97a9ff8a7a77fc7472ce43bfe1a6d0cd3f693ccf3e932a75ca4c1b695c927f8c

Analysis

max time kernel
92s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/09/2024, 02:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cf7bc2401b872f1b45ed3925eac78760N.exe
Size

77KB
MD5

cf7bc2401b872f1b45ed3925eac78760
SHA1

d428a255d7e26c5da195a4381babee757cd41e29
SHA256

97a9ff8a7a77fc7472ce43bfe1a6d0cd3f693ccf3e932a75ca4c1b695c927f8c
SHA512

39f8f8721bea0f5cd8d97d63fa351db861a7786e5e4c494edb4c1e203b1490fb76dba8742990d70b0b31721694c0806b4bb5ec4a1701c8b0ee5c970a2d9ab389
SSDEEP

1536:+FxoeE0iTtgNwJ6xXSNU+bi2uLU2LtCwfi+TjRC/D:+r3ipgNwkSNU+bi20tswf1TjYD

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	cf7bc2401b872f1b45ed3925eac78760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	cf7bc2401b872f1b45ed3925eac78760N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnmfdb32.exe

Executes dropped EXE 13 IoCs

pid	Process
2148	Cfkloq32.exe
2084	Cmedlk32.exe
2640	Ckhdggom.exe
2664	Cgoelh32.exe
2772	Cinafkkd.exe
2592	Ckmnbg32.exe
2656	Cbffoabe.exe
1280	Cchbgi32.exe
2288	Cnmfdb32.exe
2012	Calcpm32.exe
2440	Cfhkhd32.exe
1624	Dmbcen32.exe
2780	Dpapaj32.exe

Loads dropped DLL 29 IoCs

pid	Process
1392	cf7bc2401b872f1b45ed3925eac78760N.exe
1392	cf7bc2401b872f1b45ed3925eac78760N.exe
2148	Cfkloq32.exe
2148	Cfkloq32.exe
2084	Cmedlk32.exe
2084	Cmedlk32.exe
2640	Ckhdggom.exe
2640	Ckhdggom.exe
2664	Cgoelh32.exe
2664	Cgoelh32.exe
2772	Cinafkkd.exe
2772	Cinafkkd.exe
2592	Ckmnbg32.exe
2592	Ckmnbg32.exe
2656	Cbffoabe.exe
2656	Cbffoabe.exe
1280	Cchbgi32.exe
1280	Cchbgi32.exe
2288	Cnmfdb32.exe
2288	Cnmfdb32.exe
2012	Calcpm32.exe
2012	Calcpm32.exe
2440	Cfhkhd32.exe
2440	Cfhkhd32.exe
1624	Dmbcen32.exe
1624	Dmbcen32.exe
896	WerFault.exe
896	WerFault.exe
896	WerFault.exe

Drops file in System32 directory 41 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cbffoabe.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Dmbcen32.exe	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Cgoelh32.exe	Ckhdggom.exe
File opened for modification	C:\Windows\SysWOW64\Cinafkkd.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Cbffoabe.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Fkdqjn32.dll	Calcpm32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Cfkloq32.exe	cf7bc2401b872f1b45ed3925eac78760N.exe
File created	C:\Windows\SysWOW64\Ofaejacl.dll	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Cfhkhd32.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Eepejpil.dll	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Ckmnbg32.exe	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Cnmfdb32.exe	Cchbgi32.exe
File opened for modification	C:\Windows\SysWOW64\Dmbcen32.exe	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Fikbiheg.dll	Cfhkhd32.exe
File opened for modification	C:\Windows\SysWOW64\Cfkloq32.exe	cf7bc2401b872f1b45ed3925eac78760N.exe
File opened for modification	C:\Windows\SysWOW64\Ckhdggom.exe	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Ajaclncd.dll	Cmedlk32.exe
File opened for modification	C:\Windows\SysWOW64\Cmedlk32.exe	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Lmajfk32.dll	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Jidmcq32.dll	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Niebgj32.dll	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Calcpm32.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Oghnkh32.dll	cf7bc2401b872f1b45ed3925eac78760N.exe
File created	C:\Windows\SysWOW64\Cmedlk32.exe	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Cchbgi32.exe	Cbffoabe.exe
File opened for modification	C:\Windows\SysWOW64\Cnmfdb32.exe	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Ckhdggom.exe	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Cinafkkd.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Acnenl32.dll	Cbffoabe.exe
File opened for modification	C:\Windows\SysWOW64\Calcpm32.exe	Cnmfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Cfhkhd32.exe	Calcpm32.exe
File opened for modification	C:\Windows\SysWOW64\Cgoelh32.exe	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Jhogdg32.dll	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Hbocphim.dll	Ckmnbg32.exe
File opened for modification	C:\Windows\SysWOW64\Ckmnbg32.exe	Cinafkkd.exe
File opened for modification	C:\Windows\SysWOW64\Cchbgi32.exe	Cbffoabe.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
896	2780	WerFault.exe	43

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkloq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbffoabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckhdggom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf7bc2401b872f1b45ed3925eac78760N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe

Modifies registry class 42 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocphim.dll"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	cf7bc2401b872f1b45ed3925eac78760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	cf7bc2401b872f1b45ed3925eac78760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmajfk32.dll"	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajaclncd.dll"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnenl32.dll"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	cf7bc2401b872f1b45ed3925eac78760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	cf7bc2401b872f1b45ed3925eac78760N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghnkh32.dll"	cf7bc2401b872f1b45ed3925eac78760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	cf7bc2401b872f1b45ed3925eac78760N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepejpil.dll"	Cgoelh32.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1392 wrote to memory of 2148	1392	cf7bc2401b872f1b45ed3925eac78760N.exe	31
PID 1392 wrote to memory of 2148	1392	cf7bc2401b872f1b45ed3925eac78760N.exe	31
PID 1392 wrote to memory of 2148	1392	cf7bc2401b872f1b45ed3925eac78760N.exe	31
PID 1392 wrote to memory of 2148	1392	cf7bc2401b872f1b45ed3925eac78760N.exe	31
PID 2148 wrote to memory of 2084	2148	Cfkloq32.exe	32
PID 2148 wrote to memory of 2084	2148	Cfkloq32.exe	32
PID 2148 wrote to memory of 2084	2148	Cfkloq32.exe	32
PID 2148 wrote to memory of 2084	2148	Cfkloq32.exe	32
PID 2084 wrote to memory of 2640	2084	Cmedlk32.exe	33
PID 2084 wrote to memory of 2640	2084	Cmedlk32.exe	33
PID 2084 wrote to memory of 2640	2084	Cmedlk32.exe	33
PID 2084 wrote to memory of 2640	2084	Cmedlk32.exe	33
PID 2640 wrote to memory of 2664	2640	Ckhdggom.exe	34
PID 2640 wrote to memory of 2664	2640	Ckhdggom.exe	34
PID 2640 wrote to memory of 2664	2640	Ckhdggom.exe	34
PID 2640 wrote to memory of 2664	2640	Ckhdggom.exe	34
PID 2664 wrote to memory of 2772	2664	Cgoelh32.exe	35
PID 2664 wrote to memory of 2772	2664	Cgoelh32.exe	35
PID 2664 wrote to memory of 2772	2664	Cgoelh32.exe	35
PID 2664 wrote to memory of 2772	2664	Cgoelh32.exe	35
PID 2772 wrote to memory of 2592	2772	Cinafkkd.exe	36
PID 2772 wrote to memory of 2592	2772	Cinafkkd.exe	36
PID 2772 wrote to memory of 2592	2772	Cinafkkd.exe	36
PID 2772 wrote to memory of 2592	2772	Cinafkkd.exe	36
PID 2592 wrote to memory of 2656	2592	Ckmnbg32.exe	37
PID 2592 wrote to memory of 2656	2592	Ckmnbg32.exe	37
PID 2592 wrote to memory of 2656	2592	Ckmnbg32.exe	37
PID 2592 wrote to memory of 2656	2592	Ckmnbg32.exe	37
PID 2656 wrote to memory of 1280	2656	Cbffoabe.exe	38
PID 2656 wrote to memory of 1280	2656	Cbffoabe.exe	38
PID 2656 wrote to memory of 1280	2656	Cbffoabe.exe	38
PID 2656 wrote to memory of 1280	2656	Cbffoabe.exe	38
PID 1280 wrote to memory of 2288	1280	Cchbgi32.exe	39
PID 1280 wrote to memory of 2288	1280	Cchbgi32.exe	39
PID 1280 wrote to memory of 2288	1280	Cchbgi32.exe	39
PID 1280 wrote to memory of 2288	1280	Cchbgi32.exe	39
PID 2288 wrote to memory of 2012	2288	Cnmfdb32.exe	40
PID 2288 wrote to memory of 2012	2288	Cnmfdb32.exe	40
PID 2288 wrote to memory of 2012	2288	Cnmfdb32.exe	40
PID 2288 wrote to memory of 2012	2288	Cnmfdb32.exe	40
PID 2012 wrote to memory of 2440	2012	Calcpm32.exe	41
PID 2012 wrote to memory of 2440	2012	Calcpm32.exe	41
PID 2012 wrote to memory of 2440	2012	Calcpm32.exe	41
PID 2012 wrote to memory of 2440	2012	Calcpm32.exe	41
PID 2440 wrote to memory of 1624	2440	Cfhkhd32.exe	42
PID 2440 wrote to memory of 1624	2440	Cfhkhd32.exe	42
PID 2440 wrote to memory of 1624	2440	Cfhkhd32.exe	42
PID 2440 wrote to memory of 1624	2440	Cfhkhd32.exe	42
PID 1624 wrote to memory of 2780	1624	Dmbcen32.exe	43
PID 1624 wrote to memory of 2780	1624	Dmbcen32.exe	43
PID 1624 wrote to memory of 2780	1624	Dmbcen32.exe	43
PID 1624 wrote to memory of 2780	1624	Dmbcen32.exe	43
PID 2780 wrote to memory of 896	2780	Dpapaj32.exe	44
PID 2780 wrote to memory of 896	2780	Dpapaj32.exe	44
PID 2780 wrote to memory of 896	2780	Dpapaj32.exe	44
PID 2780 wrote to memory of 896	2780	Dpapaj32.exe	44

C:\Users\Admin\AppData\Local\Temp\cf7bc2401b872f1b45ed3925eac78760N.exe
"C:\Users\Admin\AppData\Local\Temp\cf7bc2401b872f1b45ed3925eac78760N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1392
- C:\Windows\SysWOW64\Cfkloq32.exe
  C:\Windows\system32\Cfkloq32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\SysWOW64\Cmedlk32.exe
    C:\Windows\system32\Cmedlk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - C:\Windows\SysWOW64\Ckhdggom.exe
      C:\Windows\system32\Ckhdggom.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2664
      - C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\SysWOW64\Cbffoabe.exe
        
        C:\Windows\system32\Cbffoabe.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 144
        15⤵
        Loads dropped DLL
        Program crash
        
        PID:896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cfkloq32.exe

Filesize
77KB

MD5
77f554b65295adf3b89996de333a6bb2

SHA1
b1c425701fe0d6557a69caa7a8e7fe16af971a1b

SHA256
59cf88f5884520d4ea731d5581dcda572cb1c60ab4ae620edb68a613f29a03ed

SHA512
8b54a2c4fa74246b49921234129603b35ed95469f6e8ce2a123582b66e325ccc4e73564b90f65f84090730c870f89dc0240c05f05408e050901533f30a70b9aa

Download Submit
C:\Windows\SysWOW64\Cmedlk32.exe

Filesize
77KB

MD5
2cb9b9ccb5a26d75f72b3882b4c383f8

SHA1
91867c1053ccb94ec92f70cbc26dcb20a305fd67

SHA256
727180679dcb30cf446c6ccdffae9388bbd322bc07341ad4927b3ae5bf34c166

SHA512
c44333c64b9d4c5e576e31298f75a376d954336b908d243c9300647f0a1320df504772d638b13a406064488baee3f461051382d505289947c89344a66f17a153

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
77KB

MD5
1dd87bebd121b58f9c20b1f24c134ace

SHA1
8a4ce83dbbc9181ef693ddc0a92cd2623670a783

SHA256
42a8fd6adabc0fa018affd8be4909a10ff1948e22407e50642afb4dd2dd983e2

SHA512
ff055f6153549cd45ad7b8f04f8cf7afb5715076e2223dc0e87400873d9d4161b4fdcabd975aacc1d4065d81117f67cd4b9860fab25eeb724aaf99955f97631b

Download Submit
\Windows\SysWOW64\Calcpm32.exe

Filesize
77KB

MD5
96f7323fb875b3e82663c73dc0502447

SHA1
3dc1b091f40c4a891376159f25588009776002b1

SHA256
3ec287ba60f79853dcc69b96409d6fe5c988de614309655ede7ba4717530615b

SHA512
3a038b1a4d58152e221379acbf5f030a1f1512a317b43f9e91d33b09929b89eef2546d117149fbb5bee7e6454543a2666446105333a54d31cfe20f852fca0641

Download Submit
\Windows\SysWOW64\Cbffoabe.exe

Filesize
77KB

MD5
7b0369173ad14b83cc16bebd3ce8dd8a

SHA1
ed305cb5ab5473db8a69d6610e82b544fd53db8d

SHA256
287d50757259796bf6034610ba382f1ef3b13724e5d2f70717d33cacdccfe30d

SHA512
9623e1111171d9005f96576caec4f24ff6ab36ff483da07f1cb84a3929f8ac04eddafced2e22590872b8cba4d3aa0f8b8e1ff64dbceb0ef59bd529fce2c75614

Download Submit
\Windows\SysWOW64\Cchbgi32.exe

Filesize
77KB

MD5
c9e1de1bb31313ac73988cc22566e633

SHA1
0f8eceb23ad21a15a65eee2c85dc7662cf585a67

SHA256
4a86dbf10e5e4922d6b13276a326b339e7034c67c984381308a38d9495acdb43

SHA512
96eb9f5f1488da2e4c38aaf0cb0efc0183e9c230c24b015622e5e9ae39873b9e695a5605ceab105d0343a74a7fce14b6eee465dd1e3b92e79a184b3da168e67c

Download Submit
\Windows\SysWOW64\Cfhkhd32.exe

Filesize
77KB

MD5
88bfe481ac9bef4caa022cdb42b37a17

SHA1
d3860bc894256e4f0b42c32162e3dc687eb31420

SHA256
3d4fbb9834daebf6df082d4318b5bc69ab05c160a4e85ca80ff77adcbfe6b3bc

SHA512
e049e14e08cbe4975403af05eb2eddf5201699ac30aeef85c8aebb5cfa26030a1f2f55694663153f99741dffe57f5675b8dcffbd28db891271cd7ecf48ba3e35

Download Submit
\Windows\SysWOW64\Cgoelh32.exe

Filesize
77KB

MD5
8293b8d11b1e69278f3298beedf7c463

SHA1
ae232828dea8e07faf2c30d8b38bd256376efc85

SHA256
decb3f1d6bf523ac735c41cef50e6b020eb8e1bf1dbda5a8106b2b5370ad4003

SHA512
7ab0af0f6e3a0af110550e26a15140adc6e95502b9d387e37e132d703dabcb3316eef7e3fcb298cdb05cf2177f404d590539586af23b806c8a5a01cf051ac9f3

Download Submit
\Windows\SysWOW64\Cinafkkd.exe

Filesize
77KB

MD5
56f7dfe0b0758a6c51109a997d1ccdfe

SHA1
724dcb2623482ea51c6b58bd1d0a88b19ac230ab

SHA256
52b563ca4f61dff5c0303d751378d86300aa1ef4491e5cc0ff22e36b25cc2b62

SHA512
13d8eed489c89a761973b116e33c1b07e06fb625ae54dc15542eba1ec7f5506e839d3e81aac891eec3272143f6a762d5bede229bc5df7646a79306fa6bb85b34

Download Submit
\Windows\SysWOW64\Ckhdggom.exe

Filesize
77KB

MD5
ae993293a7c5f1b451d770a5f5c50ba7

SHA1
2827544c70607fe7f761482d45548901fefba220

SHA256
9eb440a594a370fef9cc27f3525639e0d843ec942da5c939544fb9d6b2b598e4

SHA512
2b146c6e7924a049970be5ee931a41ad252c6ba2dbca36dba296d0c01cc90f3795554074d34ce89d8b723f8dc6466e8c30dfdaf195c65a6508b261d121400db0

Download Submit
\Windows\SysWOW64\Ckmnbg32.exe

Filesize
77KB

MD5
d2849cc16a0afa3e6d8607315f4e083b

SHA1
7c0093a48386dc7ed4769c8202333bb6273653c3

SHA256
8eed589b182af545685483389a1bc857d06b049e9361e2441b379c1bf3b60b44

SHA512
b3d767da80c8c9243faa666e88db05e7c0f607748e9a96beb157f5479b1cb081a9640f5e53cfe0c8e1f58d162b3c24bec455f87aac5fd4956727c4df1043958b

Download Submit
\Windows\SysWOW64\Cnmfdb32.exe

Filesize
77KB

MD5
56f687a552d05405a550f8de8fdd35b5

SHA1
e85db7be2357e333605ab3dd18a1e64661b3fceb

SHA256
53deb5df60cbcb101371db45c9daf4ae0fce0def70ab17ade91d8cc0a510557f

SHA512
7e6e3270b2f9c317f92aa686503301c6130078225de670d3057dd1f1b2dfb4f0f57f371f09bcde043d262b75a1202d8915c8b388cf3cd3f8ca1ba628aef1c858

Download Submit
\Windows\SysWOW64\Dpapaj32.exe

Filesize
77KB

MD5
c252b83020f8a4be3df3b91a8dea85b6

SHA1
2958b514777265f5eac84c5ae5e5df13d3edf560

SHA256
90cf68907d124c16400f3f816929640f0518abcee30391f1d98065e88b1f63b7

SHA512
0e200cbe263b4dac2a18d48b2d2a1b6a587f8e2f7b4c13991e6758dcb8ff2251af8b1329fb5d80b84879bd8a6218072e25d4bd4e0a0e8a818eb4f3acfbc5a474

Download Submit
memory/1280-115-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/1280-107-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1280-188-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1392-181-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1392-17-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/1392-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1624-191-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2012-134-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2012-189-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2012-142-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/2084-27-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2084-39-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2084-182-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2148-26-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2148-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2288-126-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2440-153-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2440-161-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/2440-190-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2592-186-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2592-88-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2592-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2640-183-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2640-52-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/2656-187-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2656-94-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2664-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2664-66-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2664-54-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2772-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2780-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2780-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads