57f21f3b07f85167975e47e26d6cfd3f18fd7078385f0f22e7ea64999e6a26fe

Analysis

max time kernel
140s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
02-09-2024 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57f21f3b07f85167975e47e26d6cfd3f18fd7078385f0f22e7ea64999e6a26fe.exe
Size

72KB
MD5

ebc6dd43160343659d76e9f25a380923
SHA1

51ce8adc06ae057c1ef994d3c510725c3aff7806
SHA256

57f21f3b07f85167975e47e26d6cfd3f18fd7078385f0f22e7ea64999e6a26fe
SHA512

13f8b89b69f422e9f69373b9b825bcbdea0f3efd293d8d765a8a71ef7bafe18583bd3a0a2b0ada1bf63eb02ebe273937c0aae5c36a7594be9523ba0380a316ce
SSDEEP

1536:JuvbURwunczVHNpadRWEfV9m3sF/CX1rxxT:JuDURnsVHrCN9m3sUFr3

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhhpeafc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bobhal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cilibi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdanpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	57f21f3b07f85167975e47e26d6cfd3f18fd7078385f0f22e7ea64999e6a26fe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bobhal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cddjebgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cddjebgb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	57f21f3b07f85167975e47e26d6cfd3f18fd7078385f0f22e7ea64999e6a26fe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Blaopqpo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhpeafc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdanpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgpjlnhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgpjlnhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Behgcf32.exe

Executes dropped EXE 12 IoCs

pid	Process
2872	Behgcf32.exe
2712	Blaopqpo.exe
2732	Bjdplm32.exe
2644	Bejdiffp.exe
2208	Bhhpeafc.exe
952	Bobhal32.exe
2064	Cdoajb32.exe
2000	Cilibi32.exe
1800	Cdanpb32.exe
288	Cgpjlnhh.exe
2808	Cddjebgb.exe
1804	Ceegmj32.exe

Loads dropped DLL 28 IoCs

pid	Process
2700	57f21f3b07f85167975e47e26d6cfd3f18fd7078385f0f22e7ea64999e6a26fe.exe
2700	57f21f3b07f85167975e47e26d6cfd3f18fd7078385f0f22e7ea64999e6a26fe.exe
2872	Behgcf32.exe
2872	Behgcf32.exe
2712	Blaopqpo.exe
2712	Blaopqpo.exe
2732	Bjdplm32.exe
2732	Bjdplm32.exe
2644	Bejdiffp.exe
2644	Bejdiffp.exe
2208	Bhhpeafc.exe
2208	Bhhpeafc.exe
952	Bobhal32.exe
952	Bobhal32.exe
2064	Cdoajb32.exe
2064	Cdoajb32.exe
2000	Cilibi32.exe
2000	Cilibi32.exe
1800	Cdanpb32.exe
1800	Cdanpb32.exe
288	Cgpjlnhh.exe
288	Cgpjlnhh.exe
2808	Cddjebgb.exe
2808	Cddjebgb.exe
764	WerFault.exe
764	WerFault.exe
764	WerFault.exe
764	WerFault.exe

Drops file in System32 directory 36 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nmmfff32.dll	Bjdplm32.exe
File opened for modification	C:\Windows\SysWOW64\Cdoajb32.exe	Bobhal32.exe
File created	C:\Windows\SysWOW64\Cilibi32.exe	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Bjdplm32.exe	Blaopqpo.exe
File opened for modification	C:\Windows\SysWOW64\Bobhal32.exe	Bhhpeafc.exe
File opened for modification	C:\Windows\SysWOW64\Cilibi32.exe	Cdoajb32.exe
File opened for modification	C:\Windows\SysWOW64\Behgcf32.exe	57f21f3b07f85167975e47e26d6cfd3f18fd7078385f0f22e7ea64999e6a26fe.exe
File created	C:\Windows\SysWOW64\Blaopqpo.exe	Behgcf32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhpeafc.exe	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Cddjebgb.exe	Cgpjlnhh.exe
File created	C:\Windows\SysWOW64\Dhnook32.dll	57f21f3b07f85167975e47e26d6cfd3f18fd7078385f0f22e7ea64999e6a26fe.exe
File created	C:\Windows\SysWOW64\Cdoajb32.exe	Bobhal32.exe
File created	C:\Windows\SysWOW64\Hgpmbc32.dll	Cdoajb32.exe
File opened for modification	C:\Windows\SysWOW64\Cdanpb32.exe	Cilibi32.exe
File opened for modification	C:\Windows\SysWOW64\Ceegmj32.exe	Cddjebgb.exe
File created	C:\Windows\SysWOW64\Bejdiffp.exe	Bjdplm32.exe
File created	C:\Windows\SysWOW64\Bobhal32.exe	Bhhpeafc.exe
File created	C:\Windows\SysWOW64\Dojofhjd.dll	Cdanpb32.exe
File opened for modification	C:\Windows\SysWOW64\Cddjebgb.exe	Cgpjlnhh.exe
File created	C:\Windows\SysWOW64\Cdanpb32.exe	Cilibi32.exe
File created	C:\Windows\SysWOW64\Aoogfhfp.dll	Cddjebgb.exe
File created	C:\Windows\SysWOW64\Behgcf32.exe	57f21f3b07f85167975e47e26d6cfd3f18fd7078385f0f22e7ea64999e6a26fe.exe
File created	C:\Windows\SysWOW64\Fpcopobi.dll	Blaopqpo.exe
File created	C:\Windows\SysWOW64\Bhhpeafc.exe	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Imklkg32.dll	Bhhpeafc.exe
File created	C:\Windows\SysWOW64\Ceegmj32.exe	Cddjebgb.exe
File created	C:\Windows\SysWOW64\Jodjlm32.dll	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Dnabbkhk.dll	Bobhal32.exe
File created	C:\Windows\SysWOW64\Aincgi32.dll	Cilibi32.exe
File created	C:\Windows\SysWOW64\Cgpjlnhh.exe	Cdanpb32.exe
File opened for modification	C:\Windows\SysWOW64\Cgpjlnhh.exe	Cdanpb32.exe
File created	C:\Windows\SysWOW64\Bhdmagqq.dll	Cgpjlnhh.exe
File opened for modification	C:\Windows\SysWOW64\Blaopqpo.exe	Behgcf32.exe
File created	C:\Windows\SysWOW64\Cfgheegc.dll	Behgcf32.exe
File opened for modification	C:\Windows\SysWOW64\Bjdplm32.exe	Blaopqpo.exe
File opened for modification	C:\Windows\SysWOW64\Bejdiffp.exe	Bjdplm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
764	1804	WerFault.exe	42

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	57f21f3b07f85167975e47e26d6cfd3f18fd7078385f0f22e7ea64999e6a26fe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blaopqpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cilibi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdanpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejdiffp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhpeafc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceegmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdoajb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cddjebgb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Behgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bobhal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgpjlnhh.exe

Modifies registry class 39 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	57f21f3b07f85167975e47e26d6cfd3f18fd7078385f0f22e7ea64999e6a26fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	57f21f3b07f85167975e47e26d6cfd3f18fd7078385f0f22e7ea64999e6a26fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Behgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dojofhjd.dll"	Cdanpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhdmagqq.dll"	Cgpjlnhh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	57f21f3b07f85167975e47e26d6cfd3f18fd7078385f0f22e7ea64999e6a26fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhhpeafc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bobhal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgpjlnhh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cddjebgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imklkg32.dll"	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpmbc32.dll"	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgpjlnhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jodjlm32.dll"	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfgheegc.dll"	Behgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Blaopqpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdanpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll"	Cddjebgb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	57f21f3b07f85167975e47e26d6cfd3f18fd7078385f0f22e7ea64999e6a26fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpcopobi.dll"	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bobhal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	57f21f3b07f85167975e47e26d6cfd3f18fd7078385f0f22e7ea64999e6a26fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmmfff32.dll"	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdanpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cddjebgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhnook32.dll"	57f21f3b07f85167975e47e26d6cfd3f18fd7078385f0f22e7ea64999e6a26fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnabbkhk.dll"	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aincgi32.dll"	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Behgcf32.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2872	2700	57f21f3b07f85167975e47e26d6cfd3f18fd7078385f0f22e7ea64999e6a26fe.exe	31
PID 2700 wrote to memory of 2872	2700	57f21f3b07f85167975e47e26d6cfd3f18fd7078385f0f22e7ea64999e6a26fe.exe	31
PID 2700 wrote to memory of 2872	2700	57f21f3b07f85167975e47e26d6cfd3f18fd7078385f0f22e7ea64999e6a26fe.exe	31
PID 2700 wrote to memory of 2872	2700	57f21f3b07f85167975e47e26d6cfd3f18fd7078385f0f22e7ea64999e6a26fe.exe	31
PID 2872 wrote to memory of 2712	2872	Behgcf32.exe	32
PID 2872 wrote to memory of 2712	2872	Behgcf32.exe	32
PID 2872 wrote to memory of 2712	2872	Behgcf32.exe	32
PID 2872 wrote to memory of 2712	2872	Behgcf32.exe	32
PID 2712 wrote to memory of 2732	2712	Blaopqpo.exe	33
PID 2712 wrote to memory of 2732	2712	Blaopqpo.exe	33
PID 2712 wrote to memory of 2732	2712	Blaopqpo.exe	33
PID 2712 wrote to memory of 2732	2712	Blaopqpo.exe	33
PID 2732 wrote to memory of 2644	2732	Bjdplm32.exe	34
PID 2732 wrote to memory of 2644	2732	Bjdplm32.exe	34
PID 2732 wrote to memory of 2644	2732	Bjdplm32.exe	34
PID 2732 wrote to memory of 2644	2732	Bjdplm32.exe	34
PID 2644 wrote to memory of 2208	2644	Bejdiffp.exe	35
PID 2644 wrote to memory of 2208	2644	Bejdiffp.exe	35
PID 2644 wrote to memory of 2208	2644	Bejdiffp.exe	35
PID 2644 wrote to memory of 2208	2644	Bejdiffp.exe	35
PID 2208 wrote to memory of 952	2208	Bhhpeafc.exe	36
PID 2208 wrote to memory of 952	2208	Bhhpeafc.exe	36
PID 2208 wrote to memory of 952	2208	Bhhpeafc.exe	36
PID 2208 wrote to memory of 952	2208	Bhhpeafc.exe	36
PID 952 wrote to memory of 2064	952	Bobhal32.exe	37
PID 952 wrote to memory of 2064	952	Bobhal32.exe	37
PID 952 wrote to memory of 2064	952	Bobhal32.exe	37
PID 952 wrote to memory of 2064	952	Bobhal32.exe	37
PID 2064 wrote to memory of 2000	2064	Cdoajb32.exe	38
PID 2064 wrote to memory of 2000	2064	Cdoajb32.exe	38
PID 2064 wrote to memory of 2000	2064	Cdoajb32.exe	38
PID 2064 wrote to memory of 2000	2064	Cdoajb32.exe	38
PID 2000 wrote to memory of 1800	2000	Cilibi32.exe	39
PID 2000 wrote to memory of 1800	2000	Cilibi32.exe	39
PID 2000 wrote to memory of 1800	2000	Cilibi32.exe	39
PID 2000 wrote to memory of 1800	2000	Cilibi32.exe	39
PID 1800 wrote to memory of 288	1800	Cdanpb32.exe	40
PID 1800 wrote to memory of 288	1800	Cdanpb32.exe	40
PID 1800 wrote to memory of 288	1800	Cdanpb32.exe	40
PID 1800 wrote to memory of 288	1800	Cdanpb32.exe	40
PID 288 wrote to memory of 2808	288	Cgpjlnhh.exe	41
PID 288 wrote to memory of 2808	288	Cgpjlnhh.exe	41
PID 288 wrote to memory of 2808	288	Cgpjlnhh.exe	41
PID 288 wrote to memory of 2808	288	Cgpjlnhh.exe	41
PID 2808 wrote to memory of 1804	2808	Cddjebgb.exe	42
PID 2808 wrote to memory of 1804	2808	Cddjebgb.exe	42
PID 2808 wrote to memory of 1804	2808	Cddjebgb.exe	42
PID 2808 wrote to memory of 1804	2808	Cddjebgb.exe	42
PID 1804 wrote to memory of 764	1804	Ceegmj32.exe	43
PID 1804 wrote to memory of 764	1804	Ceegmj32.exe	43
PID 1804 wrote to memory of 764	1804	Ceegmj32.exe	43
PID 1804 wrote to memory of 764	1804	Ceegmj32.exe	43

C:\Users\Admin\AppData\Local\Temp\57f21f3b07f85167975e47e26d6cfd3f18fd7078385f0f22e7ea64999e6a26fe.exe
"C:\Users\Admin\AppData\Local\Temp\57f21f3b07f85167975e47e26d6cfd3f18fd7078385f0f22e7ea64999e6a26fe.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\SysWOW64\Behgcf32.exe
  C:\Windows\system32\Behgcf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\SysWOW64\Blaopqpo.exe
    C:\Windows\system32\Blaopqpo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\SysWOW64\Bjdplm32.exe
      C:\Windows\system32\Bjdplm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\SysWOW64\Bejdiffp.exe
        
        C:\Windows\system32\Bejdiffp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2644
      - C:\Windows\SysWOW64\Bhhpeafc.exe
        
        C:\Windows\system32\Bhhpeafc.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\Bobhal32.exe
        
        C:\Windows\system32\Bobhal32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Windows\SysWOW64\Cdoajb32.exe
        
        C:\Windows\system32\Cdoajb32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\Cilibi32.exe
        
        C:\Windows\system32\Cilibi32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\Cdanpb32.exe
        
        C:\Windows\system32\Cdanpb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\Cgpjlnhh.exe
        
        C:\Windows\system32\Cgpjlnhh.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:288
        
        C:\Windows\SysWOW64\Cddjebgb.exe
        
        C:\Windows\system32\Cddjebgb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 140
        14⤵
        Loads dropped DLL
        Program crash
        
        PID:764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bejdiffp.exe

Filesize
72KB

MD5
d897d875f82c460138dea64379b30616

SHA1
768749c61c9f88437944c5e53a703a7d1f6a94f5

SHA256
df4fc2921570c0f1625066b56a07b9bf16522717a7ad18672fc3e60b9eac1c49

SHA512
f9ef1fb606f24d52349a8a0c311097268b9f81a18532ee410870030cae4a87a092eeb5386593e3f90f476cd2325bdd87391222dc1f8be651e33038a474c01b1b

Download Submit
C:\Windows\SysWOW64\Bhhpeafc.exe

Filesize
72KB

MD5
7e8a3ebd1ee0ed1dba979d3b0b4cbc85

SHA1
49d5046d53394c5e67fc17c1a23eb95974a9de3d

SHA256
ab35dc22bcc5da0a93f8f50e1d8214efe4074e869e2986cd6c71c0daa6ce771d

SHA512
615308b03ca23a318398e442a244ddba6f214349d92436bdc0a77450c31501c6d9a0a3d18f45f9ae851dd794c9957c82b1da310f6c1171fe0ca2953835dd153a

Download Submit
C:\Windows\SysWOW64\Blaopqpo.exe

Filesize
72KB

MD5
aaf692fe7b89301bba282066884a6752

SHA1
347c1d41c7b4464ac9ccc349cb763a7a356da98b

SHA256
629855e2eda8d634a4e2df0638c3f00a5be93cadbf0a2ab0999523e44b4019c1

SHA512
3a9a3b67fecb7ea31fc8a3cc7df5896d6c9902139474f61318b97140d9b85dcd2b76135cc560a111a85a67cf66a7afa6d9c6b570c65721835342da138d26f091

Download Submit
C:\Windows\SysWOW64\Cdanpb32.exe

Filesize
72KB

MD5
6ddcf2da1ce76f73576d7f54b35e8605

SHA1
098e6c4e3e7fb9ccf8d6feb24959ce7177fbe082

SHA256
63b73473442253c741fd4144787de90036df0af8b0382744f48cf3724b36212e

SHA512
4d590760cf4e7b8e8e0aefe6383c72bec7ec477e92e826cb3d1c9044a7b924c115a33ff94b740068241e2e6f16c5f7970aeffc09de1710158c44261f9795dbea

Download Submit
C:\Windows\SysWOW64\Jodjlm32.dll

Filesize
7KB

MD5
eb45c275655c2c6365dd98230855fc20

SHA1
24fca233d1c44f48a646685266972e6ec94d3918

SHA256
9afe59853c3f2f538189fadd0af5620e1c181de2dbe38fbc9b3b615dfc166b46

SHA512
cef95884e0bef5007cd81508acb4755b80ed331760a06630bb6f3026d63c3845585095b28beecbea47082c70b6cc81ef1dff27d9cfadeede7f76d758d53b4307

Download Submit
\Windows\SysWOW64\Behgcf32.exe

Filesize
72KB

MD5
b8e61412044175d5a98f568030168e13

SHA1
4cd08271e383919384ae1cb9b65751e80e8436fe

SHA256
4a2dfbede556979bf898f0ebad6bc8fe0395f29e26d57d98e4801e13ff866b2d

SHA512
211d74aa4eb724a58d3cddc57e7e0747f9515463ec335cab3465594dccc13f0423f2dfe21a7d8830c259666bef801a353f83b8db378e32e6ad31e5c78053023b

Download Submit
\Windows\SysWOW64\Bjdplm32.exe

Filesize
72KB

MD5
630ae2ac608c8cfdbc969d22cc148b89

SHA1
41f4c67b809b1e65498edf4a846c17921fed052f

SHA256
e18b37f7f1cd5386608b936a80c20e0420fc5c5bc0a5c60e9a83280fc63b713f

SHA512
cd61371128ba1999e24d7b5f07b38aeb9cda74f36db7f30f9f57cd748af755af6416c0b41323879f3228cbb4b4cc9a775bba4f291118fc3ef188677e1b901f28

Download Submit
\Windows\SysWOW64\Bobhal32.exe

Filesize
72KB

MD5
0559510d051ba1c8e526aa90c45b6641

SHA1
de6a6663feca7dec6724b134ade7e046294a785f

SHA256
25509bac31793118f36ef900bbbc6246481f4613133cc328c0793d4b8f515a8b

SHA512
9eb9843003574f6199dd311c21157e329e7a363fba98c751be3e5ee8bfb57db7e02f2ad7171201fce321e16bad457615fc9072de4237b50fe7828dc4c715ab84

Download Submit
\Windows\SysWOW64\Cddjebgb.exe

Filesize
72KB

MD5
dcbf2ebfe5ee753064e6c741ed5f15d7

SHA1
e0703768949e215d042d06dfde677ec17e77c5c3

SHA256
81029ba87d29dbe35522eb68cd5a21ebc7a7dbd2350e6ebe1670063c84a5b69c

SHA512
8bc2a376f64d9e766ede4c88824cd26f4d460dd898deb13870ca39c099e9e6cd1802fd25ed57687de3c9f88b8e6470912fde80b034f26913547db98e387c6045

Download Submit
\Windows\SysWOW64\Cdoajb32.exe

Filesize
72KB

MD5
8b8e17baf8fc436c23f34f067d508f55

SHA1
3da2333ebadcc313265515b973a51873e4b7bf5d

SHA256
e8ae80a8a53234ac963a2523b6de657d3c000c9077b6fd1e0f4b18fdf437481b

SHA512
481d1be6b9b24c0291ec657f088730bd531fa2e5a292e5ee7ca5da58a30fa78ad247b97a60f82338608fc435eb685d05ad530adf95b481458cb1949a104828e6

Download Submit
\Windows\SysWOW64\Ceegmj32.exe

Filesize
72KB

MD5
44fdf40fda295dc548debba6dc228428

SHA1
8a3dc636f7311bfcb6ee56663a58685f1a6f071b

SHA256
31b37d3d395e3292e74406633430d54e5b914535562c79f8ad7b3989257c6753

SHA512
7125d477283340473569dd722423d24e7af66120d4a9ed6bf927bb3031900f0e3e8b851383d63db95f8b74da3ac0949589cfe492b81a75ba937e6768f60c9b2e

Download Submit
\Windows\SysWOW64\Cgpjlnhh.exe

Filesize
72KB

MD5
8252e41c396128b017aee2c491618b3a

SHA1
820ed9b4e2476b6d97961fe3c15a0fc5b5b06f63

SHA256
3a51f288c64625b74035e531e17a9289dd3e9d4a7acd355fd8e0054dd20b3c19

SHA512
95dc168e66b9532fec718635d6402726a2242f1e2f6aa1cbf72ebef2b27e78f28a693cd4970707dab12d6539c883dc0c46048061680ae9206c456dd38d8b2f9a

Download Submit
\Windows\SysWOW64\Cilibi32.exe

Filesize
72KB

MD5
ae9cd9d9827dc93480ddfe6aa09d8cd2

SHA1
7838416fe6b07bd9cd5adb3d6820f1fc44c26290

SHA256
c13d5076b9530b2f9135be593ab3e26864f37f1e9a8bde99b6839b3d10deef57

SHA512
6d789597ef56ed0973ea2db652c1aa45fd8094810b761ade0700c097fb0620befebf4a47b5e2abb743bcbd9d7d7a4d8973b832e74ccfe3aea4280690b4d35c66

Download Submit
memory/288-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/288-177-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/288-143-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/952-94-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/952-173-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/952-82-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1800-122-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1800-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1804-179-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1804-162-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2000-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2000-109-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2064-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2064-174-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2208-80-0x0000000000340000-0x0000000000374000-memory.dmp

Filesize
208KB

Download
memory/2208-172-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2644-67-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2644-62-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2644-171-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2700-12-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2700-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2700-8-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2700-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2712-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2712-169-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2712-35-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2732-54-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2732-170-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2808-149-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2808-178-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2872-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2872-26-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads