82f77951f3875349a6a2c2a634e4a1f5bca0645fef33630c7ea3702dfa202851

Analysis

max time kernel
113s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
18-08-2024 22:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

799ff2ec87c09b704859e31beb2099e0N.exe
Size

1.9MB
MD5

799ff2ec87c09b704859e31beb2099e0
SHA1

b45b3184a107e5760a8a9714de9d637bafe0917a
SHA256

82f77951f3875349a6a2c2a634e4a1f5bca0645fef33630c7ea3702dfa202851
SHA512

66a2d774c1da3bdc92311ac4f7fc967bee44f406ea38dfd2a7e97fac0318651f2d29c04354e6dd3b9e3732fe8f94c7c972f962a3839910edd7f1b747a1c86f13
SSDEEP

24576:KmNIVyeNIVy2jUKaNIVyeNIVy2jUtc9uO2NIVyeNIVy2jUKaNIVyeNIVy2jUO:KZyj1yj3uOpyj1yjH

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	799ff2ec87c09b704859e31beb2099e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfkgdd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdodmlcm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpjnmlel.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabaec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabaec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clhecl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqjla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	799ff2ec87c09b704859e31beb2099e0N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmcclolh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clhecl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cofaog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cofaog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqjla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmcclolh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfkgdd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdodmlcm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmlbaqfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmlbaqfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpjnmlel.exe

Executes dropped EXE 10 IoCs

pid	Process
1620	Qmcclolh.exe
2892	Qfkgdd32.exe
2868	Bdodmlcm.exe
2688	Bmlbaqfh.exe
2956	Bpjnmlel.exe
1696	Cabaec32.exe
2268	Clhecl32.exe
1036	Cofaog32.exe
3004	Ceqjla32.exe
2204	Coindgbi.exe

Loads dropped DLL 20 IoCs

pid	Process
2464	799ff2ec87c09b704859e31beb2099e0N.exe
2464	799ff2ec87c09b704859e31beb2099e0N.exe
1620	Qmcclolh.exe
1620	Qmcclolh.exe
2892	Qfkgdd32.exe
2892	Qfkgdd32.exe
2868	Bdodmlcm.exe
2868	Bdodmlcm.exe
2688	Bmlbaqfh.exe
2688	Bmlbaqfh.exe
2956	Bpjnmlel.exe
2956	Bpjnmlel.exe
1696	Cabaec32.exe
1696	Cabaec32.exe
2268	Clhecl32.exe
2268	Clhecl32.exe
1036	Cofaog32.exe
1036	Cofaog32.exe
3004	Ceqjla32.exe
3004	Ceqjla32.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bdodmlcm.exe	Qfkgdd32.exe
File opened for modification	C:\Windows\SysWOW64\Bmlbaqfh.exe	Bdodmlcm.exe
File opened for modification	C:\Windows\SysWOW64\Cabaec32.exe	Bpjnmlel.exe
File created	C:\Windows\SysWOW64\Ceqjla32.exe	Cofaog32.exe
File opened for modification	C:\Windows\SysWOW64\Qmcclolh.exe	799ff2ec87c09b704859e31beb2099e0N.exe
File created	C:\Windows\SysWOW64\Ohodgb32.dll	Ceqjla32.exe
File created	C:\Windows\SysWOW64\Qfkgdd32.exe	Qmcclolh.exe
File created	C:\Windows\SysWOW64\Agcmideg.dll	Bdodmlcm.exe
File created	C:\Windows\SysWOW64\Elnlcjph.dll	Clhecl32.exe
File opened for modification	C:\Windows\SysWOW64\Coindgbi.exe	Ceqjla32.exe
File created	C:\Windows\SysWOW64\Qmcclolh.exe	799ff2ec87c09b704859e31beb2099e0N.exe
File created	C:\Windows\SysWOW64\Oellihpf.dll	799ff2ec87c09b704859e31beb2099e0N.exe
File opened for modification	C:\Windows\SysWOW64\Bpjnmlel.exe	Bmlbaqfh.exe
File created	C:\Windows\SysWOW64\Bmlbaqfh.exe	Bdodmlcm.exe
File created	C:\Windows\SysWOW64\Cabaec32.exe	Bpjnmlel.exe
File created	C:\Windows\SysWOW64\Lfehem32.dll	Cabaec32.exe
File created	C:\Windows\SysWOW64\Coindgbi.exe	Ceqjla32.exe
File created	C:\Windows\SysWOW64\Nhjpkq32.dll	Qmcclolh.exe
File created	C:\Windows\SysWOW64\Kpijio32.dll	Bmlbaqfh.exe
File created	C:\Windows\SysWOW64\Jqlidcln.dll	Bpjnmlel.exe
File created	C:\Windows\SysWOW64\Clhecl32.exe	Cabaec32.exe
File opened for modification	C:\Windows\SysWOW64\Clhecl32.exe	Cabaec32.exe
File created	C:\Windows\SysWOW64\Cofaog32.exe	Clhecl32.exe
File opened for modification	C:\Windows\SysWOW64\Cofaog32.exe	Clhecl32.exe
File opened for modification	C:\Windows\SysWOW64\Qfkgdd32.exe	Qmcclolh.exe
File created	C:\Windows\SysWOW64\Bdodmlcm.exe	Qfkgdd32.exe
File created	C:\Windows\SysWOW64\Bpjnmlel.exe	Bmlbaqfh.exe
File opened for modification	C:\Windows\SysWOW64\Ceqjla32.exe	Cofaog32.exe
File created	C:\Windows\SysWOW64\Djenbd32.dll	Cofaog32.exe
File created	C:\Windows\SysWOW64\Llpaflnl.dll	Qfkgdd32.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmlbaqfh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabaec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clhecl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cofaog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coindgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	799ff2ec87c09b704859e31beb2099e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmcclolh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfkgdd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdodmlcm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpjnmlel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqjla32.exe

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhjpkq32.dll"	Qmcclolh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqlidcln.dll"	Bpjnmlel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clhecl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djenbd32.dll"	Cofaog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	799ff2ec87c09b704859e31beb2099e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	799ff2ec87c09b704859e31beb2099e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oellihpf.dll"	799ff2ec87c09b704859e31beb2099e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfkgdd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elnlcjph.dll"	Clhecl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clhecl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	799ff2ec87c09b704859e31beb2099e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmcclolh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfkgdd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agcmideg.dll"	Bdodmlcm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	799ff2ec87c09b704859e31beb2099e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmcclolh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llpaflnl.dll"	Qfkgdd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cofaog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohodgb32.dll"	Ceqjla32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	799ff2ec87c09b704859e31beb2099e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmlbaqfh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpjnmlel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabaec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdodmlcm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqjla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqjla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpijio32.dll"	Bmlbaqfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmlbaqfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpjnmlel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdodmlcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfehem32.dll"	Cabaec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabaec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cofaog32.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 1620	2464	799ff2ec87c09b704859e31beb2099e0N.exe	30
PID 2464 wrote to memory of 1620	2464	799ff2ec87c09b704859e31beb2099e0N.exe	30
PID 2464 wrote to memory of 1620	2464	799ff2ec87c09b704859e31beb2099e0N.exe	30
PID 2464 wrote to memory of 1620	2464	799ff2ec87c09b704859e31beb2099e0N.exe	30
PID 1620 wrote to memory of 2892	1620	Qmcclolh.exe	31
PID 1620 wrote to memory of 2892	1620	Qmcclolh.exe	31
PID 1620 wrote to memory of 2892	1620	Qmcclolh.exe	31
PID 1620 wrote to memory of 2892	1620	Qmcclolh.exe	31
PID 2892 wrote to memory of 2868	2892	Qfkgdd32.exe	32
PID 2892 wrote to memory of 2868	2892	Qfkgdd32.exe	32
PID 2892 wrote to memory of 2868	2892	Qfkgdd32.exe	32
PID 2892 wrote to memory of 2868	2892	Qfkgdd32.exe	32
PID 2868 wrote to memory of 2688	2868	Bdodmlcm.exe	33
PID 2868 wrote to memory of 2688	2868	Bdodmlcm.exe	33
PID 2868 wrote to memory of 2688	2868	Bdodmlcm.exe	33
PID 2868 wrote to memory of 2688	2868	Bdodmlcm.exe	33
PID 2688 wrote to memory of 2956	2688	Bmlbaqfh.exe	34
PID 2688 wrote to memory of 2956	2688	Bmlbaqfh.exe	34
PID 2688 wrote to memory of 2956	2688	Bmlbaqfh.exe	34
PID 2688 wrote to memory of 2956	2688	Bmlbaqfh.exe	34
PID 2956 wrote to memory of 1696	2956	Bpjnmlel.exe	35
PID 2956 wrote to memory of 1696	2956	Bpjnmlel.exe	35
PID 2956 wrote to memory of 1696	2956	Bpjnmlel.exe	35
PID 2956 wrote to memory of 1696	2956	Bpjnmlel.exe	35
PID 1696 wrote to memory of 2268	1696	Cabaec32.exe	36
PID 1696 wrote to memory of 2268	1696	Cabaec32.exe	36
PID 1696 wrote to memory of 2268	1696	Cabaec32.exe	36
PID 1696 wrote to memory of 2268	1696	Cabaec32.exe	36
PID 2268 wrote to memory of 1036	2268	Clhecl32.exe	37
PID 2268 wrote to memory of 1036	2268	Clhecl32.exe	37
PID 2268 wrote to memory of 1036	2268	Clhecl32.exe	37
PID 2268 wrote to memory of 1036	2268	Clhecl32.exe	37
PID 1036 wrote to memory of 3004	1036	Cofaog32.exe	38
PID 1036 wrote to memory of 3004	1036	Cofaog32.exe	38
PID 1036 wrote to memory of 3004	1036	Cofaog32.exe	38
PID 1036 wrote to memory of 3004	1036	Cofaog32.exe	38
PID 3004 wrote to memory of 2204	3004	Ceqjla32.exe	39
PID 3004 wrote to memory of 2204	3004	Ceqjla32.exe	39
PID 3004 wrote to memory of 2204	3004	Ceqjla32.exe	39
PID 3004 wrote to memory of 2204	3004	Ceqjla32.exe	39

C:\Users\Admin\AppData\Local\Temp\799ff2ec87c09b704859e31beb2099e0N.exe
"C:\Users\Admin\AppData\Local\Temp\799ff2ec87c09b704859e31beb2099e0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\SysWOW64\Qmcclolh.exe
  C:\Windows\system32\Qmcclolh.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\SysWOW64\Qfkgdd32.exe
    C:\Windows\system32\Qfkgdd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\SysWOW64\Bdodmlcm.exe
      C:\Windows\system32\Bdodmlcm.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2868
    - - C:\Windows\SysWOW64\Bmlbaqfh.exe
        
        C:\Windows\system32\Bmlbaqfh.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2688
      - C:\Windows\SysWOW64\Bpjnmlel.exe
        
        C:\Windows\system32\Bpjnmlel.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Cabaec32.exe
        
        C:\Windows\system32\Cabaec32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\SysWOW64\Clhecl32.exe
        
        C:\Windows\system32\Clhecl32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\Cofaog32.exe
        
        C:\Windows\system32\Cofaog32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\Ceqjla32.exe
        
        C:\Windows\system32\Ceqjla32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Coindgbi.exe
        
        C:\Windows\system32\Coindgbi.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bdodmlcm.exe

Filesize
1.9MB

MD5
6d83609d119d0775d0e2c180d9081036

SHA1
65c9cfa432b6ddc44db3f528e9911758bcd62c9f

SHA256
affc2a200b36660edf892d5354d576cf4d2865eda324b4eb8d246bc1d20819d0

SHA512
6e52499e1bcde4602c0304cf4b1a6ffb1c27816cbe4f4255018617b0272b7f14890c318f34cb0b2685d6ca20b013234041f1a46861a8138cc0e47cfefdcfc080

Download Submit
C:\Windows\SysWOW64\Bmlbaqfh.exe

Filesize
1.9MB

MD5
42c4a29d7539a6281ca2e07ff24430a2

SHA1
9945218a7540851fa16bcaa7b6a3dbe3fdba1a49

SHA256
a4cb80278d41860c68416242466f0bf4ccbeaccf430caaaec64fc7d54dec145b

SHA512
0f94a07823e37d3c73bf5f584badb4fda9cacc3780b21132893b2fdc1de7cc51a2e9536372de9b8b90c7406317c45801fa46202029b866a95c6271f1b8de8cd4

Download Submit
C:\Windows\SysWOW64\Cabaec32.exe

Filesize
1.9MB

MD5
0eb8e8a693ae570e7949e27627b1de1c

SHA1
e2afdfbf922f34fcc06d061b06237b0cc479e165

SHA256
57847fdb39081a55f79a7c96632240967992101c41450536b8b0f012297b8f45

SHA512
820171ddd6ffbcee9b757c5873f21a875217f719dc47deed789bc0321394c566655ccfeb30b48d8157c7cfa67b3bcb15a56ee458507496309f4c67107618c79b

Download Submit
C:\Windows\SysWOW64\Ceqjla32.exe

Filesize
1.9MB

MD5
9c0de9918f504e8bb436951a3c3d2701

SHA1
e5c077d913e9348eaf6c6e3a0d60c7c5cee400de

SHA256
c64e2bdb59c033ad6d37144964e7e81cb3df82303ea8362141194914d88904ae

SHA512
cd0d061bb0ea9b88aba61fea6f760302029066dfc2e709a42851e0e2fbb80dd5738ad9604044089c95d20c82a013a84bb497d5e3c5430a1e52862586fd7db370

Download Submit
C:\Windows\SysWOW64\Clhecl32.exe

Filesize
1.9MB

MD5
5a9d40386be0bc9856868dd93e4dd528

SHA1
fbafac133233014158fd08ec48af96856c9bc0bd

SHA256
a3cb26efafc82d3487b3f10d3218bff8eedb11af3e5a214a630bde1b145e29a0

SHA512
c901f413c56cf6fd383aac2b9e14f7ab8f7d1c63778f9daadf24197578246999d711604eb8e03d3e98d91985ab15674958fdb0a08f3b21132b9bc8a418ea6271

Download Submit
C:\Windows\SysWOW64\Cofaog32.exe

Filesize
1.9MB

MD5
fcbffc7bed8447ee6f54e87fa33f8f4f

SHA1
0686d2e8e89ccafdfa5c0ed9a584bb2c4945d420

SHA256
6c2395034c4c9d96a6e89ff5668f1ae09d2a72638fab6b4049efbfee6853dbd1

SHA512
48b7a08eabe79fabeadb7560eaa5d0e92f0a1c7984adc4a952b48cee6f0cbecc63a9603fc8e20a9f769e93c220ba617b50902f63d2980fcab40353db00e32efd

Download Submit
C:\Windows\SysWOW64\Qmcclolh.exe

Filesize
1.9MB

MD5
bf2382cf72cf0926e83da8beb6ec764e

SHA1
b412d5b8e3668bc2f437c0bd6fced2d13aa0b60d

SHA256
f0316ca28b35adea379c90000a52b06015f0414cf18f836ccc98456d15fb7727

SHA512
612f3dc7e3439e78fcfbd8dfd8b39cc3d45b8ac0bca9f52b4deb8f6188cb173ee5f65cfb650ebe3792fd493aea5534774f4156241a5571b151f3e08276acc6c1

Download Submit
\Windows\SysWOW64\Bpjnmlel.exe

Filesize
1.9MB

MD5
8676a8430a4a855d693ce54960703037

SHA1
6ed2f7263ca6610cc28b584bc68a3a7e184c762c

SHA256
78892c514a2c62a29cb0cd9ec50f19de4c4ca8003270d36a2ce4a2724b5a91b5

SHA512
d770adf8626de9ae52fb94210bba94568574a39e8b30e894dee9028affd5c0b98a0c99f8dbac60f28aa070d4b12a472d2a3a18b5f9267d61e1080d238537702f

Download Submit
\Windows\SysWOW64\Coindgbi.exe

Filesize
1.9MB

MD5
123cfb93c44143ac8de3ff2219a7021e

SHA1
0d943a039443117bb554f58b661af5cfcccad307

SHA256
e2e4849a34a9707a3102de7fd258447c1665dd88326b2022b0a5d041f3bd4e2c

SHA512
77ed58b1d0b6e3e61b9425af2be06750780b50ae32d4df12d7276ae81eec542e3211a36188dd3c49a6059f57e3af40430cad4a6b4ac689d07fca25d8ff417849

Download Submit
\Windows\SysWOW64\Qfkgdd32.exe

Filesize
1.9MB

MD5
f277c3c1eff614ae08cd892cbc6eeee8

SHA1
d63bbd62cb5a88634aefb269240fe0af61d9de7a

SHA256
42ee904b13262b384426476eb90d6ce2df9353c6aa7c7ce617e25fc862c6c2bd

SHA512
def5119114a2ff11943149832b020d21d281d84d37bd4dd3b9eea2b59393d98b81c86a24f50d6bba5e26e7643cfb17517c2575528c393d5814d8f3d9e9ad57cc

Download Submit
memory/1036-128-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1036-129-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1036-147-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1036-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1620-140-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1620-22-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1620-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1696-97-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1696-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1696-87-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-146-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-12-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2464-13-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2464-139-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-60-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2868-42-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2868-142-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-41-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2892-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-85-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2956-86-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2956-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3004-133-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/3004-130-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads