e3e0b21e41ffb95f19c166a2115f706168a67f2ca5e6b9505f3d9ec13c94165a

General

Target

e3e0b21e41ffb95f19c166a2115f706168a67f2ca5e6b9505f3d9ec13c94165a.exe
Size

470KB
MD5

ca479ab5caa15ac6c9e8e1daa88a45ba
SHA1

815cb07ab2418be4fbf2f073f38659567e1b9980
SHA256

e3e0b21e41ffb95f19c166a2115f706168a67f2ca5e6b9505f3d9ec13c94165a
SHA512

034fe5da2458c983b91f4574d3511208241d8dec37725f08f88400ab7684101ebd85ff95dbdc678dd70da3fd438207127efa8d9471c42a9e6199b85ba839853d
SSDEEP

12288:t/Qc8QVj94nLiFzN3b7CUq1u2ztB1XQKTQInqyS6Rm6TIJ3l7DurTG9c8QVj94n8:t4

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e3e0b21e41ffb95f19c166a2115f706168a67f2ca5e6b9505f3d9ec13c94165a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	e3e0b21e41ffb95f19c166a2115f706168a67f2ca5e6b9505f3d9ec13c94165a.exe

Executes dropped EXE 2 IoCs

pid	Process
1960	Dnpciaef.exe
2068	Dpapaj32.exe

Loads dropped DLL 4 IoCs

pid	Process
2572	e3e0b21e41ffb95f19c166a2115f706168a67f2ca5e6b9505f3d9ec13c94165a.exe
2572	e3e0b21e41ffb95f19c166a2115f706168a67f2ca5e6b9505f3d9ec13c94165a.exe
1960	Dnpciaef.exe
1960	Dnpciaef.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dnpciaef.exe	e3e0b21e41ffb95f19c166a2115f706168a67f2ca5e6b9505f3d9ec13c94165a.exe
File opened for modification	C:\Windows\SysWOW64\Dnpciaef.exe	e3e0b21e41ffb95f19c166a2115f706168a67f2ca5e6b9505f3d9ec13c94165a.exe
File created	C:\Windows\SysWOW64\Pmiljc32.dll	e3e0b21e41ffb95f19c166a2115f706168a67f2ca5e6b9505f3d9ec13c94165a.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dnpciaef.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32†Lpjldb32.¾ll	Dpapaj32.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e3e0b21e41ffb95f19c166a2115f706168a67f2ca5e6b9505f3d9ec13c94165a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe

Modifies registry class 14 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll"	e3e0b21e41ffb95f19c166a2115f706168a67f2ca5e6b9505f3d9ec13c94165a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs\I´Pro¹Ser¬er3è	Dpapaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID	Dpapaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs	Dpapaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	e3e0b21e41ffb95f19c166a2115f706168a67f2ca5e6b9505f3d9ec13c94165a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	e3e0b21e41ffb95f19c166a2115f706168a67f2ca5e6b9505f3d9ec13c94165a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs\I´Pro¹Ser¬er3è\Th¨ead³ngMµdelÚ = "›par®men®"	Dpapaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	e3e0b21e41ffb95f19c166a2115f706168a67f2ca5e6b9505f3d9ec13c94165a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	e3e0b21e41ffb95f19c166a2115f706168a67f2ca5e6b9505f3d9ec13c94165a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs\I´Pro¹Ser¬er3è\ = "C:\\Windows\\system32†Lpjldb32.¾ll"	Dpapaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	e3e0b21e41ffb95f19c166a2115f706168a67f2ca5e6b9505f3d9ec13c94165a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dnpciaef.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 1960	2572	e3e0b21e41ffb95f19c166a2115f706168a67f2ca5e6b9505f3d9ec13c94165a.exe	31
PID 2572 wrote to memory of 1960	2572	e3e0b21e41ffb95f19c166a2115f706168a67f2ca5e6b9505f3d9ec13c94165a.exe	31
PID 2572 wrote to memory of 1960	2572	e3e0b21e41ffb95f19c166a2115f706168a67f2ca5e6b9505f3d9ec13c94165a.exe	31
PID 2572 wrote to memory of 1960	2572	e3e0b21e41ffb95f19c166a2115f706168a67f2ca5e6b9505f3d9ec13c94165a.exe	31
PID 1960 wrote to memory of 2068	1960	Dnpciaef.exe	32
PID 1960 wrote to memory of 2068	1960	Dnpciaef.exe	32
PID 1960 wrote to memory of 2068	1960	Dnpciaef.exe	32
PID 1960 wrote to memory of 2068	1960	Dnpciaef.exe	32

C:\Users\Admin\AppData\Local\Temp\e3e0b21e41ffb95f19c166a2115f706168a67f2ca5e6b9505f3d9ec13c94165a.exe
"C:\Users\Admin\AppData\Local\Temp\e3e0b21e41ffb95f19c166a2115f706168a67f2ca5e6b9505f3d9ec13c94165a.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\SysWOW64\Dnpciaef.exe
  C:\Windows\system32\Dnpciaef.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\SysWOW64\Dpapaj32.exe
    C:\Windows\system32\Dpapaj32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
470KB

MD5
a9358beaa82af4569f98f6808cae8fd4

SHA1
f3c8d3d9e3c2cfe3943e42db80c84049e96a0f57

SHA256
2e2fab72d6622c112375491a16bf38e223333ad63cf7a49d4d1e47137e8da5e7

SHA512
ed32c5494d41bb4b16e49ecf71772ff076bb07d00c72cf9d820c2f512811ed90f6096af90e43d07e283c147f7661e2f2b6d694337542eeb4ee04c0b9ea74af61

Download Submit
\Windows\SysWOW64\Dnpciaef.exe

Filesize
470KB

MD5
cb83606dd37e8ace450c48cfa8aa860b

SHA1
9242db33d0bb7854527f77a54c83c74ec006f537

SHA256
c8185fd29e36b692df130df79909012a9989a233c54f5d0f30fe2956c4eb1f28

SHA512
2fabacd72efa898893081139bb04dd316adf9a5081a06c64c32755586c411bf606ae4898686f63a09acfce564dfbe0e72105af5da89a31972a3a0fcba978300d

Download Submit
memory/1960-25-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1960-34-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2068-27-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2068-32-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2572-0-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2572-24-0x0000000000330000-0x00000000003CE000-memory.dmp

Filesize
632KB

Download
memory/2572-23-0x0000000000330000-0x00000000003CE000-memory.dmp

Filesize
632KB

Download
memory/2572-33-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2572-35-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads