Analysis

  • max time kernel
    150s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    09-04-2024 19:44

General

  • Target

    674a326f3b1f1c88c7f0c239c7310d0a.exe

  • Size

    1.6MB

  • MD5

    674a326f3b1f1c88c7f0c239c7310d0a

  • SHA1

    1cfdcf2cfbd26e25d9f55880f439ca972535a397

  • SHA256

    a1d9150d436efe2a2629e4149c7d6afb2fc91e1a012c2e660d651abcd830c23a

  • SHA512

    8cee2de5fb050d8af7f84a859736d309e14e68bccc47955cb2ba2d52594f3bd59912db260cb47671864530216b3525600ff9f1cc87238536d4908495c5374de0

  • SSDEEP

    24576:G5h3q5hrq5h3q5hFw75h3q5hrq5h3q5hs:O

Score
10/10

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 40 IoCs
  • Executes dropped EXE 20 IoCs
  • Loads dropped DLL 43 IoCs
  • Drops file in System32 directory 62 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 63 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\674a326f3b1f1c88c7f0c239c7310d0a.exe
    "C:\Users\Admin\AppData\Local\Temp\674a326f3b1f1c88c7f0c239c7310d0a.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Windows\SysWOW64\Qhjfgl32.exe
      C:\Windows\system32\Qhjfgl32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1944
      • C:\Windows\SysWOW64\Qhmcmk32.exe
        C:\Windows\system32\Qhmcmk32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2500
        • C:\Windows\SysWOW64\Anjlebjc.exe
          C:\Windows\system32\Anjlebjc.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2512
          • C:\Windows\SysWOW64\Biolanld.exe
            C:\Windows\system32\Biolanld.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2388
            • C:\Windows\SysWOW64\Dkigoimd.exe
              C:\Windows\system32\Dkigoimd.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:2356
              • C:\Windows\SysWOW64\Dafmqb32.exe
                C:\Windows\system32\Dafmqb32.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in System32 directory
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:2848
                • C:\Windows\SysWOW64\Dahifbpk.exe
                  C:\Windows\system32\Dahifbpk.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:440
                  • C:\Windows\SysWOW64\Dmojkc32.exe
                    C:\Windows\system32\Dmojkc32.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Drops file in System32 directory
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:1696
                    • C:\Windows\SysWOW64\Emagacdm.exe
                      C:\Windows\system32\Emagacdm.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Drops file in System32 directory
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:576
                      • C:\Windows\SysWOW64\Eoepnk32.exe
                        C:\Windows\system32\Eoepnk32.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Drops file in System32 directory
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:2604
                        • C:\Windows\SysWOW64\Eddeladm.exe
                          C:\Windows\system32\Eddeladm.exe
                          12⤵
                          • Adds autorun key to be loaded by Explorer.exe on startup
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Drops file in System32 directory
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:2684
                          • C:\Windows\SysWOW64\Edfbaabj.exe
                            C:\Windows\system32\Edfbaabj.exe
                            13⤵
                            • Adds autorun key to be loaded by Explorer.exe on startup
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • Drops file in System32 directory
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:1992
                            • C:\Windows\SysWOW64\Fpmbfbgo.exe
                              C:\Windows\system32\Fpmbfbgo.exe
                              14⤵
                              • Adds autorun key to be loaded by Explorer.exe on startup
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Drops file in System32 directory
                              • Modifies registry class
                              • Suspicious use of WriteProcessMemory
                              PID:1836
                              • C:\Windows\SysWOW64\Fkbgckgd.exe
                                C:\Windows\system32\Fkbgckgd.exe
                                15⤵
                                • Adds autorun key to be loaded by Explorer.exe on startup
                                • Executes dropped EXE
                                • Loads dropped DLL
                                • Drops file in System32 directory
                                • Modifies registry class
                                • Suspicious use of WriteProcessMemory
                                PID:1948
                                • C:\Windows\SysWOW64\Fgigil32.exe
                                  C:\Windows\system32\Fgigil32.exe
                                  16⤵
                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  • Drops file in System32 directory
                                  • Modifies registry class
                                  • Suspicious use of WriteProcessMemory
                                  PID:980
                                  • C:\Windows\SysWOW64\Fqalaa32.exe
                                    C:\Windows\system32\Fqalaa32.exe
                                    17⤵
                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                    • Executes dropped EXE
                                    • Loads dropped DLL
                                    • Drops file in System32 directory
                                    • Modifies registry class
                                    PID:2216
                                    • C:\Windows\SysWOW64\Fnflke32.exe
                                      C:\Windows\system32\Fnflke32.exe
                                      18⤵
                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      • Drops file in System32 directory
                                      • Modifies registry class
                                      PID:1244
                                      • C:\Windows\SysWOW64\Ffaaoh32.exe
                                        C:\Windows\system32\Ffaaoh32.exe
                                        19⤵
                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                        • Executes dropped EXE
                                        • Loads dropped DLL
                                        • Drops file in System32 directory
                                        • Modifies registry class
                                        PID:1280
                                        • C:\Windows\SysWOW64\Ghajacmo.exe
                                          C:\Windows\system32\Ghajacmo.exe
                                          20⤵
                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                          • Executes dropped EXE
                                          • Loads dropped DLL
                                          • Drops file in System32 directory
                                          • Modifies registry class
                                          PID:2688
                                          • C:\Windows\SysWOW64\Dpapaj32.exe
                                            C:\Windows\system32\Dpapaj32.exe
                                            21⤵
                                            • Executes dropped EXE
                                            • Drops file in System32 directory
                                            PID:1336
                                            • C:\Windows\SysWOW64\WerFault.exe
                                              C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 144
                                              22⤵
                                              • Loads dropped DLL
                                              • Program crash
                                              PID:2696

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\Anjlebjc.exe

    Filesize

    1.6MB

    MD5

    e445eb1c31189597e3d03de5be94f867

    SHA1

    62b358406d0cadfb83c35cd6173a981615364181

    SHA256

    49856da26f605e69de24c9bb983c09872ee3cfee297b6caa8929dae6567cede4

    SHA512

    5c32c7093ccf7d94e74f70491fbb5df0976bf44076d1909f94b158b945552b4fafb40ea3617b20d7dd7ae088293c2314f7ca6e94316c56fa53ae8b4a2bbc96b9

  • C:\Windows\SysWOW64\Dafmqb32.exe

    Filesize

    1.6MB

    MD5

    a21a04c4087106b8fef187e8df3fd01a

    SHA1

    5b49efce794dd906b0739349f642ce6351e45b98

    SHA256

    8eaa329d39cc76e1ef009174ca9584d2e6b516b8bf19252ec112d4e4d8173a17

    SHA512

    20e0bbda3fc0ef9f28da109821dc859a1d3ef27574d910e58c815d34a234051ebe003f9a6435c175fd94da6c44dd51ec83351099ebcba13b518d031a5d09fdb3

  • C:\Windows\SysWOW64\Dahifbpk.exe

    Filesize

    1.6MB

    MD5

    2a29b2b18f79ca1daec18300c70a119d

    SHA1

    92d034612405da39beb0680f7a810cba0593e3d7

    SHA256

    ad1ce0037911c5ad447f1157be487e59e7953b8fbbe78f08ca96288293b39361

    SHA512

    bf7ee427048b31edee22e2da17a650828de4b7a71cb19d083617ac14d7fcbe56af63e0364e2fe913dc894ddc3482c7ef9428a1220abb190ee27da2651076a106

  • C:\Windows\SysWOW64\Dkigoimd.exe

    Filesize

    1.6MB

    MD5

    7788cbe877ecf3812c121f86197c08b8

    SHA1

    7d90011be44e076ec3da89d6b8cc3f208e275d1a

    SHA256

    f65d0a5d87a4db6a4c7e3734cce4618d6e30088bf1f1b99d6293dec0e536dd17

    SHA512

    e8b14c1dbc764627363550630c9a0389419efb323380fb8dfbe8cbc0c5ac7cd5c7c8c8279493106327a422344b79977cba9a2aec2f90591c8654ba2bde264b07

  • C:\Windows\SysWOW64\Dpapaj32.exe

    Filesize

    1.6MB

    MD5

    e6b94b42eaa56eda8ad331b87810dfb9

    SHA1

    35397d289f8c54ea9947e42f266dbe456340a7b4

    SHA256

    5b9bd0fb4ca1c910984be5690bfd2b3d9034dbc4b4e2bf2bf121c2107b6d274b

    SHA512

    6c7c34eaa419063019946d1343aaad861b5f6f6af85c9f1365bdaefad96a269ad6713bdc5fc88cca993a33bbda6bcfb8b2c2b40611c9d050be2b3d5632d02d7b

  • C:\Windows\SysWOW64\Eddeladm.exe

    Filesize

    1.6MB

    MD5

    a89f8a75cce6b69717e8e79ffa4a53e9

    SHA1

    2c53716dd3ac9a10daf0ae4f7594d7b9bca8cbb4

    SHA256

    b29d10f27285eda47473044b31043e5f821f1887fb6a6f3d78b6b1050ea15d5c

    SHA512

    d3ea13eb64caac81f3d0dbda342135140b6b0d4d0d7ad8efc0b294681d818268d5e07fad955054b8b4162c69b0d63831f9500fd3738e2a79d3b54ae8cda1037f

  • C:\Windows\SysWOW64\Edfbaabj.exe

    Filesize

    1.6MB

    MD5

    00ccab56c1c9f35f1a8d97576a99f5d6

    SHA1

    31d03882c4cd81e4630bb35aa645057c07198779

    SHA256

    f429e1bc68b14a4b01e62d44838160da7b11d1d64032b677bf1d26af84f4687e

    SHA512

    b2affa611ba80795a9196a6cee3043e01709695bf8f0ee74df305e3eb6eee7f2d439a19e61b59338d7aff088d8144d420e9356e31b3c8838f8eb6e0cf0ba3580

  • C:\Windows\SysWOW64\Emagacdm.exe

    Filesize

    1.6MB

    MD5

    558879e1f126d454f537c24fbf269e90

    SHA1

    37debdbb2f4df216a3a4d8a62f4e19bf8f310a1c

    SHA256

    b8c080f47ddd8f12f3f2ca5f3be996d31081dc9a5fb0397f214b4fc76e8e9876

    SHA512

    cc7dc31f9749fc73c726bd198cf2813807f8b3af5133778d0f041616295e2c7113770c8fcca0f625fcc83aa2570e7951737ed90877e38042a39f79751303fc2d

  • C:\Windows\SysWOW64\Eoepnk32.exe

    Filesize

    1.6MB

    MD5

    525a9c8a0365e0bdc0962027ce64ae95

    SHA1

    4f22bd812bb5873555d1f74c1ae11b11eb3730e5

    SHA256

    fe5c58aff4f2688976fbccc58f28b17d20639d7322ff81818a510551f0ba5c39

    SHA512

    7c05ec2a7273c6258d00532fbf7863ea18f2c452bc6cc6569734974c1f2c5adc44658828a419ecca679bdd2716d978e3b6e2af458c7dc1697ec9caeaf78bc0fa

  • C:\Windows\SysWOW64\Ffaaoh32.exe

    Filesize

    1.6MB

    MD5

    b411f987b91f6e43963d23b70f8d4795

    SHA1

    4853d51e099650decc1f730647de60bb8036d7ee

    SHA256

    34e9e3344961e494c78b9083db677853a8660cb9638a20de3c144c8638ac77ea

    SHA512

    53eec2864625d193f5ed1374a84ae3a097732257ad472a755ddfa0befbeefc20e7c10a9c8a6cdaea35b21a692426316c5cc6fda0ecadea25683b022fb2100fb2

  • C:\Windows\SysWOW64\Fgigil32.exe

    Filesize

    1.6MB

    MD5

    c1545af05a978a6c18e20e2d3fa160c3

    SHA1

    1386b6aaa54133a57b66d74136fd990332786152

    SHA256

    dc713197c79cabd439131b78e644225fcb3dc6e3ce517d8c5d8bbe77c7f725b9

    SHA512

    b5ab37e504799f1b25b8b4d406c7491ee4a5e6de88153b5e521a59ae0232c7e4e8ffe1ffe7442425307b103fa1d24e9936fb6134d090286af1cf3db4cdc287de

  • C:\Windows\SysWOW64\Fkbgckgd.exe

    Filesize

    1.6MB

    MD5

    9ec31987dd8ab9558f26efbbc00348ec

    SHA1

    f8b8bf40e47f7eaba9ee3b3e6bb87fcb3af3a2c0

    SHA256

    43f36b3a6ef7adc193bc7b54c5940200f9983a30f8ee0b4a95772a2c1b87f6b8

    SHA512

    a6f80330b153f41b3471656e015beb6bafb18ae963abd2107129b23193a5e1fa4a60b269a0a068ee5649bcecd572ec8d65b5f2573df27c41c4d4e05c4112a69e

  • C:\Windows\SysWOW64\Fnflke32.exe

    Filesize

    1.6MB

    MD5

    66a1f084f2ed615aa35604f3c3b87f96

    SHA1

    b8f65387fd38f9489f01c921b444f611f771181a

    SHA256

    9a1ef05b0aca6802422bb7697767de0cbaecdd63deee65ae68b30deb40894ef4

    SHA512

    622efabeb20e119f5bc34552156d46f1a563bb5eb5d029192aef21a5b7c3e44ba79c2a86bde34b3b20768aae34a759d7e104287484ab96022b484c13193c857e

  • C:\Windows\SysWOW64\Fpmbfbgo.exe

    Filesize

    1.6MB

    MD5

    bde4d5226b8a1f69a15272a6cd0c5f64

    SHA1

    3777483938e95e1968ac612dac83d3efaa5b8b2d

    SHA256

    9f9f5e568048af35ef71b8071fae1b56cd3bd9a6799bfdce4700a32b25d82be6

    SHA512

    4902f46e7e22fe67cfaebcadff8e81a12e2f3a0e3167fac868967e85b8932e84080fbeed50a71dcbaeb60ce82311aecb7b084403ecc3e9c6df3908942eda4b61

  • C:\Windows\SysWOW64\Fqalaa32.exe

    Filesize

    1.6MB

    MD5

    7b35a2b04db9318af85e467727747c66

    SHA1

    ed8954e23373935255375aeb758f648f465b9616

    SHA256

    e545340a9751751febc06f3b142f8c7055b1288ff8e5a29960c9fe909cd5d790

    SHA512

    07867b1959b3d952afdaa5df1e8084628ca4bc623087055ce95c0d289889943cf7ba1556e7aabae17cb0d14fcec81366a1c420e9727568fa03954aaf08577a3c

  • C:\Windows\SysWOW64\Ghajacmo.exe

    Filesize

    1.6MB

    MD5

    88eb40660ef896b2492cdd093477066b

    SHA1

    26607aa3f0c2cb5cd66378f4940372bc39dff597

    SHA256

    b5ca1856818a0af90598c7fc747154c808dda3d2df46c04ca9de60f04b7f2267

    SHA512

    35620d551411c6bc81fbb767744cd2bd2e6d9f4d9c6349a2de2c047783de581069832d8bd13a00cb0512fce9714d4d758ef2a3bd5c65b232668b30e31810b882

  • C:\Windows\SysWOW64\Qhmcmk32.exe

    Filesize

    1.6MB

    MD5

    b7844e3b74908fcc46c9e25e87099636

    SHA1

    fe243fb878798f2aeb15de3e3f5039e8248c17fa

    SHA256

    9e628bd1605170e7c13ade6143ddcc8a00578498d927348e1d53e18d05d870a9

    SHA512

    3bebb5178bee7fa331e990aa61aa408320f28e10dcff45a326c4cdb9c7f299c23c286d08efe8f5eb7d308836a3022b17c2aa34f7463dccd2fc5bacdf10112a78

  • \Windows\SysWOW64\Biolanld.exe

    Filesize

    1.6MB

    MD5

    fc0def020e3b084191d26022d25a63d9

    SHA1

    7080fd86ee3b9f6572a5c6c850f94f058f9ef4bf

    SHA256

    a72789aecd7ec99174178a2a0971b387dc0ee0b6a836de4ea4e04fa812217a3c

    SHA512

    e22bd485d743c6421aa7a84b73afca2a51bb13ee390fa5f33867fb2a982d77702cf26d19f815be990d5299e4f5f1f03fe5104b99a957999a02c0b7ce853a635c

  • \Windows\SysWOW64\Dmojkc32.exe

    Filesize

    1.6MB

    MD5

    afc15c41672fe5cd46ef54a0c9d20fc0

    SHA1

    5f2fc4d8ffca8725501457e7376718176309c47e

    SHA256

    e63f734830e3b928d16a38d15010fbcd01f7cae97f2403916ef8e8d18b81c8ec

    SHA512

    afc4b8e46ae13cc3bf37a0eb049284ba90b328497f0c46035be736e5a6c271cb762d51a8d1469b0e34148ea9a57c87b7ad554bad113641fcb82d4dbf0e5c581a

  • \Windows\SysWOW64\Qhjfgl32.exe

    Filesize

    1.6MB

    MD5

    40430f364831984dfc64ad8554b7147d

    SHA1

    d6801be99c9fb8a8cdb7aa9c038177410eb79468

    SHA256

    33a5d28c8ca748b5c798eaa506cef800da6ea89c6e088f985f457b204a7c383e

    SHA512

    06e2791a9021e1dcf7eafee97d9abef5879dfde6eca4d6ee8e2720df746e540223f78d590dc873a21941256781e4f3884929c7bf22d10db7a85de52ce21304f0

  • memory/440-242-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/576-244-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/980-250-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1244-252-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1280-253-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1336-255-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1696-243-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1836-248-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1944-31-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1948-249-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1992-247-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2216-251-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2236-6-0x0000000000220000-0x0000000000253000-memory.dmp

    Filesize

    204KB

  • memory/2236-18-0x0000000000220000-0x0000000000253000-memory.dmp

    Filesize

    204KB

  • memory/2236-0-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2236-235-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2356-240-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2388-239-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2500-46-0x0000000000220000-0x0000000000253000-memory.dmp

    Filesize

    204KB

  • memory/2500-45-0x0000000000220000-0x0000000000253000-memory.dmp

    Filesize

    204KB

  • memory/2500-38-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2512-47-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2512-54-0x0000000000220000-0x0000000000253000-memory.dmp

    Filesize

    204KB

  • memory/2604-245-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2684-246-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2688-254-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2848-241-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB