3642cc5574d62db91ec3efdf7ed3eb5f7f2cf2d60a814bfc99fcfa500f1fff09

General

Target

d72c4d2d85a90287a19e2764e8607ce0N.exe
Size

80KB
MD5

d72c4d2d85a90287a19e2764e8607ce0
SHA1

56bbfc3288f9558c02ff0f2a1e621ddb969218dd
SHA256

3642cc5574d62db91ec3efdf7ed3eb5f7f2cf2d60a814bfc99fcfa500f1fff09
SHA512

11c782b39e0faf6f88a79e610151fa3577805779b9c3845f091e1c4a1faef702ec2859dbc1b1625dc331d77e077218597bba2b17068a1d012a2d84a11c144080
SSDEEP

1536:uTm0GzFPhg3OfLfBlcYCl3OGFzqzDfWqdMVrlEFtyb7IYOOqw4Tv:ZrTTZiYi3OGFzqzTWqAhELy1MTTv

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	d72c4d2d85a90287a19e2764e8607ce0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdanpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cddjebgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clmbddgp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cddjebgb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d72c4d2d85a90287a19e2764e8607ce0N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdanpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clmbddgp.exe

Executes dropped EXE 5 IoCs

pid	Process
2872	Cfnmfn32.exe
2904	Cdanpb32.exe
1720	Clmbddgp.exe
2644	Cddjebgb.exe
2208	Ceegmj32.exe

Loads dropped DLL 14 IoCs

pid	Process
2700	d72c4d2d85a90287a19e2764e8607ce0N.exe
2700	d72c4d2d85a90287a19e2764e8607ce0N.exe
2872	Cfnmfn32.exe
2872	Cfnmfn32.exe
2904	Cdanpb32.exe
2904	Cdanpb32.exe
1720	Clmbddgp.exe
1720	Clmbddgp.exe
2644	Cddjebgb.exe
2644	Cddjebgb.exe
996	WerFault.exe
996	WerFault.exe
996	WerFault.exe
996	WerFault.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cdanpb32.exe	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Aincgi32.dll	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Bhdmagqq.dll	Clmbddgp.exe
File created	C:\Windows\SysWOW64\Cdanpb32.exe	Cfnmfn32.exe
File opened for modification	C:\Windows\SysWOW64\Clmbddgp.exe	Cdanpb32.exe
File opened for modification	C:\Windows\SysWOW64\Cddjebgb.exe	Clmbddgp.exe
File created	C:\Windows\SysWOW64\Aoogfhfp.dll	Cddjebgb.exe
File created	C:\Windows\SysWOW64\Clmbddgp.exe	Cdanpb32.exe
File created	C:\Windows\SysWOW64\Mabanhgg.dll	d72c4d2d85a90287a19e2764e8607ce0N.exe
File created	C:\Windows\SysWOW64\Eelloqic.dll	Cdanpb32.exe
File created	C:\Windows\SysWOW64\Cddjebgb.exe	Clmbddgp.exe
File opened for modification	C:\Windows\SysWOW64\Ceegmj32.exe	Cddjebgb.exe
File opened for modification	C:\Windows\SysWOW64\Cfnmfn32.exe	d72c4d2d85a90287a19e2764e8607ce0N.exe
File created	C:\Windows\SysWOW64\Ceegmj32.exe	Cddjebgb.exe
File created	C:\Windows\SysWOW64\Cfnmfn32.exe	d72c4d2d85a90287a19e2764e8607ce0N.exe

Program crash 1 IoCs

pid	pid_target	Process
996	2208	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d72c4d2d85a90287a19e2764e8607ce0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfnmfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdanpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clmbddgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cddjebgb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceegmj32.exe

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clmbddgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	d72c4d2d85a90287a19e2764e8607ce0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	d72c4d2d85a90287a19e2764e8607ce0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mabanhgg.dll"	d72c4d2d85a90287a19e2764e8607ce0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aincgi32.dll"	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdanpb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	d72c4d2d85a90287a19e2764e8607ce0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	d72c4d2d85a90287a19e2764e8607ce0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clmbddgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cddjebgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cddjebgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eelloqic.dll"	Cdanpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdanpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhdmagqq.dll"	Clmbddgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll"	Cddjebgb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	d72c4d2d85a90287a19e2764e8607ce0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfnmfn32.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2872	2700	d72c4d2d85a90287a19e2764e8607ce0N.exe	30
PID 2700 wrote to memory of 2872	2700	d72c4d2d85a90287a19e2764e8607ce0N.exe	30
PID 2700 wrote to memory of 2872	2700	d72c4d2d85a90287a19e2764e8607ce0N.exe	30
PID 2700 wrote to memory of 2872	2700	d72c4d2d85a90287a19e2764e8607ce0N.exe	30
PID 2872 wrote to memory of 2904	2872	Cfnmfn32.exe	31
PID 2872 wrote to memory of 2904	2872	Cfnmfn32.exe	31
PID 2872 wrote to memory of 2904	2872	Cfnmfn32.exe	31
PID 2872 wrote to memory of 2904	2872	Cfnmfn32.exe	31
PID 2904 wrote to memory of 1720	2904	Cdanpb32.exe	32
PID 2904 wrote to memory of 1720	2904	Cdanpb32.exe	32
PID 2904 wrote to memory of 1720	2904	Cdanpb32.exe	32
PID 2904 wrote to memory of 1720	2904	Cdanpb32.exe	32
PID 1720 wrote to memory of 2644	1720	Clmbddgp.exe	33
PID 1720 wrote to memory of 2644	1720	Clmbddgp.exe	33
PID 1720 wrote to memory of 2644	1720	Clmbddgp.exe	33
PID 1720 wrote to memory of 2644	1720	Clmbddgp.exe	33
PID 2644 wrote to memory of 2208	2644	Cddjebgb.exe	34
PID 2644 wrote to memory of 2208	2644	Cddjebgb.exe	34
PID 2644 wrote to memory of 2208	2644	Cddjebgb.exe	34
PID 2644 wrote to memory of 2208	2644	Cddjebgb.exe	34
PID 2208 wrote to memory of 996	2208	Ceegmj32.exe	35
PID 2208 wrote to memory of 996	2208	Ceegmj32.exe	35
PID 2208 wrote to memory of 996	2208	Ceegmj32.exe	35
PID 2208 wrote to memory of 996	2208	Ceegmj32.exe	35

C:\Users\Admin\AppData\Local\Temp\d72c4d2d85a90287a19e2764e8607ce0N.exe
"C:\Users\Admin\AppData\Local\Temp\d72c4d2d85a90287a19e2764e8607ce0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\SysWOW64\Cfnmfn32.exe
  C:\Windows\system32\Cfnmfn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\SysWOW64\Cdanpb32.exe
    C:\Windows\system32\Cdanpb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Windows\SysWOW64\Clmbddgp.exe
      C:\Windows\system32\Clmbddgp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1720
    - - C:\Windows\SysWOW64\Cddjebgb.exe
        
        C:\Windows\system32\Cddjebgb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2644
      - C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 140
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ceegmj32.exe

Filesize
80KB

MD5
833605bd25bf8f521f7429326700c4ab

SHA1
503255f03d9690d6fcc84e7ce655164f2a33815f

SHA256
d1fc16accabbf0695e6773087a2e6b20182ec426957d1d135477acf2bb359dfc

SHA512
f2d89be348765debbe1aa6f204488842707e58a49658c27e350c499cbd2655ae59637365c87ac80173fb835f7a0fb282cea3044b51c5b251e3892fce3d41e8e1

Download Submit
C:\Windows\SysWOW64\Clmbddgp.exe

Filesize
80KB

MD5
2892fe17c83bcdf37f0acb13d836e480

SHA1
40d826f4867d9d585e1d7ab05c424abd5a13393b

SHA256
7d090e10af2c9d36696780d2c325e4f78578fd3e1e80df95a17395227ff01ce3

SHA512
4966fcfb971803dd54be4d2197255af6416f795443d0a500df88c9feacb137a1ac43ee3a3573201796d0645e52414851cfc6d392f1f57ee89cff9d9214ada5e0

Download Submit
\Windows\SysWOW64\Cdanpb32.exe

Filesize
80KB

MD5
2307348d9021978ef68392789b19176a

SHA1
3feacedf1b3f3108f781530e3751a78adb50b6ea

SHA256
ec40f9a8aa95ffe2074f0f6b042b46760f5d37d1cdf939c21fba46918eeb70a8

SHA512
e75f163654a437693f21dd217b18963b3b349b57e0a138e0649497d2edd9be94783cbfc2264f699c72571ff71c28063134dadd4793f6722bded836eda8afdb39

Download Submit
\Windows\SysWOW64\Cddjebgb.exe

Filesize
80KB

MD5
02d00ab105e771efdfcba3c001eaa218

SHA1
02dc709cf3336bd414e98463963f29f52ea2853b

SHA256
2bdb171b7259e0aeca9f1d8e47e303814a2b2ea11e3c773f2d8203122206f0a4

SHA512
d6431441210a5f73e7770bd64fe930eb643fd84922d46066b9e3210b76c3b28b35ca8a95fa9fb2cc0ecdf379eec601ec1c3d84a85db89eb9ededd731a7e50d76

Download Submit
\Windows\SysWOW64\Cfnmfn32.exe

Filesize
80KB

MD5
5ec75967e0863ea13c67807f78b73d2f

SHA1
8720152ab32de629afc9ffd5eaaac539418ad5ba

SHA256
c983e80d41d293176739aa740fd57fcc7037fb0b002cbffaef2d6d7f154a31e0

SHA512
f8b70b0ae35e6df570eed85ded8b1dbc9f802ffa03572f73ad197f3b5faf2da3f60be6a0e5424553a04e8bb0582bc8e1cdf4e07e371679b4032282a15f671752

Download Submit
memory/1720-75-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2208-77-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2208-68-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2644-54-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2644-76-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2644-62-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2700-73-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2700-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2700-7-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/2872-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2872-25-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2904-34-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2904-40-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2904-74-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2904-27-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads