216d6ffd55eb3e5e920845a8f501734f000612f208e99c3765e2ed483254557f

General

Target

216d6ffd55eb3e5e920845a8f501734f000612f208e99c3765e2ed483254557f.exe
Size

1.1MB
MD5

ff85769e985a82f50b956d4f75d822bc
SHA1

21fbc8c55b125895d894de08ca393370f73ec700
SHA256

216d6ffd55eb3e5e920845a8f501734f000612f208e99c3765e2ed483254557f
SHA512

d16b657e70ee1c377297bdae7f7e2c1781273d4f7520337dcabdffc93f57c31f886b301707c6f8c04d032d53790368f85f5348a35cbc46b150db35bdf542b2b3
SSDEEP

12288:v6xLFHRFbeteBFHRFbeWFHRFbeteBFHRFbeN:kBR7BRjBR7BRE

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beejng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdanpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdanpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbgnak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbgnak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bobhal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	216d6ffd55eb3e5e920845a8f501734f000612f208e99c3765e2ed483254557f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	216d6ffd55eb3e5e920845a8f501734f000612f208e99c3765e2ed483254557f.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bobhal32.exe

Executes dropped EXE 5 IoCs

pid	Process
2736	Bbgnak32.exe
2984	Beejng32.exe
2600	Bobhal32.exe
2112	Cdanpb32.exe
560	Ceegmj32.exe

Loads dropped DLL 14 IoCs

pid	Process
2940	216d6ffd55eb3e5e920845a8f501734f000612f208e99c3765e2ed483254557f.exe
2940	216d6ffd55eb3e5e920845a8f501734f000612f208e99c3765e2ed483254557f.exe
2736	Bbgnak32.exe
2736	Bbgnak32.exe
2984	Beejng32.exe
2984	Beejng32.exe
2600	Bobhal32.exe
2600	Bobhal32.exe
2112	Cdanpb32.exe
2112	Cdanpb32.exe
2064	WerFault.exe
2064	WerFault.exe
2064	WerFault.exe
2064	WerFault.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ceegmj32.exe	Cdanpb32.exe
File created	C:\Windows\SysWOW64\Imklkg32.dll	Beejng32.exe
File created	C:\Windows\SysWOW64\Aincgi32.dll	Bobhal32.exe
File created	C:\Windows\SysWOW64\Eoqbnm32.dll	Bbgnak32.exe
File opened for modification	C:\Windows\SysWOW64\Bobhal32.exe	Beejng32.exe
File opened for modification	C:\Windows\SysWOW64\Cdanpb32.exe	Bobhal32.exe
File opened for modification	C:\Windows\SysWOW64\Ceegmj32.exe	Cdanpb32.exe
File created	C:\Windows\SysWOW64\Bbgnak32.exe	216d6ffd55eb3e5e920845a8f501734f000612f208e99c3765e2ed483254557f.exe
File created	C:\Windows\SysWOW64\Ehieciqq.dll	216d6ffd55eb3e5e920845a8f501734f000612f208e99c3765e2ed483254557f.exe
File created	C:\Windows\SysWOW64\Cdanpb32.exe	Bobhal32.exe
File created	C:\Windows\SysWOW64\Aoogfhfp.dll	Cdanpb32.exe
File opened for modification	C:\Windows\SysWOW64\Beejng32.exe	Bbgnak32.exe
File created	C:\Windows\SysWOW64\Bobhal32.exe	Beejng32.exe
File opened for modification	C:\Windows\SysWOW64\Bbgnak32.exe	216d6ffd55eb3e5e920845a8f501734f000612f208e99c3765e2ed483254557f.exe
File created	C:\Windows\SysWOW64\Beejng32.exe	Bbgnak32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2064	560	WerFault.exe	34

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	216d6ffd55eb3e5e920845a8f501734f000612f208e99c3765e2ed483254557f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbgnak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beejng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bobhal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdanpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceegmj32.exe

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	216d6ffd55eb3e5e920845a8f501734f000612f208e99c3765e2ed483254557f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	216d6ffd55eb3e5e920845a8f501734f000612f208e99c3765e2ed483254557f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	216d6ffd55eb3e5e920845a8f501734f000612f208e99c3765e2ed483254557f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehieciqq.dll"	216d6ffd55eb3e5e920845a8f501734f000612f208e99c3765e2ed483254557f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	216d6ffd55eb3e5e920845a8f501734f000612f208e99c3765e2ed483254557f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bobhal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdanpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoqbnm32.dll"	Bbgnak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbgnak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imklkg32.dll"	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aincgi32.dll"	Bobhal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdanpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll"	Cdanpb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	216d6ffd55eb3e5e920845a8f501734f000612f208e99c3765e2ed483254557f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbgnak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beejng32.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 2736	2940	216d6ffd55eb3e5e920845a8f501734f000612f208e99c3765e2ed483254557f.exe	30
PID 2940 wrote to memory of 2736	2940	216d6ffd55eb3e5e920845a8f501734f000612f208e99c3765e2ed483254557f.exe	30
PID 2940 wrote to memory of 2736	2940	216d6ffd55eb3e5e920845a8f501734f000612f208e99c3765e2ed483254557f.exe	30
PID 2940 wrote to memory of 2736	2940	216d6ffd55eb3e5e920845a8f501734f000612f208e99c3765e2ed483254557f.exe	30
PID 2736 wrote to memory of 2984	2736	Bbgnak32.exe	31
PID 2736 wrote to memory of 2984	2736	Bbgnak32.exe	31
PID 2736 wrote to memory of 2984	2736	Bbgnak32.exe	31
PID 2736 wrote to memory of 2984	2736	Bbgnak32.exe	31
PID 2984 wrote to memory of 2600	2984	Beejng32.exe	32
PID 2984 wrote to memory of 2600	2984	Beejng32.exe	32
PID 2984 wrote to memory of 2600	2984	Beejng32.exe	32
PID 2984 wrote to memory of 2600	2984	Beejng32.exe	32
PID 2600 wrote to memory of 2112	2600	Bobhal32.exe	33
PID 2600 wrote to memory of 2112	2600	Bobhal32.exe	33
PID 2600 wrote to memory of 2112	2600	Bobhal32.exe	33
PID 2600 wrote to memory of 2112	2600	Bobhal32.exe	33
PID 2112 wrote to memory of 560	2112	Cdanpb32.exe	34
PID 2112 wrote to memory of 560	2112	Cdanpb32.exe	34
PID 2112 wrote to memory of 560	2112	Cdanpb32.exe	34
PID 2112 wrote to memory of 560	2112	Cdanpb32.exe	34
PID 560 wrote to memory of 2064	560	Ceegmj32.exe	35
PID 560 wrote to memory of 2064	560	Ceegmj32.exe	35
PID 560 wrote to memory of 2064	560	Ceegmj32.exe	35
PID 560 wrote to memory of 2064	560	Ceegmj32.exe	35

C:\Users\Admin\AppData\Local\Temp\216d6ffd55eb3e5e920845a8f501734f000612f208e99c3765e2ed483254557f.exe
"C:\Users\Admin\AppData\Local\Temp\216d6ffd55eb3e5e920845a8f501734f000612f208e99c3765e2ed483254557f.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Windows\SysWOW64\Bbgnak32.exe
  C:\Windows\system32\Bbgnak32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\SysWOW64\Beejng32.exe
    C:\Windows\system32\Beejng32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Windows\SysWOW64\Bobhal32.exe
      C:\Windows\system32\Bobhal32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Windows\SysWOW64\Cdanpb32.exe
        
        C:\Windows\system32\Cdanpb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2112
      - C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 140
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Beejng32.exe

Filesize
1.1MB

MD5
6235519d45ce53e326199b938c798111

SHA1
31862628714c6d2601acf9bc7e008cce7ad3c883

SHA256
d5d80988dc60456a18f706a71c33ceeca1a2c596b7c8815a61822a283531ac67

SHA512
ffd7a1f0bbcd865b03006a3d7ca2da1642e0909a07ae74bf26137816f2deeec7e9845a9fbff5b644f30a66ec842317527ecddfe2e2a605046eeac0ff8059eef1

Download Submit
\Windows\SysWOW64\Bbgnak32.exe

Filesize
1.1MB

MD5
3677c3d897446ca8e9e1c68b2dbf493f

SHA1
7a4a882a297e56d75b4a9747ef8efa07f6bdf5ee

SHA256
063f0f7ce1593038e3e6e996b0178adec6cc7e4ebd5b4a40d2b05f079d484cac

SHA512
0dd39052f9d29983efa6cc5e955b3e3e21eae03445b274bd847b8528cb618758efa1a60b25df7c048d719758f053e09ccd4713e42d082ba44027bed0cd155c11

Download Submit
\Windows\SysWOW64\Bobhal32.exe

Filesize
1.1MB

MD5
2410c31b71f726528c2f42f0137a286b

SHA1
c39e180bdc2777ed6b069a2244a93cf7c40fd297

SHA256
f2306550c0aec0072bd62a012492825f768aae165f8dfa928e0d473a0fb8b032

SHA512
742ebd02ccca75131ae6cdeccba002ee957d94465ac69ed0b3bf2aaeab393047447f06a5cf4d13830f81a856b1a8cbceacf63accaec992d2ef9b6f5d9a88f278

Download Submit
\Windows\SysWOW64\Cdanpb32.exe

Filesize
1.1MB

MD5
e362fc87b39e3ce39e7ebef2bccb24b0

SHA1
ee707a2cf757ee2b8e8055f925a028cd0aab659d

SHA256
7bbbfe9cd03e6770e91c8e94b8bb96fb0c149249d597882a5416fcfdf15fe9e6

SHA512
c2cc54216fbf7067bdbb84b142218fc1444755d7e981ce6a8c58ee18b2fd5021908f5526f3a2fa4b01c1bb3ed806f3b20e632cd95bdf9b6b960e84c023123972

Download Submit
\Windows\SysWOW64\Ceegmj32.exe

Filesize
1.1MB

MD5
131a6e4ed99927882dca66d835e44d37

SHA1
7d7342a03e5b870ac5a31cdb10433e2c907340e3

SHA256
efc399ea6b644585ae8a91a2975d5f28b97f8273e4671f68185cab777d475b38

SHA512
bea872afb8759b5cb103bdc286ae9ac9221fb1dad6a9c06644d7a58db96e20b03fe68deaf25a55fc1fc9a707453e70bc9a3e3b28fd091bd220ac7477774ebbd7

Download Submit
memory/560-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/560-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2112-69-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2112-68-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2112-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2112-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-79-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-50-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2736-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2736-27-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2940-11-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2940-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-76-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-12-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2984-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-78-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-40-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2984-41-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads