Analysis

  • max time kernel
    143s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-03-2024 20:45

General

  • Target

    425e73bbd2749aa3c677d502d3e20464af65831769d74d3280b96d65a2a912a8.exe

  • Size

    427KB

  • MD5

    f8660b3e04c705edefbd1502dc6544b4

  • SHA1

    cb5774d1e2a70f0a130ffa4af8ee9e4c81306289

  • SHA256

    425e73bbd2749aa3c677d502d3e20464af65831769d74d3280b96d65a2a912a8

  • SHA512

    d5d8be773ccb1e1be6f350fa75f08c7acd8579227f6da9829360fcd1ba99073f54906a39309845a369217d7f6c7663a807249a4d3cd03ff5d1da64b104791131

  • SSDEEP

    6144:twmi+7GXeSTYaT15f7o+STYaT15fAK8yfMx/D4LJZPlVcxqy1:uK7sTYapJoTYapz8ye49vWq

Score
10/10

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 28 IoCs
  • Executes dropped EXE 14 IoCs
  • Loads dropped DLL 32 IoCs
  • Drops file in System32 directory 42 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 45 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\425e73bbd2749aa3c677d502d3e20464af65831769d74d3280b96d65a2a912a8.exe
    "C:\Users\Admin\AppData\Local\Temp\425e73bbd2749aa3c677d502d3e20464af65831769d74d3280b96d65a2a912a8.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2856
    • C:\Windows\SysWOW64\Epieghdk.exe
      C:\Windows\system32\Epieghdk.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1556
      • C:\Windows\SysWOW64\Ealnephf.exe
        C:\Windows\system32\Ealnephf.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2480
        • C:\Windows\SysWOW64\Fcmgfkeg.exe
          C:\Windows\system32\Fcmgfkeg.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2576
          • C:\Windows\SysWOW64\Fmhheqje.exe
            C:\Windows\system32\Fmhheqje.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2488
            • C:\Windows\SysWOW64\Fjlhneio.exe
              C:\Windows\system32\Fjlhneio.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:2536
              • C:\Windows\SysWOW64\Fmlapp32.exe
                C:\Windows\system32\Fmlapp32.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in System32 directory
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:2296
                • C:\Windows\SysWOW64\Gopkmhjk.exe
                  C:\Windows\system32\Gopkmhjk.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:2716
                  • C:\Windows\SysWOW64\Goddhg32.exe
                    C:\Windows\system32\Goddhg32.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Drops file in System32 directory
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:2776
                    • C:\Windows\SysWOW64\Ggpimica.exe
                      C:\Windows\system32\Ggpimica.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Drops file in System32 directory
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:1176
                      • C:\Windows\SysWOW64\Hgdbhi32.exe
                        C:\Windows\system32\Hgdbhi32.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Drops file in System32 directory
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:2128
                        • C:\Windows\SysWOW64\Hpmgqnfl.exe
                          C:\Windows\system32\Hpmgqnfl.exe
                          12⤵
                          • Adds autorun key to be loaded by Explorer.exe on startup
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Drops file in System32 directory
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:2552
                          • C:\Windows\SysWOW64\Hjhhocjj.exe
                            C:\Windows\system32\Hjhhocjj.exe
                            13⤵
                            • Adds autorun key to be loaded by Explorer.exe on startup
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • Drops file in System32 directory
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:2292
                            • C:\Windows\SysWOW64\Hjjddchg.exe
                              C:\Windows\system32\Hjjddchg.exe
                              14⤵
                              • Adds autorun key to be loaded by Explorer.exe on startup
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Drops file in System32 directory
                              • Modifies registry class
                              • Suspicious use of WriteProcessMemory
                              PID:2952
                              • C:\Windows\SysWOW64\Iagfoe32.exe
                                C:\Windows\system32\Iagfoe32.exe
                                15⤵
                                • Executes dropped EXE
                                • Suspicious use of WriteProcessMemory
                                PID:2260
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 140
                                  16⤵
                                  • Loads dropped DLL
                                  • Program crash
                                  PID:1948

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\SysWOW64\Fjlhneio.exe

    Filesize

    427KB

    MD5

    4a4b06b89981403129b4b0132b5aaa6a

    SHA1

    63bbba3973f02b33ba32c3e2c548a4216466c22f

    SHA256

    b2fb88526d5403ad1689f788b860e6856d7a86cdfc12fe5af8251256bea59cdc

    SHA512

    40487c48914040ccfa128f3753955f39cc1a7843d4e6c270a76fb8741be782bdca45100421635bb22d2e28586da95f2482eb33ff59f935079aab25b5da25e3f8

  • C:\Windows\SysWOW64\Ggpimica.exe

    Filesize

    427KB

    MD5

    31a620a661c6104ee56e25c34c934148

    SHA1

    6f918cc4079c793e8cc24815515d995e29cc835d

    SHA256

    20c7b9bf19b423a8b65b23f12d083fe2fbd370f7c1ad56557f39606951ecaf4b

    SHA512

    7ff99318509e0eee60c1ebcd339bc48d62613bc7f9c212141ac6e0eb81eae92cca7d977bbb18d12b4beea46baeac12bb3dbb41a9e483625324e9e006ccd8ce78

  • C:\Windows\SysWOW64\Gopkmhjk.exe

    Filesize

    427KB

    MD5

    b990ce8a464644d30a2db7708c0ab504

    SHA1

    36384b2c150c464d96bc1d7a5296da2a03e4f30e

    SHA256

    d8cd06ed8895ef546dba78c436bb6dfd6ea681b242cfcf022594b7504c722a34

    SHA512

    a0cc5f80d0bdabe8612c400dfb50faae7e3942e392238ee04d3ef491c6f59349f59c1be79fd93a32dcdbe69918c6ea9a93d467aa88c79d8c3c65a55c989462d1

  • C:\Windows\SysWOW64\Hgdbhi32.exe

    Filesize

    427KB

    MD5

    48d0e00bf6ce3f822b98f6e43f4fb8ea

    SHA1

    6651990852fb144409791da3f431b09ccf5bedfa

    SHA256

    ddf759bcb51cc34916981dbeeea8f9cd0712a0a1f3385a261bd3c88fd4194b07

    SHA512

    c831769dd2b401690fec1b5e912f561ebfd4ac32907c0163542c966980b6fe1d7270b06f419c11b0591d7dfd414bafd05e9a38a95898d23d56de4d5d7f91cec5

  • \Windows\SysWOW64\Ealnephf.exe

    Filesize

    427KB

    MD5

    a8d63308cd082987ace04db66a01d952

    SHA1

    d269e524f865db411abe2490e614ec1cd7884276

    SHA256

    cc2fd2f2277e3a1ae3799300f35c0da88e32074a164784630c7929997fd0a503

    SHA512

    6df144e35c127978577f083aa654dc03f5bb851533b99ee42c1ae97e7cadaa7db45dc2f64a2e96d31493c536eb309378ccf0140e4246a560fc61f9ae5463f3c6

  • \Windows\SysWOW64\Epieghdk.exe

    Filesize

    427KB

    MD5

    a82e8a527804ab309c63d1baa2f02c91

    SHA1

    25bb01b563819f0d82a6f5f0c72d914ddd998ce7

    SHA256

    671f6cfe2b5b1471c2a97cbac018e4d4e9166fde783bccc96489a4ff3b053d26

    SHA512

    439fc7b873be18f0d2dc3dec177a8a3237e3b6748361d184838db9a5ec25c60a806eefb98716bac8f8b31e8c60d2237c8880212de775d39c08a9832e6f434541

  • \Windows\SysWOW64\Fcmgfkeg.exe

    Filesize

    427KB

    MD5

    7d8cbf65bdabd4ea1e3cf36e820c81b1

    SHA1

    0608b25cf56780be1c3ea509a9138752a16fa4a7

    SHA256

    eadc1ccd30617cb5b66e94d02c3e4b842f9e8ef5520ffa37a5153d5cad9391ae

    SHA512

    863506ffa27826a767e08ac715a7a7729f7e9f14420bdb990b2a2c0d110816d7de4b572afa92748c2c51e2f0d38b3912fa99d7fed5e3f1361d0dd1b24e42a14e

  • \Windows\SysWOW64\Fmhheqje.exe

    Filesize

    427KB

    MD5

    3a7a3623f0225fc0c1244da799b05b65

    SHA1

    779089b95b573a9835c8ce677758741fe370212a

    SHA256

    8b605031ad526a95a7f3e21e4b6aaacf817fcf32ca52fce940c681913b60a433

    SHA512

    d7afc5e27fab50ec12a67916953d8c1dbcad91486cd256d03f293855f2f91a17b739fc0b9e1af5bf1bc32658e3df0d3a6e56f15dfe053dc826428d9e20215405

  • \Windows\SysWOW64\Fmlapp32.exe

    Filesize

    427KB

    MD5

    157b5483d6f24215921e9171d7e4701d

    SHA1

    4b3f234406b0ecaf556947aac4080af942c82a11

    SHA256

    de1de4590c20bd02b6b8c9c69f5e70a985699bad1f923e22ddfe7ba229f4a6e9

    SHA512

    86856dbfc1139f3c5630e6b725365f7448ccbcf0cb4979d03ce56fa991ce0a1e37242840fcd2962003af5340ab1bcad8009f718884f9dbe976fe41d49f51c53e

  • \Windows\SysWOW64\Goddhg32.exe

    Filesize

    427KB

    MD5

    0d4c19168523ae97089275d644b5eb33

    SHA1

    3ae986af5a34b8e04295ef08ce857fd10f38fcfe

    SHA256

    49a0bd96a76e2456a04f82f411deef24703ab3248ab61c14e37eb7d00194919a

    SHA512

    86fcf4265db544ed751b1f77f2a24e5bba345e729309978a9d9d24eb4b99ba5de90774faab7c55a4723cf394cf26d884041cfd8426ee0cb204feb4a15bf11274

  • \Windows\SysWOW64\Hjhhocjj.exe

    Filesize

    427KB

    MD5

    a7d6f128018f41f19984fa8a99a5455f

    SHA1

    b3640be33e71d958fa6f005b904f01b9382e8e34

    SHA256

    589d411d0906d3e67a40d4252223fbd135e38ff611413de41bc701d9b5f89b7d

    SHA512

    ec9420ee35163f4929a736eaf2e46a66a7355d68662f0834ec3709e32072230ae20bc3cf8f60b076aebe3be903c2de1260e76ad49ea6e30fdbb8bc3c59a686ff

  • \Windows\SysWOW64\Hjjddchg.exe

    Filesize

    427KB

    MD5

    6a3853c79e649d44c08f7d0b1cf1e373

    SHA1

    a9b564bb1bff5f9d04500fd8f145cc5f27a24c6d

    SHA256

    d900262de59c6cb35b9ecd19b55584caef202d6175fcc5716fd451d1520f073e

    SHA512

    9a03254bead763adbbe17e05043dfa43c22096179fae82768a5a7a518962153f911a5c9e6958895983b9b4938bfa14787361b32e68207aa9ea71d3eeecc0974b

  • \Windows\SysWOW64\Hpmgqnfl.exe

    Filesize

    427KB

    MD5

    9a7f13564147e35526847ade4a6d2acb

    SHA1

    81090353dd95d47d73addc6a44c26439c844db01

    SHA256

    1ab13f801bdf07d6e77bc8123f6139349591a489722ea678092bbc63c74c3c7a

    SHA512

    bd7c830c82ed2b6766998f24998be9c607de2a25b31123152b286a7e17ffda1d822d7f8aad68a208c91300ef9fc70e24020ecce261346eee503e08ac6bdaebf5

  • \Windows\SysWOW64\Iagfoe32.exe

    Filesize

    427KB

    MD5

    6344574a0d1fd4ce547bcd5941db8d6d

    SHA1

    c404fff7637122d87d35a1ef3f1223e0882eed8f

    SHA256

    b3b7c7e5d2d066de09ee33792e2178d27811fbe53aae589dc42bd607d195ba8a

    SHA512

    1793a5b0eb528f1e6cd4c144af99a126934e1932ee0ab12a3cc91c964ce774d3e057127b8731e37867493aca91be03623f95ace32887747598705705f75c2ec0

  • memory/1176-131-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1176-223-0x0000000000250000-0x0000000000283000-memory.dmp

    Filesize

    204KB

  • memory/1176-225-0x0000000000250000-0x0000000000283000-memory.dmp

    Filesize

    204KB

  • memory/1556-132-0x0000000000250000-0x0000000000283000-memory.dmp

    Filesize

    204KB

  • memory/1556-19-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1556-26-0x0000000000250000-0x0000000000283000-memory.dmp

    Filesize

    204KB

  • memory/2128-151-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2128-226-0x0000000000440000-0x0000000000473000-memory.dmp

    Filesize

    204KB

  • memory/2128-224-0x0000000000440000-0x0000000000473000-memory.dmp

    Filesize

    204KB

  • memory/2128-160-0x0000000000440000-0x0000000000473000-memory.dmp

    Filesize

    204KB

  • memory/2128-158-0x0000000000440000-0x0000000000473000-memory.dmp

    Filesize

    204KB

  • memory/2260-198-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2292-176-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2296-103-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2296-205-0x0000000000260000-0x0000000000293000-memory.dmp

    Filesize

    204KB

  • memory/2480-40-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2488-56-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2488-203-0x0000000000440000-0x0000000000473000-memory.dmp

    Filesize

    204KB

  • memory/2488-68-0x0000000000440000-0x0000000000473000-memory.dmp

    Filesize

    204KB

  • memory/2488-197-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2536-74-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2536-96-0x0000000000250000-0x0000000000283000-memory.dmp

    Filesize

    204KB

  • memory/2536-204-0x0000000000250000-0x0000000000283000-memory.dmp

    Filesize

    204KB

  • memory/2536-102-0x0000000000250000-0x0000000000283000-memory.dmp

    Filesize

    204KB

  • memory/2552-175-0x0000000000280000-0x00000000002B3000-memory.dmp

    Filesize

    204KB

  • memory/2552-169-0x0000000000280000-0x00000000002B3000-memory.dmp

    Filesize

    204KB

  • memory/2552-161-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2552-235-0x0000000000280000-0x00000000002B3000-memory.dmp

    Filesize

    204KB

  • memory/2576-46-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2576-159-0x0000000000260000-0x0000000000293000-memory.dmp

    Filesize

    204KB

  • memory/2576-49-0x0000000000260000-0x0000000000293000-memory.dmp

    Filesize

    204KB

  • memory/2716-206-0x0000000000250000-0x0000000000283000-memory.dmp

    Filesize

    204KB

  • memory/2716-112-0x0000000000250000-0x0000000000283000-memory.dmp

    Filesize

    204KB

  • memory/2716-104-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2716-219-0x0000000000250000-0x0000000000283000-memory.dmp

    Filesize

    204KB

  • memory/2776-125-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2856-6-0x0000000000250000-0x0000000000283000-memory.dmp

    Filesize

    204KB

  • memory/2856-12-0x0000000000250000-0x0000000000283000-memory.dmp

    Filesize

    204KB

  • memory/2856-83-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2856-84-0x0000000000250000-0x0000000000283000-memory.dmp

    Filesize

    204KB

  • memory/2856-4-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2952-221-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2952-184-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2952-243-0x0000000000280000-0x00000000002B3000-memory.dmp

    Filesize

    204KB