d4df1cbaa8c00f01a574d6f93d74c7a73dba9509f84d54885f5cf72bf46d23c8

General

Target

d4df1cbaa8c00f01a574d6f93d74c7a73dba9509f84d54885f5cf72bf46d23c8.exe
Size

85KB
MD5

0cdc48b7c47f4a87b83a0e31f67a6868
SHA1

3c7001aeedb5818edcd930f63f4687216f35e681
SHA256

d4df1cbaa8c00f01a574d6f93d74c7a73dba9509f84d54885f5cf72bf46d23c8
SHA512

ddc4eda35a335beb7709ece5929972a16e6a83de91d780e96abea9feb80bc251fb9c16d8f82f08b9f4c680816fff44d6907c039078eb1745f02f05629be68103
SSDEEP

1536:kQzVb4i29nYdcMS5fOgtm2LHfAMQ262AjCsQ2PCZZrqOlNfVSLUK+:ii29nYdcM6OcLHIMQH2qC7ZQOlzSLUK+

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d4df1cbaa8c00f01a574d6f93d74c7a73dba9509f84d54885f5cf72bf46d23c8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	d4df1cbaa8c00f01a574d6f93d74c7a73dba9509f84d54885f5cf72bf46d23c8.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckiigmcd.exe

Executes dropped EXE 2 IoCs

pid	Process
2732	Ckiigmcd.exe
2644	Cacacg32.exe

Loads dropped DLL 8 IoCs

pid	Process
2928	d4df1cbaa8c00f01a574d6f93d74c7a73dba9509f84d54885f5cf72bf46d23c8.exe
2928	d4df1cbaa8c00f01a574d6f93d74c7a73dba9509f84d54885f5cf72bf46d23c8.exe
2732	Ckiigmcd.exe
2732	Ckiigmcd.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ckiigmcd.exe	d4df1cbaa8c00f01a574d6f93d74c7a73dba9509f84d54885f5cf72bf46d23c8.exe
File opened for modification	C:\Windows\SysWOW64\Ckiigmcd.exe	d4df1cbaa8c00f01a574d6f93d74c7a73dba9509f84d54885f5cf72bf46d23c8.exe
File created	C:\Windows\SysWOW64\Bjpdmqog.dll	d4df1cbaa8c00f01a574d6f93d74c7a73dba9509f84d54885f5cf72bf46d23c8.exe
File created	C:\Windows\SysWOW64\Cacacg32.exe	Ckiigmcd.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Ckiigmcd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2780	2644	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d4df1cbaa8c00f01a574d6f93d74c7a73dba9509f84d54885f5cf72bf46d23c8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiigmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	d4df1cbaa8c00f01a574d6f93d74c7a73dba9509f84d54885f5cf72bf46d23c8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjpdmqog.dll"	d4df1cbaa8c00f01a574d6f93d74c7a73dba9509f84d54885f5cf72bf46d23c8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	d4df1cbaa8c00f01a574d6f93d74c7a73dba9509f84d54885f5cf72bf46d23c8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	d4df1cbaa8c00f01a574d6f93d74c7a73dba9509f84d54885f5cf72bf46d23c8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	d4df1cbaa8c00f01a574d6f93d74c7a73dba9509f84d54885f5cf72bf46d23c8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	d4df1cbaa8c00f01a574d6f93d74c7a73dba9509f84d54885f5cf72bf46d23c8.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 2732	2928	d4df1cbaa8c00f01a574d6f93d74c7a73dba9509f84d54885f5cf72bf46d23c8.exe	30
PID 2928 wrote to memory of 2732	2928	d4df1cbaa8c00f01a574d6f93d74c7a73dba9509f84d54885f5cf72bf46d23c8.exe	30
PID 2928 wrote to memory of 2732	2928	d4df1cbaa8c00f01a574d6f93d74c7a73dba9509f84d54885f5cf72bf46d23c8.exe	30
PID 2928 wrote to memory of 2732	2928	d4df1cbaa8c00f01a574d6f93d74c7a73dba9509f84d54885f5cf72bf46d23c8.exe	30
PID 2732 wrote to memory of 2644	2732	Ckiigmcd.exe	31
PID 2732 wrote to memory of 2644	2732	Ckiigmcd.exe	31
PID 2732 wrote to memory of 2644	2732	Ckiigmcd.exe	31
PID 2732 wrote to memory of 2644	2732	Ckiigmcd.exe	31
PID 2644 wrote to memory of 2780	2644	Cacacg32.exe	32
PID 2644 wrote to memory of 2780	2644	Cacacg32.exe	32
PID 2644 wrote to memory of 2780	2644	Cacacg32.exe	32
PID 2644 wrote to memory of 2780	2644	Cacacg32.exe	32

C:\Users\Admin\AppData\Local\Temp\d4df1cbaa8c00f01a574d6f93d74c7a73dba9509f84d54885f5cf72bf46d23c8.exe
"C:\Users\Admin\AppData\Local\Temp\d4df1cbaa8c00f01a574d6f93d74c7a73dba9509f84d54885f5cf72bf46d23c8.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Windows\SysWOW64\Ckiigmcd.exe
  C:\Windows\system32\Ckiigmcd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\SysWOW64\Cacacg32.exe
    C:\Windows\system32\Cacacg32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 140
      4⤵
      Loads dropped DLL
      Program crash
      PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ckiigmcd.exe

Filesize
85KB

MD5
e5c211dcb9e6f2cecf3f6826cd17ea51

SHA1
5ccdd1cc440ef1ace327d790337583fc99ea6a05

SHA256
d6ececf402d331d946e5402058e927abd9ae505ed1df3137d87a75592d684df8

SHA512
fec8c467eb1ad3187b5b30bd7caa2e5434158ca48ff0011b34ee7ccc6e35ff3b91b782e12d754036100fa62a5f66c31ce57001130bb1f9389b8bcfa1fc886c56

Download Submit
\Windows\SysWOW64\Cacacg32.exe

Filesize
85KB

MD5
3994aac412ca3edc032bd08ef875cee8

SHA1
b44e8d64a5acb023e9d91dff6ea5f76b7743f75a

SHA256
e9f1e78273a00ab2d3b3646d98a917ca20a0a255da6bc73b4a42b25ab9c2c0ea

SHA512
ac06fb46f36038917c930e3fe07d34c2fe5fe68bc8fee2d53f88abe95bf056df7259fde011b769dae45bdbdbe25eb7acb51a7007499bd83c00bed95501ee0fbd

Download Submit
memory/2644-34-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2732-18-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2732-20-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2732-33-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2928-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2928-12-0x0000000000280000-0x00000000002C1000-memory.dmp

Filesize
260KB

Download
memory/2928-31-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2928-32-0x0000000000280000-0x00000000002C1000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads