3c1a0c0de5fc10f04f102231b4abfad6d9ec0a75a357bfe6f1d417d84874adeb

General

Target

3c1a0c0de5fc10f04f102231b4abfad6d9ec0a75a357bfe6f1d417d84874adebN.exe
Size

402KB
MD5

0bc4342411eae9826a9c7fd3ba5df510
SHA1

01b2babe273c2d9c11e25170df26a27040e96113
SHA256

3c1a0c0de5fc10f04f102231b4abfad6d9ec0a75a357bfe6f1d417d84874adeb
SHA512

c414c7e36cdcc4528b94c2ea3e629eca6e05d4f698701f11cc58343cbc2d2607d2bc0fdba3ee344c29bac05ad0492d61f84fdf5cbb73877fa6720f60a7cf3f1c
SSDEEP

6144:fJgF/oHdGFv/t3FPvTpN0xHuwdkAj51VezfHZ3neNZpGkXo+TCCYOs5PHdC:SdwdG1nU

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Danpemej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3c1a0c0de5fc10f04f102231b4abfad6d9ec0a75a357bfe6f1d417d84874adebN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	3c1a0c0de5fc10f04f102231b4abfad6d9ec0a75a357bfe6f1d417d84874adebN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe

Executes dropped EXE 3 IoCs

pid	Process
2188	Dnpciaef.exe
2076	Danpemej.exe
2644	Dpapaj32.exe

Loads dropped DLL 6 IoCs

pid	Process
2340	3c1a0c0de5fc10f04f102231b4abfad6d9ec0a75a357bfe6f1d417d84874adebN.exe
2340	3c1a0c0de5fc10f04f102231b4abfad6d9ec0a75a357bfe6f1d417d84874adebN.exe
2188	Dnpciaef.exe
2188	Dnpciaef.exe
2076	Danpemej.exe
2076	Danpemej.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dnpciaef.exe	3c1a0c0de5fc10f04f102231b4abfad6d9ec0a75a357bfe6f1d417d84874adebN.exe
File opened for modification	C:\Windows\SysWOW64\Dnpciaef.exe	3c1a0c0de5fc10f04f102231b4abfad6d9ec0a75a357bfe6f1d417d84874adebN.exe
File created	C:\Windows\SysWOW64\Danpemej.exe	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Cbehjc32.dll	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Pmiljc32.dll	3c1a0c0de5fc10f04f102231b4abfad6d9ec0a75a357bfe6f1d417d84874adebN.exe
File opened for modification	C:\Windows\SysWOW64\Danpemej.exe	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Danpemej.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Danpemej.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Danpemej.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32†Edggmg32.¾ll	Dpapaj32.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c1a0c0de5fc10f04f102231b4abfad6d9ec0a75a357bfe6f1d417d84874adebN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danpemej.exe

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	3c1a0c0de5fc10f04f102231b4abfad6d9ec0a75a357bfe6f1d417d84874adebN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs\I´Pro¹Ser¬er3è\ = "C:\\Windows\\system32†Edggmg32.¾ll"	Dpapaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Danpemej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID	Dpapaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs\I´Pro¹Ser¬er3è\Th¨ead³ngMµdelÚ = "›par®men®"	Dpapaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	3c1a0c0de5fc10f04f102231b4abfad6d9ec0a75a357bfe6f1d417d84874adebN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbehjc32.dll"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll"	3c1a0c0de5fc10f04f102231b4abfad6d9ec0a75a357bfe6f1d417d84874adebN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs	Dpapaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Danpemej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs\I´Pro¹Ser¬er3è	Dpapaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	3c1a0c0de5fc10f04f102231b4abfad6d9ec0a75a357bfe6f1d417d84874adebN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	3c1a0c0de5fc10f04f102231b4abfad6d9ec0a75a357bfe6f1d417d84874adebN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	3c1a0c0de5fc10f04f102231b4abfad6d9ec0a75a357bfe6f1d417d84874adebN.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2188	2340	3c1a0c0de5fc10f04f102231b4abfad6d9ec0a75a357bfe6f1d417d84874adebN.exe	31
PID 2340 wrote to memory of 2188	2340	3c1a0c0de5fc10f04f102231b4abfad6d9ec0a75a357bfe6f1d417d84874adebN.exe	31
PID 2340 wrote to memory of 2188	2340	3c1a0c0de5fc10f04f102231b4abfad6d9ec0a75a357bfe6f1d417d84874adebN.exe	31
PID 2340 wrote to memory of 2188	2340	3c1a0c0de5fc10f04f102231b4abfad6d9ec0a75a357bfe6f1d417d84874adebN.exe	31
PID 2188 wrote to memory of 2076	2188	Dnpciaef.exe	32
PID 2188 wrote to memory of 2076	2188	Dnpciaef.exe	32
PID 2188 wrote to memory of 2076	2188	Dnpciaef.exe	32
PID 2188 wrote to memory of 2076	2188	Dnpciaef.exe	32
PID 2076 wrote to memory of 2644	2076	Danpemej.exe	33
PID 2076 wrote to memory of 2644	2076	Danpemej.exe	33
PID 2076 wrote to memory of 2644	2076	Danpemej.exe	33
PID 2076 wrote to memory of 2644	2076	Danpemej.exe	33

C:\Users\Admin\AppData\Local\Temp\3c1a0c0de5fc10f04f102231b4abfad6d9ec0a75a357bfe6f1d417d84874adebN.exe
"C:\Users\Admin\AppData\Local\Temp\3c1a0c0de5fc10f04f102231b4abfad6d9ec0a75a357bfe6f1d417d84874adebN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\SysWOW64\Dnpciaef.exe
  C:\Windows\system32\Dnpciaef.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\SysWOW64\Danpemej.exe
    C:\Windows\system32\Danpemej.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2076
  - - C:\Windows\SysWOW64\Dpapaj32.exe
      C:\Windows\system32\Dpapaj32.exe
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Danpemej.exe

Filesize
402KB

MD5
52dafde00421fd48890af2bc3f9815e8

SHA1
57d45031b853c68be08dd784d0e610dc9dd1af49

SHA256
ce84ccfd36417d8d6e14f78ed24528f8338faa6b884742a27979c156c651a265

SHA512
03035bbb3e8449cd7b4855aab2c454483a7bb94d92b20a240c103a3c3807e825d18944980a3d1fc77d10ef44d32b9f9709f1d80b07bddc8dd578d0a34df17e15

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
402KB

MD5
301bfafe83c320525cad00e22f7c7279

SHA1
f67ce09b3c50bba8c49fd4fc4e831c176cc0e426

SHA256
0de01eff121e1ca14a887869c107d9e41982dfa1749b3c04360350913909e673

SHA512
7c7a50f45c28e54ea73d918bcb3db55577cd0135ff5fc4c208f2937f7dac013970e79097276986b6a6e81fd3c0c8b09d455eaebcc0e5c706e5ec2266ae3ea9d9

Download Submit
\Windows\SysWOW64\Dnpciaef.exe

Filesize
402KB

MD5
225137d0fe93ab89bd873b5aba0106b2

SHA1
8d98f80e94c3b5344e9408ecc4d9d81138f913ac

SHA256
41ff603013f02d49b6023233840b630b04028a9a8cc060e8ffd505878d5d5b94

SHA512
098d2b6282765a5a317f30ab71ad044eeaaf4c4730841deb0ff18c9a4baa02795a1f50b199819ce39537acd4b10cffad2f37db73b5a9e9accc5e550bdef5a6db

Download Submit
memory/2076-41-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2188-43-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2340-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2340-45-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2340-46-0x0000000000310000-0x000000000039C000-memory.dmp

Filesize
560KB

Download
memory/2644-39-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads