63ff500a30b4bef71afd949ce5036faf1a909b0725c6dc3fa87d1d4b86010de0

Analysis

max time kernel
92s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4898794830422899da4cc3b9e773440N.exe
Size

55KB
MD5

a4898794830422899da4cc3b9e773440
SHA1

8f6dface6b79d62bacc379e7ba98a0f82409a35e
SHA256

63ff500a30b4bef71afd949ce5036faf1a909b0725c6dc3fa87d1d4b86010de0
SHA512

5a3901440a2561a5cf8d4c00713ea75fdc00ae73917f6da6b6b2e11e30852aee979e9352f49ef19e63797c57d7cc67ff5cd965b8692824dabc6eb87994fb855e
SSDEEP

768:nJIfchrIjlkuS15CFVbrXIajwtNSP4CcJHEOPTpC+w41kWmGeISnrH1JZ/1H5TX3:GfchWkfoVHYaY6GWOrpC+wkgfD

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a4898794830422899da4cc3b9e773440N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	a4898794830422899da4cc3b9e773440N.exe

Executes dropped EXE 1 IoCs

pid	Process
4516	Dmllipeg.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dmllipeg.exe	a4898794830422899da4cc3b9e773440N.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	a4898794830422899da4cc3b9e773440N.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	a4898794830422899da4cc3b9e773440N.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2568	4516	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a4898794830422899da4cc3b9e773440N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	a4898794830422899da4cc3b9e773440N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	a4898794830422899da4cc3b9e773440N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	a4898794830422899da4cc3b9e773440N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	a4898794830422899da4cc3b9e773440N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	a4898794830422899da4cc3b9e773440N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	a4898794830422899da4cc3b9e773440N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 4516	1956	a4898794830422899da4cc3b9e773440N.exe	83
PID 1956 wrote to memory of 4516	1956	a4898794830422899da4cc3b9e773440N.exe	83
PID 1956 wrote to memory of 4516	1956	a4898794830422899da4cc3b9e773440N.exe	83

C:\Users\Admin\AppData\Local\Temp\a4898794830422899da4cc3b9e773440N.exe
"C:\Users\Admin\AppData\Local\Temp\a4898794830422899da4cc3b9e773440N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\SysWOW64\Dmllipeg.exe
  C:\Windows\system32\Dmllipeg.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4516
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 404
    3⤵
    - Program crash
    PID:2568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4516 -ip 4516
1⤵
PID:4136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
55KB

MD5
8c3f56364764bd0b18febbd65c1d6d72

SHA1
81f9eeb208f4247f60edcfc955ce0656214ed1a3

SHA256
1db53cca2a1b50779b4466bb2381da1effd31d81d808d5871413e6f19109a934

SHA512
d7095b304d1fe5b4ab8ae1763377fb0951f7563190ee2362ab396c3249209b8f7e95c3659f355f6bf90298c2d94f306424fc753cbc8b685ccb72e41558a58282

Download Submit
memory/1956-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1956-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-12-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads