87ef73b7eaabd9b720aef66c49075bbfbd1873022fd0c016705f600399b05937

Analysis

max time kernel
31s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-08-2024 12:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d51df27bda8d70d86cb7f6b4b0b88470N.exe
Size

85KB
MD5

d51df27bda8d70d86cb7f6b4b0b88470
SHA1

c7f58633625b23086db9405e2c5b9507b80a4108
SHA256

87ef73b7eaabd9b720aef66c49075bbfbd1873022fd0c016705f600399b05937
SHA512

cbd8a6adcc0b1c112241744be63ba99e8cf4490966b9559caf1af86e56f61211b21b18ffbb9f6b20fafde284521472a993b44f7b27f73538cb7720544f95bf1c
SSDEEP

1536:EPZYGcZFcJnOubnJG41pw1TX2LH6kMQ262AjCsQ2PCZZrqOlNfVSLUK+:sR0c1nnJGvWHtMQH2qC7ZQOlzSLUK+

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clfhml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenmfbml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmibmlo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cniajdkg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bopknhjd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpohhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cobhdhha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clfhml32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d51df27bda8d70d86cb7f6b4b0b88470N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chhpgn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenmfbml.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmibmlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cniajdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	d51df27bda8d70d86cb7f6b4b0b88470N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bopknhjd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chhpgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpohhk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cobhdhha.exe

Executes dropped EXE 9 IoCs

pid	Process
2360	Bopknhjd.exe
2924	Chhpgn32.exe
2548	Cpohhk32.exe
2868	Cobhdhha.exe
2744	Clfhml32.exe
2148	Cenmfbml.exe
1140	Chmibmlo.exe
2232	Cniajdkg.exe
2988	Coindgbi.exe

Loads dropped DLL 18 IoCs

pid	Process
3000	d51df27bda8d70d86cb7f6b4b0b88470N.exe
3000	d51df27bda8d70d86cb7f6b4b0b88470N.exe
2360	Bopknhjd.exe
2360	Bopknhjd.exe
2924	Chhpgn32.exe
2924	Chhpgn32.exe
2548	Cpohhk32.exe
2548	Cpohhk32.exe
2868	Cobhdhha.exe
2868	Cobhdhha.exe
2744	Clfhml32.exe
2744	Clfhml32.exe
2148	Cenmfbml.exe
2148	Cenmfbml.exe
1140	Chmibmlo.exe
1140	Chmibmlo.exe
2232	Cniajdkg.exe
2232	Cniajdkg.exe

Drops file in System32 directory 27 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hlilhb32.dll	Clfhml32.exe
File created	C:\Windows\SysWOW64\Ohodgb32.dll	Cniajdkg.exe
File opened for modification	C:\Windows\SysWOW64\Chhpgn32.exe	Bopknhjd.exe
File created	C:\Windows\SysWOW64\Cobhdhha.exe	Cpohhk32.exe
File opened for modification	C:\Windows\SysWOW64\Cenmfbml.exe	Clfhml32.exe
File created	C:\Windows\SysWOW64\Chmibmlo.exe	Cenmfbml.exe
File created	C:\Windows\SysWOW64\Cniajdkg.exe	Chmibmlo.exe
File created	C:\Windows\SysWOW64\Khpbbn32.dll	Chmibmlo.exe
File opened for modification	C:\Windows\SysWOW64\Cniajdkg.exe	Chmibmlo.exe
File opened for modification	C:\Windows\SysWOW64\Coindgbi.exe	Cniajdkg.exe
File created	C:\Windows\SysWOW64\Chhpgn32.exe	Bopknhjd.exe
File created	C:\Windows\SysWOW64\Cnfnahkp.dll	Chhpgn32.exe
File opened for modification	C:\Windows\SysWOW64\Chmibmlo.exe	Cenmfbml.exe
File created	C:\Windows\SysWOW64\Bopknhjd.exe	d51df27bda8d70d86cb7f6b4b0b88470N.exe
File created	C:\Windows\SysWOW64\Clfhml32.exe	Cobhdhha.exe
File created	C:\Windows\SysWOW64\Hjlkkhne.dll	Cobhdhha.exe
File created	C:\Windows\SysWOW64\Cpohhk32.exe	Chhpgn32.exe
File created	C:\Windows\SysWOW64\Cenmfbml.exe	Clfhml32.exe
File created	C:\Windows\SysWOW64\Hkfggj32.dll	Cpohhk32.exe
File created	C:\Windows\SysWOW64\Eajkip32.dll	Bopknhjd.exe
File opened for modification	C:\Windows\SysWOW64\Cpohhk32.exe	Chhpgn32.exe
File opened for modification	C:\Windows\SysWOW64\Cobhdhha.exe	Cpohhk32.exe
File opened for modification	C:\Windows\SysWOW64\Bopknhjd.exe	d51df27bda8d70d86cb7f6b4b0b88470N.exe
File opened for modification	C:\Windows\SysWOW64\Clfhml32.exe	Cobhdhha.exe
File created	C:\Windows\SysWOW64\Coindgbi.exe	Cniajdkg.exe
File created	C:\Windows\SysWOW64\Cbiphidl.dll	d51df27bda8d70d86cb7f6b4b0b88470N.exe
File created	C:\Windows\SysWOW64\Mpgoaiep.dll	Cenmfbml.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpohhk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cobhdhha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d51df27bda8d70d86cb7f6b4b0b88470N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bopknhjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenmfbml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmibmlo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cniajdkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coindgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chhpgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clfhml32.exe

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbiphidl.dll"	d51df27bda8d70d86cb7f6b4b0b88470N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	d51df27bda8d70d86cb7f6b4b0b88470N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cniajdkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	d51df27bda8d70d86cb7f6b4b0b88470N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bopknhjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpohhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clfhml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmibmlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnfnahkp.dll"	Chhpgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlkkhne.dll"	Cobhdhha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cobhdhha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	d51df27bda8d70d86cb7f6b4b0b88470N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eajkip32.dll"	Bopknhjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenmfbml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenmfbml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bopknhjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkfggj32.dll"	Cpohhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlilhb32.dll"	Clfhml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	d51df27bda8d70d86cb7f6b4b0b88470N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpohhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmibmlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohodgb32.dll"	Cniajdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khpbbn32.dll"	Chmibmlo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cniajdkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	d51df27bda8d70d86cb7f6b4b0b88470N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chhpgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chhpgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cobhdhha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clfhml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpgoaiep.dll"	Cenmfbml.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 2360	3000	d51df27bda8d70d86cb7f6b4b0b88470N.exe	30
PID 3000 wrote to memory of 2360	3000	d51df27bda8d70d86cb7f6b4b0b88470N.exe	30
PID 3000 wrote to memory of 2360	3000	d51df27bda8d70d86cb7f6b4b0b88470N.exe	30
PID 3000 wrote to memory of 2360	3000	d51df27bda8d70d86cb7f6b4b0b88470N.exe	30
PID 2360 wrote to memory of 2924	2360	Bopknhjd.exe	31
PID 2360 wrote to memory of 2924	2360	Bopknhjd.exe	31
PID 2360 wrote to memory of 2924	2360	Bopknhjd.exe	31
PID 2360 wrote to memory of 2924	2360	Bopknhjd.exe	31
PID 2924 wrote to memory of 2548	2924	Chhpgn32.exe	32
PID 2924 wrote to memory of 2548	2924	Chhpgn32.exe	32
PID 2924 wrote to memory of 2548	2924	Chhpgn32.exe	32
PID 2924 wrote to memory of 2548	2924	Chhpgn32.exe	32
PID 2548 wrote to memory of 2868	2548	Cpohhk32.exe	33
PID 2548 wrote to memory of 2868	2548	Cpohhk32.exe	33
PID 2548 wrote to memory of 2868	2548	Cpohhk32.exe	33
PID 2548 wrote to memory of 2868	2548	Cpohhk32.exe	33
PID 2868 wrote to memory of 2744	2868	Cobhdhha.exe	34
PID 2868 wrote to memory of 2744	2868	Cobhdhha.exe	34
PID 2868 wrote to memory of 2744	2868	Cobhdhha.exe	34
PID 2868 wrote to memory of 2744	2868	Cobhdhha.exe	34
PID 2744 wrote to memory of 2148	2744	Clfhml32.exe	35
PID 2744 wrote to memory of 2148	2744	Clfhml32.exe	35
PID 2744 wrote to memory of 2148	2744	Clfhml32.exe	35
PID 2744 wrote to memory of 2148	2744	Clfhml32.exe	35
PID 2148 wrote to memory of 1140	2148	Cenmfbml.exe	36
PID 2148 wrote to memory of 1140	2148	Cenmfbml.exe	36
PID 2148 wrote to memory of 1140	2148	Cenmfbml.exe	36
PID 2148 wrote to memory of 1140	2148	Cenmfbml.exe	36
PID 1140 wrote to memory of 2232	1140	Chmibmlo.exe	37
PID 1140 wrote to memory of 2232	1140	Chmibmlo.exe	37
PID 1140 wrote to memory of 2232	1140	Chmibmlo.exe	37
PID 1140 wrote to memory of 2232	1140	Chmibmlo.exe	37
PID 2232 wrote to memory of 2988	2232	Cniajdkg.exe	38
PID 2232 wrote to memory of 2988	2232	Cniajdkg.exe	38
PID 2232 wrote to memory of 2988	2232	Cniajdkg.exe	38
PID 2232 wrote to memory of 2988	2232	Cniajdkg.exe	38

C:\Users\Admin\AppData\Local\Temp\d51df27bda8d70d86cb7f6b4b0b88470N.exe
"C:\Users\Admin\AppData\Local\Temp\d51df27bda8d70d86cb7f6b4b0b88470N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Windows\SysWOW64\Bopknhjd.exe
  C:\Windows\system32\Bopknhjd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\SysWOW64\Chhpgn32.exe
    C:\Windows\system32\Chhpgn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Windows\SysWOW64\Cpohhk32.exe
      C:\Windows\system32\Cpohhk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2548
    - - C:\Windows\SysWOW64\Cobhdhha.exe
        
        C:\Windows\system32\Cobhdhha.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
      - C:\Windows\SysWOW64\Clfhml32.exe
        
        C:\Windows\system32\Clfhml32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\SysWOW64\Cenmfbml.exe
        
        C:\Windows\system32\Cenmfbml.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\Chmibmlo.exe
        
        C:\Windows\system32\Chmibmlo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\SysWOW64\Cniajdkg.exe
        
        C:\Windows\system32\Cniajdkg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\Coindgbi.exe
        
        C:\Windows\system32\Coindgbi.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Clfhml32.exe

Filesize
85KB

MD5
4441bc45a6e39e9627377f65b8fb4b0e

SHA1
d6e5f716b6a61e45c0dbdcb7e6280533f673ab2f

SHA256
5904de07982a11afb98a057203d82a70afe6a26f136bd07db688a6adb450a59d

SHA512
5a439967d19caeca8ab3f48a4301b676601fd7fb50e9bf78f2701e4c110ccae9c652351eb996c11d7c8828ad86414565386497208c62e51df3fabf52e7d9adbd

Download Submit
C:\Windows\SysWOW64\Cpohhk32.exe

Filesize
85KB

MD5
6cb0db3a58be66d4143e4dec09130757

SHA1
1a3eb91177ff464a4a9b4a7fd9a68e945bb64400

SHA256
7bf88fc8e10c382ce251942889833ae8acb069cc4aebca267575737c0254fa64

SHA512
f1138033b3c5d993856ec054256427c8606fbb9db88785f9c016c48bb8e7777e5f76fbe0dcaf8c10785adf6cba7ebf56eaa6997c7fe8a5ca2bb398d04644314c

Download Submit
\Windows\SysWOW64\Bopknhjd.exe

Filesize
85KB

MD5
70765a342a118522d86ef5db27c32d0a

SHA1
37a2c2460a55d774eac4183a042211b470ee0a0d

SHA256
802d79a88752b1d3993fa746eab40ff9d3234a4d65cd3dd2ab04e2e511416c57

SHA512
b0c7e1bc536c3c7514cdad4a523355996923846f1edbcd9fa2ece1d18202fe41bc27d9a3002fe1baf97efbb431ad48b5b0e8c4ae7e1fad2cbf8067f7289ac002

Download Submit
\Windows\SysWOW64\Cenmfbml.exe

Filesize
85KB

MD5
76ff3cdd7efe4975f615d95a8b52aafa

SHA1
d11ba3a632d2780ad0b842a0449a2712da4fdefd

SHA256
8dad5257b724fe8cf1eff8b854621d23c9886390007e80f7a3974b3fa00e4020

SHA512
cafef6c7e48c8360aa626ddf1f61a24d63e17c5fc596da31fd0802d4953942588e6b7efa6f79795feb89df8b8ab80504cbd259dc6bc968ddb865e570ffdc1c3f

Download Submit
\Windows\SysWOW64\Chhpgn32.exe

Filesize
85KB

MD5
74352929a6cd3115b9d85651c2ce03b6

SHA1
defbeda0b60d055b99b16ec2ec1361939306670f

SHA256
b32ed2d9caeba0f15b508d114f2aa46664593e160d8d40045d37bce53388345a

SHA512
3a620606a843fdd3cf1f7eb9d8af10b879aab00e49a400229b440ec51c1533dff384539965df5e9463439b288839dc13c2a89c0b59a136f3a10671be7c71c268

Download Submit
\Windows\SysWOW64\Chmibmlo.exe

Filesize
85KB

MD5
886d9cdc56214e7dbd3f71b27daefa8c

SHA1
f2da3162256b98d7590788b278f0b33dc6ff9a94

SHA256
c5007373b157997e1429323b322ef28e87dd40ab3e1400242aaa2e42aa8d0657

SHA512
3c7c2e2ff037c3b2e173fd52b0ba5482e4b87275cf9e5c272ee79cc56ed225bc2415278b8643a8f44217b52e03faa584001a5ae5348866a86bcba0070e211ca2

Download Submit
\Windows\SysWOW64\Cniajdkg.exe

Filesize
85KB

MD5
c19b8676236fd865a58577cb51ca06b5

SHA1
3e477bc2c1b7c1152a0d001d1c68e3cba8bed4c0

SHA256
968ede4d1425a2c1f7a2aec74b31c55ed88aa8df895921ca5cac67f25511648f

SHA512
f8852c8391cb559506ce0ff7c1cdca84d45bc07e677828af931276dd862080bcd4018355c80b1f517c1cf5acf27111b19fef27b0cd32d07c4cc86e61e01bf55a

Download Submit
\Windows\SysWOW64\Cobhdhha.exe

Filesize
85KB

MD5
a198fc75faff5576a11bd2ee9d365449

SHA1
cd418a4d1ebe695ca9cca7d953dfbc76221dfaa1

SHA256
a0f738916e7fd917a0f5eece6fb78f97c13918a8c57bd4d9871a4525e23c9eaf

SHA512
8f322ad13a836653c1eb094549c2b50e02e3151ff97a067581209104c85bc67d99398d8431f1a896cdb4033093571fd8f20eca1be835417fe8c91ee5d9fcac28

Download Submit
\Windows\SysWOW64\Coindgbi.exe

Filesize
85KB

MD5
8c71551159ff63ffbb5f15d0bcd192a2

SHA1
e3aa4823e6b8408cb66ec5e53667c4d6b4334b9e

SHA256
e870843344735fa5b419b432e44427ff3dc254a3c023a1323ee954aef6bb6a07

SHA512
a471e742c67b0ee638cbbf6e27b79ac2877a937cc0fcaf6584bd0ca1eb062eb37cac73a027838b128aa299b40f08c02425a5cacb4672cced6cba98888e6744cf

Download Submit
memory/1140-113-0x0000000001F80000-0x0000000001FC1000-memory.dmp

Filesize
260KB

Download
memory/1140-112-0x0000000001F80000-0x0000000001FC1000-memory.dmp

Filesize
260KB

Download
memory/1140-134-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1140-135-0x0000000001F80000-0x0000000001FC1000-memory.dmp

Filesize
260KB

Download
memory/1140-99-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1140-136-0x0000000001F80000-0x0000000001FC1000-memory.dmp

Filesize
260KB

Download
memory/2148-85-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2148-133-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2232-130-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2232-129-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2232-116-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2232-139-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2232-138-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2232-137-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2360-14-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2360-93-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2360-26-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2548-68-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/2548-128-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/2548-47-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2548-67-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/2744-70-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2744-114-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2868-78-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2868-69-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2924-46-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2924-28-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2924-107-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2988-132-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2988-140-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3000-12-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/3000-13-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/3000-84-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3000-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads