f6b2f9e239eedb03ba6d6414696a337b1ae284746bf227291360dc9e384b

SHA512
48f3c0097e6cf02af9c104f74b89c267b0caeb07a6cb42bdcfd7377772f3f5022a4cffcae9274859b41a99c83c6469c29063d39b9af9d1cab84535bc79d71d92

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
76KB

MD5
3d998b1041df46dc9f5d95332f600c69

SHA1
fa006941f1b595b9363416a32faf1cfe1a455e7f

SHA256
81aace9af379646476079533d66ec22a92894918032490346087837b5bf6a14d

SHA512
975de92891c32cd10bcb40fa410dfc5feda52dcc2b214fa1111f96bb062e62e5ac4dfacf94786dd064f617fe54cc105c7bd6772beaf585bd12c42ca99194a4b7

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
76KB

MD5
688bba21830b0d568da7f6169ffe7c78

SHA1
a91eb6d473fb28bd6f519d364113cfc95b7a65a8

SHA256
9e9bd65825381af4dc19b03fc5b8207572f261fbf1fb93ceefa57b719af441d4

SHA512
e02ed9d391c7bfcba187be40d1bf7842c2dabe4e0c9c2086415751f48813ad39b1c433e7e82b93ab7af70ab2994d492d5f9c326a57e8900cec9c314b734d1bab

Download Submit
\Windows\SysWOW64\Calcpm32.exe

Filesize
76KB

MD5
81e9ddd548e9e9f6ac1cc9e61415cb41

SHA1
5f800f5cb85cd9907c0a20249dccc69659b70871

SHA256
0f100c1414ce17a662fa5b8ab9fa7d5d870b729532b682bab57361e6287cbf95

SHA512
83b1ef58bef761530df21c8ee80d6bb979f5490ccb63cc52b2ea9251ea29da9330d76024fdc70c153576786cbe871065634aa5443a7456f094435dac76b296f1

Download Submit
\Windows\SysWOW64\Ccjoli32.exe

Filesize
76KB

MD5
06dd22f47a82293520574c26113c0185

SHA1
f50864fdd9ec5c6e02418519b06d0a49bcf35c25

SHA256
01402c6f01d4c8855faf1448baa6998c1d5e751542670ee57930fd14678795af

SHA512
ad87d96dba976eaf0b0c0ed2641e627bbe833031c534be30f41cdd31f337509f15d81916efd7fa215eb298e6221d71a430c2c16b5a785954b5931a4e3442272b

Download Submit
memory/896-18-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2336-17-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2336-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2336-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2676-65-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2744-26-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2744-74-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2752-52-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2752-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2752-75-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2808-66-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2808-76-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads