e0d30f3c71a2904e1943862bc967c84cbfd0b0c62d99892abc7a6987ab87d7f2

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19/08/2024, 01:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f415b21434345c605f283067bc7722f0N.exe
Size

99KB
MD5

f415b21434345c605f283067bc7722f0
SHA1

834b235790f693cb9caca5b0a46e5ccb9d2b05cc
SHA256

e0d30f3c71a2904e1943862bc967c84cbfd0b0c62d99892abc7a6987ab87d7f2
SHA512

9bb9baa1ccbd3ff330b381f2a382ac6f94ac1d8f52534bde1b0fae20cd33e5f441bd46d03f9128765b7d5883aec9790fade1c2a796a4c74321acfc58103b7816
SSDEEP

3072:laRnUiUdcFai/ktYY+I+nQgb3a3+X13XRzG:LiUdxZYBdt7aOl3BzG

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cklfll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cklfll32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f415b21434345c605f283067bc7722f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	f415b21434345c605f283067bc7722f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdanpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clmbddgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Clmbddgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Boplllob.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bkglameg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boplllob.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdkgocpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdanpb32.exe

Executes dropped EXE 10 IoCs

pid	Process
2848	Bdkgocpm.exe
2712	Boplllob.exe
1720	Baohhgnf.exe
2636	Bkglameg.exe
2196	Cdoajb32.exe
1608	Ckiigmcd.exe
2976	Cdanpb32.exe
2216	Cklfll32.exe
2684	Clmbddgp.exe
1924	Ceegmj32.exe

Loads dropped DLL 24 IoCs

pid	Process
2844	f415b21434345c605f283067bc7722f0N.exe
2844	f415b21434345c605f283067bc7722f0N.exe
2848	Bdkgocpm.exe
2848	Bdkgocpm.exe
2712	Boplllob.exe
2712	Boplllob.exe
1720	Baohhgnf.exe
1720	Baohhgnf.exe
2636	Bkglameg.exe
2636	Bkglameg.exe
2196	Cdoajb32.exe
2196	Cdoajb32.exe
1608	Ckiigmcd.exe
1608	Ckiigmcd.exe
2976	Cdanpb32.exe
2976	Cdanpb32.exe
2216	Cklfll32.exe
2216	Cklfll32.exe
2684	Clmbddgp.exe
2684	Clmbddgp.exe
2664	WerFault.exe
2664	WerFault.exe
2664	WerFault.exe
2664	WerFault.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Baohhgnf.exe	Boplllob.exe
File created	C:\Windows\SysWOW64\Bkglameg.exe	Baohhgnf.exe
File created	C:\Windows\SysWOW64\Clmbddgp.exe	Cklfll32.exe
File opened for modification	C:\Windows\SysWOW64\Ceegmj32.exe	Clmbddgp.exe
File created	C:\Windows\SysWOW64\Baohhgnf.exe	Boplllob.exe
File opened for modification	C:\Windows\SysWOW64\Bkglameg.exe	Baohhgnf.exe
File created	C:\Windows\SysWOW64\Mdqfkmom.dll	Baohhgnf.exe
File created	C:\Windows\SysWOW64\Cklfll32.exe	Cdanpb32.exe
File created	C:\Windows\SysWOW64\Bdkgocpm.exe	f415b21434345c605f283067bc7722f0N.exe
File created	C:\Windows\SysWOW64\Cdoajb32.exe	Bkglameg.exe
File opened for modification	C:\Windows\SysWOW64\Cdoajb32.exe	Bkglameg.exe
File created	C:\Windows\SysWOW64\Cdanpb32.exe	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Aoogfhfp.dll	Clmbddgp.exe
File created	C:\Windows\SysWOW64\Liggabfp.dll	Bdkgocpm.exe
File created	C:\Windows\SysWOW64\Ckiigmcd.exe	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Bjpdmqog.dll	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Boplllob.exe	Bdkgocpm.exe
File created	C:\Windows\SysWOW64\Nfolbbmp.dll	Boplllob.exe
File opened for modification	C:\Windows\SysWOW64\Cdanpb32.exe	Ckiigmcd.exe
File opened for modification	C:\Windows\SysWOW64\Bdkgocpm.exe	f415b21434345c605f283067bc7722f0N.exe
File opened for modification	C:\Windows\SysWOW64\Ckiigmcd.exe	Cdoajb32.exe
File opened for modification	C:\Windows\SysWOW64\Clmbddgp.exe	Cklfll32.exe
File created	C:\Windows\SysWOW64\Eelloqic.dll	Cklfll32.exe
File created	C:\Windows\SysWOW64\Ceegmj32.exe	Clmbddgp.exe
File created	C:\Windows\SysWOW64\Dnabbkhk.dll	Bkglameg.exe
File created	C:\Windows\SysWOW64\Aincgi32.dll	Ckiigmcd.exe
File opened for modification	C:\Windows\SysWOW64\Cklfll32.exe	Cdanpb32.exe
File created	C:\Windows\SysWOW64\Fcohbnpe.dll	f415b21434345c605f283067bc7722f0N.exe
File opened for modification	C:\Windows\SysWOW64\Boplllob.exe	Bdkgocpm.exe
File created	C:\Windows\SysWOW64\Aheefb32.dll	Cdanpb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2664	1924	WerFault.exe	39

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f415b21434345c605f283067bc7722f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdoajb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiigmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdanpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cklfll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clmbddgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdkgocpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boplllob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baohhgnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkglameg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceegmj32.exe

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdqfkmom.dll"	Baohhgnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjpdmqog.dll"	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aheefb32.dll"	Cdanpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cklfll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	f415b21434345c605f283067bc7722f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bdkgocpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnabbkhk.dll"	Bkglameg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	f415b21434345c605f283067bc7722f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	f415b21434345c605f283067bc7722f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Boplllob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eelloqic.dll"	Cklfll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcohbnpe.dll"	f415b21434345c605f283067bc7722f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cklfll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll"	Clmbddgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	f415b21434345c605f283067bc7722f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfolbbmp.dll"	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aincgi32.dll"	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdanpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Clmbddgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	f415b21434345c605f283067bc7722f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Boplllob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdanpb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Clmbddgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liggabfp.dll"	Bdkgocpm.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 2848	2844	f415b21434345c605f283067bc7722f0N.exe	30
PID 2844 wrote to memory of 2848	2844	f415b21434345c605f283067bc7722f0N.exe	30
PID 2844 wrote to memory of 2848	2844	f415b21434345c605f283067bc7722f0N.exe	30
PID 2844 wrote to memory of 2848	2844	f415b21434345c605f283067bc7722f0N.exe	30
PID 2848 wrote to memory of 2712	2848	Bdkgocpm.exe	31
PID 2848 wrote to memory of 2712	2848	Bdkgocpm.exe	31
PID 2848 wrote to memory of 2712	2848	Bdkgocpm.exe	31
PID 2848 wrote to memory of 2712	2848	Bdkgocpm.exe	31
PID 2712 wrote to memory of 1720	2712	Boplllob.exe	32
PID 2712 wrote to memory of 1720	2712	Boplllob.exe	32
PID 2712 wrote to memory of 1720	2712	Boplllob.exe	32
PID 2712 wrote to memory of 1720	2712	Boplllob.exe	32
PID 1720 wrote to memory of 2636	1720	Baohhgnf.exe	33
PID 1720 wrote to memory of 2636	1720	Baohhgnf.exe	33
PID 1720 wrote to memory of 2636	1720	Baohhgnf.exe	33
PID 1720 wrote to memory of 2636	1720	Baohhgnf.exe	33
PID 2636 wrote to memory of 2196	2636	Bkglameg.exe	34
PID 2636 wrote to memory of 2196	2636	Bkglameg.exe	34
PID 2636 wrote to memory of 2196	2636	Bkglameg.exe	34
PID 2636 wrote to memory of 2196	2636	Bkglameg.exe	34
PID 2196 wrote to memory of 1608	2196	Cdoajb32.exe	35
PID 2196 wrote to memory of 1608	2196	Cdoajb32.exe	35
PID 2196 wrote to memory of 1608	2196	Cdoajb32.exe	35
PID 2196 wrote to memory of 1608	2196	Cdoajb32.exe	35
PID 1608 wrote to memory of 2976	1608	Ckiigmcd.exe	36
PID 1608 wrote to memory of 2976	1608	Ckiigmcd.exe	36
PID 1608 wrote to memory of 2976	1608	Ckiigmcd.exe	36
PID 1608 wrote to memory of 2976	1608	Ckiigmcd.exe	36
PID 2976 wrote to memory of 2216	2976	Cdanpb32.exe	37
PID 2976 wrote to memory of 2216	2976	Cdanpb32.exe	37
PID 2976 wrote to memory of 2216	2976	Cdanpb32.exe	37
PID 2976 wrote to memory of 2216	2976	Cdanpb32.exe	37
PID 2216 wrote to memory of 2684	2216	Cklfll32.exe	38
PID 2216 wrote to memory of 2684	2216	Cklfll32.exe	38
PID 2216 wrote to memory of 2684	2216	Cklfll32.exe	38
PID 2216 wrote to memory of 2684	2216	Cklfll32.exe	38
PID 2684 wrote to memory of 1924	2684	Clmbddgp.exe	39
PID 2684 wrote to memory of 1924	2684	Clmbddgp.exe	39
PID 2684 wrote to memory of 1924	2684	Clmbddgp.exe	39
PID 2684 wrote to memory of 1924	2684	Clmbddgp.exe	39
PID 1924 wrote to memory of 2664	1924	Ceegmj32.exe	40
PID 1924 wrote to memory of 2664	1924	Ceegmj32.exe	40
PID 1924 wrote to memory of 2664	1924	Ceegmj32.exe	40
PID 1924 wrote to memory of 2664	1924	Ceegmj32.exe	40

C:\Users\Admin\AppData\Local\Temp\f415b21434345c605f283067bc7722f0N.exe
"C:\Users\Admin\AppData\Local\Temp\f415b21434345c605f283067bc7722f0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\SysWOW64\Bdkgocpm.exe
  C:\Windows\system32\Bdkgocpm.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\SysWOW64\Boplllob.exe
    C:\Windows\system32\Boplllob.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\SysWOW64\Baohhgnf.exe
      C:\Windows\system32\Baohhgnf.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1720
    - - C:\Windows\SysWOW64\Bkglameg.exe
        
        C:\Windows\system32\Bkglameg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
      - C:\Windows\SysWOW64\Cdoajb32.exe
        
        C:\Windows\system32\Cdoajb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Ckiigmcd.exe
        
        C:\Windows\system32\Ckiigmcd.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\Cdanpb32.exe
        
        C:\Windows\system32\Cdanpb32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Cklfll32.exe
        
        C:\Windows\system32\Cklfll32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Clmbddgp.exe
        
        C:\Windows\system32\Clmbddgp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 140
        12⤵
        Loads dropped DLL
        Program crash
        
        PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dnabbkhk.dll

Filesize
7KB

MD5
8ec88a66b0782f3988bfec9d40930c90

SHA1
b51d10dcfed198c3e2331a867231e542dd61874b

SHA256
cac13f823b51829b6ff874e68ba621b875c32528b2d264fd59dca9c77255325a

SHA512
686bf4c0f38ea9c9107ca62f323ad729dcf2a8f505e974d26634cf6074122a19a6ae5fc38797b58e7993db9ab4062b4105e6ca1315fd3bef84d94e6a8119a204

Download Submit
\Windows\SysWOW64\Baohhgnf.exe

Filesize
99KB

MD5
b3f794118fc4e36b20caa9c93e09f3d5

SHA1
bca5794db2a772fc9695f5aae50e20439c33ff64

SHA256
7c4a69e918a804fc65f0fe91d79017d88fc307d188e4711887af487297de4ca2

SHA512
b323dcd869824b7ec485bd01ce0d41d049d3865f8a010015ac9f05b0e25da410e9c9c9a5b246ca5e54bb2633a2e8197c4d951d6e8e3383f67927d0f8a4092045

Download Submit
\Windows\SysWOW64\Bdkgocpm.exe

Filesize
99KB

MD5
a56effe7731ab63e3e753024d0cf6fb0

SHA1
ab9966c2c3bba67f80957045843fdf7897108f0c

SHA256
f79aeaedbd857af0c1335a0dcd1ac313c3972994b8e7304fef7ab9ecaa19f324

SHA512
4112985f4f381a52fe3998a5206219f9ec996094c99e41a43b9b30a41ab23563b1a3964d618054cbebeecfe01ff46fee6ca072a9affdff9c030e9a6b0b8d1d76

Download Submit
\Windows\SysWOW64\Bkglameg.exe

Filesize
99KB

MD5
2a0288c18748599f5c7e6ea46a94171c

SHA1
bcc2e057eaf01c1ff4f1abd7c5293c97fd8bcb90

SHA256
fb3ac1095dd994e87b140ec1842a815fed48794ad6be17b47d4aec360eacef31

SHA512
73d1dc65cd39b703bdceb4e7046d6dbb28855325667887103cf8ec8d5cad5906559ac20df156826affbbec6254442d72ed46a88ea5b4630ef7c03d49d61245c8

Download Submit
\Windows\SysWOW64\Boplllob.exe

Filesize
99KB

MD5
00500c9378a55aa1a6cdc0a1637b0153

SHA1
3dbbf344637ebaa7f7c103d90a6bdbfb73eaf5de

SHA256
5aaa13db42c22359f9c0dc0a44ad0c41df40aca2fd8b638d39f9abe0c5d521a9

SHA512
0683eb61bb6f92620af2d2d6ee5c21713fac189bc0250209f62a06668c856d45defa9272e58516d8668b1c661efe688ec42208152d9c13a5d1db9ff66deda702

Download Submit
\Windows\SysWOW64\Cdanpb32.exe

Filesize
99KB

MD5
42c1c0bf61fb8aac1a691eea8c940281

SHA1
19190c68cc755aba8eb52def00187d22cacf3c85

SHA256
577e3cbc9254a8265166b782da024a10a8b36445b291f563d507e51ff7171a2f

SHA512
8ad087870271bc08a9b57a333d9554e2bbab3cfe9b1141b7d095c9e7077add257094d4adfd6cdf6073f4e1de38ebc0fa0828f123b5317bb4347b1d75d526646b

Download Submit
\Windows\SysWOW64\Cdoajb32.exe

Filesize
99KB

MD5
b40e0795b8c0684140dc2651f53fe333

SHA1
ceb0064105b6462443cce39a7090cd60554bdbd7

SHA256
c328fd951b03cd645b600e3e2bf896a74bf7e68a910d0dfd8ff66e1cc71c7f06

SHA512
91721aba239d08b705cef1001e704566176f2e54097ef6aba7fbed315080d3ee846cd1108d81ef646b1fa776f48a76d8c1b66c86bf59c23faa470964467a92c7

Download Submit
\Windows\SysWOW64\Ceegmj32.exe

Filesize
99KB

MD5
16490e71ed452968531bae3819bedc96

SHA1
a00d2e95589fd6e9840ff11d45c0aaf6c982cbcb

SHA256
bb64267746ccd9edd90941764234534b2044028de43237cbd4ab4b86d90aba8a

SHA512
b96421854dc1e742780cf53284711b6b3026eb1f185c5d4c5bb836dedd1928c7c64ef5b4f0f40aed925405ce4642c8516719345e4cb0491d42bfc837306f8fe7

Download Submit
\Windows\SysWOW64\Ckiigmcd.exe

Filesize
99KB

MD5
13af08bb88fe16134f1762b87c15c260

SHA1
4b7ee897055f73677876d56859980e53cd290890

SHA256
4d6f50931d8461524b02c6cb5a1d1dc1288965b5e0c7780a106b7f4444c16c44

SHA512
87dbba176a296c86b73fa2965f6eef3a873934cc50e52df62efafc7507437a657cf900d4ac549412e212e00ed4490860ea6b0063ec82e78ec3f8b633f23948bb

Download Submit
\Windows\SysWOW64\Cklfll32.exe

Filesize
99KB

MD5
c932d7934dae08e16169f897feef9d42

SHA1
8874ded7d7d92b322f23685b0f93c957e5564bba

SHA256
4a0d9e39376fc79c56ccd306edc10628198e63d3ce3f02501970bd118c04009f

SHA512
f8b563d8a752c80d9ba908ed12ac52e6653103952541794019c24bc5ff8dd1f5f41bf2986ab17f8103cb4c1439345f454627acdbf26b7470bb3dfb021bef638b

Download Submit
\Windows\SysWOW64\Clmbddgp.exe

Filesize
99KB

MD5
6e3031b56ce4e0d98f10878c69396381

SHA1
07c9f60bffeee20ebdce0561c799346811e48b49

SHA256
8e0acd7198b781a8fd92be6d8fee965527243681186f6f3489782872c4113cf9

SHA512
b9e775712951f4e31592000b2b08c0f77a9c13fa2d7e3d21c747b694560c2e7b69c9e6d9ecd6a85adb031d2f9f229b9a85ebe1bbcb9893af152a2eadbb52bd01

Download Submit
memory/1608-78-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1608-144-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1608-85-0x0000000000380000-0x00000000003C2000-memory.dmp

Filesize
264KB

Download
memory/1720-141-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1924-133-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1924-147-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2196-143-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2216-146-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2216-106-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2216-114-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2636-52-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2636-59-0x00000000005F0000-0x0000000000632000-memory.dmp

Filesize
264KB

Download
memory/2636-142-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2684-125-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2712-140-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2712-34-0x0000000000310000-0x0000000000352000-memory.dmp

Filesize
264KB

Download
memory/2712-26-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2844-138-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2844-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2844-11-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/2844-12-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/2848-139-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2976-105-0x0000000000300000-0x0000000000342000-memory.dmp

Filesize
264KB

Download
memory/2976-97-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2976-145-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads