3b0c6ce1e273c29273d1532e2034cee75f99ea6561f066f47b72bb7c0f1f231d

Analysis

max time kernel
144s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 05:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07efac55eb14475c7d6244d92bf1dc0c.exe
Size

4.0MB
MD5

07efac55eb14475c7d6244d92bf1dc0c
SHA1

9c1d84e21f09bec9febb3e5fb9537f0d6b5885c6
SHA256

3b0c6ce1e273c29273d1532e2034cee75f99ea6561f066f47b72bb7c0f1f231d
SHA512

fee957507d3537e60b40ed0faa1f31121aead7d13aea2611364a524db4183b5a004c5be715921ed1c98cf66f2dc0a756d62872627ba93031472893fddcf5df80
SSDEEP

24576:13ArGnin67HfcwiZnirGni5jVg7nirGniNejffGni5jVg7nirGnin67HfcwiZniN:13V/9yOedy7/9y

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bobhal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	07efac55eb14475c7d6244d92bf1dc0c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	07efac55eb14475c7d6244d92bf1dc0c.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bphbeplm.exe

Executes dropped EXE 3 IoCs

pid	Process
2288	Bphbeplm.exe
2840	Bobhal32.exe
2864	Cacacg32.exe

Loads dropped DLL 10 IoCs

pid	Process
2964	07efac55eb14475c7d6244d92bf1dc0c.exe
2964	07efac55eb14475c7d6244d92bf1dc0c.exe
2288	Bphbeplm.exe
2288	Bphbeplm.exe
2840	Bobhal32.exe
2840	Bobhal32.exe
2524	WerFault.exe
2524	WerFault.exe
2524	WerFault.exe
2524	WerFault.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cacacg32.exe	Bobhal32.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Bobhal32.exe
File opened for modification	C:\Windows\SysWOW64\Bphbeplm.exe	07efac55eb14475c7d6244d92bf1dc0c.exe
File created	C:\Windows\SysWOW64\Ldhfglad.dll	07efac55eb14475c7d6244d92bf1dc0c.exe
File created	C:\Windows\SysWOW64\Bobhal32.exe	Bphbeplm.exe
File opened for modification	C:\Windows\SysWOW64\Bobhal32.exe	Bphbeplm.exe
File created	C:\Windows\SysWOW64\Bphbeplm.exe	07efac55eb14475c7d6244d92bf1dc0c.exe
File created	C:\Windows\SysWOW64\Imklkg32.dll	Bphbeplm.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Bobhal32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2524	2864	WerFault.exe	30

Modifies registry class 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bobhal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	07efac55eb14475c7d6244d92bf1dc0c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	07efac55eb14475c7d6244d92bf1dc0c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldhfglad.dll"	07efac55eb14475c7d6244d92bf1dc0c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	07efac55eb14475c7d6244d92bf1dc0c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Bobhal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	07efac55eb14475c7d6244d92bf1dc0c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	07efac55eb14475c7d6244d92bf1dc0c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imklkg32.dll"	Bphbeplm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bobhal32.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2288	2964	07efac55eb14475c7d6244d92bf1dc0c.exe	28
PID 2964 wrote to memory of 2288	2964	07efac55eb14475c7d6244d92bf1dc0c.exe	28
PID 2964 wrote to memory of 2288	2964	07efac55eb14475c7d6244d92bf1dc0c.exe	28
PID 2964 wrote to memory of 2288	2964	07efac55eb14475c7d6244d92bf1dc0c.exe	28
PID 2288 wrote to memory of 2840	2288	Bphbeplm.exe	29
PID 2288 wrote to memory of 2840	2288	Bphbeplm.exe	29
PID 2288 wrote to memory of 2840	2288	Bphbeplm.exe	29
PID 2288 wrote to memory of 2840	2288	Bphbeplm.exe	29
PID 2840 wrote to memory of 2864	2840	Bobhal32.exe	30
PID 2840 wrote to memory of 2864	2840	Bobhal32.exe	30
PID 2840 wrote to memory of 2864	2840	Bobhal32.exe	30
PID 2840 wrote to memory of 2864	2840	Bobhal32.exe	30
PID 2864 wrote to memory of 2524	2864	Cacacg32.exe	31
PID 2864 wrote to memory of 2524	2864	Cacacg32.exe	31
PID 2864 wrote to memory of 2524	2864	Cacacg32.exe	31
PID 2864 wrote to memory of 2524	2864	Cacacg32.exe	31

C:\Users\Admin\AppData\Local\Temp\07efac55eb14475c7d6244d92bf1dc0c.exe
"C:\Users\Admin\AppData\Local\Temp\07efac55eb14475c7d6244d92bf1dc0c.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Windows\SysWOW64\Bphbeplm.exe
  C:\Windows\system32\Bphbeplm.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\SysWOW64\Bobhal32.exe
    C:\Windows\system32\Bobhal32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\SysWOW64\Cacacg32.exe
      C:\Windows\system32\Cacacg32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 140
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bobhal32.exe

Filesize
3.9MB

MD5
fd2980059f677a9d878680449b93df09

SHA1
94f8cd21feddd923334003d3bdffc0a87e263c21

SHA256
3440d6a92d4da5531339fa7f4fb3fb123f0a50d7287ab6a4eca5ec41a15e2b43

SHA512
d0bf68cf70e61ee23a59aab2add6f0dbb999b589a14f4260d22466b3ede4bdabf4b03a81d75944a24845353894656569504d52cfc8be1d5e9c516df6c72b224a

Download Submit
C:\Windows\SysWOW64\Bobhal32.exe

Filesize
3.4MB

MD5
af3962d1101efb9b746af2ff082f7ac6

SHA1
2c2e0fabcd153f1e7da4463021b31b89bc4c2791

SHA256
c8af4d8852976f1382a5253f79dc4af4a072146766652316a296272cfc2b5755

SHA512
1fa3efad58668a867ac5343c60dc84e8ee3ecddc933d1010feeef50727d5f8928bd020552ca0301352cc0efe7b26256629aca5fe82e2536e5a3b9f601ce7889f

Download Submit
C:\Windows\SysWOW64\Bobhal32.exe

Filesize
4.0MB

MD5
d5ee169c83996abae261c79d88fcc57b

SHA1
51fff3936f6c419be1f0710d0fd0b7c8d10f839a

SHA256
ae50713e603c1658139fca4190370b5194a5cfc83597d4a36889d9184a22f37d

SHA512
3c7dac74d8046449fa0688ba375987f0f556c5f6d1d34123b6c64f06b0b4006eddce7e28ba38b3cf84acf631387a2e259dee7f2bd3ef0ea06a9ecc8c49c09832

Download Submit
C:\Windows\SysWOW64\Bphbeplm.exe

Filesize
3.2MB

MD5
e3dc3d31023a1c5e20da3c7600e4569f

SHA1
033e2124dbc8b1845aab44eaecaab50114c1e294

SHA256
7f04f926533507433dd2140f6906ae1f68fa39aa81bbad2a4138748efed64b4e

SHA512
cf9bdcaff1d08877744520f88e69195319845f0fc59d368b6cfbd18fa496a5720f4ffea7e55ce78badc20fe79617b23e99894a329d9817b27d962903c22e75ad

Download Submit
C:\Windows\SysWOW64\Bphbeplm.exe

Filesize
2.5MB

MD5
869b5af22657cf6c879e7bf9abcab5d4

SHA1
50dd9f9d4e1aef2358c798b09f4011fd6dd433da

SHA256
4006cf9c49dfc6b4cab53aab912a2560810da2e613d3e09a270cfcf25ce03acf

SHA512
c01f1210d8ed7f4999737473ba63f9d8f46ed1f63d609875e17312b812fbcfdc33e44d5e2adfa89eac124e3c532e01a4b36e054f31f2df613ac45da18737a728

Download Submit
C:\Windows\SysWOW64\Bphbeplm.exe

Filesize
2.8MB

MD5
d6397ede44133fc953d729bf855c7156

SHA1
063225ccb0c5979e9bd4a013c9ca886cb526c296

SHA256
a03a1905b4187b126ebc464a934655faf0680e679fff92adb01150c0ac5dc2c4

SHA512
ab05a710b1b38bd3eea961f3968dfe30c0a25b44a08648cd5acb3eee3ed5909e2fc8b310f7f54def0882f3bc59e9aec79c0bc3c7595ea39dbafc920760ff005f

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
1.3MB

MD5
7ba18efc76b410116124d8892bf8e5d8

SHA1
2782cadf033cb677b26104cf55acf078bf2b2195

SHA256
cd87cb7deed85ee2fbe9a14ffecb329602683f1f02b84d4375f60c75db24d2bb

SHA512
1e88cac74cceb0212909ed41afb2406e8c410f768c49492bec965df238ae5fe9c9dd46bd2d333921ca2a920dd8186eb41c2026248027d2cd946d5cbca7321b14

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
1.2MB

MD5
1d5b8eaf20ea520f438df84d06a430da

SHA1
49747ca241857659f10f75130440d056ca3f0c13

SHA256
8111e8cd64c3cbbc36e5f6a2c900387604eeb19e48fe399c82ca6a2b74bd2970

SHA512
56e9d8cc3e0d6e35d2f7909f73cbd0902ff93c7db7d0cade2bdbcd87b246b2aee2140d266fc1146c46c6ff9f1b7e46ef9bd7eef4ed23713c3170f8102610e372

Download Submit
\Windows\SysWOW64\Bobhal32.exe

Filesize
3.1MB

MD5
d100b83cd500e59c37813ae36f51cd5f

SHA1
d341668264ff339170f39de8b549bce7c5c8874d

SHA256
d3145638b0e8daa844160efdbef36f6686aca4ca0321c23f3ef647e718e6dd61

SHA512
e27c69d40f189f583e819497db66baa23ea1e738fca35c88c63e50a4204e3251893d590bf10800c4674dbb3f03fc1b6da70494ebfce35947ae8b06c9ed67a07c

Download Submit
\Windows\SysWOW64\Bobhal32.exe

Filesize
3.4MB

MD5
060319e5ae5d0e56c207871083497f02

SHA1
43298fb9451a7dea7800005e7010daf83a4f8b83

SHA256
fe3e5f4450d30b9ef526851ac57a770402068029a6e1b03049a34d608a3f05a3

SHA512
12be82e66bc7d4d0f2fdbff0aae79dcf28fb37a500ad3309e9ae7ac57b4dd8ca22f060c26b027eb4daf9fcd467289fc1623f0d5dc11d0ae3d7e15b42ec551b86

Download Submit
\Windows\SysWOW64\Bphbeplm.exe

Filesize
4.0MB

MD5
7d9c6ed358638e3369038fe6f7b620cf

SHA1
9f310c0e7b3249ff87f3e708aa1e921c4ab950f5

SHA256
3bfebdd868c86babddbe87f77d28fa082429053a5e448a5010332a0806ed165a

SHA512
5aa199664c460a59f0805a3dadd53b13726ea96e317876392523be12baa65c786fff3feba6115cef7ab7f7acbf68846a1d3cc3b0419dcd7df46c3c9d3bc9fcca

Download Submit
\Windows\SysWOW64\Bphbeplm.exe

Filesize
2.6MB

MD5
cada9b9649a95759bcccce34706df8fc

SHA1
c0868c1ceeb3df9507f81d119e092b36437f76c1

SHA256
886d8ebb01572aad9a1f43db31a2d7c24f84f66f736b81093370ccace7113fc7

SHA512
7f90058783e67610ba7aec032d9cf60461c9e9ffc2712e15f0c77af7f550db324d816f23aa0deb07435d75fbe1d565ded6224407e123d89b285eb32d8916af33

Download Submit
\Windows\SysWOW64\Cacacg32.exe

Filesize
2.6MB

MD5
a6cc486e929db4fcaa249e760616e645

SHA1
df0273380a8aa466201ebb98dbbc9e5a1ee31d17

SHA256
df3ea237729169d84c305fd11b53a4243c106b52beec47250a4e0fc455077deb

SHA512
583e9816e6bd1c4d3adee3cd782c4b99334956a3fd0932e20826aae4c10b41ee3a79c9bb14da9bae87ef381a7ad966fdea4c841b2cab878e0a179d83411e8195

Download Submit
\Windows\SysWOW64\Cacacg32.exe

Filesize
1.4MB

MD5
1934f6a1bfc9fde3567f853ff0f083a0

SHA1
210756fc39ff00ff83bd69733496f7bbea951268

SHA256
cac55fcf32a09683013c2e5985362ba12e7c93122e0e25b1baff50dfc4ed7fce

SHA512
df02642ad97311240a5ed11110b987c96efd3f8fb03dbc8d24b03be919c4bce27b5fdbaa94fd4e4f27ef595a0083c0f95928b4cd0712734e312ab6ec96265810

Download Submit
\Windows\SysWOW64\Cacacg32.exe

Filesize
1.2MB

MD5
4872f9972b550e8592f7b8bee1f55cf9

SHA1
5e330c6b07f5283d4d48ac89b940d24e7179163b

SHA256
0466f4ab65045a236c46597870bfa455a1c5210e6b7f88d32e7b2a7274aef173

SHA512
56dd47de70809f12708ea385f808d9d021606f6d0fa25897af3e98bddc42f05967194e9761937745549d848e67ba8dbad96877c8e25a93d1d874c6939669a176

Download Submit
\Windows\SysWOW64\Cacacg32.exe

Filesize
1024KB

MD5
7d02eb8aaabb34d0c242aa00a606829d

SHA1
bdcc5dc8aa80abf2b22149be5c16209c9d075618

SHA256
0fc4e95fbc2acdf5a114c06f92a448d1b2d744f175cc922268617b567935e56b

SHA512
02b88cd48a9eb9239a6f4042c890c8b7a6dff5616491657119620a11f2d7e41892ca9b6ac44b5ee149fffb782d727cb1ee2d6e48079ed2a01a263e53261c9601

Download Submit
\Windows\SysWOW64\Cacacg32.exe

Filesize
832KB

MD5
3fb3702b7c138921e05f1a7cc6f1f655

SHA1
3ac49013f4bdeea359401135aa7c13b8f0034a0f

SHA256
a3d7acad5c59c7c7aa21ee09408ee5b465a14da8a07257984b71393c4bb03c10

SHA512
830db12f148d69b1cda68d7cb4c05b476ac96a548c66ee3c8ba630b24de0d8fc869f1d7cf10e0d4ec46285dc8fe3407efe587876ac544d75f5bb26344af84e1b

Download Submit
\Windows\SysWOW64\Cacacg32.exe

Filesize
4.0MB

MD5
6d59acf9b3d1ab5ed8209be4c7562214

SHA1
c54dac3b6427cf370b1bbf852cecbcad00f3e56a

SHA256
a5496434cf840043970734e705fc81aca3dbb4cb9ec6804f7a3798d81c08091b

SHA512
cfc2090b8bef22dfaa247f6b5bd60ba53adc6193988069c450ba4d96786c188bac5209bb826fdf38f9b8f21ba837079aae00da5383c9e1a7941e4da6de2e459c

Download Submit
memory/2288-32-0x00000000002A0000-0x00000000002D4000-memory.dmp

Filesize
208KB

Download
memory/2288-25-0x00000000002A0000-0x00000000002D4000-memory.dmp

Filesize
208KB

Download
memory/2288-13-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2288-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2840-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2864-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2964-6-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2964-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2964-46-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads