641b288df8be4bd2cd06929640b3c648c5ad9e3e2d9cd0af0e86dc75ad0fb960

General

Target

96400cba9d39ce54826c99c26a540990N.exe
Size

55KB
MD5

96400cba9d39ce54826c99c26a540990
SHA1

13a408d94bd656f6d63eec40b1844456abb48f45
SHA256

641b288df8be4bd2cd06929640b3c648c5ad9e3e2d9cd0af0e86dc75ad0fb960
SHA512

c4b241a86e8afb3038ca62ef481ceded68f1d40aa938b7483496c61d7c2b3983a8bc5f096374c6df9db7274a965b16a4943e4ebbe7c7d6eaacdc8949f558bf99
SSDEEP

768:G5lnI2vwHv5gd2c3ObuFCBKnflh1ziOPEbvWGCJZ/1H5pXdnh:0vzhMbWZV

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	96400cba9d39ce54826c99c26a540990N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	96400cba9d39ce54826c99c26a540990N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe

Executes dropped EXE 4 IoCs

pid	Process
2848	Calcpm32.exe
2964	Cfhkhd32.exe
3060	Dmbcen32.exe
2616	Dpapaj32.exe

Loads dropped DLL 11 IoCs

pid	Process
2704	96400cba9d39ce54826c99c26a540990N.exe
2704	96400cba9d39ce54826c99c26a540990N.exe
2848	Calcpm32.exe
2848	Calcpm32.exe
2964	Cfhkhd32.exe
2964	Cfhkhd32.exe
3060	Dmbcen32.exe
3060	Dmbcen32.exe
2636	WerFault.exe
2636	WerFault.exe
2636	WerFault.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Ofaejacl.dll	96400cba9d39ce54826c99c26a540990N.exe
File created	C:\Windows\SysWOW64\Cfhkhd32.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Dmbcen32.exe	Cfhkhd32.exe
File opened for modification	C:\Windows\SysWOW64\Dmbcen32.exe	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Calcpm32.exe	96400cba9d39ce54826c99c26a540990N.exe
File opened for modification	C:\Windows\SysWOW64\Cfhkhd32.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Fkdqjn32.dll	Calcpm32.exe
File created	C:\Windows\SysWOW64\Fikbiheg.dll	Cfhkhd32.exe
File opened for modification	C:\Windows\SysWOW64\Calcpm32.exe	96400cba9d39ce54826c99c26a540990N.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2636	2616	WerFault.exe	34

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96400cba9d39ce54826c99c26a540990N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calcpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	96400cba9d39ce54826c99c26a540990N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	96400cba9d39ce54826c99c26a540990N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	96400cba9d39ce54826c99c26a540990N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll"	96400cba9d39ce54826c99c26a540990N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	96400cba9d39ce54826c99c26a540990N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	96400cba9d39ce54826c99c26a540990N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfhkhd32.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 2848	2704	96400cba9d39ce54826c99c26a540990N.exe	31
PID 2704 wrote to memory of 2848	2704	96400cba9d39ce54826c99c26a540990N.exe	31
PID 2704 wrote to memory of 2848	2704	96400cba9d39ce54826c99c26a540990N.exe	31
PID 2704 wrote to memory of 2848	2704	96400cba9d39ce54826c99c26a540990N.exe	31
PID 2848 wrote to memory of 2964	2848	Calcpm32.exe	32
PID 2848 wrote to memory of 2964	2848	Calcpm32.exe	32
PID 2848 wrote to memory of 2964	2848	Calcpm32.exe	32
PID 2848 wrote to memory of 2964	2848	Calcpm32.exe	32
PID 2964 wrote to memory of 3060	2964	Cfhkhd32.exe	33
PID 2964 wrote to memory of 3060	2964	Cfhkhd32.exe	33
PID 2964 wrote to memory of 3060	2964	Cfhkhd32.exe	33
PID 2964 wrote to memory of 3060	2964	Cfhkhd32.exe	33
PID 3060 wrote to memory of 2616	3060	Dmbcen32.exe	34
PID 3060 wrote to memory of 2616	3060	Dmbcen32.exe	34
PID 3060 wrote to memory of 2616	3060	Dmbcen32.exe	34
PID 3060 wrote to memory of 2616	3060	Dmbcen32.exe	34
PID 2616 wrote to memory of 2636	2616	Dpapaj32.exe	35
PID 2616 wrote to memory of 2636	2616	Dpapaj32.exe	35
PID 2616 wrote to memory of 2636	2616	Dpapaj32.exe	35
PID 2616 wrote to memory of 2636	2616	Dpapaj32.exe	35

C:\Users\Admin\AppData\Local\Temp\96400cba9d39ce54826c99c26a540990N.exe
"C:\Users\Admin\AppData\Local\Temp\96400cba9d39ce54826c99c26a540990N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Windows\SysWOW64\Calcpm32.exe
  C:\Windows\system32\Calcpm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\SysWOW64\Cfhkhd32.exe
    C:\Windows\system32\Cfhkhd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Windows\SysWOW64\Dmbcen32.exe
      C:\Windows\system32\Dmbcen32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3060
    - - C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2616
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 144
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
55KB

MD5
193f6b11c2f91da8346c6f9a9ca7b035

SHA1
5aa9c3f285d21ef6530b794c358d13d05a347c7c

SHA256
1f634ad6e841516bf7b2a26f1314490a3ebb6820a0ffbdc9d33e0719032decbe

SHA512
acc687e52613d5c7aa7f5776703c836884e7e0971d2f29bbbf708f6d82523b3c6f7c0295eeaad9e5087e2d9493dedc3b7fe21309e2a0577a50d15c1da1bc186e

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
55KB

MD5
1a2dbcdf88d33cc8a58997c5d03d476c

SHA1
369a663ffe02962b5cfbe71e33cc3bcbab163692

SHA256
3c4b054426b5ff1e7e341e139c23047a14ff8965212e5c67942f84f976d78866

SHA512
9e081c8bd014c4603a4a0b86756a2104e45bce1d6c5a6db902e98a1270fb8cfd11fd1db3b7d84a74087ac5cf1721d0ef05630b373aca29c6fcf1f3f3379132e9

Download Submit
\Windows\SysWOW64\Calcpm32.exe

Filesize
55KB

MD5
8d179f9b3ab104c79885673bf3a81cad

SHA1
fefaa40159f383856ad61a9b8cc9aaed2e5949ee

SHA256
f33eb6f70298a799d896c6ea4c4d00f35f3811bee4211853d28bddfab33859de

SHA512
aa78484a590767accac536a398d75e99bf8fd69349dbe21ccb33d6de9e4eff54b7285e6cf0028f3c33eb0ea49634cf923c7ff1bf2e50cd5a22f16eb1997bd1ec

Download Submit
\Windows\SysWOW64\Cfhkhd32.exe

Filesize
55KB

MD5
36df1544cfc6a0a20254b7da677238a5

SHA1
f7a93b9702bab82bf2e668d2bdf975b2d32b9bac

SHA256
72e53c0ac1207cc6cae39916ff26b58d0f5edf574d3a49ccd9a9b19a16031182

SHA512
104b85073dc2c80622190b954b73060dd1f05bbbb79a73bf352be45a3d9cacb269c2106779b47f6de20cb27acb922b391bc22090f61eda7699875f32066fb4e8

Download Submit
memory/2616-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2616-54-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-61-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-11-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2848-20-0x0000000001F30000-0x0000000001F63000-memory.dmp

Filesize
204KB

Download
memory/2848-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-62-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-35-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2964-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-63-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3060-50-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/3060-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads