88c27ca547bad331ac0c3cf2338c0dc8bc4d234d4c3c55ce457f4e554406ac6b

General

Target

de7ce19c8341904799dccbd8675910c0_exe32.exe
Size

96KB
MD5

de7ce19c8341904799dccbd8675910c0
SHA1

573aa718f5e8620e7061414328e0012fa7a581e8
SHA256

88c27ca547bad331ac0c3cf2338c0dc8bc4d234d4c3c55ce457f4e554406ac6b
SHA512

ea309345672e370cc7425826406592ffacc34df8faa4fe6aa93470d255f0dbd1deb14582870f650ccd1c9324e9acc196a13dd29a154871db50becd3ed748358a
SSDEEP

1536:7fohG8uKPcVj32TozffpH4KVcdZ2JVQBKoC/CKniTCvVAva61hLDnePhVsWzRADL:7foF82TozffpH4KVqZ2fQkbn1vVAva61

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	de7ce19c8341904799dccbd8675910c0_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	de7ce19c8341904799dccbd8675910c0_exe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgqlcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgqlcg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dahmfpap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dahmfpap.exe

Executes dropped EXE 3 IoCs

pid	Process
264	Cgqlcg32.exe
4540	Dahmfpap.exe
4708	Dkqaoe32.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dahmfpap.exe	Cgqlcg32.exe
File created	C:\Windows\SysWOW64\Dkqaoe32.exe	Dahmfpap.exe
File created	C:\Windows\SysWOW64\Glfdiedd.dll	Dahmfpap.exe
File opened for modification	C:\Windows\SysWOW64\Cgqlcg32.exe	de7ce19c8341904799dccbd8675910c0_exe32.exe
File created	C:\Windows\SysWOW64\Dahmfpap.exe	Cgqlcg32.exe
File created	C:\Windows\SysWOW64\Ipjijkpg.dll	Cgqlcg32.exe
File opened for modification	C:\Windows\SysWOW64\Dkqaoe32.exe	Dahmfpap.exe
File created	C:\Windows\SysWOW64\Cgqlcg32.exe	de7ce19c8341904799dccbd8675910c0_exe32.exe
File created	C:\Windows\SysWOW64\Jhijep32.dll	de7ce19c8341904799dccbd8675910c0_exe32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5008	4708	WerFault.exe	38

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	de7ce19c8341904799dccbd8675910c0_exe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	de7ce19c8341904799dccbd8675910c0_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	de7ce19c8341904799dccbd8675910c0_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjijkpg.dll"	Cgqlcg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dahmfpap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dahmfpap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	de7ce19c8341904799dccbd8675910c0_exe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	de7ce19c8341904799dccbd8675910c0_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhijep32.dll"	de7ce19c8341904799dccbd8675910c0_exe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgqlcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgqlcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll"	Dahmfpap.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4196 wrote to memory of 264	4196	de7ce19c8341904799dccbd8675910c0_exe32.exe	43
PID 4196 wrote to memory of 264	4196	de7ce19c8341904799dccbd8675910c0_exe32.exe	43
PID 4196 wrote to memory of 264	4196	de7ce19c8341904799dccbd8675910c0_exe32.exe	43
PID 264 wrote to memory of 4540	264	Cgqlcg32.exe	41
PID 264 wrote to memory of 4540	264	Cgqlcg32.exe	41
PID 264 wrote to memory of 4540	264	Cgqlcg32.exe	41
PID 4540 wrote to memory of 4708	4540	Dahmfpap.exe	38
PID 4540 wrote to memory of 4708	4540	Dahmfpap.exe	38
PID 4540 wrote to memory of 4708	4540	Dahmfpap.exe	38

C:\Users\Admin\AppData\Local\Temp\de7ce19c8341904799dccbd8675910c0_exe32.exe
"C:\Users\Admin\AppData\Local\Temp\de7ce19c8341904799dccbd8675910c0_exe32.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4196
- C:\Windows\SysWOW64\Cgqlcg32.exe
  C:\Windows\system32\Cgqlcg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:264

C:\Windows\SysWOW64\Dkqaoe32.exe
C:\Windows\system32\Dkqaoe32.exe
1⤵
- Executes dropped EXE
PID:4708
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 408
  2⤵
  - Program crash
  PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4708 -ip 4708
1⤵
PID:1536

C:\Windows\SysWOW64\Dahmfpap.exe
C:\Windows\system32\Dahmfpap.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cgqlcg32.exe

Filesize
96KB

MD5
d9af94775a3423e95c68552b0601e665

SHA1
9e5d919a6d093b7995b41ea77afac17d4f35271c

SHA256
23cdfd5e7946d0450aea0ac69b187cca9854f17d8385ab15745925116f05e9ba

SHA512
dd9de2059fabf80f3aab58c9c0335a52a35cba225cfe656d877b7ba68c4e959f4fe01b6c4af20502347ec83afcda25c6258a0d2d00b32951c2a812fc29c48313

Download Submit
C:\Windows\SysWOW64\Cgqlcg32.exe

Filesize
96KB

MD5
d9af94775a3423e95c68552b0601e665

SHA1
9e5d919a6d093b7995b41ea77afac17d4f35271c

SHA256
23cdfd5e7946d0450aea0ac69b187cca9854f17d8385ab15745925116f05e9ba

SHA512
dd9de2059fabf80f3aab58c9c0335a52a35cba225cfe656d877b7ba68c4e959f4fe01b6c4af20502347ec83afcda25c6258a0d2d00b32951c2a812fc29c48313

Download Submit
C:\Windows\SysWOW64\Dahmfpap.exe

Filesize
96KB

MD5
d424d6fcafae8ea93adb242c34bd398f

SHA1
ec29fd51b8fbd8aaa6643d1afceecb0556d86241

SHA256
1ef4fb754cea168ca5a71611dd0a7659e27c719c0e4c0094ada17084a07a0e4f

SHA512
521da7ec481cebc569e1655a6ddb81c0f8be2dd647bcdf5792511ed2b688c1a41f3975fbdf3cdaea11781e7dfbc859705ca6f021647cb25e5c5840ab22ff895c

Download Submit
C:\Windows\SysWOW64\Dahmfpap.exe

Filesize
96KB

MD5
d424d6fcafae8ea93adb242c34bd398f

SHA1
ec29fd51b8fbd8aaa6643d1afceecb0556d86241

SHA256
1ef4fb754cea168ca5a71611dd0a7659e27c719c0e4c0094ada17084a07a0e4f

SHA512
521da7ec481cebc569e1655a6ddb81c0f8be2dd647bcdf5792511ed2b688c1a41f3975fbdf3cdaea11781e7dfbc859705ca6f021647cb25e5c5840ab22ff895c

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
96KB

MD5
8b03159ba79af4ee8522241c9a26619b

SHA1
80b3aacbb764afd5e7eb63a4e31da2947f9089b3

SHA256
cb51a4e212be5c2e1d77498f6f0cc55f9e3dbadf0111a8c8461dd0a4cdda21a9

SHA512
50091ae9f667795eba49532447195dfde3a9c7eb86a0a9ae67c318b2b9bf1f7cb0f82cec50fc880437c6619be9f5222191d2c66886da1b838a080d4f87c9290f

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
96KB

MD5
8b03159ba79af4ee8522241c9a26619b

SHA1
80b3aacbb764afd5e7eb63a4e31da2947f9089b3

SHA256
cb51a4e212be5c2e1d77498f6f0cc55f9e3dbadf0111a8c8461dd0a4cdda21a9

SHA512
50091ae9f667795eba49532447195dfde3a9c7eb86a0a9ae67c318b2b9bf1f7cb0f82cec50fc880437c6619be9f5222191d2c66886da1b838a080d4f87c9290f

Download Submit
memory/264-8-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/264-29-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4196-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4196-1-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4196-26-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4540-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4540-27-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4708-25-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4708-28-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads