a08de0adeb44d5ef1db6a7091e23c482602ea1879a1528efc1e8d3c89eae4611

Analysis

max time kernel
143s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
27/07/2024, 01:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a08de0adeb44d5ef1db6a7091e23c482602ea1879a1528efc1e8d3c89eae4611.exe
Size

64KB
MD5

4652c4944c929cd7c139763a224196ed
SHA1

fbc7084554f04f2466f1a56b0663d3dec45d3c98
SHA256

a08de0adeb44d5ef1db6a7091e23c482602ea1879a1528efc1e8d3c89eae4611
SHA512

abeec373da8f0aa4c0afb1c60227d58cbf174f26b4d3deba7a4eb3bf0fd7868c95b5d6a77279059d0c74fc2a782813745abdec4d3205a37e3863b1652ebd8a34
SSDEEP

768:OMpAHWgvLP2/EGH7p+egEQ1iJ/daUGUoEPO/34OvYLPXlSv/1H54b6XJ1IwEGp9k:OM6Wgip+enDaRpEPcIOv3BGWXUwXfzwv

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afnagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afnagk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	a08de0adeb44d5ef1db6a7091e23c482602ea1879a1528efc1e8d3c89eae4611.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqeicede.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aecaidjl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a08de0adeb44d5ef1db6a7091e23c482602ea1879a1528efc1e8d3c89eae4611.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qngmgjeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajbggjfq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajecmj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aijpnfif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bonoflae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qngmgjeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqeicede.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aecaidjl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajbggjfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajecmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aijpnfif.exe

Executes dropped EXE 11 IoCs

pid	Process
3020	Qngmgjeb.exe
2916	Qqeicede.exe
2656	Aecaidjl.exe
2220	Ajbggjfq.exe
780	Ajecmj32.exe
852	Aijpnfif.exe
2428	Afnagk32.exe
2672	Bonoflae.exe
868	Bdmddc32.exe
2192	Cpceidcn.exe
1268	Cacacg32.exe

Loads dropped DLL 26 IoCs

pid	Process
2884	a08de0adeb44d5ef1db6a7091e23c482602ea1879a1528efc1e8d3c89eae4611.exe
2884	a08de0adeb44d5ef1db6a7091e23c482602ea1879a1528efc1e8d3c89eae4611.exe
3020	Qngmgjeb.exe
3020	Qngmgjeb.exe
2916	Qqeicede.exe
2916	Qqeicede.exe
2656	Aecaidjl.exe
2656	Aecaidjl.exe
2220	Ajbggjfq.exe
2220	Ajbggjfq.exe
780	Ajecmj32.exe
780	Ajecmj32.exe
852	Aijpnfif.exe
852	Aijpnfif.exe
2428	Afnagk32.exe
2428	Afnagk32.exe
2672	Bonoflae.exe
2672	Bonoflae.exe
868	Bdmddc32.exe
868	Bdmddc32.exe
2192	Cpceidcn.exe
2192	Cpceidcn.exe
112	WerFault.exe
112	WerFault.exe
112	WerFault.exe
112	WerFault.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Afnagk32.exe	Aijpnfif.exe
File created	C:\Windows\SysWOW64\Mgjcep32.dll	Aijpnfif.exe
File created	C:\Windows\SysWOW64\Bdmddc32.exe	Bonoflae.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Cpceidcn.exe
File created	C:\Windows\SysWOW64\Imjcfnhk.dll	Qngmgjeb.exe
File opened for modification	C:\Windows\SysWOW64\Ajbggjfq.exe	Aecaidjl.exe
File created	C:\Windows\SysWOW64\Fekagf32.dll	Ajbggjfq.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Cpceidcn.exe
File created	C:\Windows\SysWOW64\Aecaidjl.exe	Qqeicede.exe
File opened for modification	C:\Windows\SysWOW64\Ajecmj32.exe	Ajbggjfq.exe
File opened for modification	C:\Windows\SysWOW64\Bdmddc32.exe	Bonoflae.exe
File opened for modification	C:\Windows\SysWOW64\Qngmgjeb.exe	a08de0adeb44d5ef1db6a7091e23c482602ea1879a1528efc1e8d3c89eae4611.exe
File created	C:\Windows\SysWOW64\Eignpade.dll	Afnagk32.exe
File opened for modification	C:\Windows\SysWOW64\Afnagk32.exe	Aijpnfif.exe
File opened for modification	C:\Windows\SysWOW64\Bonoflae.exe	Afnagk32.exe
File created	C:\Windows\SysWOW64\Qqeicede.exe	Qngmgjeb.exe
File opened for modification	C:\Windows\SysWOW64\Aecaidjl.exe	Qqeicede.exe
File created	C:\Windows\SysWOW64\Ajecmj32.exe	Ajbggjfq.exe
File created	C:\Windows\SysWOW64\Ajbggjfq.exe	Aecaidjl.exe
File created	C:\Windows\SysWOW64\Aijpnfif.exe	Ajecmj32.exe
File created	C:\Windows\SysWOW64\Bonoflae.exe	Afnagk32.exe
File created	C:\Windows\SysWOW64\Cpceidcn.exe	Bdmddc32.exe
File opened for modification	C:\Windows\SysWOW64\Cpceidcn.exe	Bdmddc32.exe
File created	C:\Windows\SysWOW64\Cmelgapq.dll	a08de0adeb44d5ef1db6a7091e23c482602ea1879a1528efc1e8d3c89eae4611.exe
File opened for modification	C:\Windows\SysWOW64\Qqeicede.exe	Qngmgjeb.exe
File created	C:\Windows\SysWOW64\Hjphijco.dll	Ajecmj32.exe
File opened for modification	C:\Windows\SysWOW64\Aijpnfif.exe	Ajecmj32.exe
File created	C:\Windows\SysWOW64\Cjnolikh.dll	Bonoflae.exe
File created	C:\Windows\SysWOW64\Ndmjqgdd.dll	Bdmddc32.exe
File created	C:\Windows\SysWOW64\Cacacg32.exe	Cpceidcn.exe
File created	C:\Windows\SysWOW64\Qngmgjeb.exe	a08de0adeb44d5ef1db6a7091e23c482602ea1879a1528efc1e8d3c89eae4611.exe
File created	C:\Windows\SysWOW64\Emfmdo32.dll	Qqeicede.exe
File created	C:\Windows\SysWOW64\Cenaioaq.dll	Aecaidjl.exe

Program crash 1 IoCs

pid	pid_target	Process
112	1268	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a08de0adeb44d5ef1db6a7091e23c482602ea1879a1528efc1e8d3c89eae4611.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqeicede.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aijpnfif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afnagk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bonoflae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpceidcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qngmgjeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aecaidjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajbggjfq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajecmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdmddc32.exe

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqeicede.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eignpade.dll"	Afnagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndmjqgdd.dll"	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qngmgjeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emfmdo32.dll"	Qqeicede.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajbggjfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aijpnfif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmelgapq.dll"	a08de0adeb44d5ef1db6a7091e23c482602ea1879a1528efc1e8d3c89eae4611.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjphijco.dll"	Ajecmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afnagk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	a08de0adeb44d5ef1db6a7091e23c482602ea1879a1528efc1e8d3c89eae4611.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afnagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	a08de0adeb44d5ef1db6a7091e23c482602ea1879a1528efc1e8d3c89eae4611.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imjcfnhk.dll"	Qngmgjeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqeicede.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajecmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	a08de0adeb44d5ef1db6a7091e23c482602ea1879a1528efc1e8d3c89eae4611.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aecaidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cenaioaq.dll"	Aecaidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjnolikh.dll"	Bonoflae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qngmgjeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	a08de0adeb44d5ef1db6a7091e23c482602ea1879a1528efc1e8d3c89eae4611.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aecaidjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajbggjfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgjcep32.dll"	Aijpnfif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	a08de0adeb44d5ef1db6a7091e23c482602ea1879a1528efc1e8d3c89eae4611.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajecmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aijpnfif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fekagf32.dll"	Ajbggjfq.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 3020	2884	a08de0adeb44d5ef1db6a7091e23c482602ea1879a1528efc1e8d3c89eae4611.exe	30
PID 2884 wrote to memory of 3020	2884	a08de0adeb44d5ef1db6a7091e23c482602ea1879a1528efc1e8d3c89eae4611.exe	30
PID 2884 wrote to memory of 3020	2884	a08de0adeb44d5ef1db6a7091e23c482602ea1879a1528efc1e8d3c89eae4611.exe	30
PID 2884 wrote to memory of 3020	2884	a08de0adeb44d5ef1db6a7091e23c482602ea1879a1528efc1e8d3c89eae4611.exe	30
PID 3020 wrote to memory of 2916	3020	Qngmgjeb.exe	31
PID 3020 wrote to memory of 2916	3020	Qngmgjeb.exe	31
PID 3020 wrote to memory of 2916	3020	Qngmgjeb.exe	31
PID 3020 wrote to memory of 2916	3020	Qngmgjeb.exe	31
PID 2916 wrote to memory of 2656	2916	Qqeicede.exe	32
PID 2916 wrote to memory of 2656	2916	Qqeicede.exe	32
PID 2916 wrote to memory of 2656	2916	Qqeicede.exe	32
PID 2916 wrote to memory of 2656	2916	Qqeicede.exe	32
PID 2656 wrote to memory of 2220	2656	Aecaidjl.exe	33
PID 2656 wrote to memory of 2220	2656	Aecaidjl.exe	33
PID 2656 wrote to memory of 2220	2656	Aecaidjl.exe	33
PID 2656 wrote to memory of 2220	2656	Aecaidjl.exe	33
PID 2220 wrote to memory of 780	2220	Ajbggjfq.exe	34
PID 2220 wrote to memory of 780	2220	Ajbggjfq.exe	34
PID 2220 wrote to memory of 780	2220	Ajbggjfq.exe	34
PID 2220 wrote to memory of 780	2220	Ajbggjfq.exe	34
PID 780 wrote to memory of 852	780	Ajecmj32.exe	35
PID 780 wrote to memory of 852	780	Ajecmj32.exe	35
PID 780 wrote to memory of 852	780	Ajecmj32.exe	35
PID 780 wrote to memory of 852	780	Ajecmj32.exe	35
PID 852 wrote to memory of 2428	852	Aijpnfif.exe	36
PID 852 wrote to memory of 2428	852	Aijpnfif.exe	36
PID 852 wrote to memory of 2428	852	Aijpnfif.exe	36
PID 852 wrote to memory of 2428	852	Aijpnfif.exe	36
PID 2428 wrote to memory of 2672	2428	Afnagk32.exe	37
PID 2428 wrote to memory of 2672	2428	Afnagk32.exe	37
PID 2428 wrote to memory of 2672	2428	Afnagk32.exe	37
PID 2428 wrote to memory of 2672	2428	Afnagk32.exe	37
PID 2672 wrote to memory of 868	2672	Bonoflae.exe	38
PID 2672 wrote to memory of 868	2672	Bonoflae.exe	38
PID 2672 wrote to memory of 868	2672	Bonoflae.exe	38
PID 2672 wrote to memory of 868	2672	Bonoflae.exe	38
PID 868 wrote to memory of 2192	868	Bdmddc32.exe	39
PID 868 wrote to memory of 2192	868	Bdmddc32.exe	39
PID 868 wrote to memory of 2192	868	Bdmddc32.exe	39
PID 868 wrote to memory of 2192	868	Bdmddc32.exe	39
PID 2192 wrote to memory of 1268	2192	Cpceidcn.exe	40
PID 2192 wrote to memory of 1268	2192	Cpceidcn.exe	40
PID 2192 wrote to memory of 1268	2192	Cpceidcn.exe	40
PID 2192 wrote to memory of 1268	2192	Cpceidcn.exe	40
PID 1268 wrote to memory of 112	1268	Cacacg32.exe	41
PID 1268 wrote to memory of 112	1268	Cacacg32.exe	41
PID 1268 wrote to memory of 112	1268	Cacacg32.exe	41
PID 1268 wrote to memory of 112	1268	Cacacg32.exe	41

C:\Users\Admin\AppData\Local\Temp\a08de0adeb44d5ef1db6a7091e23c482602ea1879a1528efc1e8d3c89eae4611.exe
"C:\Users\Admin\AppData\Local\Temp\a08de0adeb44d5ef1db6a7091e23c482602ea1879a1528efc1e8d3c89eae4611.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\SysWOW64\Qngmgjeb.exe
  C:\Windows\system32\Qngmgjeb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\SysWOW64\Qqeicede.exe
    C:\Windows\system32\Qqeicede.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\SysWOW64\Aecaidjl.exe
      C:\Windows\system32\Aecaidjl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2656
    - - C:\Windows\SysWOW64\Ajbggjfq.exe
        
        C:\Windows\system32\Ajbggjfq.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2220
      - C:\Windows\SysWOW64\Ajecmj32.exe
        
        C:\Windows\system32\Ajecmj32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Windows\SysWOW64\Aijpnfif.exe
        
        C:\Windows\system32\Aijpnfif.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\SysWOW64\Afnagk32.exe
        
        C:\Windows\system32\Afnagk32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\Bonoflae.exe
        
        C:\Windows\system32\Bonoflae.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Bdmddc32.exe
        
        C:\Windows\system32\Bdmddc32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SysWOW64\Cpceidcn.exe
        
        C:\Windows\system32\Cpceidcn.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 140
        13⤵
        Loads dropped DLL
        Program crash
        
        PID:112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aecaidjl.exe

Filesize
64KB

MD5
002912c1894813888954197568201925

SHA1
42cabe88635cdd576e383e172324a5c95c71f55c

SHA256
9a2904ee08d7e5f425182c201dca8770a473b3d5ff2e4474d24231f701bbe9e9

SHA512
a8d1427949a923a17cd257068cdba1fe695e6679d20320adf0035101f6189007c23749989e39755dac9c284a2f28fcc0c9133eb02cc31f5c421f51da9f370ed8

Download Submit
C:\Windows\SysWOW64\Afnagk32.exe

Filesize
64KB

MD5
2222f50ef1e46982f48a4b8a378687d6

SHA1
95b6c0540c39c7e223afe62df104e245ab0e08b7

SHA256
69f011100c80a05cfdcdf59b557529379cc897a0fd7138d8d7be55e4697940ce

SHA512
f126463cdcf0a3e4a0f3d9c4e42b283fa15c8179f5c2f880db72db481127bf1175bff6f583ff3a2f53e380829d6f284c58d696a757b51720c8dbe654fbbd5e5e

Download Submit
C:\Windows\SysWOW64\Aijpnfif.exe

Filesize
64KB

MD5
9ce5eafd3eb978510bcd27a9467871bb

SHA1
04bfd6158cce4e56c192080d58a6abe4c3bfb555

SHA256
eecb38907e6dbc5138c65dce1aa5dc7ea0f4c574dd8e4779ac029c99b977cd73

SHA512
47f09e30e9b088c6584053b362ffaa2bcb08c63c62cc65f5649c9741e5965bd21a3a8ff352446a25c416b934d6d84e0d24d8ac09a70156eccdfe88eeb95e09f2

Download Submit
C:\Windows\SysWOW64\Ajbggjfq.exe

Filesize
64KB

MD5
4a9808aae9747c3f920c25fa4e157923

SHA1
0cbb9e7e3157a832ba9a672e8c9f70d21c5df1fd

SHA256
1333f157790f04a8c991a20307a7333ff0fe679a8ead278ee9a364de8bdf5b73

SHA512
16413be7c7076c749a50ecfb6f43e655f4c4dca6d57b21dae5d3776193e52cfe25d01942b9a83a637f88079da8b49d7ff69b6d8f34e832a3eadb979675e2dd48

Download Submit
C:\Windows\SysWOW64\Ajecmj32.exe

Filesize
64KB

MD5
faa43a5b54bbf6125ad38f4c8fe09bd4

SHA1
1a08e32f4a2142ffaf245103326a1dc1dbc8b8b9

SHA256
03d6edf572cc80dcd9db45fc9a54ed501a08a8cfd30b629f40e2c0030244468f

SHA512
fbd3291c3d6223dafa45ac07a636fdc61e369adfe21cc6ebef2399bf82f0926f8a5566521b9cdd422fdfb64608af71982e5f0043a28ca3271e6513db52cdf1f0

Download Submit
C:\Windows\SysWOW64\Bdmddc32.exe

Filesize
64KB

MD5
ead2faa01f4c6ff5041c36a300137e07

SHA1
715e8ee90ea5fe64cff78dc82d0ae9013b6a64a9

SHA256
343ba283728bdf10a8fae195abbc01349b298c6c76ee4a9a5fbf8689c1051ffa

SHA512
e5a67f4614555f1ad8d06b1004c4833ea6d2c944f22743b64bba01b458c64f1c696ca88b4448780e118ac97f3513182300fc307acd0bc53c0dba31c2acb0bd00

Download Submit
C:\Windows\SysWOW64\Bonoflae.exe

Filesize
64KB

MD5
e030e47ced14157a707e6ad2f169260e

SHA1
9589c4e37bb8333691033ea1208a3818965d902a

SHA256
27f0852f6972a5d3cac0fd52cb583b0d00ef5a774cbc08595a8e0e3bfae5466d

SHA512
b6a2d0fb4cb488907cc91ae9bafd8afc66eaa20ebcb747c6c6436cac3ec333d86ff1e58bcc9d13d8c8f88c8179a057de5a1070f98b8f8071e77be9ebd58a96d7

Download Submit
C:\Windows\SysWOW64\Cpceidcn.exe

Filesize
64KB

MD5
11ead56c705b56b13adb5824e174b79a

SHA1
2cb415e7fc0a880754be7ae4e14e623d59864f3f

SHA256
736c3e90e34200e321de09e3821018f181c9e53f38528c091ae28272b3396ed2

SHA512
59f41078e1eb73d269829ca0d5cc629463e9726473919e028d303dcd0cccb3a43958a9411aadd60c7618b47e5e385d403b563faf4f15e29fcf32dccc9a4a1014

Download Submit
C:\Windows\SysWOW64\Qngmgjeb.exe

Filesize
64KB

MD5
e89d5fd02d6d4efac876138379123ec9

SHA1
ab3695db7a4cb3c80153206885c5dbec6eb6d837

SHA256
7255b6aa6f181b11e0f6266e62d9c512124ab910af945a422b94552610bf64c7

SHA512
8a82ac24d9d33e9d52b198b68263f64ced05944c2650c6b29051cce82c32ad4951f79596019c719cbef79f6e9a8d4988d09720675e7b069802fe4ac6225bdbe9

Download Submit
C:\Windows\SysWOW64\Qqeicede.exe

Filesize
64KB

MD5
2e008b783074b4aca43db8d8aed56622

SHA1
e1d988a7afc202c0ea2e7eb334755db1cb0be622

SHA256
0975f46802efb652ecfc44e2e34f92a832f8cd0f1b30aaf25d36fe7962cd063a

SHA512
f095344e1e18aedbcd4b4f317580b7d0b7c27cdd8e3a5ed351e16d6db958d0344921bbd841828b34438036883922fe0eb5d615f5afc566c859ad882343177bb0

Download Submit
\Windows\SysWOW64\Cacacg32.exe

Filesize
64KB

MD5
c8f66ebd941889ada6d5ec9c30c48ede

SHA1
b2caf528593e064602a3d941768b6e499be7d172

SHA256
d44cf0b25ace1e20a1ab7aa7e0f791f8c9eae6d78199708a639a8a5b72a5672f

SHA512
44dd8d3b9176b20817450f54ed982772a7a5f0f2f4a7efc41c07b23051332423db9b5aa8072fc740324044169d0c432cedad635016d4f571019049eec4f49e21

Download Submit
memory/780-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/780-160-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/780-81-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/852-161-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/852-82-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/868-164-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/868-135-0x0000000000310000-0x000000000033F000-memory.dmp

Filesize
188KB

Download
memory/868-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1268-166-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2192-137-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2192-147-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2192-165-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2220-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2220-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2428-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2428-162-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2428-105-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2428-109-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2656-49-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2656-158-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2656-41-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2672-163-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2672-110-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2884-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2884-155-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2884-12-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2916-157-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2916-26-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2916-34-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/2916-39-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/3020-18-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads