c8a7af2d91f1b22cc8bc59070e246f6d7bd1a91a45d9729db3a373fb6ce4b198

General

Target

c8a7af2d91f1b22cc8bc59070e246f6d7bd1a91a45d9729db3a373fb6ce4b198.exe
Size

45KB
MD5

3e70d9a82e68af43f27dbde3a7492490
SHA1

4e46ebea70e6fbecdba8d274daeb43f9b9bdf9f3
SHA256

c8a7af2d91f1b22cc8bc59070e246f6d7bd1a91a45d9729db3a373fb6ce4b198
SHA512

5e0aed6c743535aba1470149da064f9a9cd18d57202479cc552181687969fd2949a438f74358a0ac63c053ef7fdb6c38040660cfbd078f73ac6ac07e89e9c1b6
SSDEEP

768:XZwb9TV5ZDzu83AqN1LZNneGcRnks/iaeS9rmJIga9/U/1H5:XZwb9TvZ3wqnL67RnkMVmeq

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c8a7af2d91f1b22cc8bc59070e246f6d7bd1a91a45d9729db3a373fb6ce4b198.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c8a7af2d91f1b22cc8bc59070e246f6d7bd1a91a45d9729db3a373fb6ce4b198.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c8a7af2d91f1b22cc8bc59070e246f6d7bd1a91a45d9729db3a373fb6ce4b198.exe

Executes dropped EXE 1 IoCs

Processes:

Gbmqkm32.exe

pid process

1940 Gbmqkm32.exe

pid	process
1940	Gbmqkm32.exe

Loads dropped DLL 2 IoCs

Processes:

c8a7af2d91f1b22cc8bc59070e246f6d7bd1a91a45d9729db3a373fb6ce4b198.exe

pid	process
1760	c8a7af2d91f1b22cc8bc59070e246f6d7bd1a91a45d9729db3a373fb6ce4b198.exe
1760	c8a7af2d91f1b22cc8bc59070e246f6d7bd1a91a45d9729db3a373fb6ce4b198.exe

Drops file in System32 directory 3 IoCs

Processes:

c8a7af2d91f1b22cc8bc59070e246f6d7bd1a91a45d9729db3a373fb6ce4b198.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Gbmqkm32.exe	c8a7af2d91f1b22cc8bc59070e246f6d7bd1a91a45d9729db3a373fb6ce4b198.exe
File opened for modification	C:\Windows\SysWOW64\Gbmqkm32.exe	c8a7af2d91f1b22cc8bc59070e246f6d7bd1a91a45d9729db3a373fb6ce4b198.exe
File created	C:\Windows\SysWOW64\Cmnakm32.dll	c8a7af2d91f1b22cc8bc59070e246f6d7bd1a91a45d9729db3a373fb6ce4b198.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

Gbmqkm32.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess	Gbmqkm32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess\BrowseNewProcess = "yes"	Gbmqkm32.exe

Modifies registry class 6 IoCs

Processes:

c8a7af2d91f1b22cc8bc59070e246f6d7bd1a91a45d9729db3a373fb6ce4b198.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	c8a7af2d91f1b22cc8bc59070e246f6d7bd1a91a45d9729db3a373fb6ce4b198.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	c8a7af2d91f1b22cc8bc59070e246f6d7bd1a91a45d9729db3a373fb6ce4b198.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	c8a7af2d91f1b22cc8bc59070e246f6d7bd1a91a45d9729db3a373fb6ce4b198.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	c8a7af2d91f1b22cc8bc59070e246f6d7bd1a91a45d9729db3a373fb6ce4b198.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmnakm32.dll"	c8a7af2d91f1b22cc8bc59070e246f6d7bd1a91a45d9729db3a373fb6ce4b198.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	c8a7af2d91f1b22cc8bc59070e246f6d7bd1a91a45d9729db3a373fb6ce4b198.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Gbmqkm32.exe

pid process

1940 Gbmqkm32.exe

pid	process
1940	Gbmqkm32.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

c8a7af2d91f1b22cc8bc59070e246f6d7bd1a91a45d9729db3a373fb6ce4b198.exe

description	pid	process	target process
PID 1760 wrote to memory of 1940	1760	c8a7af2d91f1b22cc8bc59070e246f6d7bd1a91a45d9729db3a373fb6ce4b198.exe	Gbmqkm32.exe
PID 1760 wrote to memory of 1940	1760	c8a7af2d91f1b22cc8bc59070e246f6d7bd1a91a45d9729db3a373fb6ce4b198.exe	Gbmqkm32.exe
PID 1760 wrote to memory of 1940	1760	c8a7af2d91f1b22cc8bc59070e246f6d7bd1a91a45d9729db3a373fb6ce4b198.exe	Gbmqkm32.exe
PID 1760 wrote to memory of 1940	1760	c8a7af2d91f1b22cc8bc59070e246f6d7bd1a91a45d9729db3a373fb6ce4b198.exe	Gbmqkm32.exe

C:\Users\Admin\AppData\Local\Temp\c8a7af2d91f1b22cc8bc59070e246f6d7bd1a91a45d9729db3a373fb6ce4b198.exe
"C:\Users\Admin\AppData\Local\Temp\c8a7af2d91f1b22cc8bc59070e246f6d7bd1a91a45d9729db3a373fb6ce4b198.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\SysWOW64\Gbmqkm32.exe
C:\Windows\system32\Gbmqkm32.exe
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: GetForegroundWindowSpam
PID:1940

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gbmqkm32.exe
Filesize
45KB

MD5
27adae0e6d1afa6486ccf76472d385f7

SHA1
43ca9be623bf125311669f5b26cf4e1596af4313

SHA256
6989f7207253208d93763281e91ce9d74f8a1b0163f80dcbd6cb0069f0c91f8c

SHA512
2465107d16ac40afb7aeedf48172a0d80bdc4377d1bca4d246920a8f461d0556c5f852d40cebc47d3bc3dd85ae49c8f4adbafe083c89e8026432ab6a2b96f64c

Download Submit
\Windows\SysWOW64\Gbmqkm32.exe
Filesize
45KB

MD5
27adae0e6d1afa6486ccf76472d385f7

SHA1
43ca9be623bf125311669f5b26cf4e1596af4313

SHA256
6989f7207253208d93763281e91ce9d74f8a1b0163f80dcbd6cb0069f0c91f8c

SHA512
2465107d16ac40afb7aeedf48172a0d80bdc4377d1bca4d246920a8f461d0556c5f852d40cebc47d3bc3dd85ae49c8f4adbafe083c89e8026432ab6a2b96f64c

Download Submit
\Windows\SysWOW64\Gbmqkm32.exe
Filesize
45KB

MD5
27adae0e6d1afa6486ccf76472d385f7

SHA1
43ca9be623bf125311669f5b26cf4e1596af4313

SHA256
6989f7207253208d93763281e91ce9d74f8a1b0163f80dcbd6cb0069f0c91f8c

SHA512
2465107d16ac40afb7aeedf48172a0d80bdc4377d1bca4d246920a8f461d0556c5f852d40cebc47d3bc3dd85ae49c8f4adbafe083c89e8026432ab6a2b96f64c

Download Submit
memory/1760-59-0x0000000000430000-0x000000000045F000-memory.dmp

Filesize
188KB

Download
memory/1760-58-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1940-56-0x0000000000000000-mapping.dmp

Download
memory/1940-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1940-61-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download
memory/1940-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads