ac55200940f3bfea02072450a30a12ba29bd79d8b262391c7b32e972b33ae097

Analysis

max time kernel
82s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
25-08-2024 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d91bbba1b93d9fc794c3dfe4bed4cb80N.exe
Size

302KB
MD5

d91bbba1b93d9fc794c3dfe4bed4cb80
SHA1

73717e427cd340887f1166cf7cb53c6ca581552a
SHA256

ac55200940f3bfea02072450a30a12ba29bd79d8b262391c7b32e972b33ae097
SHA512

635705d0d79f09e2e32902e612531fcf8f6e3d985ff850a69663921b4f8bf13625992587ea1c9c149df97a65d7c38af10425ea64297f6d9de8ebd4eb358ab86a
SSDEEP

6144:h/+sZhnoHswL7GNlighD4lTjZXvEQo9dfEORRAgnIlY1:x+Uhibv8lXhuT9XvEhdfEmwlY1

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmlbaqfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bdfjnkne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceickb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cofaog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	d91bbba1b93d9fc794c3dfe4bed4cb80N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bacefpbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bdaabk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkkioeig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bkkioeig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmlbaqfh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bopknhjd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdamao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chofhm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdfjnkne.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chhpgn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cofaog32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceickb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chofhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bacefpbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bopknhjd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciglaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ciglaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chhpgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdamao32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d91bbba1b93d9fc794c3dfe4bed4cb80N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdaabk32.exe

Executes dropped EXE 13 IoCs

pid	Process
1456	Bacefpbg.exe
2732	Bdaabk32.exe
2776	Bkkioeig.exe
2888	Bmlbaqfh.exe
628	Bdfjnkne.exe
2652	Bopknhjd.exe
1952	Ceickb32.exe
1804	Chhpgn32.exe
2192	Ciglaa32.exe
2952	Cdamao32.exe
376	Cofaog32.exe
2380	Chofhm32.exe
264	Coindgbi.exe

Loads dropped DLL 26 IoCs

pid	Process
1732	d91bbba1b93d9fc794c3dfe4bed4cb80N.exe
1732	d91bbba1b93d9fc794c3dfe4bed4cb80N.exe
1456	Bacefpbg.exe
1456	Bacefpbg.exe
2732	Bdaabk32.exe
2732	Bdaabk32.exe
2776	Bkkioeig.exe
2776	Bkkioeig.exe
2888	Bmlbaqfh.exe
2888	Bmlbaqfh.exe
628	Bdfjnkne.exe
628	Bdfjnkne.exe
2652	Bopknhjd.exe
2652	Bopknhjd.exe
1952	Ceickb32.exe
1952	Ceickb32.exe
1804	Chhpgn32.exe
1804	Chhpgn32.exe
2192	Ciglaa32.exe
2192	Ciglaa32.exe
2952	Cdamao32.exe
2952	Cdamao32.exe
376	Cofaog32.exe
376	Cofaog32.exe
2380	Chofhm32.exe
2380	Chofhm32.exe

Drops file in System32 directory 39 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cdamao32.exe	Ciglaa32.exe
File created	C:\Windows\SysWOW64\Niienepq.dll	Ciglaa32.exe
File created	C:\Windows\SysWOW64\Cofaog32.exe	Cdamao32.exe
File opened for modification	C:\Windows\SysWOW64\Bdaabk32.exe	Bacefpbg.exe
File opened for modification	C:\Windows\SysWOW64\Bkkioeig.exe	Bdaabk32.exe
File created	C:\Windows\SysWOW64\Fbflbd32.dll	Bdaabk32.exe
File opened for modification	C:\Windows\SysWOW64\Bopknhjd.exe	Bdfjnkne.exe
File opened for modification	C:\Windows\SysWOW64\Chhpgn32.exe	Ceickb32.exe
File opened for modification	C:\Windows\SysWOW64\Chofhm32.exe	Cofaog32.exe
File created	C:\Windows\SysWOW64\Ceickb32.exe	Bopknhjd.exe
File opened for modification	C:\Windows\SysWOW64\Ceickb32.exe	Bopknhjd.exe
File opened for modification	C:\Windows\SysWOW64\Cofaog32.exe	Cdamao32.exe
File created	C:\Windows\SysWOW64\Bacefpbg.exe	d91bbba1b93d9fc794c3dfe4bed4cb80N.exe
File created	C:\Windows\SysWOW64\Bijpeihq.dll	Bacefpbg.exe
File created	C:\Windows\SysWOW64\Bmlbaqfh.exe	Bkkioeig.exe
File opened for modification	C:\Windows\SysWOW64\Bmlbaqfh.exe	Bkkioeig.exe
File created	C:\Windows\SysWOW64\Cbiphidl.dll	Bdfjnkne.exe
File created	C:\Windows\SysWOW64\Pkknia32.dll	Cofaog32.exe
File created	C:\Windows\SysWOW64\Ohodgb32.dll	Chofhm32.exe
File opened for modification	C:\Windows\SysWOW64\Bdfjnkne.exe	Bmlbaqfh.exe
File created	C:\Windows\SysWOW64\Jggdmb32.dll	Bmlbaqfh.exe
File created	C:\Windows\SysWOW64\Jfdkkkqh.dll	d91bbba1b93d9fc794c3dfe4bed4cb80N.exe
File opened for modification	C:\Windows\SysWOW64\Coindgbi.exe	Chofhm32.exe
File created	C:\Windows\SysWOW64\Bdaabk32.exe	Bacefpbg.exe
File created	C:\Windows\SysWOW64\Bdfjnkne.exe	Bmlbaqfh.exe
File created	C:\Windows\SysWOW64\Ciglaa32.exe	Chhpgn32.exe
File created	C:\Windows\SysWOW64\Chofhm32.exe	Cofaog32.exe
File opened for modification	C:\Windows\SysWOW64\Bacefpbg.exe	d91bbba1b93d9fc794c3dfe4bed4cb80N.exe
File created	C:\Windows\SysWOW64\Bopknhjd.exe	Bdfjnkne.exe
File created	C:\Windows\SysWOW64\Eajkip32.dll	Ceickb32.exe
File created	C:\Windows\SysWOW64\Mokegi32.dll	Chhpgn32.exe
File created	C:\Windows\SysWOW64\Agcmideg.dll	Bkkioeig.exe
File created	C:\Windows\SysWOW64\Bongfjgo.dll	Bopknhjd.exe
File created	C:\Windows\SysWOW64\Chhpgn32.exe	Ceickb32.exe
File created	C:\Windows\SysWOW64\Cdamao32.exe	Ciglaa32.exe
File created	C:\Windows\SysWOW64\Elnlcjph.dll	Cdamao32.exe
File created	C:\Windows\SysWOW64\Bkkioeig.exe	Bdaabk32.exe
File opened for modification	C:\Windows\SysWOW64\Ciglaa32.exe	Chhpgn32.exe
File created	C:\Windows\SysWOW64\Coindgbi.exe	Chofhm32.exe

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bacefpbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdfjnkne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bopknhjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceickb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciglaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkkioeig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmlbaqfh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdamao32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chofhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coindgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d91bbba1b93d9fc794c3dfe4bed4cb80N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chhpgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cofaog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdaabk32.exe

Modifies registry class 42 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agcmideg.dll"	Bkkioeig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jggdmb32.dll"	Bmlbaqfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmlbaqfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bdfjnkne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eajkip32.dll"	Ceickb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cofaog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkknia32.dll"	Cofaog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chofhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	d91bbba1b93d9fc794c3dfe4bed4cb80N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bdaabk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bdfjnkne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chhpgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ciglaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdamao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	d91bbba1b93d9fc794c3dfe4bed4cb80N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bkkioeig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bopknhjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mokegi32.dll"	Chhpgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	d91bbba1b93d9fc794c3dfe4bed4cb80N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	d91bbba1b93d9fc794c3dfe4bed4cb80N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfdkkkqh.dll"	d91bbba1b93d9fc794c3dfe4bed4cb80N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbflbd32.dll"	Bdaabk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bopknhjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niienepq.dll"	Ciglaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohodgb32.dll"	Chofhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bacefpbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bongfjgo.dll"	Bopknhjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ceickb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chhpgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ciglaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elnlcjph.dll"	Cdamao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	d91bbba1b93d9fc794c3dfe4bed4cb80N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmlbaqfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ceickb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdamao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cofaog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chofhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bijpeihq.dll"	Bacefpbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bacefpbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bdaabk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bkkioeig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbiphidl.dll"	Bdfjnkne.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 1456	1732	d91bbba1b93d9fc794c3dfe4bed4cb80N.exe	30
PID 1732 wrote to memory of 1456	1732	d91bbba1b93d9fc794c3dfe4bed4cb80N.exe	30
PID 1732 wrote to memory of 1456	1732	d91bbba1b93d9fc794c3dfe4bed4cb80N.exe	30
PID 1732 wrote to memory of 1456	1732	d91bbba1b93d9fc794c3dfe4bed4cb80N.exe	30
PID 1456 wrote to memory of 2732	1456	Bacefpbg.exe	31
PID 1456 wrote to memory of 2732	1456	Bacefpbg.exe	31
PID 1456 wrote to memory of 2732	1456	Bacefpbg.exe	31
PID 1456 wrote to memory of 2732	1456	Bacefpbg.exe	31
PID 2732 wrote to memory of 2776	2732	Bdaabk32.exe	32
PID 2732 wrote to memory of 2776	2732	Bdaabk32.exe	32
PID 2732 wrote to memory of 2776	2732	Bdaabk32.exe	32
PID 2732 wrote to memory of 2776	2732	Bdaabk32.exe	32
PID 2776 wrote to memory of 2888	2776	Bkkioeig.exe	33
PID 2776 wrote to memory of 2888	2776	Bkkioeig.exe	33
PID 2776 wrote to memory of 2888	2776	Bkkioeig.exe	33
PID 2776 wrote to memory of 2888	2776	Bkkioeig.exe	33
PID 2888 wrote to memory of 628	2888	Bmlbaqfh.exe	34
PID 2888 wrote to memory of 628	2888	Bmlbaqfh.exe	34
PID 2888 wrote to memory of 628	2888	Bmlbaqfh.exe	34
PID 2888 wrote to memory of 628	2888	Bmlbaqfh.exe	34
PID 628 wrote to memory of 2652	628	Bdfjnkne.exe	35
PID 628 wrote to memory of 2652	628	Bdfjnkne.exe	35
PID 628 wrote to memory of 2652	628	Bdfjnkne.exe	35
PID 628 wrote to memory of 2652	628	Bdfjnkne.exe	35
PID 2652 wrote to memory of 1952	2652	Bopknhjd.exe	36
PID 2652 wrote to memory of 1952	2652	Bopknhjd.exe	36
PID 2652 wrote to memory of 1952	2652	Bopknhjd.exe	36
PID 2652 wrote to memory of 1952	2652	Bopknhjd.exe	36
PID 1952 wrote to memory of 1804	1952	Ceickb32.exe	37
PID 1952 wrote to memory of 1804	1952	Ceickb32.exe	37
PID 1952 wrote to memory of 1804	1952	Ceickb32.exe	37
PID 1952 wrote to memory of 1804	1952	Ceickb32.exe	37
PID 1804 wrote to memory of 2192	1804	Chhpgn32.exe	38
PID 1804 wrote to memory of 2192	1804	Chhpgn32.exe	38
PID 1804 wrote to memory of 2192	1804	Chhpgn32.exe	38
PID 1804 wrote to memory of 2192	1804	Chhpgn32.exe	38
PID 2192 wrote to memory of 2952	2192	Ciglaa32.exe	39
PID 2192 wrote to memory of 2952	2192	Ciglaa32.exe	39
PID 2192 wrote to memory of 2952	2192	Ciglaa32.exe	39
PID 2192 wrote to memory of 2952	2192	Ciglaa32.exe	39
PID 2952 wrote to memory of 376	2952	Cdamao32.exe	40
PID 2952 wrote to memory of 376	2952	Cdamao32.exe	40
PID 2952 wrote to memory of 376	2952	Cdamao32.exe	40
PID 2952 wrote to memory of 376	2952	Cdamao32.exe	40
PID 376 wrote to memory of 2380	376	Cofaog32.exe	41
PID 376 wrote to memory of 2380	376	Cofaog32.exe	41
PID 376 wrote to memory of 2380	376	Cofaog32.exe	41
PID 376 wrote to memory of 2380	376	Cofaog32.exe	41
PID 2380 wrote to memory of 264	2380	Chofhm32.exe	42
PID 2380 wrote to memory of 264	2380	Chofhm32.exe	42
PID 2380 wrote to memory of 264	2380	Chofhm32.exe	42
PID 2380 wrote to memory of 264	2380	Chofhm32.exe	42

C:\Users\Admin\AppData\Local\Temp\d91bbba1b93d9fc794c3dfe4bed4cb80N.exe
"C:\Users\Admin\AppData\Local\Temp\d91bbba1b93d9fc794c3dfe4bed4cb80N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\SysWOW64\Bacefpbg.exe
  C:\Windows\system32\Bacefpbg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Windows\SysWOW64\Bdaabk32.exe
    C:\Windows\system32\Bdaabk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\SysWOW64\Bkkioeig.exe
      C:\Windows\system32\Bkkioeig.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2776
    - - C:\Windows\SysWOW64\Bmlbaqfh.exe
        
        C:\Windows\system32\Bmlbaqfh.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2888
      - C:\Windows\SysWOW64\Bdfjnkne.exe
        
        C:\Windows\system32\Bdfjnkne.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\SysWOW64\Bopknhjd.exe
        
        C:\Windows\system32\Bopknhjd.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Ceickb32.exe
        
        C:\Windows\system32\Ceickb32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Chhpgn32.exe
        
        C:\Windows\system32\Chhpgn32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\SysWOW64\Ciglaa32.exe
        
        C:\Windows\system32\Ciglaa32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\Cdamao32.exe
        
        C:\Windows\system32\Cdamao32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\Cofaog32.exe
        
        C:\Windows\system32\Cofaog32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Windows\SysWOW64\Chofhm32.exe
        
        C:\Windows\system32\Chofhm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Coindgbi.exe
        
        C:\Windows\system32\Coindgbi.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bacefpbg.exe

Filesize
302KB

MD5
c88a4d627eb7d7b0c0a91d3dc65af0c7

SHA1
e1532a4eb56d8628476693c5470b157e6410691a

SHA256
0d93135c8a9aa6d2ed65fe96868f14ef1ebbb878f3077afa68601bdeb709bcdd

SHA512
04cb7a3063e6055f617d4994307e28406a74bcee5bdab2756d6ed9ce64473fda2f272afbd505c456af8596b3cdb1e7453fbb09fe2a285ac1ecd0a2088226bbfe

Download Submit
C:\Windows\SysWOW64\Bdaabk32.exe

Filesize
302KB

MD5
7d4ce6cd1f2b38c90059148527a5b5e4

SHA1
013f62e6f0e582c66db5f88b6064d2da0c745e4e

SHA256
3174608438429e80f8b22cdba41d8e6eaf3d6973a73965b320b9586e89e004f8

SHA512
a104dbc5ad3fadee2aa72f323befeb242bf6d58691b594de762231874b5b29cb24f326d9de9dbabe1d644c2c14ad673fcd8184f974a5afe60246655e653c3bd8

Download Submit
C:\Windows\SysWOW64\Cofaog32.exe

Filesize
302KB

MD5
99b1929463d8908367ebe0b5b76ffe9f

SHA1
7bb7915d2daed48ae852208d834cca2cdf6ac117

SHA256
c139c629f34522663549ab68f8670ec5c8e2a5905755f20c0483580fc22195b6

SHA512
02352cb1b7346f4645f943f8f36d112014d7e73fdfa6c877e8c905754e6d3af1f16420ff49063680eed443379f30e1c0fc955064be500e3a7be262387be5eaf6

Download Submit
C:\Windows\SysWOW64\Jggdmb32.dll

Filesize
7KB

MD5
e518983b92091e29874817461100efe8

SHA1
243583bba2e4f40095248141542fb5799dfc4964

SHA256
6975fbee3094eae5f936816462f3ebb9efcbafb3a698a2930edb06a84726f8e8

SHA512
2c971330d9adb09d88b0dcb98e7fd2a5ce7e59d0d5e12bf9db4e1dbe2d717391bedb3703d168b02b77034f97b41d4da497ad2ee62c694a9ccfa3bda3974c98e0

Download Submit
\Windows\SysWOW64\Bdfjnkne.exe

Filesize
302KB

MD5
72d8d0371492e344cbd00e82ad67b155

SHA1
6ca32cdd33eff5434454faecf1570111bb93405f

SHA256
0eefd09fe17b47930ec130779ea669d6d53b5510a59ad71ea55d72956009cc8a

SHA512
adb2d00f2db8fe40f0a7f19f06a974b60a88ed4d33aa9dd49dd5a5412e54fdded439ecbb03341cf4d35f7e140ef5ac63443e377a56ce3c03ef5da8781e6d9b37

Download Submit
\Windows\SysWOW64\Bkkioeig.exe

Filesize
302KB

MD5
8974f635ea67cecc26d4442346dbb200

SHA1
71bccaa3b3924f6eb1b90a8f19cd85d7b896ecc5

SHA256
8c1492a6b333303a6fac291d764ba1bce6f5fb24cfa2d21653ef74e36606301b

SHA512
0dbdf58666fb7855123c3385738b712db02c5b1e9dd54b1ba6a8a55598cb58df2502544310299238b81f56107fe65ee6ae4b1a749f1b28d83b41f02b660010ab

Download Submit
\Windows\SysWOW64\Bmlbaqfh.exe

Filesize
302KB

MD5
3592a5b0563febc7b8794840677552ad

SHA1
462667432d98d169723e483e68c7b6f4a0dea95f

SHA256
d3b8f8e4d55ece24fc0ad59fd168759614372667bc14e7223a0f70d62b33fd53

SHA512
9640dc1d01db89c02805b18c22fdb7f10467a322592ea837539e196b0a6563bf888bc7500d3616004f1146301802978915a9d5138008febe88b32a1534466af7

Download Submit
\Windows\SysWOW64\Bopknhjd.exe

Filesize
302KB

MD5
60b3fd2db846e0aedc4b073b3d5b2ab3

SHA1
894a5cbe8c04566d6c732d511d4d5d01f8a6f15e

SHA256
5dd26c3aaf7ff7fa544fe86130a7215c2d366dc1284a01474d06642806fff0e6

SHA512
b9e6e0519d29c1fb1cd693dc37f7d1c226546628a2079b26c6dc3b823ebedc657bbd05f606fdaff8fc52931a3c4f412f99cd6b1deba2de82293d203865d3c442

Download Submit
\Windows\SysWOW64\Cdamao32.exe

Filesize
302KB

MD5
db40b74e14139ddc887119e2681fcd9c

SHA1
ff7461b9cda7055881299811a1263b19f85bd748

SHA256
7c3767e3e0d572d62f72efa7f98cccd21188c85f14ba25b40537f079866ee1ae

SHA512
71c4af12c4e3c4f404fdc4505d2e1c3ddc554a311aa81bd35c0a9ba1fef64d1050a99d95178645ee37c6eacab9a1760876e9084805a63d516f6a03d75ef962f1

Download Submit
\Windows\SysWOW64\Ceickb32.exe

Filesize
302KB

MD5
8b4edca2cc871e88de14dde3cb3fc0c4

SHA1
04a605276303fd5f52336096382b294464a374e3

SHA256
0e12330601c9bebabddcbd8ab05443c04129cba31115ab14144ce2ad18cd9a26

SHA512
6c33e759ed79bd471d348e7d392046d9e3abec5bb0a9a4b2666ea912d53d3da9fddf538a3b1783170a6d63249aaa031cdeea96c3cca920712f978f506a32867c

Download Submit
\Windows\SysWOW64\Chhpgn32.exe

Filesize
302KB

MD5
8a725c8c0187fcd85f07a437f21107b7

SHA1
dfeee1082137719c9f96c4eaeb0f8de90f6f3953

SHA256
1cfb04f05d60163b8fb4e90c2a5086750ca4ff40317a2c4d68ee1fe9874e1e5d

SHA512
59d93f6dd32895e2da9ad263ec514d5d0032b3dad095881ff84d73c4cb0f520b8a766c08b27d253a7f38e259cf76864325446b05177e653619059f8d56241bec

Download Submit
\Windows\SysWOW64\Chofhm32.exe

Filesize
302KB

MD5
af47103e97239edfffd3f87ae4bf6102

SHA1
29cef3b9a07f27d4c837a7cd9aa09f509c443d2d

SHA256
48cb751edee93ce2463aac078351f30412cb8ec1fd9e4f4f9e9511d4cd36da17

SHA512
866d9555b11549c64a19c6db8e74612919204b12207a65c4ac10977207f67b2e7534a5a64bf16d90ac7f4fac9400dc6bef473feb9bbd337be25304f4a418e8dc

Download Submit
\Windows\SysWOW64\Ciglaa32.exe

Filesize
302KB

MD5
729adbff364a0782402b5d3634ae00e6

SHA1
7428d94efb70beb5773a906f353a1057596c2396

SHA256
9701cbf05af0ad74bb53047e6e89ee9dea8a2f1fdda92a563875e447f455d00f

SHA512
4e324a36a59972908f2dccd817567d96e9f119015cfa0ee17fac893b5ce667d2b6c3aedecb8fc7f43a8433fa5c8ee442c9b7245e6b36bd500bed5294114cce8b

Download Submit
\Windows\SysWOW64\Coindgbi.exe

Filesize
302KB

MD5
954fd3f662dc6dfb8c83333011b761af

SHA1
f75f22a4dc1305763327757fa8cb549c7dfe2025

SHA256
45b147b38549aeda143dd95bca29fae4165b1d955c93b930b4977f784ccf0096

SHA512
605761766d47cc8b937634169b55d7a88bf9fc6890ce27d7af7de64b2eea58ffc5804227a2e8757d93f8f65159601f4aa3026a267f05afb34cfdfcf4deb00320

Download Submit
memory/264-178-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/264-188-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/376-159-0x00000000002D0000-0x0000000000315000-memory.dmp

Filesize
276KB

Download
memory/376-186-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/628-69-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/628-77-0x0000000000250000-0x0000000000295000-memory.dmp

Filesize
276KB

Download
memory/628-182-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1456-180-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1456-14-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1732-12-0x0000000000310000-0x0000000000355000-memory.dmp

Filesize
276KB

Download
memory/1732-179-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1732-0-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1732-13-0x0000000000310000-0x0000000000355000-memory.dmp

Filesize
276KB

Download
memory/1804-115-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1804-123-0x00000000002F0000-0x0000000000335000-memory.dmp

Filesize
276KB

Download
memory/1952-103-0x0000000000330000-0x0000000000375000-memory.dmp

Filesize
276KB

Download
memory/1952-96-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1952-184-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2192-132-0x00000000002D0000-0x0000000000315000-memory.dmp

Filesize
276KB

Download
memory/2192-185-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2192-124-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2380-187-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2380-176-0x0000000000250000-0x0000000000295000-memory.dmp

Filesize
276KB

Download
memory/2652-95-0x0000000000280000-0x00000000002C5000-memory.dmp

Filesize
276KB

Download
memory/2652-183-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2732-32-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2732-40-0x0000000000280000-0x00000000002C5000-memory.dmp

Filesize
276KB

Download
memory/2776-41-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2776-181-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2776-52-0x0000000000370000-0x00000000003B5000-memory.dmp

Filesize
276KB

Download
memory/2776-54-0x0000000000370000-0x00000000003B5000-memory.dmp

Filesize
276KB

Download
memory/2888-61-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2952-151-0x0000000000310000-0x0000000000355000-memory.dmp

Filesize
276KB

Download
memory/2952-144-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads