e364432ce91ad453cbd26686c1962f26c035186b29b30b397306365c95f7fa56

General

Target

e364432ce91ad453cbd26686c1962f26c035186b29b30b397306365c95f7fa56.exe
Size

378KB
MD5

fa0a835fbb2afc28a67e92f67a86d27a
SHA1

7f120d1ef26e67e7394aaf18d9c9ea8a2e402635
SHA256

e364432ce91ad453cbd26686c1962f26c035186b29b30b397306365c95f7fa56
SHA512

1bbe29ac8fdddf8c3a8433a0ea41ae57eedbdd44fff3a571aba5dffd40b3674f5704b0f54e968993414fbd7d4f17de225b3602b536a3727586b5b7950c12748e
SSDEEP

6144:2twYJoprtMsQBma/atn9pG4l+0K76zHTgb8ecFeK8TJ4u392vVAMR4/5V0lLn+CV:ow5RMsEat9pG4l+0K7WHT91M52vVAMqa

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckebcg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdbpgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdbpgl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dojqjdbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dojqjdbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e364432ce91ad453cbd26686c1962f26c035186b29b30b397306365c95f7fa56.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e364432ce91ad453cbd26686c1962f26c035186b29b30b397306365c95f7fa56.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckebcg32.exe

Executes dropped EXE 4 IoCs

pid	Process
4168	Ckebcg32.exe
3348	Cdbpgl32.exe
2376	Dojqjdbl.exe
4988	Dkqaoe32.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dllfqd32.dll	Cdbpgl32.exe
File created	C:\Windows\SysWOW64\Glfdiedd.dll	Dojqjdbl.exe
File created	C:\Windows\SysWOW64\Ckebcg32.exe	e364432ce91ad453cbd26686c1962f26c035186b29b30b397306365c95f7fa56.exe
File created	C:\Windows\SysWOW64\Aijjhbli.dll	e364432ce91ad453cbd26686c1962f26c035186b29b30b397306365c95f7fa56.exe
File opened for modification	C:\Windows\SysWOW64\Cdbpgl32.exe	Ckebcg32.exe
File created	C:\Windows\SysWOW64\Eekgliip.dll	Ckebcg32.exe
File created	C:\Windows\SysWOW64\Dojqjdbl.exe	Cdbpgl32.exe
File opened for modification	C:\Windows\SysWOW64\Dojqjdbl.exe	Cdbpgl32.exe
File created	C:\Windows\SysWOW64\Dkqaoe32.exe	Dojqjdbl.exe
File opened for modification	C:\Windows\SysWOW64\Dkqaoe32.exe	Dojqjdbl.exe
File opened for modification	C:\Windows\SysWOW64\Ckebcg32.exe	e364432ce91ad453cbd26686c1962f26c035186b29b30b397306365c95f7fa56.exe
File created	C:\Windows\SysWOW64\Cdbpgl32.exe	Ckebcg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1544	4988	WerFault.exe	93

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	e364432ce91ad453cbd26686c1962f26c035186b29b30b397306365c95f7fa56.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aijjhbli.dll"	e364432ce91ad453cbd26686c1962f26c035186b29b30b397306365c95f7fa56.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckebcg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dojqjdbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dojqjdbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	e364432ce91ad453cbd26686c1962f26c035186b29b30b397306365c95f7fa56.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll"	Dojqjdbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	e364432ce91ad453cbd26686c1962f26c035186b29b30b397306365c95f7fa56.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	e364432ce91ad453cbd26686c1962f26c035186b29b30b397306365c95f7fa56.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	e364432ce91ad453cbd26686c1962f26c035186b29b30b397306365c95f7fa56.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdbpgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dllfqd32.dll"	Cdbpgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdbpgl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckebcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eekgliip.dll"	Ckebcg32.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3104 wrote to memory of 4168	3104	e364432ce91ad453cbd26686c1962f26c035186b29b30b397306365c95f7fa56.exe	90
PID 3104 wrote to memory of 4168	3104	e364432ce91ad453cbd26686c1962f26c035186b29b30b397306365c95f7fa56.exe	90
PID 3104 wrote to memory of 4168	3104	e364432ce91ad453cbd26686c1962f26c035186b29b30b397306365c95f7fa56.exe	90
PID 4168 wrote to memory of 3348	4168	Ckebcg32.exe	91
PID 4168 wrote to memory of 3348	4168	Ckebcg32.exe	91
PID 4168 wrote to memory of 3348	4168	Ckebcg32.exe	91
PID 3348 wrote to memory of 2376	3348	Cdbpgl32.exe	92
PID 3348 wrote to memory of 2376	3348	Cdbpgl32.exe	92
PID 3348 wrote to memory of 2376	3348	Cdbpgl32.exe	92
PID 2376 wrote to memory of 4988	2376	Dojqjdbl.exe	93
PID 2376 wrote to memory of 4988	2376	Dojqjdbl.exe	93
PID 2376 wrote to memory of 4988	2376	Dojqjdbl.exe	93

C:\Users\Admin\AppData\Local\Temp\e364432ce91ad453cbd26686c1962f26c035186b29b30b397306365c95f7fa56.exe
"C:\Users\Admin\AppData\Local\Temp\e364432ce91ad453cbd26686c1962f26c035186b29b30b397306365c95f7fa56.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3104
- C:\Windows\SysWOW64\Ckebcg32.exe
  C:\Windows\system32\Ckebcg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4168
- - C:\Windows\SysWOW64\Cdbpgl32.exe
    C:\Windows\system32\Cdbpgl32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3348
  - - C:\Windows\SysWOW64\Dojqjdbl.exe
      C:\Windows\system32\Dojqjdbl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2376
    - - C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        5⤵
        Executes dropped EXE
        
        PID:4988
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 400
        6⤵
        Program crash
        
        PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4988 -ip 4988
1⤵
PID:2552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1312 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:4060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cdbpgl32.exe

Filesize
378KB

MD5
5de0e14aa9ef12cfd6b373a7685599d8

SHA1
46361e7742ea14fa171e45dfc42df684826b3ce5

SHA256
e4d6df90e88821f77f92731337d5cc892e8d2b6b39dc054a39ba30552a5a7e42

SHA512
e6b2a146d71f6a3e38e3e8b35d159eddbdfdfd1c6e98be8c8e0bc516583fd0542959d60d8c1b26dfe12b3a2ee4cdae782df3795226a67c789a061e43bd0fa12d

Download Submit
C:\Windows\SysWOW64\Ckebcg32.exe

Filesize
378KB

MD5
021602866593dcc89443c11cd58bc310

SHA1
cf20c556aa6aa28934de527415ef09d52c6352fe

SHA256
16be53a36591c68857b28d9c79e114bb474eeac9691749288b2fd5f79361300f

SHA512
f34726b5b8d485dc4123e32e706ae264ec1ef3aae670a167253b9aa1711d3a12fe2165591c0c098961116e3541371427d1204bd4204ce07c7a83e99b53bde245

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
378KB

MD5
929d9bb1ce64674527a3ef80e7937887

SHA1
4ac03ec4a879e3440391be915072a24087773c59

SHA256
42f0870c0ed454f690736d722d85985dff7bebeb175e021b1b6ca4f16a0f1d24

SHA512
0efe52cf3c81b00475cc04c34e7d86d5cba01987cdd71bd23a0f687809cc22d3b11e63a83e27013cdb42434032fac7f11515d7290c35da798800b387dfa4e2ed

Download Submit
C:\Windows\SysWOW64\Dojqjdbl.exe

Filesize
378KB

MD5
1220c8d93a6fe9f648dd5b8c2696b9db

SHA1
9fe03ba05c62bf8a797861c195a28a46086a1b8b

SHA256
b626dcc18ae396255dc56ce2aaac8ba867b0d6455f690aad18a0b804a440ca55

SHA512
8e0133ca1cb8c708016a1a48dfcccebd7ae6439b36c8e2ac48feb3d5838a821104d4c0ba731703adcc7fe560d5bcc79055367b7a3cb05271a436e57cb3bc480d

Download Submit
memory/2376-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2376-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3104-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3104-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3104-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3348-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3348-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4168-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4168-37-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4988-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4988-34-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads