b1e460a6aa70b976a1c65f7006a1958ba0e8a2b0610a13039d904b13bf334e7a

Analysis

max time kernel
111s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
14-08-2024 09:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd65e206a41ef1cc3643931b86a0a1c0N.exe
Size

245KB
MD5

dd65e206a41ef1cc3643931b86a0a1c0
SHA1

faf78e60a107d320ebdad3b5bde43b492fd2fd9d
SHA256

b1e460a6aa70b976a1c65f7006a1958ba0e8a2b0610a13039d904b13bf334e7a
SHA512

621c1794d0bb9838accea694fa0223ff313a2cd282bf93d02256d63ebf0a160fea701d701b497a8f2fb90907bf7afedd3523b832500a15cfde9c1be13b007c99
SSDEEP

3072:a0w3jLueztXGG5zKSLHEUwago+bAr+Qka:aNuWPKSgUhgo0ArV

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbfnchfb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbkgog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpohhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabaec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	dd65e206a41ef1cc3643931b86a0a1c0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpfebmia.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdamao32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqjla32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	dd65e206a41ef1cc3643931b86a0a1c0N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhmmcjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biqfpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beggec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqjla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbkgog32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciepkajj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciglaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhmmcjjd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biqfpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beggec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciepkajj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpfebmia.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpohhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciglaa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabaec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbfnchfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdamao32.exe

Executes dropped EXE 13 IoCs

pid	Process
1456	Bpfebmia.exe
2732	Bhmmcjjd.exe
2784	Bbfnchfb.exe
2888	Biqfpb32.exe
2796	Beggec32.exe
2652	Cbkgog32.exe
1952	Ciepkajj.exe
1804	Cpohhk32.exe
2192	Ciglaa32.exe
2848	Cabaec32.exe
3000	Cdamao32.exe
1596	Ceqjla32.exe
660	Coindgbi.exe

Loads dropped DLL 26 IoCs

pid	Process
1732	dd65e206a41ef1cc3643931b86a0a1c0N.exe
1732	dd65e206a41ef1cc3643931b86a0a1c0N.exe
1456	Bpfebmia.exe
1456	Bpfebmia.exe
2732	Bhmmcjjd.exe
2732	Bhmmcjjd.exe
2784	Bbfnchfb.exe
2784	Bbfnchfb.exe
2888	Biqfpb32.exe
2888	Biqfpb32.exe
2796	Beggec32.exe
2796	Beggec32.exe
2652	Cbkgog32.exe
2652	Cbkgog32.exe
1952	Ciepkajj.exe
1952	Ciepkajj.exe
1804	Cpohhk32.exe
1804	Cpohhk32.exe
2192	Ciglaa32.exe
2192	Ciglaa32.exe
2848	Cabaec32.exe
2848	Cabaec32.exe
3000	Cdamao32.exe
3000	Cdamao32.exe
1596	Ceqjla32.exe
1596	Ceqjla32.exe

Drops file in System32 directory 39 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bpfebmia.exe	dd65e206a41ef1cc3643931b86a0a1c0N.exe
File created	C:\Windows\SysWOW64\Cnfnahkp.dll	Ciepkajj.exe
File created	C:\Windows\SysWOW64\Cabaec32.exe	Ciglaa32.exe
File created	C:\Windows\SysWOW64\Cdamao32.exe	Cabaec32.exe
File created	C:\Windows\SysWOW64\Coindgbi.exe	Ceqjla32.exe
File opened for modification	C:\Windows\SysWOW64\Bhmmcjjd.exe	Bpfebmia.exe
File opened for modification	C:\Windows\SysWOW64\Biqfpb32.exe	Bbfnchfb.exe
File created	C:\Windows\SysWOW64\Cbkgog32.exe	Beggec32.exe
File opened for modification	C:\Windows\SysWOW64\Cbkgog32.exe	Beggec32.exe
File created	C:\Windows\SysWOW64\Ceqjla32.exe	Cdamao32.exe
File opened for modification	C:\Windows\SysWOW64\Bbfnchfb.exe	Bhmmcjjd.exe
File created	C:\Windows\SysWOW64\Kbmamh32.dll	Biqfpb32.exe
File created	C:\Windows\SysWOW64\Cpohhk32.exe	Ciepkajj.exe
File created	C:\Windows\SysWOW64\Mokegi32.dll	Cpohhk32.exe
File created	C:\Windows\SysWOW64\Djenbd32.dll	Cdamao32.exe
File created	C:\Windows\SysWOW64\Knoegqbp.dll	Bbfnchfb.exe
File opened for modification	C:\Windows\SysWOW64\Ciepkajj.exe	Cbkgog32.exe
File opened for modification	C:\Windows\SysWOW64\Ciglaa32.exe	Cpohhk32.exe
File created	C:\Windows\SysWOW64\Jqlidcln.dll	Ciglaa32.exe
File created	C:\Windows\SysWOW64\Bbfnchfb.exe	Bhmmcjjd.exe
File opened for modification	C:\Windows\SysWOW64\Beggec32.exe	Biqfpb32.exe
File created	C:\Windows\SysWOW64\Jlmhimhb.dll	Beggec32.exe
File created	C:\Windows\SysWOW64\Iibogmjf.dll	Cbkgog32.exe
File opened for modification	C:\Windows\SysWOW64\Cpohhk32.exe	Ciepkajj.exe
File opened for modification	C:\Windows\SysWOW64\Cabaec32.exe	Ciglaa32.exe
File created	C:\Windows\SysWOW64\Ohodgb32.dll	Ceqjla32.exe
File created	C:\Windows\SysWOW64\Aohiimmp.dll	Bpfebmia.exe
File opened for modification	C:\Windows\SysWOW64\Ceqjla32.exe	Cdamao32.exe
File opened for modification	C:\Windows\SysWOW64\Coindgbi.exe	Ceqjla32.exe
File created	C:\Windows\SysWOW64\Bpfebmia.exe	dd65e206a41ef1cc3643931b86a0a1c0N.exe
File created	C:\Windows\SysWOW64\Lpqafeln.dll	dd65e206a41ef1cc3643931b86a0a1c0N.exe
File created	C:\Windows\SysWOW64\Flffpf32.dll	Bhmmcjjd.exe
File created	C:\Windows\SysWOW64\Ciepkajj.exe	Cbkgog32.exe
File created	C:\Windows\SysWOW64\Ciglaa32.exe	Cpohhk32.exe
File opened for modification	C:\Windows\SysWOW64\Cdamao32.exe	Cabaec32.exe
File created	C:\Windows\SysWOW64\Niienepq.dll	Cabaec32.exe
File created	C:\Windows\SysWOW64\Bhmmcjjd.exe	Bpfebmia.exe
File created	C:\Windows\SysWOW64\Biqfpb32.exe	Bbfnchfb.exe
File created	C:\Windows\SysWOW64\Beggec32.exe	Biqfpb32.exe

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biqfpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beggec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpohhk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabaec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpfebmia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coindgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdamao32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbfnchfb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd65e206a41ef1cc3643931b86a0a1c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbkgog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciepkajj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciglaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqjla32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhmmcjjd.exe

Modifies registry class 42 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ciglaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	dd65e206a41ef1cc3643931b86a0a1c0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabaec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabaec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djenbd32.dll"	Cdamao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpqafeln.dll"	dd65e206a41ef1cc3643931b86a0a1c0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knoegqbp.dll"	Bbfnchfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbfnchfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmamh32.dll"	Biqfpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flffpf32.dll"	Bhmmcjjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	dd65e206a41ef1cc3643931b86a0a1c0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbfnchfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbkgog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ciepkajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdamao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqjla32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	dd65e206a41ef1cc3643931b86a0a1c0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aohiimmp.dll"	Bpfebmia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beggec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iibogmjf.dll"	Cbkgog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpohhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqlidcln.dll"	Ciglaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohodgb32.dll"	Ceqjla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqjla32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpfebmia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Biqfpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beggec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ciepkajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpohhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhmmcjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpfebmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Biqfpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbkgog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnfnahkp.dll"	Ciepkajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mokegi32.dll"	Cpohhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdamao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	dd65e206a41ef1cc3643931b86a0a1c0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhmmcjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlmhimhb.dll"	Beggec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ciglaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niienepq.dll"	Cabaec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	dd65e206a41ef1cc3643931b86a0a1c0N.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 1456	1732	dd65e206a41ef1cc3643931b86a0a1c0N.exe	30
PID 1732 wrote to memory of 1456	1732	dd65e206a41ef1cc3643931b86a0a1c0N.exe	30
PID 1732 wrote to memory of 1456	1732	dd65e206a41ef1cc3643931b86a0a1c0N.exe	30
PID 1732 wrote to memory of 1456	1732	dd65e206a41ef1cc3643931b86a0a1c0N.exe	30
PID 1456 wrote to memory of 2732	1456	Bpfebmia.exe	31
PID 1456 wrote to memory of 2732	1456	Bpfebmia.exe	31
PID 1456 wrote to memory of 2732	1456	Bpfebmia.exe	31
PID 1456 wrote to memory of 2732	1456	Bpfebmia.exe	31
PID 2732 wrote to memory of 2784	2732	Bhmmcjjd.exe	32
PID 2732 wrote to memory of 2784	2732	Bhmmcjjd.exe	32
PID 2732 wrote to memory of 2784	2732	Bhmmcjjd.exe	32
PID 2732 wrote to memory of 2784	2732	Bhmmcjjd.exe	32
PID 2784 wrote to memory of 2888	2784	Bbfnchfb.exe	33
PID 2784 wrote to memory of 2888	2784	Bbfnchfb.exe	33
PID 2784 wrote to memory of 2888	2784	Bbfnchfb.exe	33
PID 2784 wrote to memory of 2888	2784	Bbfnchfb.exe	33
PID 2888 wrote to memory of 2796	2888	Biqfpb32.exe	34
PID 2888 wrote to memory of 2796	2888	Biqfpb32.exe	34
PID 2888 wrote to memory of 2796	2888	Biqfpb32.exe	34
PID 2888 wrote to memory of 2796	2888	Biqfpb32.exe	34
PID 2796 wrote to memory of 2652	2796	Beggec32.exe	35
PID 2796 wrote to memory of 2652	2796	Beggec32.exe	35
PID 2796 wrote to memory of 2652	2796	Beggec32.exe	35
PID 2796 wrote to memory of 2652	2796	Beggec32.exe	35
PID 2652 wrote to memory of 1952	2652	Cbkgog32.exe	36
PID 2652 wrote to memory of 1952	2652	Cbkgog32.exe	36
PID 2652 wrote to memory of 1952	2652	Cbkgog32.exe	36
PID 2652 wrote to memory of 1952	2652	Cbkgog32.exe	36
PID 1952 wrote to memory of 1804	1952	Ciepkajj.exe	37
PID 1952 wrote to memory of 1804	1952	Ciepkajj.exe	37
PID 1952 wrote to memory of 1804	1952	Ciepkajj.exe	37
PID 1952 wrote to memory of 1804	1952	Ciepkajj.exe	37
PID 1804 wrote to memory of 2192	1804	Cpohhk32.exe	38
PID 1804 wrote to memory of 2192	1804	Cpohhk32.exe	38
PID 1804 wrote to memory of 2192	1804	Cpohhk32.exe	38
PID 1804 wrote to memory of 2192	1804	Cpohhk32.exe	38
PID 2192 wrote to memory of 2848	2192	Ciglaa32.exe	39
PID 2192 wrote to memory of 2848	2192	Ciglaa32.exe	39
PID 2192 wrote to memory of 2848	2192	Ciglaa32.exe	39
PID 2192 wrote to memory of 2848	2192	Ciglaa32.exe	39
PID 2848 wrote to memory of 3000	2848	Cabaec32.exe	40
PID 2848 wrote to memory of 3000	2848	Cabaec32.exe	40
PID 2848 wrote to memory of 3000	2848	Cabaec32.exe	40
PID 2848 wrote to memory of 3000	2848	Cabaec32.exe	40
PID 3000 wrote to memory of 1596	3000	Cdamao32.exe	41
PID 3000 wrote to memory of 1596	3000	Cdamao32.exe	41
PID 3000 wrote to memory of 1596	3000	Cdamao32.exe	41
PID 3000 wrote to memory of 1596	3000	Cdamao32.exe	41
PID 1596 wrote to memory of 660	1596	Ceqjla32.exe	42
PID 1596 wrote to memory of 660	1596	Ceqjla32.exe	42
PID 1596 wrote to memory of 660	1596	Ceqjla32.exe	42
PID 1596 wrote to memory of 660	1596	Ceqjla32.exe	42

C:\Users\Admin\AppData\Local\Temp\dd65e206a41ef1cc3643931b86a0a1c0N.exe
"C:\Users\Admin\AppData\Local\Temp\dd65e206a41ef1cc3643931b86a0a1c0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\SysWOW64\Bpfebmia.exe
  C:\Windows\system32\Bpfebmia.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Windows\SysWOW64\Bhmmcjjd.exe
    C:\Windows\system32\Bhmmcjjd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\SysWOW64\Bbfnchfb.exe
      C:\Windows\system32\Bbfnchfb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2784
    - - C:\Windows\SysWOW64\Biqfpb32.exe
        
        C:\Windows\system32\Biqfpb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2888
      - C:\Windows\SysWOW64\Beggec32.exe
        
        C:\Windows\system32\Beggec32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\SysWOW64\Cbkgog32.exe
        
        C:\Windows\system32\Cbkgog32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Ciepkajj.exe
        
        C:\Windows\system32\Ciepkajj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Cpohhk32.exe
        
        C:\Windows\system32\Cpohhk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\SysWOW64\Ciglaa32.exe
        
        C:\Windows\system32\Ciglaa32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\Cabaec32.exe
        
        C:\Windows\system32\Cabaec32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\Cdamao32.exe
        
        C:\Windows\system32\Cdamao32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Ceqjla32.exe
        
        C:\Windows\system32\Ceqjla32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\Coindgbi.exe
        
        C:\Windows\system32\Coindgbi.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bbfnchfb.exe

Filesize
245KB

MD5
75b62b450d603ed99032fe4994d23ad4

SHA1
66a48d648e5110335c0b9a48189dc26b41020b8e

SHA256
6278fb51a26b5ef377a0cea6cb119f6e91017c54e18f80b251db809326382ee4

SHA512
782e58591cfcfa78da6d10ff06e7adeb246a78043e8ecb0ff2f39826d03bfc34da9257981fbfd790aaa27d7fd33ef3a3d4a95b8c826365d125fda64d7d8a5d1c

Download Submit
C:\Windows\SysWOW64\Beggec32.exe

Filesize
245KB

MD5
21b6509a0738a4300672444634e53b2e

SHA1
80e2af01a2bab24b3e70fdf9cb911c443dcfc8f3

SHA256
d3617e467a45ae9893ee62c7fc998b398852a48d60e84df00a0efd3d4eba5274

SHA512
ae79d52fa8179137aa8d2f309687c07bfdf221f1b5380f46ea5c4ab5aaf2cae4886d57f428661a2245423b26b7055fcf0c57a0a4ec0c8d116e83bba0996a511d

Download Submit
C:\Windows\SysWOW64\Bhmmcjjd.exe

Filesize
245KB

MD5
af8a08513ab37698c96403839c1bbc15

SHA1
bda10f330022cb5e8093228c14476e90774fd0ed

SHA256
d38a92fcccdeb3626cd2d5c5f767cf52efa4f3ee7209d829e54cfd78d7a08829

SHA512
fea5a076b11e9cc859acedfdd10a8c0d5660145d63a84aa2a56c9b220be2ff8e60f3b2d57fcc80889a0b6850f16495f281234af273ac1647a494179de7e77d19

Download Submit
C:\Windows\SysWOW64\Bpfebmia.exe

Filesize
245KB

MD5
1ec93ed17a8e5e961dbcbd848d9b38a5

SHA1
72c9bcefa21d484bf5f1234885096b3a68c35f0c

SHA256
ef6c1371a617dd9ba8ae50e5763c09193c0dc20b0ae39c6ff6230b75948fd680

SHA512
e0d44e2144fe398857ec31f437614159c1b60977d01df3b0163abeb3fce68c508ddbb53fb92dff99c2cef76381cbd1d3f088d3e2ffeeea2376cab89ab68380f4

Download Submit
C:\Windows\SysWOW64\Cdamao32.exe

Filesize
245KB

MD5
b289dd07aecc411e34bc6604e3d749b4

SHA1
8c5783df2c44495add1df971b00d8c53c2a42969

SHA256
09ccd00b715637facd26df8b9e2e358b86cec5bea0043dabfdc26e1aabf35bed

SHA512
e55e8f7cdf95525be4e2218572065016639aea62e195b9bbc00f5f4b898c6a0abbe6cd15ba2961a218d6d4c3091c55a076b09b88a71de473cc723f715cb42d54

Download Submit
C:\Windows\SysWOW64\Ciepkajj.exe

Filesize
245KB

MD5
d33e5e1190bed5269c6f3fd2d347c1a0

SHA1
dda1d83c0909796c3055eaf063b4aad8954464cf

SHA256
6b1b5c5c980f2d3ddcbf62970fa80d8dc9639c16914537b0acd297afd2073859

SHA512
82e596f137b99a4374213003d3a66253db4bf412680f04689088869c6b6be97770059f286b7536846e2cca66fdeca1ae81e3d4e78e4d68c0cce33b326f938525

Download Submit
C:\Windows\SysWOW64\Ciglaa32.exe

Filesize
245KB

MD5
5df614a023831f246a2b16469c842f1d

SHA1
30566927678a15e1e4bb52feb671efc53928e655

SHA256
8f0db8d6f367e1ae8c21c06c1492f6f7b22f0c2b420ab0a2197e0a29d296061e

SHA512
bf9150b8bf7261939aaf50b0e621e96c034151c6fc9f6755748ae6b094bd68e51016c6399d699768b0e7e6f2375db04f1ce2be783f8c22424e0d6b5d1d98ddc3

Download Submit
\Windows\SysWOW64\Biqfpb32.exe

Filesize
245KB

MD5
48c7cbba619073d12b1a2aa7a73b55fe

SHA1
426b760af682c979f2db42bf33f11e858e4aecef

SHA256
5beea0d5f2b53613c5b8c4ce2eed3619f8dc075169bb28997bed6b13df68d068

SHA512
0f27352cc65e9bc5515c89595f6e37632b82c5eaafdc647eaa4a10b9a282fefc836c6382463f7a254d354d3139f6d0ca8bb917f5df6b3f802ff04459b4138e2d

Download Submit
\Windows\SysWOW64\Cabaec32.exe

Filesize
245KB

MD5
44837719c60ca6d63fc763b8b5e2b0f1

SHA1
9aa0bd6e6894b5326bcea99090ef9c7bf918cc09

SHA256
240618e2fb980fa8da69b9cd4c417bff71926d0391b3419a65efcc877e2d513f

SHA512
02f52d683e3a6a3987a49df090522f742f0312cbb29c61c3e1a3be23645f47355beb04c0b9ee504f6948cda756193f6214a63a35a6a970f3dc0df4f0ef9fc5f5

Download Submit
\Windows\SysWOW64\Cbkgog32.exe

Filesize
245KB

MD5
1548134866a710a4fb156c59b38777df

SHA1
1bf6052d3e0c4b9e2ec4c0e0d080f3a27faea902

SHA256
2c1f5cf1926cc4207ef1671d497e99cf6d85c39bd7ab198037db14420996909b

SHA512
a0e781a260e8ef5714653a2c03dea90904765e8c5ac1649a8897b6b255225b2a79f15562ef2d3bf66baa0115640290ad2385bbf100bb3cca1124fb34ea1d5ab6

Download Submit
\Windows\SysWOW64\Ceqjla32.exe

Filesize
245KB

MD5
7a10c24eac414615fe7e63bb46499365

SHA1
3b153220d065d23d08433fc6cf5cfcb8e303d2f7

SHA256
83b652926fc8aa8ac77fbd278edc8c8dd77e781cd5ab6e17e26ef375b2015f0b

SHA512
c67101f80bcae0020609e26a143bb8713ea21e5ff07d4c0277a17b408e2edc223e223395bbbd4f2403efc551645cdb81fb8072d8dfa8d003fb8bfb5880db86c5

Download Submit
\Windows\SysWOW64\Coindgbi.exe

Filesize
245KB

MD5
2e69cae66976a72e43e8139c96a29e4a

SHA1
11364ed82080043e95514de8f22914751c91a9e9

SHA256
40b9c23c354950bf88418abd008c4c15b391abfb3277ebdfff0973d97262c966

SHA512
66748bfa272afd8806031d31c7be799e6a15beda106a2fb365a501448883e35ead8b24bc116974e83940e62dff1fab5d1868e5c4d2ef6002c763290468ed850f

Download Submit
\Windows\SysWOW64\Cpohhk32.exe

Filesize
245KB

MD5
168af86a03d3af3ebe4fc578f9f006ba

SHA1
7a1d44be9ecf4519d6711595438b88cf7163182b

SHA256
13e16d0a8e8c76e3b20ffdb541131e9f97d9972ccd80e8649995516ffd2101c8

SHA512
a1623937755e5384eee2074cd01576b5ca05f208005c0a18f76aee35f4b780e59cc7dd23376d9e51b8068e5b465ba04babc30ea53a313d97a6d51ee20b308c03

Download Submit
memory/660-177-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1456-32-0x0000000001FC0000-0x0000000002028000-memory.dmp

Filesize
416KB

Download
memory/1456-209-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1456-14-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1596-175-0x0000000000310000-0x0000000000378000-memory.dmp

Filesize
416KB

Download
memory/1596-162-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1596-176-0x0000000000310000-0x0000000000378000-memory.dmp

Filesize
416KB

Download
memory/1596-233-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1732-207-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1732-12-0x0000000000470000-0x00000000004D8000-memory.dmp

Filesize
416KB

Download
memory/1732-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1732-13-0x0000000000470000-0x00000000004D8000-memory.dmp

Filesize
416KB

Download
memory/1804-110-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1804-223-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1952-109-0x0000000001FD0000-0x0000000002038000-memory.dmp

Filesize
416KB

Download
memory/1952-101-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1952-221-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2192-134-0x0000000000470000-0x00000000004D8000-memory.dmp

Filesize
416KB

Download
memory/2192-225-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2652-90-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2652-219-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2732-211-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2732-33-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2784-41-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2784-53-0x00000000002D0000-0x0000000000338000-memory.dmp

Filesize
416KB

Download
memory/2784-213-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2796-81-0x0000000000250000-0x00000000002B8000-memory.dmp

Filesize
416KB

Download
memory/2796-217-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2796-69-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2848-227-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2888-68-0x0000000000250000-0x00000000002B8000-memory.dmp

Filesize
416KB

Download
memory/2888-215-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2888-55-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3000-160-0x0000000000470000-0x00000000004D8000-memory.dmp

Filesize
416KB

Download
memory/3000-148-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3000-229-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3000-228-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads