3f9097cb3d9842bb37767250ecb348b74c849189bd615069d795540887dc4d32

General

Target

3f9097cb3d9842bb37767250ecb348b74c849189bd615069d795540887dc4d32.exe
Size

226KB
MD5

bce0b80e6206c1e0b63f8a52aa872f5e
SHA1

f247f13b97d690ba052e4f9728b54d946aa6cc6a
SHA256

3f9097cb3d9842bb37767250ecb348b74c849189bd615069d795540887dc4d32
SHA512

b8bbc9c966c1769585b765eec95aeabdb236d3e0e5a559c67bbccea1bc815320fd9eb4b1b259581cca12e20f06ccf2a19e131fa616234108ab31fc84b8e8515b
SSDEEP

3072:FmySRxSTuS2v5eDKcWmjRvDKcpDKcWmjRrzNtQtjDKcWmjRrzNtb:Fmpv5fxEtQtsEtb

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3f9097cb3d9842bb37767250ecb348b74c849189bd615069d795540887dc4d32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	3f9097cb3d9842bb37767250ecb348b74c849189bd615069d795540887dc4d32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinfhigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cinfhigl.exe

Executes dropped EXE 2 IoCs

pid	Process
2712	Cinfhigl.exe
2636	Ceegmj32.exe

Loads dropped DLL 8 IoCs

pid	Process
2880	3f9097cb3d9842bb37767250ecb348b74c849189bd615069d795540887dc4d32.exe
2880	3f9097cb3d9842bb37767250ecb348b74c849189bd615069d795540887dc4d32.exe
2712	Cinfhigl.exe
2712	Cinfhigl.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cinfhigl.exe	3f9097cb3d9842bb37767250ecb348b74c849189bd615069d795540887dc4d32.exe
File opened for modification	C:\Windows\SysWOW64\Cinfhigl.exe	3f9097cb3d9842bb37767250ecb348b74c849189bd615069d795540887dc4d32.exe
File created	C:\Windows\SysWOW64\Mblnbcjf.dll	3f9097cb3d9842bb37767250ecb348b74c849189bd615069d795540887dc4d32.exe
File created	C:\Windows\SysWOW64\Ceegmj32.exe	Cinfhigl.exe
File opened for modification	C:\Windows\SysWOW64\Ceegmj32.exe	Cinfhigl.exe
File created	C:\Windows\SysWOW64\Aoogfhfp.dll	Cinfhigl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2780	2636	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceegmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3f9097cb3d9842bb37767250ecb348b74c849189bd615069d795540887dc4d32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinfhigl.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll"	Cinfhigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cinfhigl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	3f9097cb3d9842bb37767250ecb348b74c849189bd615069d795540887dc4d32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	3f9097cb3d9842bb37767250ecb348b74c849189bd615069d795540887dc4d32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	3f9097cb3d9842bb37767250ecb348b74c849189bd615069d795540887dc4d32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cinfhigl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	3f9097cb3d9842bb37767250ecb348b74c849189bd615069d795540887dc4d32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	3f9097cb3d9842bb37767250ecb348b74c849189bd615069d795540887dc4d32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mblnbcjf.dll"	3f9097cb3d9842bb37767250ecb348b74c849189bd615069d795540887dc4d32.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2712	2880	3f9097cb3d9842bb37767250ecb348b74c849189bd615069d795540887dc4d32.exe	30
PID 2880 wrote to memory of 2712	2880	3f9097cb3d9842bb37767250ecb348b74c849189bd615069d795540887dc4d32.exe	30
PID 2880 wrote to memory of 2712	2880	3f9097cb3d9842bb37767250ecb348b74c849189bd615069d795540887dc4d32.exe	30
PID 2880 wrote to memory of 2712	2880	3f9097cb3d9842bb37767250ecb348b74c849189bd615069d795540887dc4d32.exe	30
PID 2712 wrote to memory of 2636	2712	Cinfhigl.exe	31
PID 2712 wrote to memory of 2636	2712	Cinfhigl.exe	31
PID 2712 wrote to memory of 2636	2712	Cinfhigl.exe	31
PID 2712 wrote to memory of 2636	2712	Cinfhigl.exe	31
PID 2636 wrote to memory of 2780	2636	Ceegmj32.exe	32
PID 2636 wrote to memory of 2780	2636	Ceegmj32.exe	32
PID 2636 wrote to memory of 2780	2636	Ceegmj32.exe	32
PID 2636 wrote to memory of 2780	2636	Ceegmj32.exe	32

C:\Users\Admin\AppData\Local\Temp\3f9097cb3d9842bb37767250ecb348b74c849189bd615069d795540887dc4d32.exe
"C:\Users\Admin\AppData\Local\Temp\3f9097cb3d9842bb37767250ecb348b74c849189bd615069d795540887dc4d32.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\SysWOW64\Cinfhigl.exe
  C:\Windows\system32\Cinfhigl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\SysWOW64\Ceegmj32.exe
    C:\Windows\system32\Ceegmj32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 140
      4⤵
      Loads dropped DLL
      Program crash
      PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\Ceegmj32.exe

Filesize
226KB

MD5
142c17c9663ad41eea82a2170985a956

SHA1
83cf887c8ebdbf34ea9e083f5cd8a4a6961a4d6a

SHA256
dbe5c671472efb3c6f346078ef460d0ed1a35322eac961cd951654ff0a293cf2

SHA512
77130d7350917e0861d5616f163deaeb9afc2d4024a5f4daf4fd2a2e6e9b43fa844c8c73fcb8286d9ae50b57a6448f8a9637f7a01621930733cb439f92d79513

Download Submit
\Windows\SysWOW64\Cinfhigl.exe

Filesize
226KB

MD5
4d4d0c87330eef950597bb2c3e7bc25c

SHA1
011ca867f6c41a075f0a5eac00387ca9ab1e03d3

SHA256
6fbb6b5a05483a58e941c8847780c260a2937fe4c75a65b173c9e5378407c9b4

SHA512
ad74e9d28158bf15bed4c4933dde81a60078340d118ba06d8293725b2e7c8a98c174bdaeddc5c61531e9536b289eefc551e5ff61442644579b289d9e13e875f9

Download Submit
memory/2636-27-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2712-14-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2712-43-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2880-0-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2880-6-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/2880-13-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/2880-39-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads