df88fedb75e506a9db79ef506050912571330f83bd24766c11d3452d7164a026

General

Target

ed9c562a353c03afa8808ee1bcf84ad0N.exe
Size

80KB
MD5

ed9c562a353c03afa8808ee1bcf84ad0
SHA1

cf3272b5f34b3f78909de5da54cf6545d38c9380
SHA256

df88fedb75e506a9db79ef506050912571330f83bd24766c11d3452d7164a026
SHA512

a2ef381b6830716a337761343803faedd92dc6ef635feb618090a02d8811a396cbe3451aa29594d1bd8e6a92a14214d202812e37b8e6adcd447659e8d39ce449
SSDEEP

1536:Zlr6Pv3cnrXEXRfmlWJaitX9zsvVE8mYbESRQAYJRJJ5R2xOSC4BG:Pr6or0XQIa2svVXmYbDe9rJ5wxO344

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ed9c562a353c03afa8808ee1bcf84ad0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	ed9c562a353c03afa8808ee1bcf84ad0N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dnpciaef.exe

Executes dropped EXE 4 IoCs

pid	Process
2632	Ccjoli32.exe
1304	Cfhkhd32.exe
2156	Dnpciaef.exe
2808	Dpapaj32.exe

Loads dropped DLL 8 IoCs

pid	Process
2988	ed9c562a353c03afa8808ee1bcf84ad0N.exe
2988	ed9c562a353c03afa8808ee1bcf84ad0N.exe
2632	Ccjoli32.exe
2632	Ccjoli32.exe
1304	Cfhkhd32.exe
1304	Cfhkhd32.exe
2156	Dnpciaef.exe
2156	Dnpciaef.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ccjoli32.exe	ed9c562a353c03afa8808ee1bcf84ad0N.exe
File opened for modification	C:\Windows\SysWOW64\Ccjoli32.exe	ed9c562a353c03afa8808ee1bcf84ad0N.exe
File opened for modification	C:\Windows\SysWOW64\Cfhkhd32.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Fkdqjn32.dll	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Dnpciaef.exe	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Ciohdhad.dll	ed9c562a353c03afa8808ee1bcf84ad0N.exe
File created	C:\Windows\SysWOW64\Cfhkhd32.exe	Ccjoli32.exe
File opened for modification	C:\Windows\SysWOW64\Dnpciaef.exe	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Pmiljc32.dll	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dnpciaef.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32†Glnbhfak.¾ll	Dpapaj32.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed9c562a353c03afa8808ee1bcf84ad0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe

Modifies registry class 20 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	ed9c562a353c03afa8808ee1bcf84ad0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciohdhad.dll"	ed9c562a353c03afa8808ee1bcf84ad0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID	Dpapaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs\I´Pro¹Ser¬er3è\ = "C:\\Windows\\system32†Glnbhfak.¾ll"	Dpapaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	ed9c562a353c03afa8808ee1bcf84ad0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	ed9c562a353c03afa8808ee1bcf84ad0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	ed9c562a353c03afa8808ee1bcf84ad0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs\I´Pro¹Ser¬er3è\Th¨ead³ngMµdelÚ = "›par®men®"	Dpapaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	ed9c562a353c03afa8808ee1bcf84ad0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs\I´Pro¹Ser¬er3è	Dpapaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs	Dpapaj32.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 2632	2988	ed9c562a353c03afa8808ee1bcf84ad0N.exe	31
PID 2988 wrote to memory of 2632	2988	ed9c562a353c03afa8808ee1bcf84ad0N.exe	31
PID 2988 wrote to memory of 2632	2988	ed9c562a353c03afa8808ee1bcf84ad0N.exe	31
PID 2988 wrote to memory of 2632	2988	ed9c562a353c03afa8808ee1bcf84ad0N.exe	31
PID 2632 wrote to memory of 1304	2632	Ccjoli32.exe	32
PID 2632 wrote to memory of 1304	2632	Ccjoli32.exe	32
PID 2632 wrote to memory of 1304	2632	Ccjoli32.exe	32
PID 2632 wrote to memory of 1304	2632	Ccjoli32.exe	32
PID 1304 wrote to memory of 2156	1304	Cfhkhd32.exe	33
PID 1304 wrote to memory of 2156	1304	Cfhkhd32.exe	33
PID 1304 wrote to memory of 2156	1304	Cfhkhd32.exe	33
PID 1304 wrote to memory of 2156	1304	Cfhkhd32.exe	33
PID 2156 wrote to memory of 2808	2156	Dnpciaef.exe	34
PID 2156 wrote to memory of 2808	2156	Dnpciaef.exe	34
PID 2156 wrote to memory of 2808	2156	Dnpciaef.exe	34
PID 2156 wrote to memory of 2808	2156	Dnpciaef.exe	34

C:\Users\Admin\AppData\Local\Temp\ed9c562a353c03afa8808ee1bcf84ad0N.exe
"C:\Users\Admin\AppData\Local\Temp\ed9c562a353c03afa8808ee1bcf84ad0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Windows\SysWOW64\Ccjoli32.exe
  C:\Windows\system32\Ccjoli32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\Cfhkhd32.exe
    C:\Windows\system32\Cfhkhd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1304
  - - C:\Windows\SysWOW64\Dnpciaef.exe
      C:\Windows\system32\Dnpciaef.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2156
    - - C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
80KB

MD5
da777ee871b5bb58cdaa30eace364dd1

SHA1
d719dbf342e9de3c021e98fb5c8556401c82ae77

SHA256
2591f7b210a927ac89c8d990836c7c406bc0bef8fc3473efbdc9cea9c40d00f5

SHA512
0fe44e8d599ac2b8a50642b79f477ff8d4e42fb9073a7efb04ed2fcc5179e7497957177562920a5382f761e48021f8286740494e8c4adc20f5f18eefe320b749

Download Submit
\Windows\SysWOW64\Ccjoli32.exe

Filesize
80KB

MD5
d34ed5f9310c58f9ad72778f3bd8e0f1

SHA1
873975ebbf63afdd83bd172ebb7e48ccb67d35a0

SHA256
2eb2ac80b3d9e66c63629c301ec6ea099b7112dcf6e0724a150b87ab91b52bd6

SHA512
fedac8f4918c7d7d010084507bcd98b56e4732ee9ad60f18b0541aef98e659cf4956ca08eda52894b6d7d41879f8f4c3d1103180b2e612d3484c56f7c6bcf9f6

Download Submit
\Windows\SysWOW64\Cfhkhd32.exe

Filesize
80KB

MD5
a337213b3b38371be8dd53d7f4ea692c

SHA1
e219394e51c19c3b2165505c5e1af0cbbae6ae4f

SHA256
195cc2595458f2ed1bba3636ba3c5974c1d8b5bd3b7ea353cb3edc0f3366bc0e

SHA512
aa87fd62611891c27dfa390d9882360c6c121229213aa3f7f7bcec25b8c7be24a8cca18f8b3df6277e1144d08e0dffee53ab1e5324b30daa528c6899d0e5fd1b

Download Submit
\Windows\SysWOW64\Dnpciaef.exe

Filesize
80KB

MD5
ced07ea80490c50bb4ebad5d5b26c0d2

SHA1
2307087f8552f349ce5dfb0c28af33de94dc22d8

SHA256
d1c66c8b4c4e15b4755430a9fb608cc024b918b741213bf5164047277c8573ae

SHA512
817481b2e1ddde6dde4d38d06873ea1ee92126e94251eadcc2af4ce96464fa95e4739aa167ba2569dd0330289f95811c1167aac16c5c273ab93695d7760f2ab5

Download Submit
memory/1304-27-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1304-61-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2156-45-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2156-52-0x00000000002F0000-0x0000000000329000-memory.dmp

Filesize
228KB

Download
memory/2632-56-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2632-14-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2808-57-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2808-60-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2988-13-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download
memory/2988-12-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download
memory/2988-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2988-55-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download
memory/2988-53-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads