cb766dfd8804698b3d646b8103b746ff1ba4875b93e14714b6987c36f5e442fd

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16/04/2024, 02:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cb766dfd8804698b3d646b8103b746ff1ba4875b93e14714b6987c36f5e442fd.exe
Size

199KB
MD5

1e42cc20cdabc3046e6d3b5969458938
SHA1

32a3475ce37cb9c797f906e0843a1a3005cc2ad1
SHA256

cb766dfd8804698b3d646b8103b746ff1ba4875b93e14714b6987c36f5e442fd
SHA512

7d8363b82645eb848ff3d2f902b8c6b2cffa1101f00705d727788bc415680b8218709ab918fb9010a99c7129edb1528d2e82e019bec06c867a538ab094e5ea09
SSDEEP

6144:KYUV7IcaJ5SZSCZj81+jq4peBK034YOmFz1h:KYULLZSCG1+jheBbOmFxh

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	cb766dfd8804698b3d646b8103b746ff1ba4875b93e14714b6987c36f5e442fd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	cb766dfd8804698b3d646b8103b746ff1ba4875b93e14714b6987c36f5e442fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe

Executes dropped EXE 12 IoCs

pid	Process
1324	Chokikeb.exe
4968	Cagobalc.exe
4780	Cnkplejl.exe
900	Ceehho32.exe
2348	Cegdnopg.exe
884	Dfiafg32.exe
3720	Dmefhako.exe
4572	Dhkjej32.exe
1768	Dodbbdbb.exe
2284	Dmjocp32.exe
3212	Dddhpjof.exe
636	Dmllipeg.exe

Drops file in System32 directory 36 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	cb766dfd8804698b3d646b8103b746ff1ba4875b93e14714b6987c36f5e442fd.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	cb766dfd8804698b3d646b8103b746ff1ba4875b93e14714b6987c36f5e442fd.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	cb766dfd8804698b3d646b8103b746ff1ba4875b93e14714b6987c36f5e442fd.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4416	636	WerFault.exe	97

Modifies registry class 39 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	cb766dfd8804698b3d646b8103b746ff1ba4875b93e14714b6987c36f5e442fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	cb766dfd8804698b3d646b8103b746ff1ba4875b93e14714b6987c36f5e442fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	cb766dfd8804698b3d646b8103b746ff1ba4875b93e14714b6987c36f5e442fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	cb766dfd8804698b3d646b8103b746ff1ba4875b93e14714b6987c36f5e442fd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	cb766dfd8804698b3d646b8103b746ff1ba4875b93e14714b6987c36f5e442fd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	cb766dfd8804698b3d646b8103b746ff1ba4875b93e14714b6987c36f5e442fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 688 wrote to memory of 1324	688	cb766dfd8804698b3d646b8103b746ff1ba4875b93e14714b6987c36f5e442fd.exe	84
PID 688 wrote to memory of 1324	688	cb766dfd8804698b3d646b8103b746ff1ba4875b93e14714b6987c36f5e442fd.exe	84
PID 688 wrote to memory of 1324	688	cb766dfd8804698b3d646b8103b746ff1ba4875b93e14714b6987c36f5e442fd.exe	84
PID 1324 wrote to memory of 4968	1324	Chokikeb.exe	85
PID 1324 wrote to memory of 4968	1324	Chokikeb.exe	85
PID 1324 wrote to memory of 4968	1324	Chokikeb.exe	85
PID 4968 wrote to memory of 4780	4968	Cagobalc.exe	87
PID 4968 wrote to memory of 4780	4968	Cagobalc.exe	87
PID 4968 wrote to memory of 4780	4968	Cagobalc.exe	87
PID 4780 wrote to memory of 900	4780	Cnkplejl.exe	88
PID 4780 wrote to memory of 900	4780	Cnkplejl.exe	88
PID 4780 wrote to memory of 900	4780	Cnkplejl.exe	88
PID 900 wrote to memory of 2348	900	Ceehho32.exe	89
PID 900 wrote to memory of 2348	900	Ceehho32.exe	89
PID 900 wrote to memory of 2348	900	Ceehho32.exe	89
PID 2348 wrote to memory of 884	2348	Cegdnopg.exe	90
PID 2348 wrote to memory of 884	2348	Cegdnopg.exe	90
PID 2348 wrote to memory of 884	2348	Cegdnopg.exe	90
PID 884 wrote to memory of 3720	884	Dfiafg32.exe	92
PID 884 wrote to memory of 3720	884	Dfiafg32.exe	92
PID 884 wrote to memory of 3720	884	Dfiafg32.exe	92
PID 3720 wrote to memory of 4572	3720	Dmefhako.exe	93
PID 3720 wrote to memory of 4572	3720	Dmefhako.exe	93
PID 3720 wrote to memory of 4572	3720	Dmefhako.exe	93
PID 4572 wrote to memory of 1768	4572	Dhkjej32.exe	94
PID 4572 wrote to memory of 1768	4572	Dhkjej32.exe	94
PID 4572 wrote to memory of 1768	4572	Dhkjej32.exe	94
PID 1768 wrote to memory of 2284	1768	Dodbbdbb.exe	95
PID 1768 wrote to memory of 2284	1768	Dodbbdbb.exe	95
PID 1768 wrote to memory of 2284	1768	Dodbbdbb.exe	95
PID 2284 wrote to memory of 3212	2284	Dmjocp32.exe	96
PID 2284 wrote to memory of 3212	2284	Dmjocp32.exe	96
PID 2284 wrote to memory of 3212	2284	Dmjocp32.exe	96
PID 3212 wrote to memory of 636	3212	Dddhpjof.exe	97
PID 3212 wrote to memory of 636	3212	Dddhpjof.exe	97
PID 3212 wrote to memory of 636	3212	Dddhpjof.exe	97

C:\Users\Admin\AppData\Local\Temp\cb766dfd8804698b3d646b8103b746ff1ba4875b93e14714b6987c36f5e442fd.exe
"C:\Users\Admin\AppData\Local\Temp\cb766dfd8804698b3d646b8103b746ff1ba4875b93e14714b6987c36f5e442fd.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:688
- C:\Windows\SysWOW64\Chokikeb.exe
  C:\Windows\system32\Chokikeb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Windows\SysWOW64\Cagobalc.exe
    C:\Windows\system32\Cagobalc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4968
  - - C:\Windows\SysWOW64\Cnkplejl.exe
      C:\Windows\system32\Cnkplejl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4780
    - - C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:900
      - C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        13⤵
        Executes dropped EXE
        
        PID:636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 396
        14⤵
        Program crash
        
        PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 636 -ip 636
1⤵
PID:3300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cagobalc.exe

Filesize
199KB

MD5
8b5f172c7ac7e68e3f7ac2491c58a74c

SHA1
850540548391c0a4ac1b1ea34179e1a1b97da0c1

SHA256
91bba52b577fca401717c5ba5434b8cdbe5ad59c4066a8dafec69cdee05ce91f

SHA512
f2b6ec94ca16b64f2af3e93ccd9fd2af94df2a1c74e365c398bf4ede7ede2ab5123db461efc61811164dc25f4de0b246b2e9b1fb217e3852391fe69f0567a47f

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
199KB

MD5
eea992ff440c81cc750fe09cdaa87deb

SHA1
2425cab0de15cf8d199f64e3b2ee8a499f81bd1f

SHA256
38bc650c4945faebf40ff3791327bf89f9aaa94ac03a28e1124cce465b1cee18

SHA512
f1e13b3860e2a947eb435eec601bc174a1a00446369ea369a4d5e10e1a3bd1cde61d736c8933d4cafb207956c0feffbf81406d3f1256f3740ab211686419f0e1

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
199KB

MD5
806e2bf953163031dccb329effc4067e

SHA1
92077a0b9ff248d52b09b105623420242c364b37

SHA256
26d5392bd6f6af096c250f24b4c428a97bb4ed6d8ac2444ef29640fb1b99d619

SHA512
86c52c5ab04d3b24a87a9f92c50b6a67089ac97541a0eea861e38a0a87519b1ea53e821015f517d8ddaa7592b5ea12a5531003dcea56f6c33b56fedcdb81e50b

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
199KB

MD5
3ce36b5521c2f469d22a1092bfc85e98

SHA1
87fdf2d049225a9884fe5db094e692f1d2aae862

SHA256
42f1b38c1cc9460ddd24703f2fd5e64fb5a36f41841a565799adc1537650481d

SHA512
60df580a7cfb878d39b690be7d437d38bfd2b9614e52e11263ccda3761bc2d6b16ca7c7fa5846ec4df6b982f25f8f920ee7d72fe0f7a1a4f1681a664a071e505

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
199KB

MD5
acc4b4924dab52906621a02521542e1b

SHA1
44a019ee23e1b63834549547fe9f74c75bed6977

SHA256
fb68af2867e69c05ce6b163dc301961326dbda147a46c91911e10fdb48af0062

SHA512
c3dfeea74686b48b5b0e26a2436d076587216c8030e173ac2599f97dda66723a4218a8da4a9e764518598e13ce15a10596ac7473dfac45197fb4498bc5147a1e

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
199KB

MD5
eaab0e7ca4b6914cfdd6501f20428683

SHA1
9077db15ad423dbe88fb7948e983493502e4b1ad

SHA256
71f34e312f831944a1090a14957800819f79f17eba94a1def7ab6a9d3bb11370

SHA512
d906652a71b7082ae93488e7d14e02e00fa144e81bf7a107561ced6d681982655e0ca8938abb5a01124abce7ede9e351f9011bce3442b677296582aa21ba148b

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
199KB

MD5
a062f2a71beb64f3557fa5382eff539f

SHA1
c87f541f39d0465efbf2d670a2f9f02442de0774

SHA256
1e6bdbf0d71335b87fe0dc0f8a634c87e8c606594537919b3aa89ff3b3a7988b

SHA512
8d47ee80d7aada9c740eaab641ae5f753ec356cf1ce7882270a5abb93efe6801edaf2c2e1fee9f617c7c7d6ae2dc9146dd1ae9061791e1f7e4dea4285ca6fa5d

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
199KB

MD5
b4f1f458780d14fe25bbf03f77003764

SHA1
704af01719132603e1f976d27771364f66d159fa

SHA256
13be5ae39335e26df984110701c5a6f68612c82019a762b5432f35b5c15f9d6e

SHA512
61d3721675c72ac1e547eb707002dc65d62ef168a320976c16cc4543763c1c3ea9ded3a22a8c0c2fa4f38aba3203e0741b58283f232382c1944f89340a089d7f

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
199KB

MD5
98803e82ebf869b2e9bf4c722294b79f

SHA1
eae61f69d7712f831793a48d5ac81dca0b935f34

SHA256
a5c9f07ebe2d666d0e20fe6ea12585256f7bc73393c49246c09b8912d6e02a6c

SHA512
5085c8a15c99479f55bfac63e083e5566ab76d3a2b9757d7f493a984a573d07fcc2c0d97268d835ebaad10640aa885291456e546856bface7a649f6ccdbe04c6

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
199KB

MD5
182f7267f16d5d3d0553c0a56bc6de71

SHA1
23c5d30a7c4a75df6ce808958f475e868dfe0421

SHA256
e3ae031ea8b67a2d266d78932801f9d288a11a138fada04bc30dc329b9a35e96

SHA512
48b2c4ec29371fdb0fecf73cf8b8df46822bb041f106955db183205096c5bfb1579740207ba8761d2168fa39be3508702249baa4935df45047569d92249e5b12

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
199KB

MD5
b3abe7c99dc9986bdcfbc18eb400af64

SHA1
b1f5b8c90322b8e1ba9d32f58e5b8629b7cf8c22

SHA256
38bc33d030d33b59b6529128a27093406132b84017b16a79eead41ddd99f2000

SHA512
b711bf88dc73e5e13c125ed8b39f6456fc82476ba70b55427dd5a525a3fc77c17102156b5107fa9d27d3bcd9498b27297a0383ceb9c21e953b6442b9cdf1fb8a

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
199KB

MD5
9d8272baf27512e670068c6492c2e064

SHA1
747870f1f37c69a357f916f10249168a620c4ae8

SHA256
66163f17e2ffec6821cc01018bc6fa3dd00dd3aac4f6eee3f65e39036c6121f8

SHA512
3670f7280a71f6b7ade9466a7c5675b60a83dc85ccdecf09b77fb4b37860f61af76f6b4ef9eabe70c0e82205c7dbfaa0b3d7449381af35020722725c6ee05efa

Download Submit
memory/636-98-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/688-81-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/688-5-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/688-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/884-48-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/884-102-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/900-104-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/900-32-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1324-13-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1768-100-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1768-73-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2284-89-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2348-41-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2348-103-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3212-90-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3212-99-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3720-57-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3720-101-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4572-69-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4780-24-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4780-105-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4968-106-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4968-17-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads