bd09809c049826a08b9fcd29f29ee4c48b46ec1c3bdfd2e303582d6525211098

Analysis

max time kernel
141s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06/03/2024, 00:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bd09809c049826a08b9fcd29f29ee4c48b46ec1c3bdfd2e303582d6525211098.exe
Size

64KB
MD5

b8d22f9ed899b1b5f96dd72889593ee4
SHA1

568483f92dc116a846735e5639b714ecc1bd0417
SHA256

bd09809c049826a08b9fcd29f29ee4c48b46ec1c3bdfd2e303582d6525211098
SHA512

2857a9839e0f8f550b17f49652f62759e19547dd3977edcad6ccd26815eb830893b1f5b34a3074573eef370e7e6eb134b8aee7976888f82a063722c96561e860
SSDEEP

768:p+u8QoY1OHjkAfsKEAIa7mbMaVBMd3F18flVsa/1H599e6XJ1IwEGp9ThfzyYsHv:wuOYWjkTKbybSF18NVsglXUwXfzwv

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghoegl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdfflm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iknnbklc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hdfflm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnojdcfi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	bd09809c049826a08b9fcd29f29ee4c48b46ec1c3bdfd2e303582d6525211098.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hellne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpapln32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpapln32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkkalk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkpnhgge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghoegl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnojdcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hogmmjfo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	bd09809c049826a08b9fcd29f29ee4c48b46ec1c3bdfd2e303582d6525211098.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hellne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iknnbklc.exe

Executes dropped EXE 14 IoCs

pid	Process
2264	Ghoegl32.exe
2228	Hdfflm32.exe
2500	Hkpnhgge.exe
2324	Hnojdcfi.exe
2628	Hejoiedd.exe
2496	Hnagjbdf.exe
2896	Hcnpbi32.exe
2564	Hellne32.exe
1188	Hlfdkoin.exe
348	Hpapln32.exe
2168	Hkkalk32.exe
2780	Hogmmjfo.exe
568	Iknnbklc.exe
848	Iagfoe32.exe

Loads dropped DLL 32 IoCs

pid	Process
1220	bd09809c049826a08b9fcd29f29ee4c48b46ec1c3bdfd2e303582d6525211098.exe
1220	bd09809c049826a08b9fcd29f29ee4c48b46ec1c3bdfd2e303582d6525211098.exe
2264	Ghoegl32.exe
2264	Ghoegl32.exe
2228	Hdfflm32.exe
2228	Hdfflm32.exe
2500	Hkpnhgge.exe
2500	Hkpnhgge.exe
2324	Hnojdcfi.exe
2324	Hnojdcfi.exe
2628	Hejoiedd.exe
2628	Hejoiedd.exe
2496	Hnagjbdf.exe
2496	Hnagjbdf.exe
2896	Hcnpbi32.exe
2896	Hcnpbi32.exe
2564	Hellne32.exe
2564	Hellne32.exe
1188	Hlfdkoin.exe
1188	Hlfdkoin.exe
348	Hpapln32.exe
348	Hpapln32.exe
2168	Hkkalk32.exe
2168	Hkkalk32.exe
2780	Hogmmjfo.exe
2780	Hogmmjfo.exe
568	Iknnbklc.exe
568	Iknnbklc.exe
2892	WerFault.exe
2892	WerFault.exe
2892	WerFault.exe
2892	WerFault.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Hkkalk32.exe	Hpapln32.exe
File created	C:\Windows\SysWOW64\Ejdmpb32.dll	Hpapln32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Iknnbklc.exe
File created	C:\Windows\SysWOW64\Enlbgc32.dll	Hejoiedd.exe
File created	C:\Windows\SysWOW64\Hellne32.exe	Hcnpbi32.exe
File created	C:\Windows\SysWOW64\Pffgja32.dll	Hdfflm32.exe
File created	C:\Windows\SysWOW64\Hnojdcfi.exe	Hkpnhgge.exe
File created	C:\Windows\SysWOW64\Odpegjpg.dll	Hkpnhgge.exe
File created	C:\Windows\SysWOW64\Hnagjbdf.exe	Hejoiedd.exe
File created	C:\Windows\SysWOW64\Ojhcelga.dll	Hkkalk32.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Iknnbklc.exe
File created	C:\Windows\SysWOW64\Gpekfank.dll	bd09809c049826a08b9fcd29f29ee4c48b46ec1c3bdfd2e303582d6525211098.exe
File created	C:\Windows\SysWOW64\Hkpnhgge.exe	Hdfflm32.exe
File opened for modification	C:\Windows\SysWOW64\Hejoiedd.exe	Hnojdcfi.exe
File opened for modification	C:\Windows\SysWOW64\Hnagjbdf.exe	Hejoiedd.exe
File created	C:\Windows\SysWOW64\Khejeajg.dll	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Oiogaqdb.dll	Hellne32.exe
File created	C:\Windows\SysWOW64\Glqllcbf.dll	Hlfdkoin.exe
File opened for modification	C:\Windows\SysWOW64\Ghoegl32.exe	bd09809c049826a08b9fcd29f29ee4c48b46ec1c3bdfd2e303582d6525211098.exe
File opened for modification	C:\Windows\SysWOW64\Hdfflm32.exe	Ghoegl32.exe
File opened for modification	C:\Windows\SysWOW64\Hnojdcfi.exe	Hkpnhgge.exe
File opened for modification	C:\Windows\SysWOW64\Hlfdkoin.exe	Hellne32.exe
File opened for modification	C:\Windows\SysWOW64\Iknnbklc.exe	Hogmmjfo.exe
File created	C:\Windows\SysWOW64\Eqpofkjo.dll	Hogmmjfo.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Iknnbklc.exe
File created	C:\Windows\SysWOW64\Hdfflm32.exe	Ghoegl32.exe
File opened for modification	C:\Windows\SysWOW64\Hkpnhgge.exe	Hdfflm32.exe
File created	C:\Windows\SysWOW64\Hogmmjfo.exe	Hkkalk32.exe
File opened for modification	C:\Windows\SysWOW64\Hcnpbi32.exe	Hnagjbdf.exe
File opened for modification	C:\Windows\SysWOW64\Hellne32.exe	Hcnpbi32.exe
File created	C:\Windows\SysWOW64\Hlfdkoin.exe	Hellne32.exe
File created	C:\Windows\SysWOW64\Hejoiedd.exe	Hnojdcfi.exe
File created	C:\Windows\SysWOW64\Hcnpbi32.exe	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Pljpdpao.dll	Hcnpbi32.exe
File created	C:\Windows\SysWOW64\Hpapln32.exe	Hlfdkoin.exe
File created	C:\Windows\SysWOW64\Hkkalk32.exe	Hpapln32.exe
File opened for modification	C:\Windows\SysWOW64\Hogmmjfo.exe	Hkkalk32.exe
File created	C:\Windows\SysWOW64\Ghoegl32.exe	bd09809c049826a08b9fcd29f29ee4c48b46ec1c3bdfd2e303582d6525211098.exe
File created	C:\Windows\SysWOW64\Hepmggig.dll	Hnojdcfi.exe
File created	C:\Windows\SysWOW64\Iknnbklc.exe	Hogmmjfo.exe
File created	C:\Windows\SysWOW64\Phofkg32.dll	Ghoegl32.exe
File opened for modification	C:\Windows\SysWOW64\Hpapln32.exe	Hlfdkoin.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2892	848	WerFault.exe	41

Modifies registry class 45 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iknnbklc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghoegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ghoegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odpegjpg.dll"	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glqllcbf.dll"	Hlfdkoin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	bd09809c049826a08b9fcd29f29ee4c48b46ec1c3bdfd2e303582d6525211098.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hdfflm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pljpdpao.dll"	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	bd09809c049826a08b9fcd29f29ee4c48b46ec1c3bdfd2e303582d6525211098.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojhcelga.dll"	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hogmmjfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnojdcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepmggig.dll"	Hnojdcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hnojdcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlbgc32.dll"	Hejoiedd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpapln32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	bd09809c049826a08b9fcd29f29ee4c48b46ec1c3bdfd2e303582d6525211098.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejdmpb32.dll"	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkkalk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiogaqdb.dll"	Hellne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpekfank.dll"	bd09809c049826a08b9fcd29f29ee4c48b46ec1c3bdfd2e303582d6525211098.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phofkg32.dll"	Ghoegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pffgja32.dll"	Hdfflm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hejoiedd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkkalk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iknnbklc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hdfflm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqpofkjo.dll"	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Iknnbklc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpapln32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	bd09809c049826a08b9fcd29f29ee4c48b46ec1c3bdfd2e303582d6525211098.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	bd09809c049826a08b9fcd29f29ee4c48b46ec1c3bdfd2e303582d6525211098.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkpnhgge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khejeajg.dll"	Hnagjbdf.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 2264	1220	bd09809c049826a08b9fcd29f29ee4c48b46ec1c3bdfd2e303582d6525211098.exe	28
PID 1220 wrote to memory of 2264	1220	bd09809c049826a08b9fcd29f29ee4c48b46ec1c3bdfd2e303582d6525211098.exe	28
PID 1220 wrote to memory of 2264	1220	bd09809c049826a08b9fcd29f29ee4c48b46ec1c3bdfd2e303582d6525211098.exe	28
PID 1220 wrote to memory of 2264	1220	bd09809c049826a08b9fcd29f29ee4c48b46ec1c3bdfd2e303582d6525211098.exe	28
PID 2264 wrote to memory of 2228	2264	Ghoegl32.exe	29
PID 2264 wrote to memory of 2228	2264	Ghoegl32.exe	29
PID 2264 wrote to memory of 2228	2264	Ghoegl32.exe	29
PID 2264 wrote to memory of 2228	2264	Ghoegl32.exe	29
PID 2228 wrote to memory of 2500	2228	Hdfflm32.exe	30
PID 2228 wrote to memory of 2500	2228	Hdfflm32.exe	30
PID 2228 wrote to memory of 2500	2228	Hdfflm32.exe	30
PID 2228 wrote to memory of 2500	2228	Hdfflm32.exe	30
PID 2500 wrote to memory of 2324	2500	Hkpnhgge.exe	31
PID 2500 wrote to memory of 2324	2500	Hkpnhgge.exe	31
PID 2500 wrote to memory of 2324	2500	Hkpnhgge.exe	31
PID 2500 wrote to memory of 2324	2500	Hkpnhgge.exe	31
PID 2324 wrote to memory of 2628	2324	Hnojdcfi.exe	32
PID 2324 wrote to memory of 2628	2324	Hnojdcfi.exe	32
PID 2324 wrote to memory of 2628	2324	Hnojdcfi.exe	32
PID 2324 wrote to memory of 2628	2324	Hnojdcfi.exe	32
PID 2628 wrote to memory of 2496	2628	Hejoiedd.exe	33
PID 2628 wrote to memory of 2496	2628	Hejoiedd.exe	33
PID 2628 wrote to memory of 2496	2628	Hejoiedd.exe	33
PID 2628 wrote to memory of 2496	2628	Hejoiedd.exe	33
PID 2496 wrote to memory of 2896	2496	Hnagjbdf.exe	34
PID 2496 wrote to memory of 2896	2496	Hnagjbdf.exe	34
PID 2496 wrote to memory of 2896	2496	Hnagjbdf.exe	34
PID 2496 wrote to memory of 2896	2496	Hnagjbdf.exe	34
PID 2896 wrote to memory of 2564	2896	Hcnpbi32.exe	35
PID 2896 wrote to memory of 2564	2896	Hcnpbi32.exe	35
PID 2896 wrote to memory of 2564	2896	Hcnpbi32.exe	35
PID 2896 wrote to memory of 2564	2896	Hcnpbi32.exe	35
PID 2564 wrote to memory of 1188	2564	Hellne32.exe	36
PID 2564 wrote to memory of 1188	2564	Hellne32.exe	36
PID 2564 wrote to memory of 1188	2564	Hellne32.exe	36
PID 2564 wrote to memory of 1188	2564	Hellne32.exe	36
PID 1188 wrote to memory of 348	1188	Hlfdkoin.exe	37
PID 1188 wrote to memory of 348	1188	Hlfdkoin.exe	37
PID 1188 wrote to memory of 348	1188	Hlfdkoin.exe	37
PID 1188 wrote to memory of 348	1188	Hlfdkoin.exe	37
PID 348 wrote to memory of 2168	348	Hpapln32.exe	38
PID 348 wrote to memory of 2168	348	Hpapln32.exe	38
PID 348 wrote to memory of 2168	348	Hpapln32.exe	38
PID 348 wrote to memory of 2168	348	Hpapln32.exe	38
PID 2168 wrote to memory of 2780	2168	Hkkalk32.exe	39
PID 2168 wrote to memory of 2780	2168	Hkkalk32.exe	39
PID 2168 wrote to memory of 2780	2168	Hkkalk32.exe	39
PID 2168 wrote to memory of 2780	2168	Hkkalk32.exe	39
PID 2780 wrote to memory of 568	2780	Hogmmjfo.exe	40
PID 2780 wrote to memory of 568	2780	Hogmmjfo.exe	40
PID 2780 wrote to memory of 568	2780	Hogmmjfo.exe	40
PID 2780 wrote to memory of 568	2780	Hogmmjfo.exe	40
PID 568 wrote to memory of 848	568	Iknnbklc.exe	41
PID 568 wrote to memory of 848	568	Iknnbklc.exe	41
PID 568 wrote to memory of 848	568	Iknnbklc.exe	41
PID 568 wrote to memory of 848	568	Iknnbklc.exe	41
PID 848 wrote to memory of 2892	848	Iagfoe32.exe	42
PID 848 wrote to memory of 2892	848	Iagfoe32.exe	42
PID 848 wrote to memory of 2892	848	Iagfoe32.exe	42
PID 848 wrote to memory of 2892	848	Iagfoe32.exe	42

C:\Users\Admin\AppData\Local\Temp\bd09809c049826a08b9fcd29f29ee4c48b46ec1c3bdfd2e303582d6525211098.exe
"C:\Users\Admin\AppData\Local\Temp\bd09809c049826a08b9fcd29f29ee4c48b46ec1c3bdfd2e303582d6525211098.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Windows\SysWOW64\Ghoegl32.exe
  C:\Windows\system32\Ghoegl32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\SysWOW64\Hdfflm32.exe
    C:\Windows\system32\Hdfflm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2228
  - - C:\Windows\SysWOW64\Hkpnhgge.exe
      C:\Windows\system32\Hkpnhgge.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2500
    - - C:\Windows\SysWOW64\Hnojdcfi.exe
        
        C:\Windows\system32\Hnojdcfi.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2324
      - C:\Windows\SysWOW64\Hejoiedd.exe
        
        C:\Windows\system32\Hejoiedd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Hnagjbdf.exe
        
        C:\Windows\system32\Hnagjbdf.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\Hcnpbi32.exe
        
        C:\Windows\system32\Hcnpbi32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\SysWOW64\Hellne32.exe
        
        C:\Windows\system32\Hellne32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Hlfdkoin.exe
        
        C:\Windows\system32\Hlfdkoin.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\SysWOW64\Hpapln32.exe
        
        C:\Windows\system32\Hpapln32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:348
        
        C:\Windows\SysWOW64\Hkkalk32.exe
        
        C:\Windows\system32\Hkkalk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Hogmmjfo.exe
        
        C:\Windows\system32\Hogmmjfo.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\Iknnbklc.exe
        
        C:\Windows\system32\Iknnbklc.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:568
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 140
        16⤵
        Loads dropped DLL
        Program crash
        
        PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hellne32.exe

Filesize
64KB

MD5
25626006843daf262bf52c3d4ed2b1fc

SHA1
748e25fa9d978ad97bc6a05acb7f9ca615957320

SHA256
6b6dcfc1be1ae88df10439f25cbfad380bb4c578fbcdb24b24eb64972b28a3e6

SHA512
1beadd7c770d236aae434c6b69ce87129c85d07fb646334615bb9d301d1cde3c809a6b105c24e4dec7a754e32c8cf524032362d66833ff453d3e457e20e349e3

Download Submit
C:\Windows\SysWOW64\Hnagjbdf.exe

Filesize
64KB

MD5
5081206e6ad196143fb6dd5ca1eb8474

SHA1
44b08cfbcac74b65016688c6c4dda44988154641

SHA256
c1616324a4a28376e20fa3630f5191fa9792a5158d2d1c8fca2f54240d069cce

SHA512
822733764030c97e69ab2def9e3c2b6445bdbf56aa5f56c8a208619ef7780e5f9d6c53b7a45d51ee9058bcd1ed897afec86e7c8857ef43e32c296c1c054df838

Download Submit
C:\Windows\SysWOW64\Hnojdcfi.exe

Filesize
64KB

MD5
a33d774d8a282b763523228a2825a761

SHA1
4f4f419a304e7a9fd4f697c94890bcd2444ddb91

SHA256
f68a7eb0dbe22b53a0bad60e6786612c471bdf9360da1a23b90929988729ed06

SHA512
7c9c86cf89174a213fbb960bfdb341891ab01888b6f5043f5fed668073b3bb34ffca935e495e3b6013b93b3bde9c7e021ea062978a8b7127cdee11c126995364

Download Submit
C:\Windows\SysWOW64\Hogmmjfo.exe

Filesize
64KB

MD5
096641ba87f02c3aca724952412cc635

SHA1
47be519e128a8ec4424b81faea79e43a9cdb6e89

SHA256
2d05914eb69db4e8889d1df14f61da0aae541f8f1afcc34a1c9fa4c19e61b4c4

SHA512
905a24c6aad862d8fa311ee67368464b6a84a0d41fd0dabf346b3319f081cc40dc7872d06b1296ab154e864372a3bb2ca5aabc1e45f8f5a1ba3b718db3c3d7e9

Download Submit
C:\Windows\SysWOW64\Hpapln32.exe

Filesize
64KB

MD5
b3927fadc66e74a463b50f77de7b7e6d

SHA1
3da9c5f0eaac3615041dcf2e89a2bf745ebf7858

SHA256
b7ec7ba0638510ff6b96f0f3e6683e25d4733cb1eaa7430c9b7c710313e6368d

SHA512
8a887f31215fc6552d527a98b5041d97a96a14ce6eae2e4a3ee498f153321bc3723970d5ab3b1295ab9a874be9ca7528a0a1efbfde224d5886879cc67d1df3ac

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
64KB

MD5
d9413e4ca30591ceaffe826b8e228439

SHA1
172419fd6683f69cf7b1003efcd9ffdf15c9cfd3

SHA256
867a4c52ceafa89bbbf0a2ef90d531bc1e7b781e7432b7537f4c89cc8efd8855

SHA512
f48af59f0661c4523381d0c4c6838dae1336a9150a32d2c487e563f591a7e6bc7456b147f426cb8809830efc1794bc43834ce8847c09b4ea106175bf648aad17

Download Submit
\Windows\SysWOW64\Ghoegl32.exe

Filesize
64KB

MD5
276243bbaab19f4b797730a1feefce0a

SHA1
ec9ab66bbb3c31efef419703d119dffd1f117eb1

SHA256
fdcd3a319fff5a5dd2e1a3a6c7de419684982cfd88ae284c2f64d3d26076b2fc

SHA512
42428b0d40fed57b7257af450e2aee880c6129d6597f8f96abb3ca53ef9b4bb512e19739b6a9a375a0d0b16894c379a06e49fcf34b35a26d1ff94fb0a5ad9f1f

Download Submit
\Windows\SysWOW64\Hcnpbi32.exe

Filesize
64KB

MD5
3d52392beb966fe078a464ed01699183

SHA1
4e522f3f8f2cf92499349105dfff984dfdb117e3

SHA256
ac56a6650a9037e1d09ea84f9384135998323204a99d036d38fde39a3c43245c

SHA512
2dbad7ae0220a112c206b120251526d00721b2d63f839559121c4a30dad35515c64002a686b128a7d2f39ada2214180e712093d9dd854d4dd56a31beba6203f6

Download Submit
\Windows\SysWOW64\Hdfflm32.exe

Filesize
64KB

MD5
58063dda22151d965c48252895b89b7e

SHA1
5b3ae731d4cdc18dc562ad55c6627ba9fa51dbed

SHA256
60b75385a6e80034463300f4d42222b08b500a90fa0640696f6dfd2c716a7152

SHA512
9bca3fa74b9f84a00b0c820a93e6d46a5cfa7543175d5b4573cdbeb00c6a8ffa799fc8d3af3a8e9bf1c4014b20da167caf89668b89d95ae2f093985b52cb2969

Download Submit
\Windows\SysWOW64\Hejoiedd.exe

Filesize
64KB

MD5
c60df1dc65cae58cba6270d048d73974

SHA1
d0db93526a3613b55447a210449ee3e3a35c2151

SHA256
de874e86ee8c6726f8305ebbb67dcc9bad405f9fa1dd313cda07ef5d9ac8ec48

SHA512
4e34e5988f8688e41849a6482c923bb2b5ed3510365cf0bf3fb698dd840b2585bdf910411e51099a64a2199a020f898806bd4c7dbdae77b57b5418427e922312

Download Submit
\Windows\SysWOW64\Hkkalk32.exe

Filesize
64KB

MD5
5060943eef537d0f07c034f225e0d122

SHA1
e446bb979ba49ae6dede41e027299ddb4a2c4cd7

SHA256
0580992ce5f5948dba90a44d6f054a3007dc242b41394e438339eea6902eccea

SHA512
70653a3a4b3d81bf8e1c8567d1da1c9a2bd5c4c2d65baaf7c160b4c2ecd30f97f3d7d41fde361f18d7401e418cc19c7e00d856dda1011aec3af06254d4821ab4

Download Submit
\Windows\SysWOW64\Hkpnhgge.exe

Filesize
64KB

MD5
97e82efe9e83e7ebd59f02273ed2c5e3

SHA1
8ad61c07747c1a7f1a5ba8df0f81736b048360cf

SHA256
0f84be8a184a399b01f2f3a4d847df770c11e4e4d99bc8b78bedc50c3f5747e5

SHA512
c8d282232437a0ba427d770809ce44d26d757db910ffb74beff24a780b3aefcb74601fcd5cfa316de95553cabda87fd18f39bfe80073bcf8b8ebe18d6a274122

Download Submit
\Windows\SysWOW64\Hlfdkoin.exe

Filesize
64KB

MD5
8a7b9c037382ab5dbd76164808288427

SHA1
23cbe68f0d97a2ed7597f1702ce5186e17654658

SHA256
7fa99e812449f4581397c36dee29d03faa93f33937e3c173eab3c4d5f4353d84

SHA512
c6496f66c7f1ff2ae87a3948caf0c6402dd4833935361d613509333852517ad963e6fc7911d73902e70f6b421848bb550f1051a3f44b4f5f7083b7710951a80c

Download Submit
\Windows\SysWOW64\Iknnbklc.exe

Filesize
64KB

MD5
a4c56e89177df028a00530fcedc5b670

SHA1
f0064f8571cda972fc1a20c12129ceaf68283ac2

SHA256
a987f83c4491bf7ed38fbae918a2a9201e3ca260c77279076fa98c79e34b788a

SHA512
2a4a2c484b94cf6b543c94cadf01553520228c64b4ccca2f33bb1968de2100759aa6c1e306bba0817287b41ed13d3dcbe4cd2729a03fa05e0f525cf46377f049

Download Submit
memory/348-185-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/568-182-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/848-187-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1188-133-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1220-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1220-6-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1220-12-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1220-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2168-170-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2168-156-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2228-33-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2264-26-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2264-19-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2324-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2496-92-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2500-52-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2564-130-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2564-184-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2628-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2628-79-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2780-186-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2896-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads