0b247ed322275156fbd7ad46c49dea585cb0adad17ea4413fd6275cdccb3de9a

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2024, 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3cbb5415a6c882b1e8a71d93ab6c0ac0N.exe
Size

91KB
MD5

3cbb5415a6c882b1e8a71d93ab6c0ac0
SHA1

ebd21de777e7420f85f8b94bb8f7bb80e5038366
SHA256

0b247ed322275156fbd7ad46c49dea585cb0adad17ea4413fd6275cdccb3de9a
SHA512

bee18e0626f4ea74bdd3bbe0b01cd145848b6e21a25ea1435aa99ed78b14fcf4fe9c13dd18243d024e06bf80bfd18b3c7aa510d2363ca084f482c0e57abe9eed
SSDEEP

1536:jgBFU4PvuQzDUgbhv6zg2w7wutk6NdPCMwdghkOe+TMI:jWFru41hiz+htjHwihEP

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3cbb5415a6c882b1e8a71d93ab6c0ac0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	3cbb5415a6c882b1e8a71d93ab6c0ac0N.exe

Executes dropped EXE 1 IoCs

pid	Process
1088	Dmllipeg.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	3cbb5415a6c882b1e8a71d93ab6c0ac0N.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	3cbb5415a6c882b1e8a71d93ab6c0ac0N.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	3cbb5415a6c882b1e8a71d93ab6c0ac0N.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
640	1088	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3cbb5415a6c882b1e8a71d93ab6c0ac0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	3cbb5415a6c882b1e8a71d93ab6c0ac0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	3cbb5415a6c882b1e8a71d93ab6c0ac0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	3cbb5415a6c882b1e8a71d93ab6c0ac0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	3cbb5415a6c882b1e8a71d93ab6c0ac0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	3cbb5415a6c882b1e8a71d93ab6c0ac0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	3cbb5415a6c882b1e8a71d93ab6c0ac0N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 1088	1284	3cbb5415a6c882b1e8a71d93ab6c0ac0N.exe	83
PID 1284 wrote to memory of 1088	1284	3cbb5415a6c882b1e8a71d93ab6c0ac0N.exe	83
PID 1284 wrote to memory of 1088	1284	3cbb5415a6c882b1e8a71d93ab6c0ac0N.exe	83

C:\Users\Admin\AppData\Local\Temp\3cbb5415a6c882b1e8a71d93ab6c0ac0N.exe
"C:\Users\Admin\AppData\Local\Temp\3cbb5415a6c882b1e8a71d93ab6c0ac0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Windows\SysWOW64\Dmllipeg.exe
  C:\Windows\system32\Dmllipeg.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1088
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 396
    3⤵
    - Program crash
    PID:640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1088 -ip 1088
1⤵
PID:3112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
91KB

MD5
99d53b63d2575ec04d7f2d41067c43d7

SHA1
97106bf78231a39f5c34e083ec19dbbb99677d4d

SHA256
ba8ad991732c87ed0d6ff0b4e1443afce8aae0f8688a841ef9edfc656626a992

SHA512
124be2cb7210e99b53a13b63a7c769dafb2c959e887e50411be4fa1f086b3ae6db5c82cbc3f9de2904b27d222cd35bf61c5cb3fecb7d658430bb1c3be20e4baf

Download Submit
memory/1088-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1088-11-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1284-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1284-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads