2b4d06e8c58ce594673c5726bda7e325e72b383aa11de9a8725e31899d1d107f

Analysis

max time kernel
142s
max time network
19s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
27/07/2024, 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b4d06e8c58ce594673c5726bda7e325e72b383aa11de9a8725e31899d1d107f.exe
Size

81KB
MD5

8976d8b7af01abea57cfaeebb5473a86
SHA1

a00af7a49331ee306d579a56306043774f8877b2
SHA256

2b4d06e8c58ce594673c5726bda7e325e72b383aa11de9a8725e31899d1d107f
SHA512

28c9b93cbf62f2fb2646b53f3c3f4663a7a5fbfcb61b12a5cbaeacdd37e81072c89e9ff5285e0555b28484db8fbe3691cf2ebcba3847d58c6ef5d45b3eda1e4b
SSDEEP

1536:Bh0gnzuAzXuYDzocBYVMx20+Aa2P7m4LO++/+1m6KadhYxU33HX0L:bbnzpzgqxXWm/LrCimBaH8UH30L

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aoihaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2b4d06e8c58ce594673c5726bda7e325e72b383aa11de9a8725e31899d1d107f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qckalamk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgiibp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amebjgai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afnfcl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afpchl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Paekijkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgacaaij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgacaaij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjblcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afpchl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aehmoh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgiibp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afnfcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aehmoh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2b4d06e8c58ce594673c5726bda7e325e72b383aa11de9a8725e31899d1d107f.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paekijkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjblcl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qckalamk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amebjgai.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoihaa32.exe

Executes dropped EXE 11 IoCs

pid	Process
1880	Paekijkb.exe
2808	Pgacaaij.exe
2816	Pjblcl32.exe
2996	Qckalamk.exe
1568	Qgiibp32.exe
2740	Amebjgai.exe
1496	Afnfcl32.exe
776	Afpchl32.exe
2352	Aoihaa32.exe
2868	Aehmoh32.exe
2892	Bmenijcd.exe

Loads dropped DLL 26 IoCs

pid	Process
2064	2b4d06e8c58ce594673c5726bda7e325e72b383aa11de9a8725e31899d1d107f.exe
2064	2b4d06e8c58ce594673c5726bda7e325e72b383aa11de9a8725e31899d1d107f.exe
1880	Paekijkb.exe
1880	Paekijkb.exe
2808	Pgacaaij.exe
2808	Pgacaaij.exe
2816	Pjblcl32.exe
2816	Pjblcl32.exe
2996	Qckalamk.exe
2996	Qckalamk.exe
1568	Qgiibp32.exe
1568	Qgiibp32.exe
2740	Amebjgai.exe
2740	Amebjgai.exe
1496	Afnfcl32.exe
1496	Afnfcl32.exe
776	Afpchl32.exe
776	Afpchl32.exe
2352	Aoihaa32.exe
2352	Aoihaa32.exe
2868	Aehmoh32.exe
2868	Aehmoh32.exe
2264	WerFault.exe
2264	WerFault.exe
2264	WerFault.exe
2264	WerFault.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Inmfkm32.dll	Afnfcl32.exe
File created	C:\Windows\SysWOW64\Aehmoh32.exe	Aoihaa32.exe
File created	C:\Windows\SysWOW64\Klhejn32.dll	Paekijkb.exe
File opened for modification	C:\Windows\SysWOW64\Qgiibp32.exe	Qckalamk.exe
File opened for modification	C:\Windows\SysWOW64\Afpchl32.exe	Afnfcl32.exe
File created	C:\Windows\SysWOW64\Amebjgai.exe	Qgiibp32.exe
File opened for modification	C:\Windows\SysWOW64\Aoihaa32.exe	Afpchl32.exe
File created	C:\Windows\SysWOW64\Bjaoaabb.dll	2b4d06e8c58ce594673c5726bda7e325e72b383aa11de9a8725e31899d1d107f.exe
File opened for modification	C:\Windows\SysWOW64\Pjblcl32.exe	Pgacaaij.exe
File created	C:\Windows\SysWOW64\Qckalamk.exe	Pjblcl32.exe
File created	C:\Windows\SysWOW64\Pjblcl32.exe	Pgacaaij.exe
File opened for modification	C:\Windows\SysWOW64\Bmenijcd.exe	Aehmoh32.exe
File created	C:\Windows\SysWOW64\Ddgoncih.dll	Pjblcl32.exe
File opened for modification	C:\Windows\SysWOW64\Amebjgai.exe	Qgiibp32.exe
File created	C:\Windows\SysWOW64\Aoihaa32.exe	Afpchl32.exe
File opened for modification	C:\Windows\SysWOW64\Aehmoh32.exe	Aoihaa32.exe
File created	C:\Windows\SysWOW64\Jgelak32.dll	Aoihaa32.exe
File created	C:\Windows\SysWOW64\Pgacaaij.exe	Paekijkb.exe
File opened for modification	C:\Windows\SysWOW64\Pgacaaij.exe	Paekijkb.exe
File opened for modification	C:\Windows\SysWOW64\Qckalamk.exe	Pjblcl32.exe
File created	C:\Windows\SysWOW64\Bmenijcd.exe	Aehmoh32.exe
File created	C:\Windows\SysWOW64\Diflambo.dll	Aehmoh32.exe
File created	C:\Windows\SysWOW64\Paekijkb.exe	2b4d06e8c58ce594673c5726bda7e325e72b383aa11de9a8725e31899d1d107f.exe
File created	C:\Windows\SysWOW64\Iindag32.dll	Qckalamk.exe
File created	C:\Windows\SysWOW64\Jpobja32.dll	Qgiibp32.exe
File created	C:\Windows\SysWOW64\Ejbmjalg.dll	Afpchl32.exe
File opened for modification	C:\Windows\SysWOW64\Afnfcl32.exe	Amebjgai.exe
File created	C:\Windows\SysWOW64\Qebepc32.dll	Amebjgai.exe
File created	C:\Windows\SysWOW64\Afpchl32.exe	Afnfcl32.exe
File opened for modification	C:\Windows\SysWOW64\Paekijkb.exe	2b4d06e8c58ce594673c5726bda7e325e72b383aa11de9a8725e31899d1d107f.exe
File created	C:\Windows\SysWOW64\Cbkingcj.dll	Pgacaaij.exe
File created	C:\Windows\SysWOW64\Afnfcl32.exe	Amebjgai.exe
File created	C:\Windows\SysWOW64\Qgiibp32.exe	Qckalamk.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2264	2892	WerFault.exe	40

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qckalamk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amebjgai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afnfcl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afpchl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoihaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmenijcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b4d06e8c58ce594673c5726bda7e325e72b383aa11de9a8725e31899d1d107f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paekijkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgacaaij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjblcl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgiibp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aehmoh32.exe

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgacaaij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgacaaij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgiibp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afnfcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aoihaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	2b4d06e8c58ce594673c5726bda7e325e72b383aa11de9a8725e31899d1d107f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjaoaabb.dll"	2b4d06e8c58ce594673c5726bda7e325e72b383aa11de9a8725e31899d1d107f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qckalamk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qckalamk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qebepc32.dll"	Amebjgai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Paekijkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjblcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	2b4d06e8c58ce594673c5726bda7e325e72b383aa11de9a8725e31899d1d107f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afnfcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aoihaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Paekijkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afpchl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amebjgai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afpchl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejbmjalg.dll"	Afpchl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diflambo.dll"	Aehmoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klhejn32.dll"	Paekijkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjblcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgelak32.dll"	Aoihaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aehmoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	2b4d06e8c58ce594673c5726bda7e325e72b383aa11de9a8725e31899d1d107f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbkingcj.dll"	Pgacaaij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgiibp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amebjgai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inmfkm32.dll"	Afnfcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aehmoh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	2b4d06e8c58ce594673c5726bda7e325e72b383aa11de9a8725e31899d1d107f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iindag32.dll"	Qckalamk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpobja32.dll"	Qgiibp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	2b4d06e8c58ce594673c5726bda7e325e72b383aa11de9a8725e31899d1d107f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddgoncih.dll"	Pjblcl32.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 1880	2064	2b4d06e8c58ce594673c5726bda7e325e72b383aa11de9a8725e31899d1d107f.exe	30
PID 2064 wrote to memory of 1880	2064	2b4d06e8c58ce594673c5726bda7e325e72b383aa11de9a8725e31899d1d107f.exe	30
PID 2064 wrote to memory of 1880	2064	2b4d06e8c58ce594673c5726bda7e325e72b383aa11de9a8725e31899d1d107f.exe	30
PID 2064 wrote to memory of 1880	2064	2b4d06e8c58ce594673c5726bda7e325e72b383aa11de9a8725e31899d1d107f.exe	30
PID 1880 wrote to memory of 2808	1880	Paekijkb.exe	31
PID 1880 wrote to memory of 2808	1880	Paekijkb.exe	31
PID 1880 wrote to memory of 2808	1880	Paekijkb.exe	31
PID 1880 wrote to memory of 2808	1880	Paekijkb.exe	31
PID 2808 wrote to memory of 2816	2808	Pgacaaij.exe	32
PID 2808 wrote to memory of 2816	2808	Pgacaaij.exe	32
PID 2808 wrote to memory of 2816	2808	Pgacaaij.exe	32
PID 2808 wrote to memory of 2816	2808	Pgacaaij.exe	32
PID 2816 wrote to memory of 2996	2816	Pjblcl32.exe	33
PID 2816 wrote to memory of 2996	2816	Pjblcl32.exe	33
PID 2816 wrote to memory of 2996	2816	Pjblcl32.exe	33
PID 2816 wrote to memory of 2996	2816	Pjblcl32.exe	33
PID 2996 wrote to memory of 1568	2996	Qckalamk.exe	34
PID 2996 wrote to memory of 1568	2996	Qckalamk.exe	34
PID 2996 wrote to memory of 1568	2996	Qckalamk.exe	34
PID 2996 wrote to memory of 1568	2996	Qckalamk.exe	34
PID 1568 wrote to memory of 2740	1568	Qgiibp32.exe	35
PID 1568 wrote to memory of 2740	1568	Qgiibp32.exe	35
PID 1568 wrote to memory of 2740	1568	Qgiibp32.exe	35
PID 1568 wrote to memory of 2740	1568	Qgiibp32.exe	35
PID 2740 wrote to memory of 1496	2740	Amebjgai.exe	36
PID 2740 wrote to memory of 1496	2740	Amebjgai.exe	36
PID 2740 wrote to memory of 1496	2740	Amebjgai.exe	36
PID 2740 wrote to memory of 1496	2740	Amebjgai.exe	36
PID 1496 wrote to memory of 776	1496	Afnfcl32.exe	37
PID 1496 wrote to memory of 776	1496	Afnfcl32.exe	37
PID 1496 wrote to memory of 776	1496	Afnfcl32.exe	37
PID 1496 wrote to memory of 776	1496	Afnfcl32.exe	37
PID 776 wrote to memory of 2352	776	Afpchl32.exe	38
PID 776 wrote to memory of 2352	776	Afpchl32.exe	38
PID 776 wrote to memory of 2352	776	Afpchl32.exe	38
PID 776 wrote to memory of 2352	776	Afpchl32.exe	38
PID 2352 wrote to memory of 2868	2352	Aoihaa32.exe	39
PID 2352 wrote to memory of 2868	2352	Aoihaa32.exe	39
PID 2352 wrote to memory of 2868	2352	Aoihaa32.exe	39
PID 2352 wrote to memory of 2868	2352	Aoihaa32.exe	39
PID 2868 wrote to memory of 2892	2868	Aehmoh32.exe	40
PID 2868 wrote to memory of 2892	2868	Aehmoh32.exe	40
PID 2868 wrote to memory of 2892	2868	Aehmoh32.exe	40
PID 2868 wrote to memory of 2892	2868	Aehmoh32.exe	40
PID 2892 wrote to memory of 2264	2892	Bmenijcd.exe	41
PID 2892 wrote to memory of 2264	2892	Bmenijcd.exe	41
PID 2892 wrote to memory of 2264	2892	Bmenijcd.exe	41
PID 2892 wrote to memory of 2264	2892	Bmenijcd.exe	41

C:\Users\Admin\AppData\Local\Temp\2b4d06e8c58ce594673c5726bda7e325e72b383aa11de9a8725e31899d1d107f.exe
"C:\Users\Admin\AppData\Local\Temp\2b4d06e8c58ce594673c5726bda7e325e72b383aa11de9a8725e31899d1d107f.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\SysWOW64\Paekijkb.exe
  C:\Windows\system32\Paekijkb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Windows\SysWOW64\Pgacaaij.exe
    C:\Windows\system32\Pgacaaij.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Windows\SysWOW64\Pjblcl32.exe
      C:\Windows\system32\Pjblcl32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2816
    - - C:\Windows\SysWOW64\Qckalamk.exe
        
        C:\Windows\system32\Qckalamk.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2996
      - C:\Windows\SysWOW64\Qgiibp32.exe
        
        C:\Windows\system32\Qgiibp32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Amebjgai.exe
        
        C:\Windows\system32\Amebjgai.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\Afnfcl32.exe
        
        C:\Windows\system32\Afnfcl32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\Afpchl32.exe
        
        C:\Windows\system32\Afpchl32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:776
        
        C:\Windows\SysWOW64\Aoihaa32.exe
        
        C:\Windows\system32\Aoihaa32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\Aehmoh32.exe
        
        C:\Windows\system32\Aehmoh32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Bmenijcd.exe
        
        C:\Windows\system32\Bmenijcd.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 140
        13⤵
        Loads dropped DLL
        Program crash
        
        PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afpchl32.exe

Filesize
81KB

MD5
f978a4c8f03bcf41ddc79327e57d7abd

SHA1
86103b132dcf9079367220e3c88aeb890254b979

SHA256
b4b6dbaa9a29a696550b7010cf02efc30cc2defc2a4dc6caf3edcd831184a001

SHA512
e0d34471f68780f84834ecd448dd4ad991ee4fc66650c319e7c5bb3c6c74898960eac9217939de70480b905efde59d1cc8a4fea128d4ea58909ed3203f626429

Download Submit
C:\Windows\SysWOW64\Pgacaaij.exe

Filesize
81KB

MD5
3490aac670741462116e5abc4d14a2ab

SHA1
75a9feda2f4f452d63778f839b72d36ce5d80f4a

SHA256
da8bed4824b520860ddb118b3a77ae6b83616c653b4e1dc3efab751c2940a0d7

SHA512
585ec3562acc9969e8090e8cf5e97da33aaa9c9d8a3f395e436aca8c6849e5338df3c6900d43a7308796003309b8d3af2a2c5912139f0489673578855c1a6d7c

Download Submit
C:\Windows\SysWOW64\Qckalamk.exe

Filesize
81KB

MD5
1dc5dbdc232c315d26d3b0f30a233716

SHA1
6acc81deee5ff0207af350ce26f3c70256cc637b

SHA256
774394f077c6126a72e84dc2f57092a1413082d93ddf10c717efe9f47bb32430

SHA512
762651c7c1694b38062b893c2d2b7755462c6c33b4719d10fd5a0a50888e69df308b52b2aef75396509bc7d232f01064add5053b8d255dfa6eaf729537a97529

Download Submit
\Windows\SysWOW64\Aehmoh32.exe

Filesize
81KB

MD5
472c6f14b43f4adf433697cc26505555

SHA1
313363915f019efedd358565ddbf2d794c82bf42

SHA256
62387eb8fdab9714881ff9a814304ec0d393a93dbc51610f406411b7823faaa1

SHA512
2e6fadd8a774be41d9ceddd62c0e7860c3a488d85deb6bad61c40faeb11978564724483ea03f49742e0f35a063e06302227b57d7e6fb25cab35d15099f567e54

Download Submit
\Windows\SysWOW64\Afnfcl32.exe

Filesize
81KB

MD5
96aac9476e402faa877915cc903bc6c6

SHA1
7cceed84850701544b21b80667423c4a1466894f

SHA256
6b336159937b8448dd7839a61e45f10645b8d669ac2ba8d2c64f668358263cd6

SHA512
5a4809f56fa93f8aaec4e353b68e289b55562df62cf9f4ecc5702da8b292a57d8fc91a47af751373bb6b856563c483a29f517b1ae129d6c7b75cd1f2cf8c346d

Download Submit
\Windows\SysWOW64\Amebjgai.exe

Filesize
81KB

MD5
fba422dee5cb8fc71e853e64df09083e

SHA1
831680434edf13039d05d06f56470671f3da39f7

SHA256
7fbc94b5bb160c68afcbbbc3039cd14ed42778aeeb027736158572185a8d998a

SHA512
7254b9e5181f32363134016904aff17fdbc84d2857180699cf737f2ab72e96778cf79b300f6edadbba5d2d7b626cf53d0178793a1e3232523cb1c93a4721eab6

Download Submit
\Windows\SysWOW64\Aoihaa32.exe

Filesize
81KB

MD5
b54d7f4690a891e099c8eaf610058923

SHA1
c7e7da25f71c47da865426231de31e978fd73bbe

SHA256
9656be65a44c67107d2a0c8a667f1e2cf5548c8f6b807507efe56cd736f6cb42

SHA512
35b9e643f901def2bc53890e6277462c38127818a7ff6e93be922080ddad3f66ad3c5dece2418dc9b8d2a8bd584fcf287b0fc939a4a35e0faf5bf9cccd14ef28

Download Submit
\Windows\SysWOW64\Bmenijcd.exe

Filesize
81KB

MD5
59618fdf41b3a5c21f0ddaea6faa6e40

SHA1
43a5a090bac4f694f55d0ad0082a8665908a856e

SHA256
c1de055f09db2334ca7f252df1d43c558697e09262d551fed8eeb7e3ae3021cd

SHA512
302f660f6aaf39fcda8a1a4cc238370a3b180131b6dc7cb8ae2227cdf93fd89a4e2bad5e54b6923bec95e9c3a275d9ee5fe7c49e66625fbe929ecb02c8b121ed

Download Submit
\Windows\SysWOW64\Paekijkb.exe

Filesize
81KB

MD5
85dc2aaeb8493420d0aad7ab8a763342

SHA1
160bc748cb03c8a6f31ac8f23562c0623d6b6804

SHA256
58691a10142cd480ca138b36dbab7202808cd6f2e6ffae09230a94f396784242

SHA512
71c9ad929980416b9d93e5b3c42430928ce637b678234fb67542231ca8c668c4484db497f518e43df7f273119743ab3bc3a844786f929188d16920cd614cffdd

Download Submit
\Windows\SysWOW64\Pjblcl32.exe

Filesize
81KB

MD5
b2e16525be1e451161c68ed3b131a067

SHA1
f7a981bbe0890a77454ee2c68c68b23a46a3a6c7

SHA256
77c5a09cfed0f583718c34e42f0b09c1c958353d876781f10e436ba1bc1b255a

SHA512
040951aa16b002505a270f95d325e4ed03a929b73c59bbc1ff0a87619143151a2cbb72f0e68e586ddc87396f3f98304e9d98387679f81d8ff5c74f2716a7687f

Download Submit
\Windows\SysWOW64\Qgiibp32.exe

Filesize
81KB

MD5
3fa3f2991c09842373a61a164287224a

SHA1
c9bc1021dc4d69b1d91ff010303ee546f8ee3209

SHA256
2c42d84cd662dc04a17a925c8c186768a8de23177414027f877eec6680b8584a

SHA512
452ec5d790fc680ca059a2ae0be508ba55daeb03ebdf8d1ed73f58dfb1c90427055bb4d0744ac5a602dce42e1272dd760cc6d6700971d77487ba518ccd14069d

Download Submit
memory/776-107-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/776-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/776-115-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/776-121-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/1496-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1496-106-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1568-157-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1568-68-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1880-26-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1880-13-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1880-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2064-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2064-12-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2064-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2352-128-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2352-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2740-158-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2740-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2740-88-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2808-39-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2808-154-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2816-155-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2816-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2868-162-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2892-147-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2892-163-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2996-65-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2996-156-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2996-53-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads