6470cfd167ce1ab6d408b035c9099eacdce157c2624ee8073da300e0a4e2875b

General

Target

6470cfd167ce1ab6d408b035c9099eacdce157c2624ee8073da300e0a4e2875b.exe
Size

96KB
MD5

8de2bd5c40fc29b36a64134572041abd
SHA1

29c1feff93b0da078a197ab0bd1c05aa268c1216
SHA256

6470cfd167ce1ab6d408b035c9099eacdce157c2624ee8073da300e0a4e2875b
SHA512

0982640a4c3a7acbd229d2e76f57b624a315e17813eb260184b1442c8d62be5de41b16a21059ebb0da1226b5ad9e7ec7d444d5f9809e1a8d3b6e9365efc2afe8
SSDEEP

1536:jJN7FRcmnfn2n+PcYAUX/3iJLI1pQ7f5Cub52Lk1RPXuhiTMuZXGTIVefVDkryy6:jJNxRcmfG+j3vMTOaRPXuhuXGQmVDeCv

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fedfgejh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fedfgejh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6470cfd167ce1ab6d408b035c9099eacdce157c2624ee8073da300e0a4e2875b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	6470cfd167ce1ab6d408b035c9099eacdce157c2624ee8073da300e0a4e2875b.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Faijggao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Faijggao.exe

Executes dropped EXE 3 IoCs

pid	Process
2380	Faijggao.exe
2172	Fedfgejh.exe
2752	Flnndp32.exe

Loads dropped DLL 10 IoCs

pid	Process
1232	6470cfd167ce1ab6d408b035c9099eacdce157c2624ee8073da300e0a4e2875b.exe
1232	6470cfd167ce1ab6d408b035c9099eacdce157c2624ee8073da300e0a4e2875b.exe
2380	Faijggao.exe
2380	Faijggao.exe
2172	Fedfgejh.exe
2172	Fedfgejh.exe
3016	WerFault.exe
3016	WerFault.exe
3016	WerFault.exe
3016	WerFault.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Onndkg32.dll	Fedfgejh.exe
File opened for modification	C:\Windows\SysWOW64\Faijggao.exe	6470cfd167ce1ab6d408b035c9099eacdce157c2624ee8073da300e0a4e2875b.exe
File created	C:\Windows\SysWOW64\Kfadkk32.dll	6470cfd167ce1ab6d408b035c9099eacdce157c2624ee8073da300e0a4e2875b.exe
File opened for modification	C:\Windows\SysWOW64\Fedfgejh.exe	Faijggao.exe
File created	C:\Windows\SysWOW64\Flnndp32.exe	Fedfgejh.exe
File opened for modification	C:\Windows\SysWOW64\Flnndp32.exe	Fedfgejh.exe
File created	C:\Windows\SysWOW64\Faijggao.exe	6470cfd167ce1ab6d408b035c9099eacdce157c2624ee8073da300e0a4e2875b.exe
File created	C:\Windows\SysWOW64\Fedfgejh.exe	Faijggao.exe
File created	C:\Windows\SysWOW64\Kmpnop32.dll	Faijggao.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3016	2752	WerFault.exe	32

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fedfgejh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flnndp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6470cfd167ce1ab6d408b035c9099eacdce157c2624ee8073da300e0a4e2875b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Faijggao.exe

Modifies registry class 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Faijggao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onndkg32.dll"	Fedfgejh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	6470cfd167ce1ab6d408b035c9099eacdce157c2624ee8073da300e0a4e2875b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	6470cfd167ce1ab6d408b035c9099eacdce157c2624ee8073da300e0a4e2875b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfadkk32.dll"	6470cfd167ce1ab6d408b035c9099eacdce157c2624ee8073da300e0a4e2875b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	6470cfd167ce1ab6d408b035c9099eacdce157c2624ee8073da300e0a4e2875b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Faijggao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmpnop32.dll"	Faijggao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fedfgejh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fedfgejh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	6470cfd167ce1ab6d408b035c9099eacdce157c2624ee8073da300e0a4e2875b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	6470cfd167ce1ab6d408b035c9099eacdce157c2624ee8073da300e0a4e2875b.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 2380	1232	6470cfd167ce1ab6d408b035c9099eacdce157c2624ee8073da300e0a4e2875b.exe	30
PID 1232 wrote to memory of 2380	1232	6470cfd167ce1ab6d408b035c9099eacdce157c2624ee8073da300e0a4e2875b.exe	30
PID 1232 wrote to memory of 2380	1232	6470cfd167ce1ab6d408b035c9099eacdce157c2624ee8073da300e0a4e2875b.exe	30
PID 1232 wrote to memory of 2380	1232	6470cfd167ce1ab6d408b035c9099eacdce157c2624ee8073da300e0a4e2875b.exe	30
PID 2380 wrote to memory of 2172	2380	Faijggao.exe	31
PID 2380 wrote to memory of 2172	2380	Faijggao.exe	31
PID 2380 wrote to memory of 2172	2380	Faijggao.exe	31
PID 2380 wrote to memory of 2172	2380	Faijggao.exe	31
PID 2172 wrote to memory of 2752	2172	Fedfgejh.exe	32
PID 2172 wrote to memory of 2752	2172	Fedfgejh.exe	32
PID 2172 wrote to memory of 2752	2172	Fedfgejh.exe	32
PID 2172 wrote to memory of 2752	2172	Fedfgejh.exe	32
PID 2752 wrote to memory of 3016	2752	Flnndp32.exe	33
PID 2752 wrote to memory of 3016	2752	Flnndp32.exe	33
PID 2752 wrote to memory of 3016	2752	Flnndp32.exe	33
PID 2752 wrote to memory of 3016	2752	Flnndp32.exe	33

C:\Users\Admin\AppData\Local\Temp\6470cfd167ce1ab6d408b035c9099eacdce157c2624ee8073da300e0a4e2875b.exe
"C:\Users\Admin\AppData\Local\Temp\6470cfd167ce1ab6d408b035c9099eacdce157c2624ee8073da300e0a4e2875b.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Windows\SysWOW64\Faijggao.exe
  C:\Windows\system32\Faijggao.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\SysWOW64\Fedfgejh.exe
    C:\Windows\system32\Fedfgejh.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Windows\SysWOW64\Flnndp32.exe
      C:\Windows\system32\Flnndp32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 140
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fedfgejh.exe

Filesize
96KB

MD5
a81ff44a38c68c76aedb6f9d3972341e

SHA1
0d353192ab1d3ac1cbf78d579e3499ac236fde13

SHA256
4d637c3d99d24b82994a81024d0004fc202586e38bd6b0ae1360e9eb2e73474e

SHA512
a4d013c3f8994c3268936682d2661c552b0c4b821bddad0cfab308e90ab830203cd4a50975852a84697ed96d904ee4ae04e16c86c7cbb6328e5375f2ff557324

Download Submit
\Windows\SysWOW64\Faijggao.exe

Filesize
96KB

MD5
a9d67e93d75b643e7eedb0a2f98b685a

SHA1
fc14f8c4d32b0c4de567b3e1f0323d8b61964606

SHA256
51e950c3a74eeb75728abb7ab4f82c0c273b33b843ab6343daf9597f6cac85b7

SHA512
11aa5dcba41ace21742378d45b7b9641750566842e9a322ecdc44c216bb7ac7f8c5d771e4440784877cf17e92ec204f61571e7e3ef34f8ed1bdd2e10944560b2

Download Submit
\Windows\SysWOW64\Flnndp32.exe

Filesize
96KB

MD5
4f465b41c9e40d1180f732a85fb41575

SHA1
48a15a59e485c44746121056ca3efdcb1d1bf377

SHA256
1b33001173ef41c70288ddf7ddbf1712ef7eea3998a5862ed9b3afce9c6968ec

SHA512
8eab8f295262cd1cbc675ab0d9c1bc96ba89e03f521eecd8915d63ce2a1105fbd8d0ad89c08d73e1fe52a97d48ca80b57f11e8e131b7241e7829b08724f8a9a9

Download Submit
memory/1232-46-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1232-13-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1232-12-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1232-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2172-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2172-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2380-14-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2380-45-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2752-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2752-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads