5983abd65865ee5685fd78718adc05131d003737d80c9ded49e56ef8b0172a40

General

Target

5983abd65865ee5685fd78718adc05131d003737d80c9ded49e56ef8b0172a40.exe
Size

295KB
MD5

64495369fbd2056b65464e32659b9c50
SHA1

420d9d23077df435ff45b655387fa2aaaa50c4d0
SHA256

5983abd65865ee5685fd78718adc05131d003737d80c9ded49e56ef8b0172a40
SHA512

a7781bada599e86d627a3b2992e98567806aa70dd190068d971e3c7ebf020832a4fdaf5f6e3da8113f88920785fe9bb27d3611135067440e047392ab8f4bdb8c
SSDEEP

6144:7o+mlpuj5Fd1PY1PRe19V+tbFOLM77OLY:8jp+6fe0tsN0

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5983abd65865ee5685fd78718adc05131d003737d80c9ded49e56ef8b0172a40.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eddjhb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqkjmcmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eqkjmcmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Egebjmdn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnjnkkbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fnjnkkbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	5983abd65865ee5685fd78718adc05131d003737d80c9ded49e56ef8b0172a40.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eddjhb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egebjmdn.exe

Executes dropped EXE 5 IoCs

pid	Process
2908	Eddjhb32.exe
2944	Eqkjmcmq.exe
2848	Egebjmdn.exe
2676	Fnjnkkbk.exe
2180	Flnndp32.exe

Loads dropped DLL 14 IoCs

pid	Process
1680	5983abd65865ee5685fd78718adc05131d003737d80c9ded49e56ef8b0172a40.exe
1680	5983abd65865ee5685fd78718adc05131d003737d80c9ded49e56ef8b0172a40.exe
2908	Eddjhb32.exe
2908	Eddjhb32.exe
2944	Eqkjmcmq.exe
2944	Eqkjmcmq.exe
2848	Egebjmdn.exe
2848	Egebjmdn.exe
2676	Fnjnkkbk.exe
2676	Fnjnkkbk.exe
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Flnndp32.exe	Fnjnkkbk.exe
File created	C:\Windows\SysWOW64\Onndkg32.dll	Fnjnkkbk.exe
File created	C:\Windows\SysWOW64\Eddjhb32.exe	5983abd65865ee5685fd78718adc05131d003737d80c9ded49e56ef8b0172a40.exe
File opened for modification	C:\Windows\SysWOW64\Eddjhb32.exe	5983abd65865ee5685fd78718adc05131d003737d80c9ded49e56ef8b0172a40.exe
File created	C:\Windows\SysWOW64\Eqkjmcmq.exe	Eddjhb32.exe
File opened for modification	C:\Windows\SysWOW64\Egebjmdn.exe	Eqkjmcmq.exe
File opened for modification	C:\Windows\SysWOW64\Fnjnkkbk.exe	Egebjmdn.exe
File created	C:\Windows\SysWOW64\Olahgd32.dll	5983abd65865ee5685fd78718adc05131d003737d80c9ded49e56ef8b0172a40.exe
File created	C:\Windows\SysWOW64\Jacgio32.dll	Eddjhb32.exe
File created	C:\Windows\SysWOW64\Egebjmdn.exe	Eqkjmcmq.exe
File created	C:\Windows\SysWOW64\Ngbpoo32.dll	Eqkjmcmq.exe
File created	C:\Windows\SysWOW64\Odlkfk32.dll	Egebjmdn.exe
File opened for modification	C:\Windows\SysWOW64\Eqkjmcmq.exe	Eddjhb32.exe
File created	C:\Windows\SysWOW64\Fnjnkkbk.exe	Egebjmdn.exe
File created	C:\Windows\SysWOW64\Flnndp32.exe	Fnjnkkbk.exe

Program crash 1 IoCs

pid	pid_target	Process
2412	2180	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqkjmcmq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egebjmdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnjnkkbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flnndp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5983abd65865ee5685fd78718adc05131d003737d80c9ded49e56ef8b0172a40.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eddjhb32.exe

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	5983abd65865ee5685fd78718adc05131d003737d80c9ded49e56ef8b0172a40.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olahgd32.dll"	5983abd65865ee5685fd78718adc05131d003737d80c9ded49e56ef8b0172a40.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eqkjmcmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngbpoo32.dll"	Eqkjmcmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Egebjmdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odlkfk32.dll"	Egebjmdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fnjnkkbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	5983abd65865ee5685fd78718adc05131d003737d80c9ded49e56ef8b0172a40.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	5983abd65865ee5685fd78718adc05131d003737d80c9ded49e56ef8b0172a40.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eddjhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eddjhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eqkjmcmq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Egebjmdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	5983abd65865ee5685fd78718adc05131d003737d80c9ded49e56ef8b0172a40.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	5983abd65865ee5685fd78718adc05131d003737d80c9ded49e56ef8b0172a40.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jacgio32.dll"	Eddjhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onndkg32.dll"	Fnjnkkbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fnjnkkbk.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 2908	1680	5983abd65865ee5685fd78718adc05131d003737d80c9ded49e56ef8b0172a40.exe	30
PID 1680 wrote to memory of 2908	1680	5983abd65865ee5685fd78718adc05131d003737d80c9ded49e56ef8b0172a40.exe	30
PID 1680 wrote to memory of 2908	1680	5983abd65865ee5685fd78718adc05131d003737d80c9ded49e56ef8b0172a40.exe	30
PID 1680 wrote to memory of 2908	1680	5983abd65865ee5685fd78718adc05131d003737d80c9ded49e56ef8b0172a40.exe	30
PID 2908 wrote to memory of 2944	2908	Eddjhb32.exe	31
PID 2908 wrote to memory of 2944	2908	Eddjhb32.exe	31
PID 2908 wrote to memory of 2944	2908	Eddjhb32.exe	31
PID 2908 wrote to memory of 2944	2908	Eddjhb32.exe	31
PID 2944 wrote to memory of 2848	2944	Eqkjmcmq.exe	32
PID 2944 wrote to memory of 2848	2944	Eqkjmcmq.exe	32
PID 2944 wrote to memory of 2848	2944	Eqkjmcmq.exe	32
PID 2944 wrote to memory of 2848	2944	Eqkjmcmq.exe	32
PID 2848 wrote to memory of 2676	2848	Egebjmdn.exe	33
PID 2848 wrote to memory of 2676	2848	Egebjmdn.exe	33
PID 2848 wrote to memory of 2676	2848	Egebjmdn.exe	33
PID 2848 wrote to memory of 2676	2848	Egebjmdn.exe	33
PID 2676 wrote to memory of 2180	2676	Fnjnkkbk.exe	34
PID 2676 wrote to memory of 2180	2676	Fnjnkkbk.exe	34
PID 2676 wrote to memory of 2180	2676	Fnjnkkbk.exe	34
PID 2676 wrote to memory of 2180	2676	Fnjnkkbk.exe	34
PID 2180 wrote to memory of 2412	2180	Flnndp32.exe	35
PID 2180 wrote to memory of 2412	2180	Flnndp32.exe	35
PID 2180 wrote to memory of 2412	2180	Flnndp32.exe	35
PID 2180 wrote to memory of 2412	2180	Flnndp32.exe	35

C:\Users\Admin\AppData\Local\Temp\5983abd65865ee5685fd78718adc05131d003737d80c9ded49e56ef8b0172a40.exe
"C:\Users\Admin\AppData\Local\Temp\5983abd65865ee5685fd78718adc05131d003737d80c9ded49e56ef8b0172a40.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\SysWOW64\Eddjhb32.exe
  C:\Windows\system32\Eddjhb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\SysWOW64\Eqkjmcmq.exe
    C:\Windows\system32\Eqkjmcmq.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\SysWOW64\Egebjmdn.exe
      C:\Windows\system32\Egebjmdn.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Windows\SysWOW64\Fnjnkkbk.exe
        
        C:\Windows\system32\Fnjnkkbk.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
      - C:\Windows\SysWOW64\Flnndp32.exe
        
        C:\Windows\system32\Flnndp32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 140
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Eqkjmcmq.exe

Filesize
295KB

MD5
fa856d1348698030f0aba8fc24bd74a8

SHA1
ad08f1e518bd8afc39a198f79bd8603411f3cc27

SHA256
a67256bcf4fa6b9ceefb50b932a9975b492bc7e69cb1303c31cade04a2ba71ec

SHA512
364063f3bab34d9320b1558485b0d96157c4d07a51ce1f878a78e7d872019fccdb0ec64e74129f418fb0735a13bcac8b73f5b839801912fa638fde3e4ae67960

Download Submit
C:\Windows\SysWOW64\Flnndp32.exe

Filesize
295KB

MD5
d2043711cfe78fbc0b1b96c4edf5d3e6

SHA1
5d35af0f504c6b5a7db8ba53f4efcf56dfc75fca

SHA256
12fb096bc188c3137e964957839acd15c0dd727b703c16a6a9ed758c4ef2f24b

SHA512
75b6eaafca0152905ea2b2e7141ce5ef43d9bbc53d4f1e497745b55922e904a8512b68e4885fde05d5400ceaee0ad8698d80f81d67d89fbf19b7a0f34fc6dca3

Download Submit
C:\Windows\SysWOW64\Onndkg32.dll

Filesize
7KB

MD5
e8abd37c7677702cae6b16d4e95dee0b

SHA1
1acaae2ab49139ceb145e5dc30c72f99f71dfb1f

SHA256
479ae86b6b876183ff15ada6c06bd1b418eb88ee9efb2be50360aa408e430aec

SHA512
088ff95daec8139871ef7794e91f2a7daa156e27f0c4d861d204e87c666daead40635c5af92c36250cc762431d0a0b0825921515ff2d594e256d9591184a1fe8

Download Submit
\Windows\SysWOW64\Eddjhb32.exe

Filesize
295KB

MD5
1ad3e6a83cdfc89869d270563cb85708

SHA1
732ecc346303eeda81f35e79a2d666c19ec40c6e

SHA256
64f33c4b8ba6f4d3a3b72554a567b6d6c793f93dd8cfae758f5365a6e64ffa51

SHA512
e5bd6fd5f665bf88a29c2915158c7829dcfbaaac73b24967f766fa64c7d3d2fdde463be4ceec904e0a4e14723f737c23729486c2b446cf899141d70c6638987d

Download Submit
\Windows\SysWOW64\Egebjmdn.exe

Filesize
295KB

MD5
fa847967818b71f0539d17459188505b

SHA1
e5354da4212c86a61812bf0fef337648065cb656

SHA256
4ec9d45e6f6cf8d435912c720138c8da04f779e1d5719ff2bd6203a6e48a076d

SHA512
3dda8c0caf40cb8b3f8be6f85a1652c6dcf547ba1c42f34a19580142b8245ab71cc7c5ec55b5539494c2e12fef3e8c9fea32598417c7ea070d2606097efb8dd9

Download Submit
\Windows\SysWOW64\Fnjnkkbk.exe

Filesize
295KB

MD5
786f16f72b4fc7774dcca326f671b997

SHA1
9a8cf2b925e5389c6a405c49c0ac4aa086f77206

SHA256
42952913afa93291d58c441a9bfa01661c5122098370620098ee7170a838221b

SHA512
e2d415227e7a6b005d1cffb6b7598be166c3bb719ad0a6c665628fd74cac895a08c676049c7220a7a13b05168b20bb4d1a35d2002c0f2107b224292cfffe61f0

Download Submit
memory/1680-0-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1680-12-0x0000000000220000-0x000000000027F000-memory.dmp

Filesize
380KB

Download
memory/1680-76-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1680-11-0x0000000000220000-0x000000000027F000-memory.dmp

Filesize
380KB

Download
memory/2180-67-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2180-72-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2180-74-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2676-80-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2848-40-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2848-53-0x0000000001BF0000-0x0000000001C4F000-memory.dmp

Filesize
380KB

Download
memory/2848-52-0x0000000001BF0000-0x0000000001C4F000-memory.dmp

Filesize
380KB

Download
memory/2848-77-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2908-81-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2908-19-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2944-39-0x00000000002D0000-0x000000000032F000-memory.dmp

Filesize
380KB

Download
memory/2944-83-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads