65e787bbec2a22f00ba0044a289439c6f97a18bfdfe6d2334bfe3080425f0b21

General

Target

65e787bbec2a22f00ba0044a289439c6f97a18bfdfe6d2334bfe3080425f0b21N.exe
Size

256KB
MD5

b2703a3fb49840dd7ec83d0b62091750
SHA1

c858403d15b4695247285811a98a454141cf6e6d
SHA256

65e787bbec2a22f00ba0044a289439c6f97a18bfdfe6d2334bfe3080425f0b21
SHA512

21683e9435ee8710da636ace701f8031fd91a3d2aef36549eec7a77ca6d3a4e0e8a6d37ebc83f82315d17d6bcb81f0e1ecd0bbddcbb43b111880cb06dcb1683b
SSDEEP

6144:Nx5aPXuapoaCPXbo92ynnZlVrtv35CPXbo92ynnH:guqFHRD

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	65e787bbec2a22f00ba0044a289439c6f97a18bfdfe6d2334bfe3080425f0b21N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	65e787bbec2a22f00ba0044a289439c6f97a18bfdfe6d2334bfe3080425f0b21N.exe

Executes dropped EXE 1 IoCs

pid	Process
2300	Jppedg32.exe

Loads dropped DLL 6 IoCs

pid	Process
1736	65e787bbec2a22f00ba0044a289439c6f97a18bfdfe6d2334bfe3080425f0b21N.exe
1736	65e787bbec2a22f00ba0044a289439c6f97a18bfdfe6d2334bfe3080425f0b21N.exe
2076	WerFault.exe
2076	WerFault.exe
2076	WerFault.exe
2076	WerFault.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jppedg32.exe	65e787bbec2a22f00ba0044a289439c6f97a18bfdfe6d2334bfe3080425f0b21N.exe
File opened for modification	C:\Windows\SysWOW64\Jppedg32.exe	65e787bbec2a22f00ba0044a289439c6f97a18bfdfe6d2334bfe3080425f0b21N.exe
File created	C:\Windows\SysWOW64\Lmnennln.dll	65e787bbec2a22f00ba0044a289439c6f97a18bfdfe6d2334bfe3080425f0b21N.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2076	2300	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	65e787bbec2a22f00ba0044a289439c6f97a18bfdfe6d2334bfe3080425f0b21N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jppedg32.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	65e787bbec2a22f00ba0044a289439c6f97a18bfdfe6d2334bfe3080425f0b21N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	65e787bbec2a22f00ba0044a289439c6f97a18bfdfe6d2334bfe3080425f0b21N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	65e787bbec2a22f00ba0044a289439c6f97a18bfdfe6d2334bfe3080425f0b21N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmnennln.dll"	65e787bbec2a22f00ba0044a289439c6f97a18bfdfe6d2334bfe3080425f0b21N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	65e787bbec2a22f00ba0044a289439c6f97a18bfdfe6d2334bfe3080425f0b21N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	65e787bbec2a22f00ba0044a289439c6f97a18bfdfe6d2334bfe3080425f0b21N.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2300	1736	65e787bbec2a22f00ba0044a289439c6f97a18bfdfe6d2334bfe3080425f0b21N.exe	29
PID 1736 wrote to memory of 2300	1736	65e787bbec2a22f00ba0044a289439c6f97a18bfdfe6d2334bfe3080425f0b21N.exe	29
PID 1736 wrote to memory of 2300	1736	65e787bbec2a22f00ba0044a289439c6f97a18bfdfe6d2334bfe3080425f0b21N.exe	29
PID 1736 wrote to memory of 2300	1736	65e787bbec2a22f00ba0044a289439c6f97a18bfdfe6d2334bfe3080425f0b21N.exe	29
PID 2300 wrote to memory of 2076	2300	Jppedg32.exe	30
PID 2300 wrote to memory of 2076	2300	Jppedg32.exe	30
PID 2300 wrote to memory of 2076	2300	Jppedg32.exe	30
PID 2300 wrote to memory of 2076	2300	Jppedg32.exe	30

C:\Users\Admin\AppData\Local\Temp\65e787bbec2a22f00ba0044a289439c6f97a18bfdfe6d2334bfe3080425f0b21N.exe
"C:\Users\Admin\AppData\Local\Temp\65e787bbec2a22f00ba0044a289439c6f97a18bfdfe6d2334bfe3080425f0b21N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\SysWOW64\Jppedg32.exe
  C:\Windows\system32\Jppedg32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 140
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jppedg32.exe

Filesize
256KB

MD5
9198180439f70c8b6080f1268e648e82

SHA1
4924f813f122821ad61c89c06310a17844aa11e8

SHA256
edf477996f6d09f9cf2c80d8aa773acc75d9a7d577599c6c2912d938f86ddd23

SHA512
0b8da7313e6e205de71be2bd534afcaf605350d018e3324993d11a9660aad2dfa5bf197261fbd9e655632552cbd0cd964b132c48aa30e6df2858f09bc5bfe275

Download Submit
memory/1736-4-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1736-12-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2300-13-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads