cc024191ef5e4fe8fee768bca51ec12a939df67315c3925343b75bfd8a9c1c1b

General

Target

1cc705bb1a69be5c231dbe6a712011a0N.exe
Size

45KB
MD5

1cc705bb1a69be5c231dbe6a712011a0
SHA1

e171462cd66159f3b2c10e3d9d363213af012837
SHA256

cc024191ef5e4fe8fee768bca51ec12a939df67315c3925343b75bfd8a9c1c1b
SHA512

dccc95e204579c65f7c286beb5f0148381843e23f5366079b35538b23cd3fd8be06e293eb99c27fe4a7978dbde25936389a09fe562693fb65ccbacdb5b62cc13
SSDEEP

768:BmjtRGd8oRYMun6DZPGt0qsk2/fbbRGE3UKKp/533ammx4hVS/1H59:ImaoRXvtq0qsk2/fbbRGCUK2BE47Yj

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1cc705bb1a69be5c231dbe6a712011a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1cc705bb1a69be5c231dbe6a712011a0N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdgic32.exe

Executes dropped EXE 5 IoCs

pid	Process
2060	Cgcnghpl.exe
2304	Cnmfdb32.exe
2988	Calcpm32.exe
2708	Djdgic32.exe
2796	Dpapaj32.exe

Loads dropped DLL 13 IoCs

pid	Process
2436	1cc705bb1a69be5c231dbe6a712011a0N.exe
2436	1cc705bb1a69be5c231dbe6a712011a0N.exe
2060	Cgcnghpl.exe
2060	Cgcnghpl.exe
2304	Cnmfdb32.exe
2304	Cnmfdb32.exe
2988	Calcpm32.exe
2988	Calcpm32.exe
2708	Djdgic32.exe
2708	Djdgic32.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Omakjj32.dll	1cc705bb1a69be5c231dbe6a712011a0N.exe
File created	C:\Windows\SysWOW64\Niebgj32.dll	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Djdgic32.exe
File created	C:\Windows\SysWOW64\Cnmfdb32.exe	Cgcnghpl.exe
File opened for modification	C:\Windows\SysWOW64\Cnmfdb32.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Calcpm32.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Djdgic32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Djdgic32.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	1cc705bb1a69be5c231dbe6a712011a0N.exe
File opened for modification	C:\Windows\SysWOW64\Cgcnghpl.exe	1cc705bb1a69be5c231dbe6a712011a0N.exe
File opened for modification	C:\Windows\SysWOW64\Calcpm32.exe	Cnmfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Djdgic32.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Ofaejacl.dll	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Djdgic32.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Ccofjipn.dll	Calcpm32.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32†Dhhhbg32.¿xe	Dpapaj32.exe
File created	C:\Windows\system32†Dhhhbg32.¿xe	Dpapaj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2168	2796	WerFault.exe	35

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1cc705bb1a69be5c231dbe6a712011a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	1cc705bb1a69be5c231dbe6a712011a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll"	1cc705bb1a69be5c231dbe6a712011a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	1cc705bb1a69be5c231dbe6a712011a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	1cc705bb1a69be5c231dbe6a712011a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	1cc705bb1a69be5c231dbe6a712011a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	1cc705bb1a69be5c231dbe6a712011a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll"	Cnmfdb32.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 2060	2436	1cc705bb1a69be5c231dbe6a712011a0N.exe	31
PID 2436 wrote to memory of 2060	2436	1cc705bb1a69be5c231dbe6a712011a0N.exe	31
PID 2436 wrote to memory of 2060	2436	1cc705bb1a69be5c231dbe6a712011a0N.exe	31
PID 2436 wrote to memory of 2060	2436	1cc705bb1a69be5c231dbe6a712011a0N.exe	31
PID 2060 wrote to memory of 2304	2060	Cgcnghpl.exe	32
PID 2060 wrote to memory of 2304	2060	Cgcnghpl.exe	32
PID 2060 wrote to memory of 2304	2060	Cgcnghpl.exe	32
PID 2060 wrote to memory of 2304	2060	Cgcnghpl.exe	32
PID 2304 wrote to memory of 2988	2304	Cnmfdb32.exe	33
PID 2304 wrote to memory of 2988	2304	Cnmfdb32.exe	33
PID 2304 wrote to memory of 2988	2304	Cnmfdb32.exe	33
PID 2304 wrote to memory of 2988	2304	Cnmfdb32.exe	33
PID 2988 wrote to memory of 2708	2988	Calcpm32.exe	34
PID 2988 wrote to memory of 2708	2988	Calcpm32.exe	34
PID 2988 wrote to memory of 2708	2988	Calcpm32.exe	34
PID 2988 wrote to memory of 2708	2988	Calcpm32.exe	34
PID 2708 wrote to memory of 2796	2708	Djdgic32.exe	35
PID 2708 wrote to memory of 2796	2708	Djdgic32.exe	35
PID 2708 wrote to memory of 2796	2708	Djdgic32.exe	35
PID 2708 wrote to memory of 2796	2708	Djdgic32.exe	35
PID 2796 wrote to memory of 2168	2796	Dpapaj32.exe	36
PID 2796 wrote to memory of 2168	2796	Dpapaj32.exe	36
PID 2796 wrote to memory of 2168	2796	Dpapaj32.exe	36
PID 2796 wrote to memory of 2168	2796	Dpapaj32.exe	36

C:\Users\Admin\AppData\Local\Temp\1cc705bb1a69be5c231dbe6a712011a0N.exe
"C:\Users\Admin\AppData\Local\Temp\1cc705bb1a69be5c231dbe6a712011a0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Windows\SysWOW64\Cgcnghpl.exe
  C:\Windows\system32\Cgcnghpl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\SysWOW64\Cnmfdb32.exe
    C:\Windows\system32\Cnmfdb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\Windows\SysWOW64\Calcpm32.exe
      C:\Windows\system32\Calcpm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2988
    - - C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2708
      - C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 144
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\Calcpm32.exe

Filesize
45KB

MD5
bd7121345800bd6096898b4f7b413193

SHA1
0574132631fc83dbb8c9ad36db5b6b6bbda3c29b

SHA256
60b81e2e977a7d97e5b9f21614cb53577ad29c6e89abad103c89ae7f379545ba

SHA512
674688f0f071b3538b489f9fb00fb4e87bfa4366a6a18758104f27662f4edfcda00abbef848c4dc8e59cf87ecd613cd9ab1194bdc86f166cf472f3489b1488b7

Download Submit
\Windows\SysWOW64\Cgcnghpl.exe

Filesize
45KB

MD5
1e3a524932996c41f4da950a9c353f31

SHA1
45b30255c5b7f94595f94a183383ec4a9234c797

SHA256
50a0d31ed3f02abd1b931f313a51f2100b244bff6de67b69c854ac204bd325b8

SHA512
eb21b4f7c2c8040698686abc3462bd5b9b39f611e273eb039851215c3b80ce5c666f4723970b110ed12d841fb398ca1cd225d7ec95e1a3a52889294ba340f671

Download Submit
\Windows\SysWOW64\Cnmfdb32.exe

Filesize
45KB

MD5
ffc2cf0b488ba6baec55a839975e7599

SHA1
683884d15953cc0e56c6591b8452706f6ce46fc5

SHA256
ecb7e5eeea96acab70dacbfab95fc6cfe0ab8a74ff640c3d34bed59d518acc5e

SHA512
ccb50b401feb438afc923c652a7520383b8737620564e2f316e2b6c4c64b791f9567967576636d2d2e7859071e54ee58cf1c259fb1c0b9eb43fd89c1feb48396

Download Submit
\Windows\SysWOW64\Djdgic32.exe

Filesize
45KB

MD5
b68ed574916bc2c33a8c714cfdc5b575

SHA1
b300b58ff3b9eaee8a6b26e5099ace1fc37efb59

SHA256
bd7fd7e6a87b0301e005926754b8e3bf90457d3ec524d4f3fb615ac9f7b9d8db

SHA512
4e759f749d12dd2b4a7fa29d575e24036f81d7307292b92fccd6091db941bb2f168d9b90a245d01b21118950bf0763939b1bfd81efba3da6793b46cf4c86dece

Download Submit
\Windows\SysWOW64\Dpapaj32.exe

Filesize
45KB

MD5
f67b66db4ca01e2c374cb15a54881ce2

SHA1
91e80242440606488efc6788e1e5ce00d9048d58

SHA256
69b8de7cb6b79d773e2bf7eeca20a0fe82cbd02e9b9ca3f295429694758418ae

SHA512
3d4bb867a15c821ffcfcc5083db205b3485f29ec6641c437eb8ee3696623889c460901f411fefa9076335654cd29e09e2f4babec793386f477a82daa3332d4b5

Download Submit
memory/2060-19-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2060-22-0x00000000001E0000-0x000000000020F000-memory.dmp

Filesize
188KB

Download
memory/2060-27-0x00000000001E0000-0x000000000020F000-memory.dmp

Filesize
188KB

Download
memory/2304-29-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2304-37-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2304-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2436-77-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2436-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2436-12-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2436-6-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2708-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2708-68-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2708-81-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2796-73-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2796-82-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2988-54-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2988-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads