e2074cfeeef1ed7ca186771195537736535b952c7ce90c54443568d60270ff86

General

Target

3bacf51602797c96c59fe400fc4db3c0N.exe
Size

94KB
MD5

3bacf51602797c96c59fe400fc4db3c0
SHA1

e0bf8dd4cf28edb2c4c9045c9027d8371f0f6270
SHA256

e2074cfeeef1ed7ca186771195537736535b952c7ce90c54443568d60270ff86
SHA512

968a5918db8dfa4961c1124af7add0b730d12d38e1b459f62694e40a97697bfefc66462e5d4d30204f0bb8319cf24849104d72385f27859f260074486cff02dd
SSDEEP

1536:eRr3pvZbMpC9WwF8mSdF5HUj3elowLLi17BR9L4DT2EnINs:MZhIAF+dFRUjXwvi16+ob

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3bacf51602797c96c59fe400fc4db3c0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	3bacf51602797c96c59fe400fc4db3c0N.exe

Executes dropped EXE 1 IoCs

pid	Process
804	Dpapaj32.exe

Loads dropped DLL 5 IoCs

pid	Process
2432	3bacf51602797c96c59fe400fc4db3c0N.exe
2432	3bacf51602797c96c59fe400fc4db3c0N.exe
2344	WerFault.exe
2344	WerFault.exe
2344	WerFault.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	3bacf51602797c96c59fe400fc4db3c0N.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	3bacf51602797c96c59fe400fc4db3c0N.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	3bacf51602797c96c59fe400fc4db3c0N.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2344	804	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3bacf51602797c96c59fe400fc4db3c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	3bacf51602797c96c59fe400fc4db3c0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	3bacf51602797c96c59fe400fc4db3c0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	3bacf51602797c96c59fe400fc4db3c0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	3bacf51602797c96c59fe400fc4db3c0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	3bacf51602797c96c59fe400fc4db3c0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	3bacf51602797c96c59fe400fc4db3c0N.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 804	2432	3bacf51602797c96c59fe400fc4db3c0N.exe	31
PID 2432 wrote to memory of 804	2432	3bacf51602797c96c59fe400fc4db3c0N.exe	31
PID 2432 wrote to memory of 804	2432	3bacf51602797c96c59fe400fc4db3c0N.exe	31
PID 2432 wrote to memory of 804	2432	3bacf51602797c96c59fe400fc4db3c0N.exe	31
PID 804 wrote to memory of 2344	804	Dpapaj32.exe	32
PID 804 wrote to memory of 2344	804	Dpapaj32.exe	32
PID 804 wrote to memory of 2344	804	Dpapaj32.exe	32
PID 804 wrote to memory of 2344	804	Dpapaj32.exe	32

C:\Users\Admin\AppData\Local\Temp\3bacf51602797c96c59fe400fc4db3c0N.exe
"C:\Users\Admin\AppData\Local\Temp\3bacf51602797c96c59fe400fc4db3c0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\SysWOW64\Dpapaj32.exe
  C:\Windows\system32\Dpapaj32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:804
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 144
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
94KB

MD5
737ad5cd5fb748e9a860611dcd834b02

SHA1
476e2b7e7c5f2221df9f5d46073c98d74d23bb56

SHA256
3c7bb8452925262e028649fbfe536c82e1ece2bd1c2051cb24febb5061486c05

SHA512
ef88d1ebc1bde99a5c42d357e6f51b37d0cedcab23de0abed0bf6e14195f3d56bd25517109b66f33ca85cf9a960cc1127fb3df3e1a82e26665c90c41844f6b5e

Download Submit
memory/804-17-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2432-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2432-15-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2432-16-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2432-21-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads