f97354c13216495a7d661b4a4159611acd93175172118dbd315c6e67b2b6777a

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

306974658ec438995e4bc55ec4dbf9be.exe
Size

347KB
MD5

306974658ec438995e4bc55ec4dbf9be
SHA1

2844d1b3180adc42333ab7865e382119eca0192f
SHA256

f97354c13216495a7d661b4a4159611acd93175172118dbd315c6e67b2b6777a
SHA512

46ac27d6f8f313bb7dc3ed2c51a49efaa6a6535f2e1d0b2db6410006404584cd8a864fc8b8ec057cffd12c86995b5d58e4e7abc0b0901dda41cc2d94091b250e
SSDEEP

6144:M8LNRgdYe/5jx4brq2Ah1FM6234lKm3mo8Yvi4KsLTFM6234lKm3qk9:fpRylx4brRGFB24lwR45FB24lEk

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoepcn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpiipf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnaocmmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnaocmmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dcenlceh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enhacojl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	306974658ec438995e4bc55ec4dbf9be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	306974658ec438995e4bc55ec4dbf9be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Enhacojl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aoepcn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bghjhp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chnqkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chnqkg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcenlceh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dookgcij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ecqqpgli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bpiipf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bghjhp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgejac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgejac32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dookgcij.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecqqpgli.exe

Executes dropped EXE 11 IoCs

pid	Process
2220	Aoepcn32.exe
2616	Bpiipf32.exe
2664	Bghjhp32.exe
2444	Chnqkg32.exe
2472	Cgejac32.exe
2856	Cnaocmmi.exe
888	Dcenlceh.exe
2476	Dookgcij.exe
1912	Ecqqpgli.exe
1952	Enhacojl.exe
2348	Fkckeh32.exe

Loads dropped DLL 26 IoCs

pid	Process
1620	306974658ec438995e4bc55ec4dbf9be.exe
1620	306974658ec438995e4bc55ec4dbf9be.exe
2220	Aoepcn32.exe
2220	Aoepcn32.exe
2616	Bpiipf32.exe
2616	Bpiipf32.exe
2664	Bghjhp32.exe
2664	Bghjhp32.exe
2444	Chnqkg32.exe
2444	Chnqkg32.exe
2472	Cgejac32.exe
2472	Cgejac32.exe
2856	Cnaocmmi.exe
2856	Cnaocmmi.exe
888	Dcenlceh.exe
888	Dcenlceh.exe
2476	Dookgcij.exe
2476	Dookgcij.exe
1912	Ecqqpgli.exe
1912	Ecqqpgli.exe
1952	Enhacojl.exe
1952	Enhacojl.exe
776	WerFault.exe
776	WerFault.exe
776	WerFault.exe
776	WerFault.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cnaocmmi.exe	Cgejac32.exe
File opened for modification	C:\Windows\SysWOW64\Dookgcij.exe	Dcenlceh.exe
File created	C:\Windows\SysWOW64\Jkhgfq32.dll	Dcenlceh.exe
File created	C:\Windows\SysWOW64\Dinhacjp.dll	Dookgcij.exe
File opened for modification	C:\Windows\SysWOW64\Enhacojl.exe	Ecqqpgli.exe
File opened for modification	C:\Windows\SysWOW64\Bpiipf32.exe	Aoepcn32.exe
File opened for modification	C:\Windows\SysWOW64\Bghjhp32.exe	Bpiipf32.exe
File created	C:\Windows\SysWOW64\Flojhn32.dll	Bghjhp32.exe
File created	C:\Windows\SysWOW64\Hdjlnm32.dll	Chnqkg32.exe
File created	C:\Windows\SysWOW64\Lklohbmo.dll	Cgejac32.exe
File opened for modification	C:\Windows\SysWOW64\Chnqkg32.exe	Bghjhp32.exe
File opened for modification	C:\Windows\SysWOW64\Dcenlceh.exe	Cnaocmmi.exe
File created	C:\Windows\SysWOW64\Ecqqpgli.exe	Dookgcij.exe
File created	C:\Windows\SysWOW64\Aoepcn32.exe	306974658ec438995e4bc55ec4dbf9be.exe
File created	C:\Windows\SysWOW64\Bpiipf32.exe	Aoepcn32.exe
File created	C:\Windows\SysWOW64\Mbiaej32.dll	Aoepcn32.exe
File created	C:\Windows\SysWOW64\Kclhicjn.dll	Bpiipf32.exe
File created	C:\Windows\SysWOW64\Cgejac32.exe	Chnqkg32.exe
File created	C:\Windows\SysWOW64\Cnaocmmi.exe	Cgejac32.exe
File created	C:\Windows\SysWOW64\Dcenlceh.exe	Cnaocmmi.exe
File created	C:\Windows\SysWOW64\Enhacojl.exe	Ecqqpgli.exe
File opened for modification	C:\Windows\SysWOW64\Cgejac32.exe	Chnqkg32.exe
File opened for modification	C:\Windows\SysWOW64\Ecqqpgli.exe	Dookgcij.exe
File created	C:\Windows\SysWOW64\Ampehe32.dll	Ecqqpgli.exe
File opened for modification	C:\Windows\SysWOW64\Aoepcn32.exe	306974658ec438995e4bc55ec4dbf9be.exe
File created	C:\Windows\SysWOW64\Knhfdmdo.dll	306974658ec438995e4bc55ec4dbf9be.exe
File created	C:\Windows\SysWOW64\Bjidgghp.dll	Cnaocmmi.exe
File created	C:\Windows\SysWOW64\Fkckeh32.exe	Enhacojl.exe
File opened for modification	C:\Windows\SysWOW64\Fkckeh32.exe	Enhacojl.exe
File created	C:\Windows\SysWOW64\Bghjhp32.exe	Bpiipf32.exe
File created	C:\Windows\SysWOW64\Dookgcij.exe	Dcenlceh.exe
File created	C:\Windows\SysWOW64\Chnqkg32.exe	Bghjhp32.exe
File created	C:\Windows\SysWOW64\Clkmne32.dll	Enhacojl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
776	2348	WerFault.exe	38

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chnqkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cgejac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lklohbmo.dll"	Cgejac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnaocmmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dookgcij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	306974658ec438995e4bc55ec4dbf9be.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	306974658ec438995e4bc55ec4dbf9be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	306974658ec438995e4bc55ec4dbf9be.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	306974658ec438995e4bc55ec4dbf9be.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dookgcij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ampehe32.dll"	Ecqqpgli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ecqqpgli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkmne32.dll"	Enhacojl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flojhn32.dll"	Bghjhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bghjhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkhgfq32.dll"	Dcenlceh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dcenlceh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dinhacjp.dll"	Dookgcij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Enhacojl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aoepcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cgejac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjidgghp.dll"	Cnaocmmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	306974658ec438995e4bc55ec4dbf9be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knhfdmdo.dll"	306974658ec438995e4bc55ec4dbf9be.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ecqqpgli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnaocmmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Enhacojl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aoepcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bpiipf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdjlnm32.dll"	Chnqkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbiaej32.dll"	Aoepcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dcenlceh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chnqkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bpiipf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kclhicjn.dll"	Bpiipf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bghjhp32.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 2220	1620	306974658ec438995e4bc55ec4dbf9be.exe	28
PID 1620 wrote to memory of 2220	1620	306974658ec438995e4bc55ec4dbf9be.exe	28
PID 1620 wrote to memory of 2220	1620	306974658ec438995e4bc55ec4dbf9be.exe	28
PID 1620 wrote to memory of 2220	1620	306974658ec438995e4bc55ec4dbf9be.exe	28
PID 2220 wrote to memory of 2616	2220	Aoepcn32.exe	29
PID 2220 wrote to memory of 2616	2220	Aoepcn32.exe	29
PID 2220 wrote to memory of 2616	2220	Aoepcn32.exe	29
PID 2220 wrote to memory of 2616	2220	Aoepcn32.exe	29
PID 2616 wrote to memory of 2664	2616	Bpiipf32.exe	30
PID 2616 wrote to memory of 2664	2616	Bpiipf32.exe	30
PID 2616 wrote to memory of 2664	2616	Bpiipf32.exe	30
PID 2616 wrote to memory of 2664	2616	Bpiipf32.exe	30
PID 2664 wrote to memory of 2444	2664	Bghjhp32.exe	31
PID 2664 wrote to memory of 2444	2664	Bghjhp32.exe	31
PID 2664 wrote to memory of 2444	2664	Bghjhp32.exe	31
PID 2664 wrote to memory of 2444	2664	Bghjhp32.exe	31
PID 2444 wrote to memory of 2472	2444	Chnqkg32.exe	32
PID 2444 wrote to memory of 2472	2444	Chnqkg32.exe	32
PID 2444 wrote to memory of 2472	2444	Chnqkg32.exe	32
PID 2444 wrote to memory of 2472	2444	Chnqkg32.exe	32
PID 2472 wrote to memory of 2856	2472	Cgejac32.exe	33
PID 2472 wrote to memory of 2856	2472	Cgejac32.exe	33
PID 2472 wrote to memory of 2856	2472	Cgejac32.exe	33
PID 2472 wrote to memory of 2856	2472	Cgejac32.exe	33
PID 2856 wrote to memory of 888	2856	Cnaocmmi.exe	34
PID 2856 wrote to memory of 888	2856	Cnaocmmi.exe	34
PID 2856 wrote to memory of 888	2856	Cnaocmmi.exe	34
PID 2856 wrote to memory of 888	2856	Cnaocmmi.exe	34
PID 888 wrote to memory of 2476	888	Dcenlceh.exe	35
PID 888 wrote to memory of 2476	888	Dcenlceh.exe	35
PID 888 wrote to memory of 2476	888	Dcenlceh.exe	35
PID 888 wrote to memory of 2476	888	Dcenlceh.exe	35
PID 2476 wrote to memory of 1912	2476	Dookgcij.exe	36
PID 2476 wrote to memory of 1912	2476	Dookgcij.exe	36
PID 2476 wrote to memory of 1912	2476	Dookgcij.exe	36
PID 2476 wrote to memory of 1912	2476	Dookgcij.exe	36
PID 1912 wrote to memory of 1952	1912	Ecqqpgli.exe	37
PID 1912 wrote to memory of 1952	1912	Ecqqpgli.exe	37
PID 1912 wrote to memory of 1952	1912	Ecqqpgli.exe	37
PID 1912 wrote to memory of 1952	1912	Ecqqpgli.exe	37
PID 1952 wrote to memory of 2348	1952	Enhacojl.exe	38
PID 1952 wrote to memory of 2348	1952	Enhacojl.exe	38
PID 1952 wrote to memory of 2348	1952	Enhacojl.exe	38
PID 1952 wrote to memory of 2348	1952	Enhacojl.exe	38
PID 2348 wrote to memory of 776	2348	Fkckeh32.exe	39
PID 2348 wrote to memory of 776	2348	Fkckeh32.exe	39
PID 2348 wrote to memory of 776	2348	Fkckeh32.exe	39
PID 2348 wrote to memory of 776	2348	Fkckeh32.exe	39

C:\Users\Admin\AppData\Local\Temp\306974658ec438995e4bc55ec4dbf9be.exe
"C:\Users\Admin\AppData\Local\Temp\306974658ec438995e4bc55ec4dbf9be.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\SysWOW64\Aoepcn32.exe
  C:\Windows\system32\Aoepcn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\SysWOW64\Bpiipf32.exe
    C:\Windows\system32\Bpiipf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\SysWOW64\Bghjhp32.exe
      C:\Windows\system32\Bghjhp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Windows\SysWOW64\Chnqkg32.exe
        
        C:\Windows\system32\Chnqkg32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2444
      - C:\Windows\SysWOW64\Cgejac32.exe
        
        C:\Windows\system32\Cgejac32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\SysWOW64\Cnaocmmi.exe
        
        C:\Windows\system32\Cnaocmmi.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\Dcenlceh.exe
        
        C:\Windows\system32\Dcenlceh.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        C:\Windows\SysWOW64\Dookgcij.exe
        
        C:\Windows\system32\Dookgcij.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\Ecqqpgli.exe
        
        C:\Windows\system32\Ecqqpgli.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Enhacojl.exe
        
        C:\Windows\system32\Enhacojl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Fkckeh32.exe
        
        C:\Windows\system32\Fkckeh32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 140
        13⤵
        Loads dropped DLL
        Program crash
        
        PID:776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hdjlnm32.dll

Filesize
7KB

MD5
20932d0f7dac178047f9eea5c4800850

SHA1
37262f891bcc56aa8302d71a38dbb40882d2885e

SHA256
35f9760c2b5a227f382887f572a3e6d85eb874674f67e0c5008d03e74bad9a9b

SHA512
a9815db5ccbef3e328e467dd3591c5362208d922faaf48cb6452e187d10595726fb7033b4b627665c989eaaf76abc1105955fcd8de6aa1dd772b04ef239b2139

Download Submit
\Windows\SysWOW64\Aoepcn32.exe

Filesize
347KB

MD5
1a193f504ece45b5e69840cff55e2f1c

SHA1
f8c1bdbd9311257f6c3561c8125daf83218a4a8b

SHA256
e608f7ae1a31f40df3c62fa8a212ce1b3e33edc0ce9c05ef16bf3b750f746310

SHA512
68454dfa6aafb86b90701f1d9dbb1e2120fbb6c06de6375ce63560515e68ae3170c8b3bd8be204ab4a21f7b451d07adeee6daa99ec9da2c96bdba7478c93979d

Download Submit
\Windows\SysWOW64\Bghjhp32.exe

Filesize
347KB

MD5
1ee13849dd3259012afafef86b130a75

SHA1
4f76fde59e45300bcca68459d7daa691a4cc0c20

SHA256
b6e04523b19969f135c5534d5e4a803da04f59ba59b72c52b09828ad39c020a4

SHA512
f9936b1cb140cb16d4adec746b2eb1654a46b043e35dab294b376800656139b5ef9884ae81b4e2f55f28e9c1d2f5ca501155d6e03b578b82e3ba8a512e31ce1e

Download Submit
\Windows\SysWOW64\Bpiipf32.exe

Filesize
347KB

MD5
e6505d505ecc8717c3c31fb6a33bbfcb

SHA1
da0de971703cf5e5e17a31e4044cb82f56929f33

SHA256
d7d5edba0f395fc6b81d7d591508183b99186f6857785969407bb01758c0dca1

SHA512
59b151a75ed5b2e2a1901ae7395334d2fa54c9a65af484955c517a39d104b19e734485edf8e72ed102fadc6586884f22789fd35cb06728ceb5bb1b95394216f1

Download Submit
\Windows\SysWOW64\Cgejac32.exe

Filesize
347KB

MD5
60a9f3aa31340fc0dc28fbc74b617f5e

SHA1
24c60fe597bcd7f87b490284b4958506723207b9

SHA256
4c0910fac1bfa764f8786228979dd897b0877a286f6ccf9b7e17e448dd6833fe

SHA512
cc4be2896939c15203ce604225fc1cb75cb17b2ace2fe5af8e2d99160c2ae2bcc6cbbe59851975c2ef5eb224fd495382926d84e0c6b145b19b683612a66b00a6

Download Submit
\Windows\SysWOW64\Chnqkg32.exe

Filesize
347KB

MD5
a564eff70099acfc8e24530cc630eee6

SHA1
3a4f080cb787db531dbdbb8114547aaaea391888

SHA256
807270d7060496ff8e39760429e319a4140c9ee310de7466f1c4ec0400a5073a

SHA512
c59fdc16d2b1d28355192ca2eb01a3a982442c8bc6cc04e471f2c507556eeace06aa9c6d47674ba55a78921214874e98dbf669f7b00e56cf988d1b3dd62739aa

Download Submit
\Windows\SysWOW64\Cnaocmmi.exe

Filesize
347KB

MD5
815e5ae536674a40463af26c01ef0a34

SHA1
67af11a671bd3b10bec54af1e6acac0714233068

SHA256
d4d6b05eab89fbaef460ef8e2551969f25a439468f18a760c9bf1e326935f755

SHA512
5dea97f3fc87a22d5395b72a0555b4a7b94e8b731f74e25360a05bb8657be65e5042279ac93bc02c637427886cbf16078b74bbc48462a0527a88ad1065d6dba6

Download Submit
\Windows\SysWOW64\Dcenlceh.exe

Filesize
347KB

MD5
354345c2c16cff75da31942a1f182d33

SHA1
19cf6ad2fd92845c23ec0f56d687303ddca00076

SHA256
cda0db54e748258e7510c703dc4d13eccfa89ca479a8c355d8536814fdbd1ded

SHA512
2f2b5939c69764dde55ffcf32a9a3fe3218faf9423acd0e48161880422635838a03aa7323444236c78c994f6308ee5de918518843fe43a68b4bc0a6027403dde

Download Submit
\Windows\SysWOW64\Dookgcij.exe

Filesize
347KB

MD5
4bd0a950253d8903ab7f16a4a8e7a869

SHA1
5385cb5c881b1d243465dc7f4ec14df8dfafa9ac

SHA256
8b72d97db51de3e0f36d2c08c8b93744b1f728b9987572c2390f9a52b0c845a2

SHA512
0801914e0c96b28cc6384ba7b297f02d9909f861b29347a97461fea9e20c41a6fed6c8342515e92586eb544e1717ad9346dfd553db8cc0f3e40305cf32665658

Download Submit
\Windows\SysWOW64\Ecqqpgli.exe

Filesize
347KB

MD5
3a81cb55e40cff5633e555a91287ccd4

SHA1
9a97be454435fd40c0012633e7bf3e6ac73c6084

SHA256
d5c2dfd68774c11d473a53d0a36e719bf996d6a9c5c36913ff952db64510a98f

SHA512
f720a20ce72b5a6de51cd29aaac8d7cf9257f548b97c8580979f5c143445cb3f29fd2e1955483744ca007133f8aaefbef13a2aacfda588680e8cc4218e000724

Download Submit
\Windows\SysWOW64\Enhacojl.exe

Filesize
347KB

MD5
2fe567bc1e25ed3f5eb1c273957843ba

SHA1
158c271b9b851e62249edd6a74e86bb73ff3f4f4

SHA256
a575abed879d354cdb090b5729a828dbbf3fcea43a7d490a3e6431efe0578500

SHA512
9e1793c000e50e85fdac6e3d6fb23393b3795cc421427946068500cd880fda2e27160127b7ef32a01d1a72e16d2f3cb248f29468b1e77ca5383b5e5781d8f822

Download Submit
\Windows\SysWOW64\Fkckeh32.exe

Filesize
347KB

MD5
b5e1166ef3ba464ef4ced6ed30049644

SHA1
7cc8c562739d8b422559aa2faf8c4f2572976526

SHA256
1989b87bcb896391cc6cb6fe54d1616f1f16b066bea66f736637146f4e20ce82

SHA512
4b544e2af7adb811f9e0e6913c3f22793c3eaff289a3e6396894c9691e7f49a05a59e115aeeaa6c23fe7ce46480ffe2936c486e8da20e609ba16e6165ab04867

Download Submit
memory/888-106-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/888-158-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1620-6-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1620-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1620-13-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1620-153-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1912-134-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1952-140-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1952-160-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2220-21-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2220-26-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2348-148-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2444-155-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2444-66-0x00000000003B0000-0x00000000003F3000-memory.dmp

Filesize
268KB

Download
memory/2472-75-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2472-69-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2472-156-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2476-109-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2476-120-0x0000000000330000-0x0000000000373000-memory.dmp

Filesize
268KB

Download
memory/2476-159-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2616-36-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2616-33-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2664-154-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2664-48-0x0000000000340000-0x0000000000383000-memory.dmp

Filesize
268KB

Download
memory/2856-157-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2856-89-0x00000000001B0000-0x00000000001F3000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads