dd0a79e3863720c6892d447acfeaf95e235c0935d9ac579109deab345910fc7b

General

Target

dd0a79e3863720c6892d447acfeaf95e235c0935d9ac579109deab345910fc7b.exe
Size

314KB
MD5

cc69a0fb0dddf0cbd81c1cb96ea7988a
SHA1

bea9b4e4801170c1850360a6c686a501cc3d1b32
SHA256

dd0a79e3863720c6892d447acfeaf95e235c0935d9ac579109deab345910fc7b
SHA512

ca164a0caff7bd13da06e80bb24ee9bf32a81487dc641f4e5084cfeb35bbd184c121e157be3b9edc72871df95f62142ae0d7880b630265c3dfff55880ef7b71f
SSDEEP

6144:4BiBnnAj6MB8MhjwszeXmr8SeNpgdyuH1lFDjC:4MBnS6Najb87gP3C

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	dd0a79e3863720c6892d447acfeaf95e235c0935d9ac579109deab345910fc7b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	dd0a79e3863720c6892d447acfeaf95e235c0935d9ac579109deab345910fc7b.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe

Executes dropped EXE 4 IoCs

pid	Process
2844	Cegoqlof.exe
3008	Cfhkhd32.exe
1916	Dmbcen32.exe
2620	Dpapaj32.exe

Loads dropped DLL 11 IoCs

pid	Process
2460	dd0a79e3863720c6892d447acfeaf95e235c0935d9ac579109deab345910fc7b.exe
2460	dd0a79e3863720c6892d447acfeaf95e235c0935d9ac579109deab345910fc7b.exe
2844	Cegoqlof.exe
2844	Cegoqlof.exe
3008	Cfhkhd32.exe
3008	Cfhkhd32.exe
1916	Dmbcen32.exe
1916	Dmbcen32.exe
2224	WerFault.exe
2224	WerFault.exe
2224	WerFault.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cegoqlof.exe	dd0a79e3863720c6892d447acfeaf95e235c0935d9ac579109deab345910fc7b.exe
File opened for modification	C:\Windows\SysWOW64\Dmbcen32.exe	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Fikbiheg.dll	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dmbcen32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Nloone32.dll	dd0a79e3863720c6892d447acfeaf95e235c0935d9ac579109deab345910fc7b.exe
File created	C:\Windows\SysWOW64\Cfhkhd32.exe	Cegoqlof.exe
File opened for modification	C:\Windows\SysWOW64\Cfhkhd32.exe	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Fkdqjn32.dll	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Cegoqlof.exe	dd0a79e3863720c6892d447acfeaf95e235c0935d9ac579109deab345910fc7b.exe
File created	C:\Windows\SysWOW64\Dmbcen32.exe	Cfhkhd32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2224	2620	WerFault.exe	34

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	dd0a79e3863720c6892d447acfeaf95e235c0935d9ac579109deab345910fc7b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	dd0a79e3863720c6892d447acfeaf95e235c0935d9ac579109deab345910fc7b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	dd0a79e3863720c6892d447acfeaf95e235c0935d9ac579109deab345910fc7b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	dd0a79e3863720c6892d447acfeaf95e235c0935d9ac579109deab345910fc7b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloone32.dll"	dd0a79e3863720c6892d447acfeaf95e235c0935d9ac579109deab345910fc7b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	dd0a79e3863720c6892d447acfeaf95e235c0935d9ac579109deab345910fc7b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfhkhd32.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 2844	2460	dd0a79e3863720c6892d447acfeaf95e235c0935d9ac579109deab345910fc7b.exe	31
PID 2460 wrote to memory of 2844	2460	dd0a79e3863720c6892d447acfeaf95e235c0935d9ac579109deab345910fc7b.exe	31
PID 2460 wrote to memory of 2844	2460	dd0a79e3863720c6892d447acfeaf95e235c0935d9ac579109deab345910fc7b.exe	31
PID 2460 wrote to memory of 2844	2460	dd0a79e3863720c6892d447acfeaf95e235c0935d9ac579109deab345910fc7b.exe	31
PID 2844 wrote to memory of 3008	2844	Cegoqlof.exe	32
PID 2844 wrote to memory of 3008	2844	Cegoqlof.exe	32
PID 2844 wrote to memory of 3008	2844	Cegoqlof.exe	32
PID 2844 wrote to memory of 3008	2844	Cegoqlof.exe	32
PID 3008 wrote to memory of 1916	3008	Cfhkhd32.exe	33
PID 3008 wrote to memory of 1916	3008	Cfhkhd32.exe	33
PID 3008 wrote to memory of 1916	3008	Cfhkhd32.exe	33
PID 3008 wrote to memory of 1916	3008	Cfhkhd32.exe	33
PID 1916 wrote to memory of 2620	1916	Dmbcen32.exe	34
PID 1916 wrote to memory of 2620	1916	Dmbcen32.exe	34
PID 1916 wrote to memory of 2620	1916	Dmbcen32.exe	34
PID 1916 wrote to memory of 2620	1916	Dmbcen32.exe	34
PID 2620 wrote to memory of 2224	2620	Dpapaj32.exe	35
PID 2620 wrote to memory of 2224	2620	Dpapaj32.exe	35
PID 2620 wrote to memory of 2224	2620	Dpapaj32.exe	35
PID 2620 wrote to memory of 2224	2620	Dpapaj32.exe	35

C:\Users\Admin\AppData\Local\Temp\dd0a79e3863720c6892d447acfeaf95e235c0935d9ac579109deab345910fc7b.exe
"C:\Users\Admin\AppData\Local\Temp\dd0a79e3863720c6892d447acfeaf95e235c0935d9ac579109deab345910fc7b.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Windows\SysWOW64\Cegoqlof.exe
  C:\Windows\system32\Cegoqlof.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\SysWOW64\Cfhkhd32.exe
    C:\Windows\system32\Cfhkhd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\Windows\SysWOW64\Dmbcen32.exe
      C:\Windows\system32\Dmbcen32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1916
    - - C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2620
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 144
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
314KB

MD5
eecc08dc098a6a3352c983d51baa87c1

SHA1
d54cd97ac3bef8d0050e700aa02686189581f97f

SHA256
c9c1789e93ac2c3cac36ac08748be5c90cbfd07972d938ff37c17702fe4a2b6f

SHA512
d7c0ab25d9f3fad145b5bc74622f6324a90d62e06ec4038088b49d07397104c66030631ad2a6b15f83ed4263bc7a1b10fb62e82f4adb1d4cbe2e011cc0227fb9

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
314KB

MD5
3e767a6875e2773003301c895e65b710

SHA1
7b219b4a2dd42aa5d809c832b558f562e40b7479

SHA256
5fc81ddf96a32b6d1fafa2e6b787e5d1f1ec0a17b4c8ea9b8ba35e0d80c1eb04

SHA512
50319a4d8f9ff5e37e4046caee2f82d50f55cead424888fd1805d92fdd21dd940ab097c9621e17b2538de81c6f40f1f919ad5a59f543caf5e1a42672325dedc6

Download Submit
\Windows\SysWOW64\Cegoqlof.exe

Filesize
314KB

MD5
6f33f1f5b5e660d5c3abf6302c2903f6

SHA1
8843f1542a2b8f70c7e5b5973701ffef18f0e953

SHA256
0c325b4dcb9d982d5bf5b5b472ef488638f515a3fe4ab3051851668fccdfbd04

SHA512
acb0a77ed1b201e12e9422505137b30dccb4d4b7303d8a3852fe8af8c3ad234bef03b10f078a4708a888367cd5c51f4fe288d2205ec8860e324b77f51cfa89cb

Download Submit
\Windows\SysWOW64\Dpapaj32.exe

Filesize
314KB

MD5
f5ecc30395731019661a43019f1f1822

SHA1
f9d865d358f6d7d4bd07c78305e82ca44aedb10c

SHA256
924bcf65ef418b82931deb97f584f1fc09d1ca7889e67e5a2a18c362713da733

SHA512
4030adaa1eaf71b8f60c42da1eded29604a25f7f3edcd108a5f5e8fc370111d5b0c787457e426085d9ccf4d8a3fc33ea71ab3d17b67fbb8e146c500d6d08cb6e

Download Submit
memory/1916-44-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1916-47-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2460-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2460-29-0x00000000002F0000-0x0000000000333000-memory.dmp

Filesize
268KB

Download
memory/2460-59-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2844-30-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3008-31-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads