c591e4b2a6a197e45ffdb456c9d1e289b4599803ca7e8d70d79ed86d3ffeee22

General

Target

4b443d3e714b3c2da5bec8b6a27c8100N.exe
Size

73KB
MD5

4b443d3e714b3c2da5bec8b6a27c8100
SHA1

7c14d5938cb01f52cb31c2a6192e850670a25cc1
SHA256

c591e4b2a6a197e45ffdb456c9d1e289b4599803ca7e8d70d79ed86d3ffeee22
SHA512

89591a1a99c12a9bc11a0f32dac62ccdc1f2bb0ba1da18665f122bd9535250e58dc6357a7f2f0aac4d8c37f39ae448a295576c099d4be5a8dffbc18199c05607
SSDEEP

1536:ChJB+GyIEZWUosqxSsHlHH888Hf1oEafH2LodryyA:QYIECsbsHlHH888Hfsso5C

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4b443d3e714b3c2da5bec8b6a27c8100N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	4b443d3e714b3c2da5bec8b6a27c8100N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ladebd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ladebd32.exe

Executes dropped EXE 2 IoCs

pid	Process
2192	Ladebd32.exe
2692	Lepaccmo.exe

Loads dropped DLL 8 IoCs

pid	Process
3044	4b443d3e714b3c2da5bec8b6a27c8100N.exe
3044	4b443d3e714b3c2da5bec8b6a27c8100N.exe
2192	Ladebd32.exe
2192	Ladebd32.exe
2064	WerFault.exe
2064	WerFault.exe
2064	WerFault.exe
2064	WerFault.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ladebd32.exe	4b443d3e714b3c2da5bec8b6a27c8100N.exe
File opened for modification	C:\Windows\SysWOW64\Ladebd32.exe	4b443d3e714b3c2da5bec8b6a27c8100N.exe
File created	C:\Windows\SysWOW64\Hbppfnao.dll	4b443d3e714b3c2da5bec8b6a27c8100N.exe
File created	C:\Windows\SysWOW64\Lepaccmo.exe	Ladebd32.exe
File opened for modification	C:\Windows\SysWOW64\Lepaccmo.exe	Ladebd32.exe
File created	C:\Windows\SysWOW64\Oldhgaef.dll	Ladebd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2064	2692	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepaccmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b443d3e714b3c2da5bec8b6a27c8100N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ladebd32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	4b443d3e714b3c2da5bec8b6a27c8100N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	4b443d3e714b3c2da5bec8b6a27c8100N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbppfnao.dll"	4b443d3e714b3c2da5bec8b6a27c8100N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oldhgaef.dll"	Ladebd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ladebd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	4b443d3e714b3c2da5bec8b6a27c8100N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	4b443d3e714b3c2da5bec8b6a27c8100N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	4b443d3e714b3c2da5bec8b6a27c8100N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ladebd32.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2192	3044	4b443d3e714b3c2da5bec8b6a27c8100N.exe	30
PID 3044 wrote to memory of 2192	3044	4b443d3e714b3c2da5bec8b6a27c8100N.exe	30
PID 3044 wrote to memory of 2192	3044	4b443d3e714b3c2da5bec8b6a27c8100N.exe	30
PID 3044 wrote to memory of 2192	3044	4b443d3e714b3c2da5bec8b6a27c8100N.exe	30
PID 2192 wrote to memory of 2692	2192	Ladebd32.exe	31
PID 2192 wrote to memory of 2692	2192	Ladebd32.exe	31
PID 2192 wrote to memory of 2692	2192	Ladebd32.exe	31
PID 2192 wrote to memory of 2692	2192	Ladebd32.exe	31
PID 2692 wrote to memory of 2064	2692	Lepaccmo.exe	32
PID 2692 wrote to memory of 2064	2692	Lepaccmo.exe	32
PID 2692 wrote to memory of 2064	2692	Lepaccmo.exe	32
PID 2692 wrote to memory of 2064	2692	Lepaccmo.exe	32

C:\Users\Admin\AppData\Local\Temp\4b443d3e714b3c2da5bec8b6a27c8100N.exe
"C:\Users\Admin\AppData\Local\Temp\4b443d3e714b3c2da5bec8b6a27c8100N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\SysWOW64\Ladebd32.exe
  C:\Windows\system32\Ladebd32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\SysWOW64\Lepaccmo.exe
    C:\Windows\system32\Lepaccmo.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 140
      4⤵
      Loads dropped DLL
      Program crash
      PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Lepaccmo.exe

Filesize
73KB

MD5
aad74e9029a9b7226016762d64feb91b

SHA1
d517a84907d0ee5182c9059616d1e80066c6582e

SHA256
6d1b88b41c64cc88ebe190920cff62b7cac7311173143d6c186c8074b8e66d35

SHA512
c6b0e8519cb72ca7361c48de9ca0d866b782cf659acfb1366f3481ce40d42b50e9a9300cf35911c05463f963d2afe93d4d645515738e17eddd04d8d3815ce5b1

Download Submit
\Windows\SysWOW64\Ladebd32.exe

Filesize
73KB

MD5
7fb206d3c6505d050b2b020787db4116

SHA1
6a522796c5118830ef47c3df04dcf629b18b2a23

SHA256
e51b2a839906df70273deff111637e8a10d7272a4fca1a4b834217f28bad1f30

SHA512
7597fddeb0baa1cd52f56aa09dd0bf6f151a0dcfce3a867e1dea25a29038f0db20258f07a6a87eae1a8784fbb4fc324fa42fdd9ca9c5c8e97fa408ff82f97267

Download Submit
memory/2192-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2192-27-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2192-34-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2692-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3044-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3044-13-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/3044-12-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/3044-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads