ea24a37f68c0074687e015ef2212a055f4a0b14e563571cede0b20ff2d4b5d6e

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15-03-2024 00:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea24a37f68c0074687e015ef2212a055f4a0b14e563571cede0b20ff2d4b5d6e.exe
Size

399KB
MD5

e86ce14050b3a91928232e842b5027eb
SHA1

04d3d410adfd67c25493fd188b2fee7010c90322
SHA256

ea24a37f68c0074687e015ef2212a055f4a0b14e563571cede0b20ff2d4b5d6e
SHA512

ce67bdf35cc865a539db8b8846250b9d4a1a33099f98f00f45a67d1e66daccfe353389a4897eebdacd969a08570b8b037e9cab7515de027e45db68ca5ab079bd
SSDEEP

6144:bqi3rPQ///NR5fLYG3eujPQ///NR5fuTFzAJxf4zh8J7iTv+GwN/:bj6/NcZ7/NG+nf4SiTv+Ga

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edpmjj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ea24a37f68c0074687e015ef2212a055f4a0b14e563571cede0b20ff2d4b5d6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ea24a37f68c0074687e015ef2212a055f4a0b14e563571cede0b20ff2d4b5d6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmmiij32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpbheh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbfabp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknekeef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknekeef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bghjhp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clilkfnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clilkfnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpbheh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edpmjj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bghjhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chbjffad.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbfabp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkqbaecc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkqbaecc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejobhppq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmmiij32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chbjffad.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejobhppq.exe

Executes dropped EXE 11 IoCs

pid	Process
2972	Bmmiij32.exe
2156	Bghjhp32.exe
2548	Clilkfnb.exe
2724	Chbjffad.exe
2456	Dpbheh32.exe
1580	Dbfabp32.exe
2740	Dknekeef.exe
2780	Dkqbaecc.exe
1848	Edpmjj32.exe
1820	Ejobhppq.exe
1608	Fkckeh32.exe

Loads dropped DLL 26 IoCs

pid	Process
3044	ea24a37f68c0074687e015ef2212a055f4a0b14e563571cede0b20ff2d4b5d6e.exe
3044	ea24a37f68c0074687e015ef2212a055f4a0b14e563571cede0b20ff2d4b5d6e.exe
2972	Bmmiij32.exe
2972	Bmmiij32.exe
2156	Bghjhp32.exe
2156	Bghjhp32.exe
2548	Clilkfnb.exe
2548	Clilkfnb.exe
2724	Chbjffad.exe
2724	Chbjffad.exe
2456	Dpbheh32.exe
2456	Dpbheh32.exe
1580	Dbfabp32.exe
1580	Dbfabp32.exe
2740	Dknekeef.exe
2740	Dknekeef.exe
2780	Dkqbaecc.exe
2780	Dkqbaecc.exe
1848	Edpmjj32.exe
1848	Edpmjj32.exe
1820	Ejobhppq.exe
1820	Ejobhppq.exe
1752	WerFault.exe
1752	WerFault.exe
1752	WerFault.exe
1752	WerFault.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bmmiij32.exe	ea24a37f68c0074687e015ef2212a055f4a0b14e563571cede0b20ff2d4b5d6e.exe
File created	C:\Windows\SysWOW64\Dkqbaecc.exe	Dknekeef.exe
File created	C:\Windows\SysWOW64\Pmdgmd32.dll	Dkqbaecc.exe
File opened for modification	C:\Windows\SysWOW64\Ejobhppq.exe	Edpmjj32.exe
File created	C:\Windows\SysWOW64\Ckgkkllh.dll	Dknekeef.exe
File created	C:\Windows\SysWOW64\Bghjhp32.exe	Bmmiij32.exe
File created	C:\Windows\SysWOW64\Kclhicjn.dll	Bmmiij32.exe
File created	C:\Windows\SysWOW64\Mecbia32.dll	Bghjhp32.exe
File created	C:\Windows\SysWOW64\Chbjffad.exe	Clilkfnb.exe
File opened for modification	C:\Windows\SysWOW64\Chbjffad.exe	Clilkfnb.exe
File opened for modification	C:\Windows\SysWOW64\Dpbheh32.exe	Chbjffad.exe
File opened for modification	C:\Windows\SysWOW64\Dkqbaecc.exe	Dknekeef.exe
File created	C:\Windows\SysWOW64\Edpmjj32.exe	Dkqbaecc.exe
File created	C:\Windows\SysWOW64\Ekgednng.dll	Edpmjj32.exe
File created	C:\Windows\SysWOW64\Dknekeef.exe	Dbfabp32.exe
File created	C:\Windows\SysWOW64\Fkckeh32.exe	Ejobhppq.exe
File created	C:\Windows\SysWOW64\Bmmiij32.exe	ea24a37f68c0074687e015ef2212a055f4a0b14e563571cede0b20ff2d4b5d6e.exe
File opened for modification	C:\Windows\SysWOW64\Dknekeef.exe	Dbfabp32.exe
File created	C:\Windows\SysWOW64\Egqdeaqb.dll	Dbfabp32.exe
File created	C:\Windows\SysWOW64\Ejobhppq.exe	Edpmjj32.exe
File created	C:\Windows\SysWOW64\Fnnkng32.dll	ea24a37f68c0074687e015ef2212a055f4a0b14e563571cede0b20ff2d4b5d6e.exe
File created	C:\Windows\SysWOW64\Clilkfnb.exe	Bghjhp32.exe
File opened for modification	C:\Windows\SysWOW64\Clilkfnb.exe	Bghjhp32.exe
File created	C:\Windows\SysWOW64\Dbfabp32.exe	Dpbheh32.exe
File opened for modification	C:\Windows\SysWOW64\Dbfabp32.exe	Dpbheh32.exe
File opened for modification	C:\Windows\SysWOW64\Fkckeh32.exe	Ejobhppq.exe
File created	C:\Windows\SysWOW64\Clkmne32.dll	Ejobhppq.exe
File opened for modification	C:\Windows\SysWOW64\Bghjhp32.exe	Bmmiij32.exe
File created	C:\Windows\SysWOW64\Cgjcijfp.dll	Clilkfnb.exe
File created	C:\Windows\SysWOW64\Dpbheh32.exe	Chbjffad.exe
File created	C:\Windows\SysWOW64\Joliff32.dll	Chbjffad.exe
File created	C:\Windows\SysWOW64\Ecdjal32.dll	Dpbheh32.exe
File opened for modification	C:\Windows\SysWOW64\Edpmjj32.exe	Dkqbaecc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1752	1608	WerFault.exe	38

Modifies registry class 36 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kclhicjn.dll"	Bmmiij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknekeef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkmne32.dll"	Ejobhppq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmmiij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecbia32.dll"	Bghjhp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clilkfnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkqbaecc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgjcijfp.dll"	Clilkfnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joliff32.dll"	Chbjffad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqdeaqb.dll"	Dbfabp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Edpmjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekgednng.dll"	Edpmjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmmiij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bghjhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clilkfnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chbjffad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbfabp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkqbaecc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Edpmjj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejobhppq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	ea24a37f68c0074687e015ef2212a055f4a0b14e563571cede0b20ff2d4b5d6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	ea24a37f68c0074687e015ef2212a055f4a0b14e563571cede0b20ff2d4b5d6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnnkng32.dll"	ea24a37f68c0074687e015ef2212a055f4a0b14e563571cede0b20ff2d4b5d6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	ea24a37f68c0074687e015ef2212a055f4a0b14e563571cede0b20ff2d4b5d6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	ea24a37f68c0074687e015ef2212a055f4a0b14e563571cede0b20ff2d4b5d6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chbjffad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpbheh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknekeef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bghjhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecdjal32.dll"	Dpbheh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckgkkllh.dll"	Dknekeef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejobhppq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	ea24a37f68c0074687e015ef2212a055f4a0b14e563571cede0b20ff2d4b5d6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpbheh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dbfabp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdgmd32.dll"	Dkqbaecc.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2972	3044	ea24a37f68c0074687e015ef2212a055f4a0b14e563571cede0b20ff2d4b5d6e.exe	28
PID 3044 wrote to memory of 2972	3044	ea24a37f68c0074687e015ef2212a055f4a0b14e563571cede0b20ff2d4b5d6e.exe	28
PID 3044 wrote to memory of 2972	3044	ea24a37f68c0074687e015ef2212a055f4a0b14e563571cede0b20ff2d4b5d6e.exe	28
PID 3044 wrote to memory of 2972	3044	ea24a37f68c0074687e015ef2212a055f4a0b14e563571cede0b20ff2d4b5d6e.exe	28
PID 2972 wrote to memory of 2156	2972	Bmmiij32.exe	29
PID 2972 wrote to memory of 2156	2972	Bmmiij32.exe	29
PID 2972 wrote to memory of 2156	2972	Bmmiij32.exe	29
PID 2972 wrote to memory of 2156	2972	Bmmiij32.exe	29
PID 2156 wrote to memory of 2548	2156	Bghjhp32.exe	30
PID 2156 wrote to memory of 2548	2156	Bghjhp32.exe	30
PID 2156 wrote to memory of 2548	2156	Bghjhp32.exe	30
PID 2156 wrote to memory of 2548	2156	Bghjhp32.exe	30
PID 2548 wrote to memory of 2724	2548	Clilkfnb.exe	31
PID 2548 wrote to memory of 2724	2548	Clilkfnb.exe	31
PID 2548 wrote to memory of 2724	2548	Clilkfnb.exe	31
PID 2548 wrote to memory of 2724	2548	Clilkfnb.exe	31
PID 2724 wrote to memory of 2456	2724	Chbjffad.exe	32
PID 2724 wrote to memory of 2456	2724	Chbjffad.exe	32
PID 2724 wrote to memory of 2456	2724	Chbjffad.exe	32
PID 2724 wrote to memory of 2456	2724	Chbjffad.exe	32
PID 2456 wrote to memory of 1580	2456	Dpbheh32.exe	33
PID 2456 wrote to memory of 1580	2456	Dpbheh32.exe	33
PID 2456 wrote to memory of 1580	2456	Dpbheh32.exe	33
PID 2456 wrote to memory of 1580	2456	Dpbheh32.exe	33
PID 1580 wrote to memory of 2740	1580	Dbfabp32.exe	34
PID 1580 wrote to memory of 2740	1580	Dbfabp32.exe	34
PID 1580 wrote to memory of 2740	1580	Dbfabp32.exe	34
PID 1580 wrote to memory of 2740	1580	Dbfabp32.exe	34
PID 2740 wrote to memory of 2780	2740	Dknekeef.exe	35
PID 2740 wrote to memory of 2780	2740	Dknekeef.exe	35
PID 2740 wrote to memory of 2780	2740	Dknekeef.exe	35
PID 2740 wrote to memory of 2780	2740	Dknekeef.exe	35
PID 2780 wrote to memory of 1848	2780	Dkqbaecc.exe	36
PID 2780 wrote to memory of 1848	2780	Dkqbaecc.exe	36
PID 2780 wrote to memory of 1848	2780	Dkqbaecc.exe	36
PID 2780 wrote to memory of 1848	2780	Dkqbaecc.exe	36
PID 1848 wrote to memory of 1820	1848	Edpmjj32.exe	37
PID 1848 wrote to memory of 1820	1848	Edpmjj32.exe	37
PID 1848 wrote to memory of 1820	1848	Edpmjj32.exe	37
PID 1848 wrote to memory of 1820	1848	Edpmjj32.exe	37
PID 1820 wrote to memory of 1608	1820	Ejobhppq.exe	38
PID 1820 wrote to memory of 1608	1820	Ejobhppq.exe	38
PID 1820 wrote to memory of 1608	1820	Ejobhppq.exe	38
PID 1820 wrote to memory of 1608	1820	Ejobhppq.exe	38
PID 1608 wrote to memory of 1752	1608	Fkckeh32.exe	39
PID 1608 wrote to memory of 1752	1608	Fkckeh32.exe	39
PID 1608 wrote to memory of 1752	1608	Fkckeh32.exe	39
PID 1608 wrote to memory of 1752	1608	Fkckeh32.exe	39

C:\Users\Admin\AppData\Local\Temp\ea24a37f68c0074687e015ef2212a055f4a0b14e563571cede0b20ff2d4b5d6e.exe
"C:\Users\Admin\AppData\Local\Temp\ea24a37f68c0074687e015ef2212a055f4a0b14e563571cede0b20ff2d4b5d6e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\SysWOW64\Bmmiij32.exe
  C:\Windows\system32\Bmmiij32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\SysWOW64\Bghjhp32.exe
    C:\Windows\system32\Bghjhp32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Windows\SysWOW64\Clilkfnb.exe
      C:\Windows\system32\Clilkfnb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2548
    - - C:\Windows\SysWOW64\Chbjffad.exe
        
        C:\Windows\system32\Chbjffad.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2724
      - C:\Windows\SysWOW64\Dpbheh32.exe
        
        C:\Windows\system32\Dpbheh32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\Dbfabp32.exe
        
        C:\Windows\system32\Dbfabp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\SysWOW64\Dknekeef.exe
        
        C:\Windows\system32\Dknekeef.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\Dkqbaecc.exe
        
        C:\Windows\system32\Dkqbaecc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\Edpmjj32.exe
        
        C:\Windows\system32\Edpmjj32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\SysWOW64\Ejobhppq.exe
        
        C:\Windows\system32\Ejobhppq.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\Fkckeh32.exe
        
        C:\Windows\system32\Fkckeh32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 140
        13⤵
        Loads dropped DLL
        Program crash
        
        PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Chbjffad.exe

Filesize
320KB

MD5
2e1b58f284ede4620cab4bfb9b871028

SHA1
0eae2d7166d156d3f8ddb4f719c4e0ed1b16ae9d

SHA256
853061374b18b74419338a0122265b626ad0508b8e0b946963d9ed0165f3c0c0

SHA512
36014f0f19601c03c7e3a4853745de82f94970602eca2d1a2d53ad735a05d6c510066528ea02bf30f58f9785619d33c74fa51018d88231186b56004b01ab6d3e

Download Submit
C:\Windows\SysWOW64\Chbjffad.exe

Filesize
64KB

MD5
4dbc7498ec712e3b11549f061243e4af

SHA1
d8f7a9a2782d3d3b4752861990284f93954fc15e

SHA256
df31a9834aca7efd115e0fcff77470b0c071671ed64e77ec38442236fbef148d

SHA512
41799310cdb6fbca8762457bfd2ef10f9b7762966e5bb149478e5e977077d66c420ca4c8b573894ac7641d669c6f7938063ae38c3fe463add49627124b368e40

Download Submit
C:\Windows\SysWOW64\Chbjffad.exe

Filesize
399KB

MD5
eccda970c0738fc176600b82c588b29c

SHA1
a75698fb8c0400f39af73d38271b11be29c1c4ce

SHA256
09cf07b3ba87cbf5378191b501a5aeedd432a87c6202a2fd66be453cd1c12863

SHA512
c7a9769485c32df0dfc1d970dbc9242ed255fa7ae1e12a162c20ca534b73e3c93e5ca496c8e9459891db499482cfa034270bee21aebe43883dc0e56a4b415974

Download Submit
C:\Windows\SysWOW64\Clilkfnb.exe

Filesize
384KB

MD5
c82eb85301a2c14136963920c4dc9c7e

SHA1
b9ea4e47f3e887865fb60387bac6c9fa63be4d6e

SHA256
308c35a3565b676d5384d2dcdf9ff14c1f6b73d4188dc29f16a1a025f51f2e22

SHA512
4c9b39c5522d69c31d88ec111475c4bd433a04667b96b50569730935f115c00468f9485ba823feade897da98c9159be6bcdda70c7fb472ad0e20a04b5b61f7ab

Download Submit
C:\Windows\SysWOW64\Dbfabp32.exe

Filesize
399KB

MD5
e80ee20eab0b2dbe62f6647b468bea48

SHA1
47ea9108988f00674add9889fc1a1318d202ae45

SHA256
d90bd2a5677cbeb5163aec687bfdbba0a74c47bf9881f6e284af543832425d5a

SHA512
fc08e1c06803f75ba8c7398b1400963b02c4cb34e2738b3fa82c0f9f03eee905f9a6d0eca34c59c7fb55ebc3fd0968c06a54da625a2e43ca091dce9240ef59a4

Download Submit
C:\Windows\SysWOW64\Ejobhppq.exe

Filesize
399KB

MD5
f64d95bd05976172a620ce183fd16e47

SHA1
70334c37697875d9fc4302c6649b9ced1b4d1eae

SHA256
ab3c5d2108409b43e3e48070ed50d3603fb5f2160113f6c262d89b4fde03a90f

SHA512
f09d6fa23d8aa904439206236eb5b0c6c63a7532533dfa260f1c446fda349c0b5be8b84a9147cfcdc996572a3957e2483061d86f42778839cc81e8a4580b398c

Download Submit
\Windows\SysWOW64\Bghjhp32.exe

Filesize
399KB

MD5
ad9113526fcccd6c1b87a876f355ba1b

SHA1
88f4ac859c9af8f0973c2094ef5bc4ef107dae6c

SHA256
20ce0a5f265bd710e198128c957e2dce62ca6104c6c96c2278b8a333e06615ab

SHA512
89649c7b0fe53e7dadde03a8ebaecad69f3193fb9fc95363fd6db927e72fd627badde2ef0bf4fb97a2d072cfb213296b7911f0a13f74c87d03003b8088c27a00

Download Submit
\Windows\SysWOW64\Bmmiij32.exe

Filesize
399KB

MD5
ba41d121a240fedadc33e6864aa5f104

SHA1
76bc0d273264a834d22043ba113cdeb24edb7872

SHA256
579466438e1c7f82461f695a6e4907c9d312409be2d277d1092dcf6a71ca8eb3

SHA512
cee5ee28e178a5c5a313d43b106d5a320b5485ed5e1a3810568419e1d7101422c0aec84011731c4fe9fdcc7a6b4cfdcd2fd08c5d3e628aa0974f2e0cebb1e22a

Download Submit
\Windows\SysWOW64\Chbjffad.exe

Filesize
384KB

MD5
c6efac0c34609b40a94fa2e312f6a51e

SHA1
006005e813098288c990dbf2c198d1563de24326

SHA256
3db57925425ea1b2dd036e8fcd5a8549e854efdb4927c9dac1ad5bd25f31eaf7

SHA512
94ea66836cd7ade5d48b41a930d0495251ce147eb72edb4d8165e68abbaa2ce5757d0d2cba49a1c168fb5e52f9d613b4fd1dd328dbce2d35040ad1e98f8ecee7

Download Submit
\Windows\SysWOW64\Clilkfnb.exe

Filesize
399KB

MD5
4e2ca3e12bfc2089d84de33d57784a41

SHA1
b42c6cba3f400e242464a80dfbfce186783555ba

SHA256
5f41b9f80135563a00eb16e7035295eb442e0ce767a40f0d346ec29cc7ae0f68

SHA512
0025f9240a990a17d2f76bd225137eaa3e8e8ece323f24855c46bac54c1434819d4e6cc4a6b3a8d9cbbae785069602dce746d84afbadb11e902a36e9761b7142

Download Submit
\Windows\SysWOW64\Dknekeef.exe

Filesize
399KB

MD5
29087089914de055f5f822d33a027cce

SHA1
0ace835d83d4e1674a08b31117e8180a65fa9f8c

SHA256
bb71f0eaf48a627f4d47ff4b6cf9d1e24b1237a10be3ecd95d342c0c52861767

SHA512
51651524acc6414475e74c4a196ad6573fa764a037a1e8c632603a86ff26a280ea4174959cbce36e42441932eba3c3be375c60cb228b84d2aa68f376f42197db

Download Submit
\Windows\SysWOW64\Dkqbaecc.exe

Filesize
399KB

MD5
2b82744c33a437dfd9f091818e84cf20

SHA1
50fa17e88e75cf6199316c54852678591006c274

SHA256
3e35150e34300989dc2066ced4bf3b512d64a2410c40bd5820759d6af457ffc1

SHA512
61d51a6575e639439474f8c2bbee3dd4cfe8c64d555f71a5caba71200db39ab873d13ed77019579d74695c1be401771a4bf9896e8c3a48ab882380ce95b13301

Download Submit
\Windows\SysWOW64\Dpbheh32.exe

Filesize
399KB

MD5
4822107f39f1df618bc4ff6688a7f16b

SHA1
300ed56c7e3259b521b762e0206034170a9b70b0

SHA256
613d5b8892d8577026b3ef574be8cc5dcf2f4dc1805748b1294c48661462456b

SHA512
6b52ab1a0a49c8ae32ad0da22af4dd1d22465656aa6677e8b40d5772480b8507a94460a82c0f1914776f1c6147847adafab61d451f06e5eaecd81d82a2193b0c

Download Submit
\Windows\SysWOW64\Edpmjj32.exe

Filesize
399KB

MD5
9eebf8956e5a822724fef4797cb5f15d

SHA1
942631f26d0ad5d528b8010d7dc0886593c66cd5

SHA256
8d4f3275466f109db7711d2b4ce3a4abfbd2447507e0de8a33acbfc241d7899e

SHA512
d0c907095b36a555652115826f7a7f78761663eadbed757a5a5a6f563f42fc31a6a26c2342f0502ad6e9f1df6093d5dbe659fa7e03d0fefe85b78f237367de02

Download Submit
\Windows\SysWOW64\Fkckeh32.exe

Filesize
399KB

MD5
3428e1f15341d631beae67fdfe192694

SHA1
b9602ce763216ffc0110956e80af55f8be3850a8

SHA256
a68babac80c6a25f26a1b20fa68aaf9afb4c58f596ef401ad556eaf0305ced0e

SHA512
771cb9c09ca7eff336865d589f498ade9fa66c63c9dd49ec30e1072f3f4ea8ad4e3dc4498ec0d1ed6af93675d6aa82a2c05147c95c81a96e2d8f699a24f90317

Download Submit
memory/1580-149-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1820-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1848-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2156-34-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2456-148-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2548-146-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2548-42-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2724-147-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2740-150-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2780-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2972-33-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2972-26-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2972-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-13-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/3044-6-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads