afa3b8587115cae7fab1bb8f2647a080742178186419c500ffb6fd87f17a7a29

General

Target

0cd2ef0d79985ec8899bdcc36273e420N.exe
Size

81KB
MD5

0cd2ef0d79985ec8899bdcc36273e420
SHA1

5b686a2355520c7a71f5af26c278f92365cf6101
SHA256

afa3b8587115cae7fab1bb8f2647a080742178186419c500ffb6fd87f17a7a29
SHA512

02bf935ba157ea7c87ca73501cdc1890b52b50f761634ad79375926d382a4c88be96d66e70cfbb34fdecb4ca3d0fa3585f9971ef7b05495fd5c9dced0c0a91ae
SSDEEP

1536:B4Jx8gDltPaWrzXr+w+cSp+f2BZNiJQ+54cocoS7m4LO++/+1m6KadhYxU33HX0L:yx7fPfb+rps2+Q+54nS/LrCimBaH8UHc

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aehmoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aehmoh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0cd2ef0d79985ec8899bdcc36273e420N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	0cd2ef0d79985ec8899bdcc36273e420N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agdlfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agdlfd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aalaoipc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aalaoipc.exe

Executes dropped EXE 4 IoCs

pid	Process
2288	Agdlfd32.exe
2800	Aalaoipc.exe
2880	Aehmoh32.exe
2704	Bmenijcd.exe

Loads dropped DLL 12 IoCs

pid	Process
1872	0cd2ef0d79985ec8899bdcc36273e420N.exe
1872	0cd2ef0d79985ec8899bdcc36273e420N.exe
2288	Agdlfd32.exe
2288	Agdlfd32.exe
2800	Aalaoipc.exe
2800	Aalaoipc.exe
2880	Aehmoh32.exe
2880	Aehmoh32.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jichkb32.dll	0cd2ef0d79985ec8899bdcc36273e420N.exe
File created	C:\Windows\SysWOW64\Aalaoipc.exe	Agdlfd32.exe
File created	C:\Windows\SysWOW64\Kagbmg32.dll	Agdlfd32.exe
File created	C:\Windows\SysWOW64\Aehmoh32.exe	Aalaoipc.exe
File opened for modification	C:\Windows\SysWOW64\Aehmoh32.exe	Aalaoipc.exe
File created	C:\Windows\SysWOW64\Jgelak32.dll	Aalaoipc.exe
File created	C:\Windows\SysWOW64\Diflambo.dll	Aehmoh32.exe
File created	C:\Windows\SysWOW64\Agdlfd32.exe	0cd2ef0d79985ec8899bdcc36273e420N.exe
File opened for modification	C:\Windows\SysWOW64\Agdlfd32.exe	0cd2ef0d79985ec8899bdcc36273e420N.exe
File opened for modification	C:\Windows\SysWOW64\Aalaoipc.exe	Agdlfd32.exe
File created	C:\Windows\SysWOW64\Bmenijcd.exe	Aehmoh32.exe
File opened for modification	C:\Windows\SysWOW64\Bmenijcd.exe	Aehmoh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2812	2704	WerFault.exe	33

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0cd2ef0d79985ec8899bdcc36273e420N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agdlfd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aalaoipc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aehmoh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmenijcd.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	0cd2ef0d79985ec8899bdcc36273e420N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agdlfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	0cd2ef0d79985ec8899bdcc36273e420N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kagbmg32.dll"	Agdlfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aehmoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgelak32.dll"	Aalaoipc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diflambo.dll"	Aehmoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aehmoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jichkb32.dll"	0cd2ef0d79985ec8899bdcc36273e420N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agdlfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aalaoipc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aalaoipc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	0cd2ef0d79985ec8899bdcc36273e420N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	0cd2ef0d79985ec8899bdcc36273e420N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	0cd2ef0d79985ec8899bdcc36273e420N.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 2288	1872	0cd2ef0d79985ec8899bdcc36273e420N.exe	30
PID 1872 wrote to memory of 2288	1872	0cd2ef0d79985ec8899bdcc36273e420N.exe	30
PID 1872 wrote to memory of 2288	1872	0cd2ef0d79985ec8899bdcc36273e420N.exe	30
PID 1872 wrote to memory of 2288	1872	0cd2ef0d79985ec8899bdcc36273e420N.exe	30
PID 2288 wrote to memory of 2800	2288	Agdlfd32.exe	31
PID 2288 wrote to memory of 2800	2288	Agdlfd32.exe	31
PID 2288 wrote to memory of 2800	2288	Agdlfd32.exe	31
PID 2288 wrote to memory of 2800	2288	Agdlfd32.exe	31
PID 2800 wrote to memory of 2880	2800	Aalaoipc.exe	32
PID 2800 wrote to memory of 2880	2800	Aalaoipc.exe	32
PID 2800 wrote to memory of 2880	2800	Aalaoipc.exe	32
PID 2800 wrote to memory of 2880	2800	Aalaoipc.exe	32
PID 2880 wrote to memory of 2704	2880	Aehmoh32.exe	33
PID 2880 wrote to memory of 2704	2880	Aehmoh32.exe	33
PID 2880 wrote to memory of 2704	2880	Aehmoh32.exe	33
PID 2880 wrote to memory of 2704	2880	Aehmoh32.exe	33
PID 2704 wrote to memory of 2812	2704	Bmenijcd.exe	34
PID 2704 wrote to memory of 2812	2704	Bmenijcd.exe	34
PID 2704 wrote to memory of 2812	2704	Bmenijcd.exe	34
PID 2704 wrote to memory of 2812	2704	Bmenijcd.exe	34

C:\Users\Admin\AppData\Local\Temp\0cd2ef0d79985ec8899bdcc36273e420N.exe
"C:\Users\Admin\AppData\Local\Temp\0cd2ef0d79985ec8899bdcc36273e420N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Windows\SysWOW64\Agdlfd32.exe
  C:\Windows\system32\Agdlfd32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\SysWOW64\Aalaoipc.exe
    C:\Windows\system32\Aalaoipc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\SysWOW64\Aehmoh32.exe
      C:\Windows\system32\Aehmoh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2880
    - - C:\Windows\SysWOW64\Bmenijcd.exe
        
        C:\Windows\system32\Bmenijcd.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2704
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 140
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aalaoipc.exe

Filesize
81KB

MD5
3d48a14e6cfc3fcd5d821e9f85b662d6

SHA1
b06b5b11def8f02a9c0603d0832e3c9efdcb63d5

SHA256
0b390f37bf7bd06ac413d5b635437029b5e5ed68844443ecee2a21a4b0dc8f13

SHA512
fdd7598d229a3de6b2fe0929a3f555bb11d63591efa059f3df0945b9dfe5a12d3b1b8e377a085f4baa54111649e037958821d624aa87aed31b0666e3db6d55f1

Download Submit
C:\Windows\SysWOW64\Agdlfd32.exe

Filesize
81KB

MD5
5d3afdf45fde1bd226cb76cc0207028f

SHA1
93240fd5a744262f3a6e7fd20fa13e464de6645a

SHA256
545d574669d4e30396a4bc808f22bdbb2c5aead0868db790e1801430d7e3fd63

SHA512
a55794d9d1298370a7c52a53855dc8f9aea3707647f1b99fadadabd4aa9bc7af88e0a11dcfd1c465c8d72a04ef82415c4b5d9d5c1099d836ac6a4cdd10009cb6

Download Submit
\Windows\SysWOW64\Aehmoh32.exe

Filesize
81KB

MD5
472c6f14b43f4adf433697cc26505555

SHA1
313363915f019efedd358565ddbf2d794c82bf42

SHA256
62387eb8fdab9714881ff9a814304ec0d393a93dbc51610f406411b7823faaa1

SHA512
2e6fadd8a774be41d9ceddd62c0e7860c3a488d85deb6bad61c40faeb11978564724483ea03f49742e0f35a063e06302227b57d7e6fb25cab35d15099f567e54

Download Submit
\Windows\SysWOW64\Bmenijcd.exe

Filesize
81KB

MD5
59618fdf41b3a5c21f0ddaea6faa6e40

SHA1
43a5a090bac4f694f55d0ad0082a8665908a856e

SHA256
c1de055f09db2334ca7f252df1d43c558697e09262d551fed8eeb7e3ae3021cd

SHA512
302f660f6aaf39fcda8a1a4cc238370a3b180131b6dc7cb8ae2227cdf93fd89a4e2bad5e54b6923bec95e9c3a275d9ee5fe7c49e66625fbe929ecb02c8b121ed

Download Submit
memory/1872-25-0x00000000003A0000-0x00000000003D4000-memory.dmp

Filesize
208KB

Download
memory/1872-24-0x00000000003A0000-0x00000000003D4000-memory.dmp

Filesize
208KB

Download
memory/1872-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1872-58-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2288-26-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2704-62-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2800-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2800-60-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2880-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2880-48-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2880-61-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads