da848c96a668af12bd3763c0d65c442943dffd318cc843c0931df6ec4b51d417

Analysis

max time kernel
142s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/04/2024, 02:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da848c96a668af12bd3763c0d65c442943dffd318cc843c0931df6ec4b51d417.exe
Size

88KB
MD5

e70df5bd9c303d84a905421368dde412
SHA1

6cd7916be82fbe2ed51b69eb8487b80a9b18ad57
SHA256

da848c96a668af12bd3763c0d65c442943dffd318cc843c0931df6ec4b51d417
SHA512

fcb1c4badd0eeb8fbc87b7fc8dafced6d887e8b7eeecb60c82a24f9dd8f14ea4e112ae5aa5a71ee4a3268f560f627af5c01fde715dd2db3e9f122eb743c8d58c
SSDEEP

1536:GUm0tHEMR63pzD0Q8LMn8/H/m2izW+MYMfCyOwhqcaRArUXMwHcjqebXTWCnouyw:GYZu3pvWYU/m2izW+MYMfCyOOqcaRArl

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgmdjp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmclhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	da848c96a668af12bd3763c0d65c442943dffd318cc843c0931df6ec4b51d417.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	da848c96a668af12bd3763c0d65c442943dffd318cc843c0931df6ec4b51d417.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aganeoip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeenochi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apoooa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajgpbj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpfeppop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmclhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgmdjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aganeoip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeenochi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeqabgoj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apoooa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajgpbj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeqabgoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhdgjb32.exe

UPX dump on OEP (original entry point) 11 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000132c6-5.dat	UPX
behavioral1/files/0x002d0000000134ad-19.dat	UPX
behavioral1/files/0x00080000000139e8-33.dat	UPX
behavioral1/files/0x00070000000140f2-47.dat	UPX
behavioral1/files/0x0006000000015c69-61.dat	UPX
behavioral1/files/0x0006000000015c87-74.dat	UPX
behavioral1/files/0x0006000000015d88-95.dat	UPX
behavioral1/files/0x0013000000013721-102.dat	UPX
behavioral1/files/0x0006000000015e5b-116.dat	UPX
behavioral1/files/0x0006000000015e7c-129.dat	UPX
behavioral1/files/0x0006000000015ec0-142.dat	UPX

Executes dropped EXE 11 IoCs

pid	Process
2148	Qgmdjp32.exe
2604	Aganeoip.exe
2632	Aeenochi.exe
2720	Apoooa32.exe
2636	Ajgpbj32.exe
2836	Aeqabgoj.exe
676	Bpfeppop.exe
1568	Bhdgjb32.exe
276	Bmclhi32.exe
2008	Cdoajb32.exe
1404	Cacacg32.exe

Loads dropped DLL 26 IoCs

pid	Process
1540	da848c96a668af12bd3763c0d65c442943dffd318cc843c0931df6ec4b51d417.exe
1540	da848c96a668af12bd3763c0d65c442943dffd318cc843c0931df6ec4b51d417.exe
2148	Qgmdjp32.exe
2148	Qgmdjp32.exe
2604	Aganeoip.exe
2604	Aganeoip.exe
2632	Aeenochi.exe
2632	Aeenochi.exe
2720	Apoooa32.exe
2720	Apoooa32.exe
2636	Ajgpbj32.exe
2636	Ajgpbj32.exe
2836	Aeqabgoj.exe
2836	Aeqabgoj.exe
676	Bpfeppop.exe
676	Bpfeppop.exe
1568	Bhdgjb32.exe
1568	Bhdgjb32.exe
276	Bmclhi32.exe
276	Bmclhi32.exe
2008	Cdoajb32.exe
2008	Cdoajb32.exe
1968	WerFault.exe
1968	WerFault.exe
1968	WerFault.exe
1968	WerFault.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Naaffn32.dll	Aganeoip.exe
File created	C:\Windows\SysWOW64\Cdblnn32.dll	Aeenochi.exe
File created	C:\Windows\SysWOW64\Bmnbjfam.dll	Apoooa32.exe
File opened for modification	C:\Windows\SysWOW64\Cdoajb32.exe	Bmclhi32.exe
File created	C:\Windows\SysWOW64\Qgmdjp32.exe	da848c96a668af12bd3763c0d65c442943dffd318cc843c0931df6ec4b51d417.exe
File created	C:\Windows\SysWOW64\Apoooa32.exe	Aeenochi.exe
File created	C:\Windows\SysWOW64\Ajgpbj32.exe	Apoooa32.exe
File created	C:\Windows\SysWOW64\Bmclhi32.exe	Bhdgjb32.exe
File created	C:\Windows\SysWOW64\Opacnnhp.dll	Bhdgjb32.exe
File created	C:\Windows\SysWOW64\Dnabbkhk.dll	Bmclhi32.exe
File opened for modification	C:\Windows\SysWOW64\Qgmdjp32.exe	da848c96a668af12bd3763c0d65c442943dffd318cc843c0931df6ec4b51d417.exe
File created	C:\Windows\SysWOW64\Aeenochi.exe	Aganeoip.exe
File opened for modification	C:\Windows\SysWOW64\Bhdgjb32.exe	Bpfeppop.exe
File opened for modification	C:\Windows\SysWOW64\Bmclhi32.exe	Bhdgjb32.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Aganeoip.exe	Qgmdjp32.exe
File opened for modification	C:\Windows\SysWOW64\Aeqabgoj.exe	Ajgpbj32.exe
File created	C:\Windows\SysWOW64\Bhdgjb32.exe	Bpfeppop.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Doojhgfa.dll	da848c96a668af12bd3763c0d65c442943dffd318cc843c0931df6ec4b51d417.exe
File created	C:\Windows\SysWOW64\Aeqabgoj.exe	Ajgpbj32.exe
File opened for modification	C:\Windows\SysWOW64\Bpfeppop.exe	Aeqabgoj.exe
File opened for modification	C:\Windows\SysWOW64\Aeenochi.exe	Aganeoip.exe
File created	C:\Windows\SysWOW64\Pqfjpj32.dll	Ajgpbj32.exe
File created	C:\Windows\SysWOW64\Bpfeppop.exe	Aeqabgoj.exe
File created	C:\Windows\SysWOW64\Jbodgd32.dll	Bpfeppop.exe
File created	C:\Windows\SysWOW64\Cdoajb32.exe	Bmclhi32.exe
File created	C:\Windows\SysWOW64\Cacacg32.exe	Cdoajb32.exe
File opened for modification	C:\Windows\SysWOW64\Aganeoip.exe	Qgmdjp32.exe
File created	C:\Windows\SysWOW64\Hbcicn32.dll	Qgmdjp32.exe
File created	C:\Windows\SysWOW64\Pqncgcah.dll	Aeqabgoj.exe
File opened for modification	C:\Windows\SysWOW64\Apoooa32.exe	Aeenochi.exe
File opened for modification	C:\Windows\SysWOW64\Ajgpbj32.exe	Apoooa32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1968	1404	WerFault.exe	38

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	da848c96a668af12bd3763c0d65c442943dffd318cc843c0931df6ec4b51d417.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmclhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmclhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doojhgfa.dll"	da848c96a668af12bd3763c0d65c442943dffd318cc843c0931df6ec4b51d417.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qgmdjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeenochi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeenochi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmnbjfam.dll"	Apoooa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Apoooa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbodgd32.dll"	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnabbkhk.dll"	Bmclhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcicn32.dll"	Qgmdjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdblnn32.dll"	Aeenochi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Apoooa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qgmdjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeqabgoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqncgcah.dll"	Aeqabgoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opacnnhp.dll"	Bhdgjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	da848c96a668af12bd3763c0d65c442943dffd318cc843c0931df6ec4b51d417.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	da848c96a668af12bd3763c0d65c442943dffd318cc843c0931df6ec4b51d417.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aganeoip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bpfeppop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	da848c96a668af12bd3763c0d65c442943dffd318cc843c0931df6ec4b51d417.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajgpbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqfjpj32.dll"	Ajgpbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	da848c96a668af12bd3763c0d65c442943dffd318cc843c0931df6ec4b51d417.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naaffn32.dll"	Aganeoip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aganeoip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajgpbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeqabgoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhdgjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdoajb32.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 2148	1540	da848c96a668af12bd3763c0d65c442943dffd318cc843c0931df6ec4b51d417.exe	28
PID 1540 wrote to memory of 2148	1540	da848c96a668af12bd3763c0d65c442943dffd318cc843c0931df6ec4b51d417.exe	28
PID 1540 wrote to memory of 2148	1540	da848c96a668af12bd3763c0d65c442943dffd318cc843c0931df6ec4b51d417.exe	28
PID 1540 wrote to memory of 2148	1540	da848c96a668af12bd3763c0d65c442943dffd318cc843c0931df6ec4b51d417.exe	28
PID 2148 wrote to memory of 2604	2148	Qgmdjp32.exe	29
PID 2148 wrote to memory of 2604	2148	Qgmdjp32.exe	29
PID 2148 wrote to memory of 2604	2148	Qgmdjp32.exe	29
PID 2148 wrote to memory of 2604	2148	Qgmdjp32.exe	29
PID 2604 wrote to memory of 2632	2604	Aganeoip.exe	30
PID 2604 wrote to memory of 2632	2604	Aganeoip.exe	30
PID 2604 wrote to memory of 2632	2604	Aganeoip.exe	30
PID 2604 wrote to memory of 2632	2604	Aganeoip.exe	30
PID 2632 wrote to memory of 2720	2632	Aeenochi.exe	31
PID 2632 wrote to memory of 2720	2632	Aeenochi.exe	31
PID 2632 wrote to memory of 2720	2632	Aeenochi.exe	31
PID 2632 wrote to memory of 2720	2632	Aeenochi.exe	31
PID 2720 wrote to memory of 2636	2720	Apoooa32.exe	32
PID 2720 wrote to memory of 2636	2720	Apoooa32.exe	32
PID 2720 wrote to memory of 2636	2720	Apoooa32.exe	32
PID 2720 wrote to memory of 2636	2720	Apoooa32.exe	32
PID 2636 wrote to memory of 2836	2636	Ajgpbj32.exe	33
PID 2636 wrote to memory of 2836	2636	Ajgpbj32.exe	33
PID 2636 wrote to memory of 2836	2636	Ajgpbj32.exe	33
PID 2636 wrote to memory of 2836	2636	Ajgpbj32.exe	33
PID 2836 wrote to memory of 676	2836	Aeqabgoj.exe	34
PID 2836 wrote to memory of 676	2836	Aeqabgoj.exe	34
PID 2836 wrote to memory of 676	2836	Aeqabgoj.exe	34
PID 2836 wrote to memory of 676	2836	Aeqabgoj.exe	34
PID 676 wrote to memory of 1568	676	Bpfeppop.exe	35
PID 676 wrote to memory of 1568	676	Bpfeppop.exe	35
PID 676 wrote to memory of 1568	676	Bpfeppop.exe	35
PID 676 wrote to memory of 1568	676	Bpfeppop.exe	35
PID 1568 wrote to memory of 276	1568	Bhdgjb32.exe	36
PID 1568 wrote to memory of 276	1568	Bhdgjb32.exe	36
PID 1568 wrote to memory of 276	1568	Bhdgjb32.exe	36
PID 1568 wrote to memory of 276	1568	Bhdgjb32.exe	36
PID 276 wrote to memory of 2008	276	Bmclhi32.exe	37
PID 276 wrote to memory of 2008	276	Bmclhi32.exe	37
PID 276 wrote to memory of 2008	276	Bmclhi32.exe	37
PID 276 wrote to memory of 2008	276	Bmclhi32.exe	37
PID 2008 wrote to memory of 1404	2008	Cdoajb32.exe	38
PID 2008 wrote to memory of 1404	2008	Cdoajb32.exe	38
PID 2008 wrote to memory of 1404	2008	Cdoajb32.exe	38
PID 2008 wrote to memory of 1404	2008	Cdoajb32.exe	38
PID 1404 wrote to memory of 1968	1404	Cacacg32.exe	39
PID 1404 wrote to memory of 1968	1404	Cacacg32.exe	39
PID 1404 wrote to memory of 1968	1404	Cacacg32.exe	39
PID 1404 wrote to memory of 1968	1404	Cacacg32.exe	39

C:\Users\Admin\AppData\Local\Temp\da848c96a668af12bd3763c0d65c442943dffd318cc843c0931df6ec4b51d417.exe
"C:\Users\Admin\AppData\Local\Temp\da848c96a668af12bd3763c0d65c442943dffd318cc843c0931df6ec4b51d417.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Windows\SysWOW64\Qgmdjp32.exe
  C:\Windows\system32\Qgmdjp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\SysWOW64\Aganeoip.exe
    C:\Windows\system32\Aganeoip.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\SysWOW64\Aeenochi.exe
      C:\Windows\system32\Aeenochi.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\SysWOW64\Apoooa32.exe
        
        C:\Windows\system32\Apoooa32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2720
      - C:\Windows\SysWOW64\Ajgpbj32.exe
        
        C:\Windows\system32\Ajgpbj32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Aeqabgoj.exe
        
        C:\Windows\system32\Aeqabgoj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SysWOW64\Bpfeppop.exe
        
        C:\Windows\system32\Bpfeppop.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:676
        
        C:\Windows\SysWOW64\Bhdgjb32.exe
        
        C:\Windows\system32\Bhdgjb32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Bmclhi32.exe
        
        C:\Windows\system32\Bmclhi32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:276
        
        C:\Windows\SysWOW64\Cdoajb32.exe
        
        C:\Windows\system32\Cdoajb32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 140
        13⤵
        Loads dropped DLL
        Program crash
        
        PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bmnbjfam.dll

Filesize
7KB

MD5
6a734295fbd5d253ec0f50b544260409

SHA1
54e7c40be9e4ced5598510fcaf434bf98a153a30

SHA256
516585fa4e5eec101b464e034221aa3e11e25091a18d3eaf30c15317ffa945e5

SHA512
0574ca0e4ca5b13c284dc70bb1fba88f9dc6b424478b56df4da823090104d37510ab6209ad8e3208b3d6d28d74c4ade806ef46dd03e8d2600bc664faedddfe70

Download Submit
C:\Windows\SysWOW64\Bpfeppop.exe

Filesize
88KB

MD5
81fa292ce65ab302702f49fcb4f76b79

SHA1
2d9c62f60c3debac70b4953c8180e48486f6f493

SHA256
aa43be093ed52b429eb7c3e8394e20517cad58fc3d78c7f87524133f44a5d507

SHA512
bb20c89b798370b8dee02d4d3c73ff87ea8852e5294d20d7273ed61f47fd9fd01bb218d1446919ff6340feccc62ff9ff0f4fc204a0eb995588a80b6e5a23eb7d

Download Submit
\Windows\SysWOW64\Aeenochi.exe

Filesize
88KB

MD5
a1c3bc26aef1871a5b0609ed2b901755

SHA1
e1a309df0d1b5dfb63fccda32abc708f162fae78

SHA256
98cc52b3daa5072ae8825c022b7f3b97e2c64b0ca2ac6e927c05a493f3a619f5

SHA512
158d5d855a047cb2f72cf9e5cc61b1ea9eed6b3c7a109a158e0973ea9604b71a168b8c260cb2a760d611d97c7c50c9c0890fc87d85310c435df85868a5dbf0f1

Download Submit
\Windows\SysWOW64\Aeqabgoj.exe

Filesize
88KB

MD5
6a9fb406ec2b709b18f51709bcabf342

SHA1
4c2e64111d8e9f59fd3a1939f86845fa96d58192

SHA256
a06097d1e3e917706579b9479a7cacc7e5fd0fda55bfa4f35d64d083c54e5086

SHA512
9c4be62538a8c9cf4ed48fcfd0714abc696ee4eb508949bca37fae2f111d4f140e86b033baef227ec3fb1687a656337c9c1eebe4f46b7a00e975893ea7cda9eb

Download Submit
\Windows\SysWOW64\Aganeoip.exe

Filesize
88KB

MD5
88ae7c8dc35d6c706b5f4b0128e7621e

SHA1
f1955c3b862d112150a19090359e7606fbfabd08

SHA256
858dcade78cfc44de7cb7f3a8f4a1254e51d23ebc583d53749b24850fe11e9e0

SHA512
a8366e9e5906dc6f0ff19b1435b2c40a14824ef615d74fa3ea8e15285cd8f492b178f527996434d9c3e5ce19028d3023bee80e46b884c670ff97143bb0cd9efc

Download Submit
\Windows\SysWOW64\Ajgpbj32.exe

Filesize
88KB

MD5
a96f2c625ef6cf72fb6e5cc8c3d1271a

SHA1
592d8dee47388c9a039dcd8862e3b9f90dd611ad

SHA256
c751747f05271a41cf0d22c079a717de1a6af4d0a096737b2e3f0199d4c54724

SHA512
17ffdc6cbda42713e7ee53ba726df8cb60450a492a8183ce55c80934ccf899b6180cfa9dcd2f57bfeb847a10c361b796206ff441109b8b504a9362cc464104fc

Download Submit
\Windows\SysWOW64\Apoooa32.exe

Filesize
88KB

MD5
fef585a9d55e4ddb31c53494cc95e16f

SHA1
46eba1a2ded8a8fbf576c56a3f66b3f55e0b8f00

SHA256
1b585d17c6966b1ea0cc0f3a21aab8119bba01073c91f223f08c25105843e053

SHA512
3e4dd3e4bf7ae692e6a37bc956469fd09991b704a7191526b48111e64a42930c801748e22b4580c44bd8dfb10eb918d052cda66a96556cd060e49b291be3a04d

Download Submit
\Windows\SysWOW64\Bhdgjb32.exe

Filesize
88KB

MD5
d4b9f4ba7427f669d882a529485c9076

SHA1
a736ef42d2564adb8966efd8e45f981854f7be70

SHA256
8a9419eeb95cd86456d39a5033498e3fc106012eebb06426a3ffb4bffd80990a

SHA512
cdd8d0fc2854baa9b245c9d59f7a7a6869626e03022f46c244a27684a6a3355c42ddb76e3f22e59614d14ff1d3c14e0df63d65ca8e346dd59c731ea9ab7c09c7

Download Submit
\Windows\SysWOW64\Bmclhi32.exe

Filesize
88KB

MD5
c366801b4202eff80f412d9394fd314f

SHA1
b9cf4a7a4b94ffabec904166ff5cec7c0298763c

SHA256
920f284cea7da17e05013fe83b96ae260ce916da571f50c062f2b29d9f79110a

SHA512
678a471c71ec9f8e4efcf69ae5e5eb1e14630616a78d37d0ce9c6db827fdbbede0a6ab040537dd894f8e1afb4b7d3d29cebff38167fa45b4d71f2dca7ddb7f69

Download Submit
\Windows\SysWOW64\Cacacg32.exe

Filesize
88KB

MD5
88d275c08ab5a7ce8a66173ecf920b7f

SHA1
8a66ab3cdd32cb4b49e589206fff7731f505b396

SHA256
8ca685d067ee549f1a2c090f4c56950a2abf903fc6e8b23484a44006cbbb7a23

SHA512
a56a943f0d1a9c1652cd3abab379d5dcfcc83902e259bae8a2b3544d61fd7596dc402f9191eedcab2932ef10b4db45e8931e21f5dc78f895666e5f498d757219

Download Submit
\Windows\SysWOW64\Cdoajb32.exe

Filesize
88KB

MD5
ce210ac9efaf383a3aa84d91de794555

SHA1
a7a3968c69cf7d057b710e56b49c851f06c4f561

SHA256
edc241984063206bd415c4de4ac9e26d0296944e2b5df4bd89c5b7840e03db7e

SHA512
fdb972b51e3dfabd8dace7e075e62f6a98aba062fda7f88e21a44ff677632d7f76b173c483cc19a6833ea0ebc7d48a69b53c3f52e556b2715365439e0336dab2

Download Submit
\Windows\SysWOW64\Qgmdjp32.exe

Filesize
88KB

MD5
8dc303e85ac325cb92f7aa7d61bf126e

SHA1
6f7b0880673a0a826f02ad632b8c2e40f1234558

SHA256
fcc70a5beb3c4333bbd8f683d7ba69058b6a8025a1fd462bec9b88fef5f3030f

SHA512
e835466e45951040f11d6c45d012489f46da1880743f499ba6ddb5c00318dc357d996b01988aa82f420b681bd092e32f637b935069c59c5c2e0231f0cc2e3a6a

Download Submit
memory/276-131-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/276-163-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/676-104-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/676-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/676-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1404-149-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1404-165-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1540-6-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1540-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1540-154-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1568-118-0x00000000001B0000-0x00000000001E4000-memory.dmp

Filesize
208KB

Download
memory/1568-162-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1568-110-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2008-164-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2148-155-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2148-21-0x00000000002C0000-0x00000000002F4000-memory.dmp

Filesize
208KB

Download
memory/2148-13-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2604-36-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2604-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2632-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2632-157-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2632-54-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2632-53-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2636-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2636-68-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2720-158-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2836-86-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2836-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2836-93-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2836-94-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads