fb4967c562ba8f8010d729733f60095f45021248cfc3b2b0fb4703bb8c74eb3d

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
01/07/2024, 04:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb4967c562ba8f8010d729733f60095f45021248cfc3b2b0fb4703bb8c74eb3d.exe
Size

295KB
MD5

1c10223488a5e2cc4a3284d68fa0d90b
SHA1

2632505cd65c003b2457b8641d75c35b53a1ca28
SHA256

fb4967c562ba8f8010d729733f60095f45021248cfc3b2b0fb4703bb8c74eb3d
SHA512

90bd39431a0b4d1b09180a37570efdcf64138ed76c8bee785a47310ccdbcecf08e9fc4676600bc79e50906f7febe66ca6f33fb36c0dcdfbf76f40f71e838cce8
SSDEEP

3072:gEL3szdE4GR5O3u1XiQ1UkY1UkVHe1rUtst76UtoUtFVgtRQ2c+tlB5xpWJLM77N:Ts5EFfOe5J1PY1PRe19V+tbFOLM77OLY

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaloddnn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	fb4967c562ba8f8010d729733f60095f45021248cfc3b2b0fb4703bb8c74eb3d.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okanklik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqhijbog.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qodlkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qodlkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Okanklik.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkfceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pkfceo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	fb4967c562ba8f8010d729733f60095f45021248cfc3b2b0fb4703bb8c74eb3d.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oopfakpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oopfakpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aaloddnn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apdhjq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apdhjq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bajomhbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bajomhbl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqhijbog.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbkbgjcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pbkbgjcc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdoajb32.exe

Executes dropped EXE 12 IoCs

pid	Process
2344	Okanklik.exe
2720	Oopfakpa.exe
1760	Pqhijbog.exe
2368	Pbkbgjcc.exe
2612	Pkfceo32.exe
2472	Qodlkm32.exe
1148	Aaloddnn.exe
336	Apdhjq32.exe
2900	Bajomhbl.exe
924	Balkchpi.exe
2800	Cdoajb32.exe
3012	Ceegmj32.exe

Loads dropped DLL 28 IoCs

pid	Process
1968	fb4967c562ba8f8010d729733f60095f45021248cfc3b2b0fb4703bb8c74eb3d.exe
1968	fb4967c562ba8f8010d729733f60095f45021248cfc3b2b0fb4703bb8c74eb3d.exe
2344	Okanklik.exe
2344	Okanklik.exe
2720	Oopfakpa.exe
2720	Oopfakpa.exe
1760	Pqhijbog.exe
1760	Pqhijbog.exe
2368	Pbkbgjcc.exe
2368	Pbkbgjcc.exe
2612	Pkfceo32.exe
2612	Pkfceo32.exe
2472	Qodlkm32.exe
2472	Qodlkm32.exe
1148	Aaloddnn.exe
1148	Aaloddnn.exe
336	Apdhjq32.exe
336	Apdhjq32.exe
2900	Bajomhbl.exe
2900	Bajomhbl.exe
924	Balkchpi.exe
924	Balkchpi.exe
2800	Cdoajb32.exe
2800	Cdoajb32.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe

Drops file in System32 directory 36 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cdepma32.dll	fb4967c562ba8f8010d729733f60095f45021248cfc3b2b0fb4703bb8c74eb3d.exe
File opened for modification	C:\Windows\SysWOW64\Apdhjq32.exe	Aaloddnn.exe
File opened for modification	C:\Windows\SysWOW64\Bajomhbl.exe	Apdhjq32.exe
File created	C:\Windows\SysWOW64\Dnabbkhk.dll	Balkchpi.exe
File opened for modification	C:\Windows\SysWOW64\Ceegmj32.exe	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Aoogfhfp.dll	Cdoajb32.exe
File opened for modification	C:\Windows\SysWOW64\Okanklik.exe	fb4967c562ba8f8010d729733f60095f45021248cfc3b2b0fb4703bb8c74eb3d.exe
File created	C:\Windows\SysWOW64\Bajomhbl.exe	Apdhjq32.exe
File created	C:\Windows\SysWOW64\Cdoajb32.exe	Balkchpi.exe
File created	C:\Windows\SysWOW64\Pqhijbog.exe	Oopfakpa.exe
File opened for modification	C:\Windows\SysWOW64\Pqhijbog.exe	Oopfakpa.exe
File opened for modification	C:\Windows\SysWOW64\Pkfceo32.exe	Pbkbgjcc.exe
File created	C:\Windows\SysWOW64\Nacehmno.dll	Pkfceo32.exe
File created	C:\Windows\SysWOW64\Aaloddnn.exe	Qodlkm32.exe
File created	C:\Windows\SysWOW64\Mhpeoj32.dll	Qodlkm32.exe
File opened for modification	C:\Windows\SysWOW64\Balkchpi.exe	Bajomhbl.exe
File opened for modification	C:\Windows\SysWOW64\Cdoajb32.exe	Balkchpi.exe
File created	C:\Windows\SysWOW64\Bpodeegi.dll	Oopfakpa.exe
File created	C:\Windows\SysWOW64\Okanklik.exe	fb4967c562ba8f8010d729733f60095f45021248cfc3b2b0fb4703bb8c74eb3d.exe
File opened for modification	C:\Windows\SysWOW64\Pbkbgjcc.exe	Pqhijbog.exe
File created	C:\Windows\SysWOW64\Igciil32.dll	Pqhijbog.exe
File created	C:\Windows\SysWOW64\Pkfceo32.exe	Pbkbgjcc.exe
File created	C:\Windows\SysWOW64\Qodlkm32.exe	Pkfceo32.exe
File created	C:\Windows\SysWOW64\Hocjoqin.dll	Bajomhbl.exe
File created	C:\Windows\SysWOW64\Ceegmj32.exe	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Oopfakpa.exe	Okanklik.exe
File opened for modification	C:\Windows\SysWOW64\Oopfakpa.exe	Okanklik.exe
File opened for modification	C:\Windows\SysWOW64\Qodlkm32.exe	Pkfceo32.exe
File created	C:\Windows\SysWOW64\Apdhjq32.exe	Aaloddnn.exe
File created	C:\Windows\SysWOW64\Njelgo32.dll	Aaloddnn.exe
File created	C:\Windows\SysWOW64\Fhbhji32.dll	Apdhjq32.exe
File created	C:\Windows\SysWOW64\Balkchpi.exe	Bajomhbl.exe
File created	C:\Windows\SysWOW64\Oflcmqaa.dll	Okanklik.exe
File created	C:\Windows\SysWOW64\Pbkbgjcc.exe	Pqhijbog.exe
File created	C:\Windows\SysWOW64\Aipheffp.dll	Pbkbgjcc.exe
File opened for modification	C:\Windows\SysWOW64\Aaloddnn.exe	Qodlkm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2820	3012	WerFault.exe	39

Modifies registry class 39 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	fb4967c562ba8f8010d729733f60095f45021248cfc3b2b0fb4703bb8c74eb3d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oopfakpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhbhji32.dll"	Apdhjq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pbkbgjcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nacehmno.dll"	Pkfceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Apdhjq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	fb4967c562ba8f8010d729733f60095f45021248cfc3b2b0fb4703bb8c74eb3d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdepma32.dll"	fb4967c562ba8f8010d729733f60095f45021248cfc3b2b0fb4703bb8c74eb3d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpodeegi.dll"	Oopfakpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oopfakpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pbkbgjcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bajomhbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	fb4967c562ba8f8010d729733f60095f45021248cfc3b2b0fb4703bb8c74eb3d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aaloddnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	fb4967c562ba8f8010d729733f60095f45021248cfc3b2b0fb4703bb8c74eb3d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oflcmqaa.dll"	Okanklik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pkfceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhpeoj32.dll"	Qodlkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Okanklik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pkfceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bajomhbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll"	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aipheffp.dll"	Pbkbgjcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qodlkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hocjoqin.dll"	Bajomhbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnabbkhk.dll"	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	fb4967c562ba8f8010d729733f60095f45021248cfc3b2b0fb4703bb8c74eb3d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igciil32.dll"	Pqhijbog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njelgo32.dll"	Aaloddnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Okanklik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqhijbog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pqhijbog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qodlkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Apdhjq32.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 2344	1968	fb4967c562ba8f8010d729733f60095f45021248cfc3b2b0fb4703bb8c74eb3d.exe	28
PID 1968 wrote to memory of 2344	1968	fb4967c562ba8f8010d729733f60095f45021248cfc3b2b0fb4703bb8c74eb3d.exe	28
PID 1968 wrote to memory of 2344	1968	fb4967c562ba8f8010d729733f60095f45021248cfc3b2b0fb4703bb8c74eb3d.exe	28
PID 1968 wrote to memory of 2344	1968	fb4967c562ba8f8010d729733f60095f45021248cfc3b2b0fb4703bb8c74eb3d.exe	28
PID 2344 wrote to memory of 2720	2344	Okanklik.exe	29
PID 2344 wrote to memory of 2720	2344	Okanklik.exe	29
PID 2344 wrote to memory of 2720	2344	Okanklik.exe	29
PID 2344 wrote to memory of 2720	2344	Okanklik.exe	29
PID 2720 wrote to memory of 1760	2720	Oopfakpa.exe	30
PID 2720 wrote to memory of 1760	2720	Oopfakpa.exe	30
PID 2720 wrote to memory of 1760	2720	Oopfakpa.exe	30
PID 2720 wrote to memory of 1760	2720	Oopfakpa.exe	30
PID 1760 wrote to memory of 2368	1760	Pqhijbog.exe	31
PID 1760 wrote to memory of 2368	1760	Pqhijbog.exe	31
PID 1760 wrote to memory of 2368	1760	Pqhijbog.exe	31
PID 1760 wrote to memory of 2368	1760	Pqhijbog.exe	31
PID 2368 wrote to memory of 2612	2368	Pbkbgjcc.exe	32
PID 2368 wrote to memory of 2612	2368	Pbkbgjcc.exe	32
PID 2368 wrote to memory of 2612	2368	Pbkbgjcc.exe	32
PID 2368 wrote to memory of 2612	2368	Pbkbgjcc.exe	32
PID 2612 wrote to memory of 2472	2612	Pkfceo32.exe	33
PID 2612 wrote to memory of 2472	2612	Pkfceo32.exe	33
PID 2612 wrote to memory of 2472	2612	Pkfceo32.exe	33
PID 2612 wrote to memory of 2472	2612	Pkfceo32.exe	33
PID 2472 wrote to memory of 1148	2472	Qodlkm32.exe	34
PID 2472 wrote to memory of 1148	2472	Qodlkm32.exe	34
PID 2472 wrote to memory of 1148	2472	Qodlkm32.exe	34
PID 2472 wrote to memory of 1148	2472	Qodlkm32.exe	34
PID 1148 wrote to memory of 336	1148	Aaloddnn.exe	35
PID 1148 wrote to memory of 336	1148	Aaloddnn.exe	35
PID 1148 wrote to memory of 336	1148	Aaloddnn.exe	35
PID 1148 wrote to memory of 336	1148	Aaloddnn.exe	35
PID 336 wrote to memory of 2900	336	Apdhjq32.exe	36
PID 336 wrote to memory of 2900	336	Apdhjq32.exe	36
PID 336 wrote to memory of 2900	336	Apdhjq32.exe	36
PID 336 wrote to memory of 2900	336	Apdhjq32.exe	36
PID 2900 wrote to memory of 924	2900	Bajomhbl.exe	37
PID 2900 wrote to memory of 924	2900	Bajomhbl.exe	37
PID 2900 wrote to memory of 924	2900	Bajomhbl.exe	37
PID 2900 wrote to memory of 924	2900	Bajomhbl.exe	37
PID 924 wrote to memory of 2800	924	Balkchpi.exe	38
PID 924 wrote to memory of 2800	924	Balkchpi.exe	38
PID 924 wrote to memory of 2800	924	Balkchpi.exe	38
PID 924 wrote to memory of 2800	924	Balkchpi.exe	38
PID 2800 wrote to memory of 3012	2800	Cdoajb32.exe	39
PID 2800 wrote to memory of 3012	2800	Cdoajb32.exe	39
PID 2800 wrote to memory of 3012	2800	Cdoajb32.exe	39
PID 2800 wrote to memory of 3012	2800	Cdoajb32.exe	39
PID 3012 wrote to memory of 2820	3012	Ceegmj32.exe	40
PID 3012 wrote to memory of 2820	3012	Ceegmj32.exe	40
PID 3012 wrote to memory of 2820	3012	Ceegmj32.exe	40
PID 3012 wrote to memory of 2820	3012	Ceegmj32.exe	40

C:\Users\Admin\AppData\Local\Temp\fb4967c562ba8f8010d729733f60095f45021248cfc3b2b0fb4703bb8c74eb3d.exe
"C:\Users\Admin\AppData\Local\Temp\fb4967c562ba8f8010d729733f60095f45021248cfc3b2b0fb4703bb8c74eb3d.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\SysWOW64\Okanklik.exe
  C:\Windows\system32\Okanklik.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\SysWOW64\Oopfakpa.exe
    C:\Windows\system32\Oopfakpa.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\SysWOW64\Pqhijbog.exe
      C:\Windows\system32\Pqhijbog.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1760
    - - C:\Windows\SysWOW64\Pbkbgjcc.exe
        
        C:\Windows\system32\Pbkbgjcc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2368
      - C:\Windows\SysWOW64\Pkfceo32.exe
        
        C:\Windows\system32\Pkfceo32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\SysWOW64\Qodlkm32.exe
        
        C:\Windows\system32\Qodlkm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\SysWOW64\Aaloddnn.exe
        
        C:\Windows\system32\Aaloddnn.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Windows\SysWOW64\Apdhjq32.exe
        
        C:\Windows\system32\Apdhjq32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:336
        
        C:\Windows\SysWOW64\Bajomhbl.exe
        
        C:\Windows\system32\Bajomhbl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Balkchpi.exe
        
        C:\Windows\system32\Balkchpi.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:924
        
        C:\Windows\SysWOW64\Cdoajb32.exe
        
        C:\Windows\system32\Cdoajb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 140
        14⤵
        Loads dropped DLL
        Program crash
        
        PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aipheffp.dll

Filesize
7KB

MD5
740b508a4ae724ea2f6607ccaf83fb21

SHA1
e7c8b36818e25f129b2fafb590464e4709de60c4

SHA256
4c97369b19d67c72c7c6672a34ac67147266ea69ab8accc9f46b9510e458d5b9

SHA512
aa9d5ef7957864de988c6a0f380255cba14a94f4d2f8be4b8c84edf2fee6fa33e08ba063415e3487fff6531d5c96588e2991c04b3dbbf6bb12edb9e1312282ab

Download Submit
C:\Windows\SysWOW64\Balkchpi.exe

Filesize
295KB

MD5
e3fff4ce89b702bc4bf6211cc6c3253d

SHA1
22846b120d4ce1e164b5882c08bceb9e26f266cf

SHA256
caddc590b891280c8bc142bf87bd107fae2a0d528a031bbe3e7a9eab6c570c75

SHA512
89559d761562430c7c5492cd6738f5511950be5f323cdaba03427e5da08892e0b6cfbbd73034138d1a09c28cd2cb222bec731b79a2086b1d6f438356c2648fbf

Download Submit
C:\Windows\SysWOW64\Ceegmj32.exe

Filesize
295KB

MD5
dbac60952aa3aea102e539007e1f89cc

SHA1
c285804e621937f05626a2ad8d7e49f5924f4e55

SHA256
287fe216858a8af23146c602ff642312e08c8fec76e95cd0306ebcf598280851

SHA512
9dc555cddf43e44fb4a521b6199ecb9090188038eb49f80ad44ada8f0da7a22a7f06320258d2a6a0ad7d1e05cdacb75ef843293b27f0c9cde0721a069723d89a

Download Submit
C:\Windows\SysWOW64\Oopfakpa.exe

Filesize
295KB

MD5
105f7ae4918e857052a2b0f9bf339d05

SHA1
b0881e69bca71d7c20b3a431773327500b451af4

SHA256
692d1809915f16ea02a086a53d22df1eebc7cc7f24c1c27f74d6d7a423691843

SHA512
631dad7cd44f2fb8056175fbc75d41a8d593248949d30d89acca48d8541f7954f315de39d0891e69216ee4298f3ef704d1b613667af5a4c875480d6a09bce5bc

Download Submit
\Windows\SysWOW64\Aaloddnn.exe

Filesize
295KB

MD5
593e460da14e169981641e11a10007ec

SHA1
2588440a0879f3832e94867351d9ae9869722cd9

SHA256
abb6b53126c6e664c5ccfab980bf78f0971c63c45f39010fe1430f93d92e7d44

SHA512
8b0f3f4d8ca9eaa843efab6f907b7836db036f0da9cd8a3c8f957d0224d8690d180c4b6eebdb1f8676c4fc39bdc1991cabf2daffbfd5d5cc1260e005f5c8434c

Download Submit
\Windows\SysWOW64\Apdhjq32.exe

Filesize
295KB

MD5
ec0d205d04cf0a474e55e9b335917938

SHA1
0418dfaa133f950e8379cd3f9b050d0389b202a3

SHA256
eae724ed7c33375b6bc57521ec1448ee7ae74989500843c3331676efa043f573

SHA512
744c25978e3fb6d798691c0cb32f75f1f6284091419badc7dc1cb36c52d5f027f8197ddd62334f4fd62dcd10f9d772c69453096c75cd86853a15e3a750e34f4c

Download Submit
\Windows\SysWOW64\Bajomhbl.exe

Filesize
295KB

MD5
db36fa234b1927364d2cd4f95ddc54c6

SHA1
ee2ab9e5519c13f41428282d7eeca57dc6afc2f2

SHA256
0019282c14f833ec9ce0c160b14799f9499b50774060670e470ea2ed5fdc363d

SHA512
38399762e8ca3e78d005cf281356527ffaad72dc6f88933c0b4144e24afc380434312662462440b64499e0757d63758a3ffcd024eb890d4d4f8ac5085331c890

Download Submit
\Windows\SysWOW64\Cdoajb32.exe

Filesize
295KB

MD5
f0819a6094770be4d22ec025852c8638

SHA1
078cdfea3cb1c9fc597e005dbf0b654facbc189c

SHA256
a73f0d395a0d9fa31958df8b572dbb3f3ce24410f670897f61e50f1edaaf7993

SHA512
6dee041e6a0d6d3cd470bce6c41e2d161d5b8dcdde443518104839369c0f8e2c51e3a0a5a1e758fa656268d71269ea4b2d6de2997284c176e66ca60ebe9d6299

Download Submit
\Windows\SysWOW64\Okanklik.exe

Filesize
295KB

MD5
30048ed6d107a3900aaed4ae5d8ac117

SHA1
60790977e6578e0a80a360a100be6ab2f118c564

SHA256
a578f1d459729b482ebb8d0e1420d29915c70d0b114ff5dadfe31682cbe8bbff

SHA512
c3debfa03c18162a4253bd5926d3bccbca970bc0d463939556c3981474fa168dd63530a9fc1652f02fa7361b2fc3261c59559ccb82b2844bc7d823e83493e2dd

Download Submit
\Windows\SysWOW64\Pbkbgjcc.exe

Filesize
295KB

MD5
40ae3841c726cef0cb93c57ef90eed92

SHA1
585724b693764e672d106da7fe7d0299d573c95d

SHA256
87e9a53521907b3caa6ca6508b23efd2d348764f38e4c58d9990987da6898b5b

SHA512
3402141f6b9dc8e66cb3e7e4d350dcb893cc0095341be1f67d2b18be04c5974ab53370483006759915011bfb62aa2cc8ad0eae1515d8b4d07d00ace2aa10f698

Download Submit
\Windows\SysWOW64\Pkfceo32.exe

Filesize
295KB

MD5
d25e7a6fde51889736217356954705f7

SHA1
f2088026a3cf27842f49ff6d49ec93765e8d2bef

SHA256
ac98d95523ddb539678a5467e176978567a3b6c5155c24ef91be24fb5cf0a1b2

SHA512
b49fc8974e319401d138fcad08c734f3ec6a451355409a0eb55321888bc7e7d97f871d869b75da1c335e498affbcb80018b5f8df97997b0e1296ee9100705516

Download Submit
\Windows\SysWOW64\Pqhijbog.exe

Filesize
295KB

MD5
b7d57525b07fc4a273d5d4c0c421ff89

SHA1
2652abd718a4ede1812eb9e7196c91fd680eff34

SHA256
4d1adfaab67a43b0d6b68580a7764ad41a9eb596d9b854548117fc7473e72f55

SHA512
5c5174cbf20ec73be29c721aa6599a0d2ebbc28c83f8cf39923babfd9e5ee760258343bf29463e7f0317a9ffde30cae9036e2bd8a19ee5481f257ffaf119a8f6

Download Submit
\Windows\SysWOW64\Qodlkm32.exe

Filesize
295KB

MD5
41e231e1eeb2cca931ceb8971d07fab9

SHA1
be46da5d045430e22f6e5df3d2ab0bd58cdf12af

SHA256
5d2fc2a3763e02a51276c946bd9104b70f65d3b684d32cb70c256f27f209cbf9

SHA512
7bb29affbc3b219282beaebd37da122f436b4a79a88a5c8043e07ed6c13e0d7d5db0702cedd1f2b0d49517c67045f5c4f33baaf89d059810960fe722ef8e650f

Download Submit
memory/336-124-0x00000000004E0000-0x000000000053F000-memory.dmp

Filesize
380KB

Download
memory/336-219-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/924-141-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/924-148-0x0000000000320000-0x000000000037F000-memory.dmp

Filesize
380KB

Download
memory/924-223-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1148-217-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1148-111-0x0000000000220000-0x000000000027F000-memory.dmp

Filesize
380KB

Download
memory/1148-99-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1760-54-0x0000000000320000-0x000000000037F000-memory.dmp

Filesize
380KB

Download
memory/1760-47-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1760-209-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1968-6-0x0000000000220000-0x000000000027F000-memory.dmp

Filesize
380KB

Download
memory/1968-200-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1968-0-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2344-18-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2344-202-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2344-26-0x0000000000460000-0x00000000004BF000-memory.dmp

Filesize
380KB

Download
memory/2344-25-0x0000000000460000-0x00000000004BF000-memory.dmp

Filesize
380KB

Download
memory/2368-211-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2368-69-0x0000000000220000-0x000000000027F000-memory.dmp

Filesize
380KB

Download
memory/2368-56-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2368-68-0x0000000000220000-0x000000000027F000-memory.dmp

Filesize
380KB

Download
memory/2472-85-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2472-97-0x0000000000380000-0x00000000003DF000-memory.dmp

Filesize
380KB

Download
memory/2472-215-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2612-213-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2612-71-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2612-83-0x0000000000220000-0x000000000027F000-memory.dmp

Filesize
380KB

Download
memory/2720-204-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2720-28-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2720-35-0x00000000004D0000-0x000000000052F000-memory.dmp

Filesize
380KB

Download
memory/2800-168-0x0000000000220000-0x000000000027F000-memory.dmp

Filesize
380KB

Download
memory/2800-166-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2800-225-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2900-139-0x0000000000330000-0x000000000038F000-memory.dmp

Filesize
380KB

Download
memory/2900-126-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2900-221-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3012-167-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads