0975a25b576207d421a94bb6aff47cdf4257b39e4beafe23c2a80648cc9aeddc

General

Target

0975a25b576207d421a94bb6aff47cdf4257b39e4beafe23c2a80648cc9aeddc.exe
Size

92KB
MD5

f347234b8650a975567f549a69d154f7
SHA1

0c4cede64feb5d7f12f74294e7becacfbb0873e1
SHA256

0975a25b576207d421a94bb6aff47cdf4257b39e4beafe23c2a80648cc9aeddc
SHA512

997016289d61f80f508f83330d1fd6a857f08761a1c36e05ac33214d2a96d4fe6dcc77b602d8043763b931dca76fd6fd5e08453b7eff5e4f1929b01aa5f3691c
SSDEEP

1536:o0WC4WzODK+KzOZQLKeAJpNNv/KW/1wtkoElXjXq+66DFUABABOVLefE3:lWC9d/DUpn/KG6tFE1j6+JB8M3

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgpjlnhh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0975a25b576207d421a94bb6aff47cdf4257b39e4beafe23c2a80648cc9aeddc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	0975a25b576207d421a94bb6aff47cdf4257b39e4beafe23c2a80648cc9aeddc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgpjlnhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgechbh.exe

Executes dropped EXE 5 IoCs

pid	Process
2552	Cpceidcn.exe
3000	Ckiigmcd.exe
2868	Cmgechbh.exe
2792	Cgpjlnhh.exe
2640	Ceegmj32.exe

Loads dropped DLL 14 IoCs

pid	Process
2176	0975a25b576207d421a94bb6aff47cdf4257b39e4beafe23c2a80648cc9aeddc.exe
2176	0975a25b576207d421a94bb6aff47cdf4257b39e4beafe23c2a80648cc9aeddc.exe
2552	Cpceidcn.exe
2552	Cpceidcn.exe
3000	Ckiigmcd.exe
3000	Ckiigmcd.exe
2868	Cmgechbh.exe
2868	Cmgechbh.exe
2792	Cgpjlnhh.exe
2792	Cgpjlnhh.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cmgechbh.exe	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Gnnffg32.dll	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Dojofhjd.dll	Cmgechbh.exe
File opened for modification	C:\Windows\SysWOW64\Ckiigmcd.exe	Cpceidcn.exe
File created	C:\Windows\SysWOW64\Ndmjqgdd.dll	0975a25b576207d421a94bb6aff47cdf4257b39e4beafe23c2a80648cc9aeddc.exe
File created	C:\Windows\SysWOW64\Ckiigmcd.exe	Cpceidcn.exe
File created	C:\Windows\SysWOW64\Bjpdmqog.dll	Cpceidcn.exe
File created	C:\Windows\SysWOW64\Cgpjlnhh.exe	Cmgechbh.exe
File created	C:\Windows\SysWOW64\Aoogfhfp.dll	Cgpjlnhh.exe
File opened for modification	C:\Windows\SysWOW64\Cpceidcn.exe	0975a25b576207d421a94bb6aff47cdf4257b39e4beafe23c2a80648cc9aeddc.exe
File opened for modification	C:\Windows\SysWOW64\Cgpjlnhh.exe	Cmgechbh.exe
File opened for modification	C:\Windows\SysWOW64\Ceegmj32.exe	Cgpjlnhh.exe
File created	C:\Windows\SysWOW64\Cpceidcn.exe	0975a25b576207d421a94bb6aff47cdf4257b39e4beafe23c2a80648cc9aeddc.exe
File created	C:\Windows\SysWOW64\Ceegmj32.exe	Cgpjlnhh.exe
File opened for modification	C:\Windows\SysWOW64\Cmgechbh.exe	Ckiigmcd.exe

Program crash 1 IoCs

pid	pid_target	Process
2468	2640	WerFault.exe

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndmjqgdd.dll"	0975a25b576207d421a94bb6aff47cdf4257b39e4beafe23c2a80648cc9aeddc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnnffg32.dll"	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dojofhjd.dll"	Cmgechbh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	0975a25b576207d421a94bb6aff47cdf4257b39e4beafe23c2a80648cc9aeddc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	0975a25b576207d421a94bb6aff47cdf4257b39e4beafe23c2a80648cc9aeddc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	0975a25b576207d421a94bb6aff47cdf4257b39e4beafe23c2a80648cc9aeddc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgechbh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgpjlnhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll"	Cgpjlnhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgpjlnhh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	0975a25b576207d421a94bb6aff47cdf4257b39e4beafe23c2a80648cc9aeddc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	0975a25b576207d421a94bb6aff47cdf4257b39e4beafe23c2a80648cc9aeddc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjpdmqog.dll"	Cpceidcn.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2552	2176	0975a25b576207d421a94bb6aff47cdf4257b39e4beafe23c2a80648cc9aeddc.exe	28
PID 2176 wrote to memory of 2552	2176	0975a25b576207d421a94bb6aff47cdf4257b39e4beafe23c2a80648cc9aeddc.exe	28
PID 2176 wrote to memory of 2552	2176	0975a25b576207d421a94bb6aff47cdf4257b39e4beafe23c2a80648cc9aeddc.exe	28
PID 2176 wrote to memory of 2552	2176	0975a25b576207d421a94bb6aff47cdf4257b39e4beafe23c2a80648cc9aeddc.exe	28
PID 2552 wrote to memory of 3000	2552	Cpceidcn.exe	29
PID 2552 wrote to memory of 3000	2552	Cpceidcn.exe	29
PID 2552 wrote to memory of 3000	2552	Cpceidcn.exe	29
PID 2552 wrote to memory of 3000	2552	Cpceidcn.exe	29
PID 3000 wrote to memory of 2868	3000	Ckiigmcd.exe	30
PID 3000 wrote to memory of 2868	3000	Ckiigmcd.exe	30
PID 3000 wrote to memory of 2868	3000	Ckiigmcd.exe	30
PID 3000 wrote to memory of 2868	3000	Ckiigmcd.exe	30
PID 2868 wrote to memory of 2792	2868	Cmgechbh.exe	31
PID 2868 wrote to memory of 2792	2868	Cmgechbh.exe	31
PID 2868 wrote to memory of 2792	2868	Cmgechbh.exe	31
PID 2868 wrote to memory of 2792	2868	Cmgechbh.exe	31
PID 2792 wrote to memory of 2640	2792	Cgpjlnhh.exe	32
PID 2792 wrote to memory of 2640	2792	Cgpjlnhh.exe	32
PID 2792 wrote to memory of 2640	2792	Cgpjlnhh.exe	32
PID 2792 wrote to memory of 2640	2792	Cgpjlnhh.exe	32
PID 2640 wrote to memory of 2468	2640	Ceegmj32.exe	33
PID 2640 wrote to memory of 2468	2640	Ceegmj32.exe	33
PID 2640 wrote to memory of 2468	2640	Ceegmj32.exe	33
PID 2640 wrote to memory of 2468	2640	Ceegmj32.exe	33

C:\Users\Admin\AppData\Local\Temp\0975a25b576207d421a94bb6aff47cdf4257b39e4beafe23c2a80648cc9aeddc.exe
"C:\Users\Admin\AppData\Local\Temp\0975a25b576207d421a94bb6aff47cdf4257b39e4beafe23c2a80648cc9aeddc.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\SysWOW64\Cpceidcn.exe
  C:\Windows\system32\Cpceidcn.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\SysWOW64\Ckiigmcd.exe
    C:\Windows\system32\Ckiigmcd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Windows\SysWOW64\Cmgechbh.exe
      C:\Windows\system32\Cmgechbh.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2868
    - - C:\Windows\SysWOW64\Cgpjlnhh.exe
        
        C:\Windows\system32\Cgpjlnhh.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2792
      - C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 140
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ckiigmcd.exe

Filesize
92KB

MD5
309e04d22c7f0e49c0ffc7fafde6996f

SHA1
92b82910599900e5d9c4b52c85cccf9e29b0542f

SHA256
c251c84374d448712e6a4728c399ed89baf85f2f4bc8dafa7d50b518a1b5788e

SHA512
6d05a141d18e7528015803853f39cc3cd6fa1b731cf055d0050474fcbfe27e7272f190f473e39628e181314f7a55eafea7ac6aa5c01564ae6b414c592f76e5c3

Download Submit
C:\Windows\SysWOW64\Cpceidcn.exe

Filesize
92KB

MD5
74952d81f0c95335baaba75d841ed6c7

SHA1
a66eec38768153234430d5cc34e513e05ec343ad

SHA256
63d7ac5f614cb44d3b8bc151c53bc6ad1e0dc31351b30c78a3c3aceaf3c3e7b4

SHA512
ba41574e45a65eca1982e21dc081df4dd2c8a5e0a43145c18e7c43dbcaf630cd8df7ce162f11828cacdb454512b7e05a61f7827227687d3137a05d7f43da209b

Download Submit
\Windows\SysWOW64\Ceegmj32.exe

Filesize
92KB

MD5
5a64311672ed1dfdfc1b27b7332a6f65

SHA1
084bd4fc369bbc2bd61a9d51408f88825e7df682

SHA256
da564d8fc3b1580410a26be75b807446e921e4a1f80fa9e9fff56e669abdb380

SHA512
adf563d5acaa95c40d38338d7ebc01ff0088cb6fe64dc083e3dece6bed0d88e4ed672b09a1e5f678c06e77326706f4b62009637c2132994e4f893d43af9eeccf

Download Submit
\Windows\SysWOW64\Cgpjlnhh.exe

Filesize
92KB

MD5
559e7ad8057a24dd7a14f1d97222e04a

SHA1
c88ac57c99337c480b2a2f57dbdfb25cd7bf48a7

SHA256
74b5a84bf4433dad982addac0e7cd2a27482ed7222d224fa6da57eaebd0f3bb9

SHA512
3bd6c87a83ebc191af2c24eb2ba7e0c27dceec69f63e1b5852c444fbf8ea51982aa7be851de91a9af4181f895571d34c0ff30edb49afa9bb721abec761180383

Download Submit
\Windows\SysWOW64\Cmgechbh.exe

Filesize
92KB

MD5
628ce953184a328a9346a08fc9232162

SHA1
c6a9cc76dad46e7b0f508ee96e339a67ed04f0bf

SHA256
d14f3be84d73242024fdf7cd7abe3a6958bdc236f8f03ef81e7a777a2c834be0

SHA512
554f0fe06627f473c50807c99c2ef9b530ad6f1616b4c05c20d1e5301eab5d0120492fac7295a87fcfc3ec69fe8e2371121e1f9c48f68b6b718efd247c435b6d

Download Submit
memory/2176-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2176-6-0x00000000002C0000-0x0000000000303000-memory.dmp

Filesize
268KB

Download
memory/2176-73-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2176-12-0x00000000002C0000-0x0000000000303000-memory.dmp

Filesize
268KB

Download
memory/2552-19-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2640-68-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2792-62-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2792-75-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2868-46-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2868-49-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/3000-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3000-35-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/3000-74-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads