26ffc9fc945bfe0fd979de3e0cfadcf149f0668f770e98b4ac71b5b7aab893b4

General

Target

a316926dbaeefe1e056ef0a28c152fc0N.exe
Size

96KB
MD5

a316926dbaeefe1e056ef0a28c152fc0
SHA1

87bcc1d0f0f6513836a69fa5e5a642215edb3f37
SHA256

26ffc9fc945bfe0fd979de3e0cfadcf149f0668f770e98b4ac71b5b7aab893b4
SHA512

85254b01ce0c9826c02b82a09cee77e09236a8a31d78d9740b5d89862a0fd57c77508014f641cb0ca628ae5e34a36f91efb2a3f7ad83f29277980271cc7ee27e
SSDEEP

1536:84dOj9tTPtmH/2nh2mFIazBle9MbinV39+ChnSdFFn7Elz45zFV3zMetM:zdOhmf2rlAMbqV39ThSdn7Elz45P34

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a316926dbaeefe1e056ef0a28c152fc0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	a316926dbaeefe1e056ef0a28c152fc0N.exe

Executes dropped EXE 4 IoCs

pid	Process
2416	Cnimiblo.exe
2204	Ckmnbg32.exe
2864	Cmpgpond.exe
812	Dpapaj32.exe

Loads dropped DLL 11 IoCs

pid	Process
1960	a316926dbaeefe1e056ef0a28c152fc0N.exe
1960	a316926dbaeefe1e056ef0a28c152fc0N.exe
2416	Cnimiblo.exe
2416	Cnimiblo.exe
2204	Ckmnbg32.exe
2204	Ckmnbg32.exe
2864	Cmpgpond.exe
2864	Cmpgpond.exe
2984	WerFault.exe
2984	WerFault.exe
2984	WerFault.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pobghn32.dll	a316926dbaeefe1e056ef0a28c152fc0N.exe
File created	C:\Windows\SysWOW64\Cmpgpond.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Pcaibd32.dll	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Cnimiblo.exe	a316926dbaeefe1e056ef0a28c152fc0N.exe
File opened for modification	C:\Windows\SysWOW64\Cnimiblo.exe	a316926dbaeefe1e056ef0a28c152fc0N.exe
File opened for modification	C:\Windows\SysWOW64\Ckmnbg32.exe	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Jhogdg32.dll	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Cmpgpond.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Ckmnbg32.exe	Cnimiblo.exe
File opened for modification	C:\Windows\SysWOW64\Cmpgpond.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Cmpgpond.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2984	812	WerFault.exe	34

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a316926dbaeefe1e056ef0a28c152fc0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	a316926dbaeefe1e056ef0a28c152fc0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	a316926dbaeefe1e056ef0a28c152fc0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll"	a316926dbaeefe1e056ef0a28c152fc0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	a316926dbaeefe1e056ef0a28c152fc0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	a316926dbaeefe1e056ef0a28c152fc0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	a316926dbaeefe1e056ef0a28c152fc0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmpgpond.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2416	1960	a316926dbaeefe1e056ef0a28c152fc0N.exe	31
PID 1960 wrote to memory of 2416	1960	a316926dbaeefe1e056ef0a28c152fc0N.exe	31
PID 1960 wrote to memory of 2416	1960	a316926dbaeefe1e056ef0a28c152fc0N.exe	31
PID 1960 wrote to memory of 2416	1960	a316926dbaeefe1e056ef0a28c152fc0N.exe	31
PID 2416 wrote to memory of 2204	2416	Cnimiblo.exe	32
PID 2416 wrote to memory of 2204	2416	Cnimiblo.exe	32
PID 2416 wrote to memory of 2204	2416	Cnimiblo.exe	32
PID 2416 wrote to memory of 2204	2416	Cnimiblo.exe	32
PID 2204 wrote to memory of 2864	2204	Ckmnbg32.exe	33
PID 2204 wrote to memory of 2864	2204	Ckmnbg32.exe	33
PID 2204 wrote to memory of 2864	2204	Ckmnbg32.exe	33
PID 2204 wrote to memory of 2864	2204	Ckmnbg32.exe	33
PID 2864 wrote to memory of 812	2864	Cmpgpond.exe	34
PID 2864 wrote to memory of 812	2864	Cmpgpond.exe	34
PID 2864 wrote to memory of 812	2864	Cmpgpond.exe	34
PID 2864 wrote to memory of 812	2864	Cmpgpond.exe	34
PID 812 wrote to memory of 2984	812	Dpapaj32.exe	35
PID 812 wrote to memory of 2984	812	Dpapaj32.exe	35
PID 812 wrote to memory of 2984	812	Dpapaj32.exe	35
PID 812 wrote to memory of 2984	812	Dpapaj32.exe	35

C:\Users\Admin\AppData\Local\Temp\a316926dbaeefe1e056ef0a28c152fc0N.exe
"C:\Users\Admin\AppData\Local\Temp\a316926dbaeefe1e056ef0a28c152fc0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\SysWOW64\Cnimiblo.exe
  C:\Windows\system32\Cnimiblo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\SysWOW64\Ckmnbg32.exe
    C:\Windows\system32\Ckmnbg32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2204
  - - C:\Windows\SysWOW64\Cmpgpond.exe
      C:\Windows\system32\Cmpgpond.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:812
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 144
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
96KB

MD5
ff59cdbbe1fc6aaf4e1d98f0da6e985c

SHA1
f7d4d7abc0b9bfdf83b66ae8133099af77a17d04

SHA256
060efb519add563879858e203a1983ec4adfb4fd3cceee65e6924ecf1c0c910a

SHA512
ef3f46698fa609c862ff4f5a34bb8c513dc08e8dc7b25097bf4027cbb5652632b30bbd19c01a20fde9bb9e49cc7d06baacd0125ac992402fbcb53b3aa25cd4b5

Download Submit
C:\Windows\SysWOW64\Cnimiblo.exe

Filesize
96KB

MD5
4ba47572f341e6961c0d3912a84faf01

SHA1
c38e0ce16f7c2b6b0ed192b7d2b15d09b808ad47

SHA256
c58c2f7b64adf02b375277d25fc24b05d2a73c43026052ce642b9f0a941e774c

SHA512
f0d8cf056fa17c8b7eb921c405c0f1da2c54f64e1cae697d08bd87722c5becab43e600a686cd9e0d52165e1948cf07dc2031d0efa6c9e463621d565ff3ce3027

Download Submit
\Windows\SysWOW64\Ckmnbg32.exe

Filesize
96KB

MD5
06f4b5cf2c27ff67eee943511e6aec4e

SHA1
4d65913b1d3970dac9426f8628fbf3e3e6c4d20c

SHA256
567b11b814867b3c90d4f376beae52762bb4440033c7e0faaf8e9cf6fcc562b0

SHA512
ca17f5db1d3ff03c927e2fd170465edd35f820abfa1c069e42267a9a1183b17a83cafdf62b606da04b95e0eac1833b352a724488e9d296e6911493cbc0ed1279

Download Submit
\Windows\SysWOW64\Dpapaj32.exe

Filesize
96KB

MD5
31d39170d1f2e5a7d637a6be61706096

SHA1
b6676625de350d4c58a7e05eec439d32a71c3edf

SHA256
00e2b0745193d4bd89855eac0e4437df7d48e9c58e4dee72c1addf8d5c15339d

SHA512
665186fa234bf3f9c3fc78a906ffc15e53bf225dd6f793151bff26be675d3f74d691d3f17f717703c0466f28389a6efe18639a6c23514067c8d6116c58056f9d

Download Submit
memory/812-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1960-23-0x00000000002C0000-0x00000000002F4000-memory.dmp

Filesize
208KB

Download
memory/1960-62-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1960-24-0x00000000002C0000-0x00000000002F4000-memory.dmp

Filesize
208KB

Download
memory/1960-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2204-40-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2204-39-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2204-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2204-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2416-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2864-55-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2864-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2864-42-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads