Overview

overview

10

Static

static

3

fe01b92794...41.exe

windows7-x64

10

fe01b92794...41.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03/09/2024, 06:50

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    fe01b92794805f41931d81a1958ccd43d986e6a3d012219084c6b4014a420841.exe

  • Size

    67KB

  • MD5

    eee4207ed42455d8df6553215c1bfed5

  • SHA1

    3bf5161f0d3afea08296728ddb56a3348399ad26

  • SHA256

    fe01b92794805f41931d81a1958ccd43d986e6a3d012219084c6b4014a420841

  • SHA512

    feecd72f71c7662315c5ac891399b88f39b92662082bc4f598865a84c589fdff4776400d39be38745054419a1157125d9ecadeb5eb3eebe007d20b9abe7fb09b

  • SSDEEP

    1536:VbS4S09TPvDyd+cFMinCYkkDZFmR3w+b+qX6SAPNRQxR/Rj:JS4SYjvAFMdYk4K35aw6SAPNexVx

Score
10/10
discoverypersistence

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 28 IoCs
    persistence
  • Executes dropped EXE 14 IoCs
  • Loads dropped DLL 28 IoCs
  • Drops file in System32 directory 42 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 50 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe01b92794805f41931d81a1958ccd43d986e6a3d012219084c6b4014a420841.exe
    "C:\Users\Admin\AppData\Local\Temp\fe01b92794805f41931d81a1958ccd43d986e6a3d012219084c6b4014a420841.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3060
    • C:\Windows\SysWOW64\Cbblda32.exe
      C:\Windows\system32\Cbblda32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:988
      • C:\Windows\SysWOW64\Cgoelh32.exe
        C:\Windows\system32\Cgoelh32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2192
        • C:\Windows\SysWOW64\Cbdiia32.exe
          C:\Windows\system32\Cbdiia32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2712
          • C:\Windows\SysWOW64\Cebeem32.exe
            C:\Windows\system32\Cebeem32.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2860
            • C:\Windows\SysWOW64\Cgaaah32.exe
              C:\Windows\system32\Cgaaah32.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:2560
              • C:\Windows\SysWOW64\Cnkjnb32.exe
                C:\Windows\system32\Cnkjnb32.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:2592
                • C:\Windows\SysWOW64\Ceebklai.exe
                  C:\Windows\system32\Ceebklai.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:2360
                  • C:\Windows\SysWOW64\Clojhf32.exe
                    C:\Windows\system32\Clojhf32.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:2880
                    • C:\Windows\SysWOW64\Cmpgpond.exe
                      C:\Windows\system32\Cmpgpond.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:664
                      • C:\Windows\SysWOW64\Cegoqlof.exe
                        C:\Windows\system32\Cegoqlof.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:2064
                        • C:\Windows\SysWOW64\Cgfkmgnj.exe
                          C:\Windows\system32\Cgfkmgnj.exe
                          12⤵
                          • Adds autorun key to be loaded by Explorer.exe on startup
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Drops file in System32 directory
                          • System Location Discovery: System Language Discovery
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:1008
                          • C:\Windows\SysWOW64\Djdgic32.exe
                            C:\Windows\system32\Djdgic32.exe
                            13⤵
                            • Adds autorun key to be loaded by Explorer.exe on startup
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • Drops file in System32 directory
                            • System Location Discovery: System Language Discovery
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:1608
                            • C:\Windows\SysWOW64\Danpemej.exe
                              C:\Windows\system32\Danpemej.exe
                              14⤵
                              • Adds autorun key to be loaded by Explorer.exe on startup
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Drops file in System32 directory
                              • System Location Discovery: System Language Discovery
                              • Modifies registry class
                              • Suspicious use of WriteProcessMemory
                              PID:484
                              • C:\Windows\SysWOW64\Dpapaj32.exe
                                C:\Windows\system32\Dpapaj32.exe
                                15⤵
                                • Executes dropped EXE
                                • Drops file in Windows directory
                                • System Location Discovery: System Language Discovery
                                • Modifies registry class
                                PID:2140

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\SysWOW64\Cbblda32.exe
          Filesize

          67KB

          MD5

          8485a024403620415f5da3d199900331

          SHA1

          c0ff222995edbc4878b8274d35c67ad5a89d5399

          SHA256

          3863b147588cc706eca63ee817246decace88bd09e3e15bb7548fee6e63d9daa

          SHA512

          737983046ffcba6f82faa67910fe0fdb3a41100ede3159d6d30c62af11d2b10d46a024027d46c0fe1d6016dead8666120900366625328fb6252f5ca55a36fabc

          Download Submit

        • C:\Windows\SysWOW64\Cgfkmgnj.exe
          Filesize

          67KB

          MD5

          5567eff7792f7ff15c1ee0f8b87e4fcc

          SHA1

          92e323c40d710f964cb0e2a0d411b898fa588464

          SHA256

          a4991feaa4ecaf784b59f6db8ea111cdd956599798e07213d14e13354b2f1ad3

          SHA512

          a37e9072dbfafc4180431eb950a26349de85e6e6952bf31c557c417ef2258cae21ebc1cabad404d6ba31af5538838bea03ecf34563ec688d3f280d52b653f8f1

          Download Submit

        • C:\Windows\SysWOW64\Clojhf32.exe
          Filesize

          67KB

          MD5

          80d301ec775eece739c512270eda4c63

          SHA1

          7bc1d81d96554758a830b88d22a8134abc0518f5

          SHA256

          c7eaab98102b7c9f3c5a1de1e2f6fc02a87cd56b87e97086c16eb813bebe8770

          SHA512

          3cbed598f02ea85fb6ace0a8d9491d6ab91828af635bedf815f55606413dc210da0543cfa9515e34437e356982684057091786bf3a0cee00a5f733df37e17176

          Download Submit

        • C:\Windows\SysWOW64\Dpapaj32.exe
          Filesize

          67KB

          MD5

          a7b3fc964de13609b8652be2baacbcf6

          SHA1

          c77e8c103ebb3721ea8bfa0a5682f6187a6d0c6d

          SHA256

          3528a917c630530832d8ad6e76c08a08bf470af5a651485b026cca9f4a75607d

          SHA512

          9a19f69eada8965a9ffaf030647c370c54af67f7fa2be77f8b2c316dc643c131edd8d3214530d0f0d07b0140a444c1af23af35bbea62376d1ce9df9d3402f095

          Download Submit

        • C:\Windows\SysWOW64\Kaqnpc32.dll
          Filesize

          7KB

          MD5

          3de74b4ec464db84c3154cc340a17fb1

          SHA1

          39760899fc848c33814c77cb904de161b4a4b106

          SHA256

          658abc56034cd15a69c07dbe6e04b458906a263a5281a9010504cf0003ab8f7a

          SHA512

          a59368b2a95b87ceb1bb641b3e1afce834b480bdd7475cb3a61783bae5bf1d041d8f861c1302c215309a6ecbefa83840a30a825c25ba34e18d1895be7caf0b3e

          Download Submit

        • \Windows\SysWOW64\Cbdiia32.exe
          Filesize

          67KB

          MD5

          f673eee8f349dac8a0e17348b9d36037

          SHA1

          9cfd983d1b33e5b3ca22598eb2232bbe5cdf759b

          SHA256

          dbe9a40badd980a03bac9807f487babe991629996323754b2fda8500d5bd8093

          SHA512

          0700c9a3dcea6ae27419c3622a0ef49454a042e54f02f985bf112717e67688399b76df0caa602a005f28b5dd3cea0d87acf3feee1bd912b28cfd7bf3a481b522

          Download Submit

        • \Windows\SysWOW64\Cebeem32.exe
          Filesize

          67KB

          MD5

          a0191204253ac0efc8332ca252e34d8c

          SHA1

          8024ab2f92f7c89c9aa8bbc49b59372237a2f30b

          SHA256

          2645d55d4c8b67754e9fbab8f7a4b34ba1c2ca952a0c5e435c6bd8b029184cd8

          SHA512

          0baa9421a2aa1cb2e614fadf7aa5fbd873688553d9fb2cd42f954b543c2812458b1f511506b420edb4e2631c890a7c221bb824a87303ec89611585ef5505babc

          Download Submit

        • \Windows\SysWOW64\Ceebklai.exe
          Filesize

          67KB

          MD5

          f3b4d282b514774fa27380487b39452e

          SHA1

          59da1ecbe883522eae521b448a50636189300733

          SHA256

          a47fe07d9baef66bd668e5bc02efccec1bb8d9777f044c277334bd5013985223

          SHA512

          24d6fbb076319905b451612b65430d9df1b9cd5f660293781a85531239e452525fd2b566a745f2610c382809df8ac5d770640fc8337a797122d4f27240a584a8

          Download Submit

        • \Windows\SysWOW64\Cegoqlof.exe
          Filesize

          67KB

          MD5

          38ba310ee7d820e923282f8b57b5d431

          SHA1

          c12674d9d70f534dc6c2615ed47ece6a18242b32

          SHA256

          87a39f5ca09e2e71b1acd3e34673d9e79892af0c91bcc2761c1c57efcf202b3b

          SHA512

          8905532c03bef2856c9c6161c156c1861561fdd0e576a0b095d17ff013d7913a8c0b50360bdf71b4f6fd4f305c3de7ddc40b8be74e63e736275559c5915920d8

          Download Submit

        • \Windows\SysWOW64\Cgaaah32.exe
          Filesize

          67KB

          MD5

          5e39f6bcd579dc019a2e4c61f63a971e

          SHA1

          2c96cd455d1bedf70ee016f99167357ce0ff7de8

          SHA256

          d0c276a5aba5df61283193c909b7d65ff08c1bcb9484638a5e91e9e289b86343

          SHA512

          da1fcfa4674d2acd4e785ec7265686f16f160e809ede23d57984b0201ca040ba97a0426ce50b50a124c1276bb5d77c2e8b1d3ac5170c7bdfa0e42c4ff4e0e8dd

          Download Submit

        • \Windows\SysWOW64\Cgoelh32.exe
          Filesize

          67KB

          MD5

          16a43196511fbf8f260ddcb33f5d9ff1

          SHA1

          05898438c8e934598af22f18980a0cce305b2499

          SHA256

          3129e20517f3093aad575b0ea3780376c36189b7e6d5af413180b0fe3b80585b

          SHA512

          9e6c6f2260891d7589d78f7f3d1528b7a1ef79369c7398d1f524c4b6ec5681c992850a5a48f7f69ee6d7fe3c882bd28508ddb7e64f9c1f6cb36f03a140cff27a

          Download Submit

        • \Windows\SysWOW64\Cmpgpond.exe
          Filesize

          67KB

          MD5

          8f6e2a04d451deec0d6f87fe200d1112

          SHA1

          5feaf92090af1f38b764fa5b6c6fe0778f2f8e20

          SHA256

          88810fc7bad2428be34fd136680e462bde5acfb42250a10d261af8894bb58f2e

          SHA512

          b505221fffed74328a3f6d8e458c03f1808e6b14275e3568498850795c5e2ea1181478300a0661add43c52d63032238734d5ce8fd85b00218374f408eff2f6af

          Download Submit

        • \Windows\SysWOW64\Cnkjnb32.exe
          Filesize

          67KB

          MD5

          71a06bdbd1c73c917d6f62e58c187f75

          SHA1

          7ce29f50bedd3739970b56f16358efbb9a0d09dd

          SHA256

          a24091a6781379770284df85c61565a11ed31f6ab2eaa173912c3e737a1f9027

          SHA512

          fc1ee283878c3bc35b57a1904a11d97faa77a481bfba2a5b560abc6d37a8ae1fa4ea6607590a2dd0849d9c74b0a3978f29731132282fa980c4cc533589e663b6

          Download Submit

        • \Windows\SysWOW64\Danpemej.exe
          Filesize

          67KB

          MD5

          0105b97f65bdbe1a60fc7fabf327e6d4

          SHA1

          37bb4aad4a898862df0bc58460368eb3b448bba2

          SHA256

          ae226d5af77dc43fb5dd5c81132f2c65f292e7c0448cc43089e57187522679db

          SHA512

          098b9f15812ede31bd8df1e74bc2ed0bc9baa6bc90648e761cf39a1681b9b568c72267a08e38897f3f209bf9ac9c2f50bec18fce5663dbe297ea535e3007564e

          Download Submit

        • \Windows\SysWOW64\Djdgic32.exe
          Filesize

          67KB

          MD5

          c695cf93f97270a4b26f9d03ec7da960

          SHA1

          a28700cdbcfe43cb038927949553b7f5ba4b9190

          SHA256

          c0e4044118ab794dcb22ebb933a15f4632620a96bd6de22f9886f9cef0b6b9bb

          SHA512

          db7726d4ded1a821421268a150a03aee65e12d57204a6b8dd8a14e9118a447ed07eef9fa29dc8c4d62c4ca2fa18c767955ff31e0148cb252f17c52af0ed2e6a4

          Download Submit

        • memory/484-176-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/484-182-0x0000000000250000-0x0000000000285000-memory.dmp

          Filesize

          212KB

          Download

        • memory/484-192-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/664-194-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/664-119-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/664-127-0x0000000000330000-0x0000000000365000-memory.dmp

          Filesize

          212KB

          Download

        • memory/988-21-0x00000000002D0000-0x0000000000305000-memory.dmp

          Filesize

          212KB

          Download

        • memory/988-14-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/988-203-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1008-193-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1008-148-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1008-155-0x0000000000290000-0x00000000002C5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1608-173-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/2064-196-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/2064-137-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/2064-146-0x0000000000260000-0x0000000000295000-memory.dmp

          Filesize

          212KB

          Download

        • memory/2140-188-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/2140-191-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/2192-201-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/2360-101-0x0000000000270000-0x00000000002A5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/2360-204-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/2560-74-0x0000000000270000-0x00000000002A5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/2560-198-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/2560-66-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/2592-80-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/2592-93-0x0000000000250000-0x0000000000285000-memory.dmp

          Filesize

          212KB

          Download

        • memory/2592-197-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/2712-200-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/2712-40-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/2860-199-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/2860-53-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/2880-195-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/3060-0-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/3060-13-0x0000000000440000-0x0000000000475000-memory.dmp

          Filesize

          212KB

          Download

        • memory/3060-12-0x0000000000440000-0x0000000000475000-memory.dmp

          Filesize

          212KB

          Download

        • memory/3060-202-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download