beb7847ce6e0ca6c83b2fb409e6f4763d6169c937dcd70f41da3a4bd182ba981

General

Target

178fbfabcd396d9297888ebe44da1fe0N.exe
Size

320KB
MD5

178fbfabcd396d9297888ebe44da1fe0
SHA1

3257bfecbd34b7351429d7335770ff7263d074a1
SHA256

beb7847ce6e0ca6c83b2fb409e6f4763d6169c937dcd70f41da3a4bd182ba981
SHA512

a62de6b3a8cae497b2c5c5fde7f7ee28514258994d150d4750b5e235374e0fc9bdf60ad29145edc65c4ecb22a1dae811b83afe67b1ea7cc3a6080b8da551a276
SSDEEP

6144:/Viq4AsT6vl6Y/m05XUEtMEX6vluZV4U/vlf0DrBqvl8ZV4U/vlfl+9Q:9iq5sT6v/m05XEvG6IveDVqvQ6IvP

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	178fbfabcd396d9297888ebe44da1fe0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	178fbfabcd396d9297888ebe44da1fe0N.exe

Executes dropped EXE 3 IoCs

pid	Process
1996	Cchbgi32.exe
1992	Cegoqlof.exe
2852	Dpapaj32.exe

Loads dropped DLL 9 IoCs

pid	Process
1664	178fbfabcd396d9297888ebe44da1fe0N.exe
1664	178fbfabcd396d9297888ebe44da1fe0N.exe
1996	Cchbgi32.exe
1996	Cchbgi32.exe
1992	Cegoqlof.exe
1992	Cegoqlof.exe
3060	WerFault.exe
3060	WerFault.exe
3060	WerFault.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nloone32.dll	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Cegoqlof.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Cegoqlof.exe
File opened for modification	C:\Windows\SysWOW64\Cchbgi32.exe	178fbfabcd396d9297888ebe44da1fe0N.exe
File created	C:\Windows\SysWOW64\Acnenl32.dll	178fbfabcd396d9297888ebe44da1fe0N.exe
File opened for modification	C:\Windows\SysWOW64\Cegoqlof.exe	Cchbgi32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Cchbgi32.exe	178fbfabcd396d9297888ebe44da1fe0N.exe
File created	C:\Windows\SysWOW64\Cegoqlof.exe	Cchbgi32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3060	2852	WerFault.exe	33

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	178fbfabcd396d9297888ebe44da1fe0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe

Modifies registry class 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	178fbfabcd396d9297888ebe44da1fe0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	178fbfabcd396d9297888ebe44da1fe0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	178fbfabcd396d9297888ebe44da1fe0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	178fbfabcd396d9297888ebe44da1fe0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	178fbfabcd396d9297888ebe44da1fe0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnenl32.dll"	178fbfabcd396d9297888ebe44da1fe0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloone32.dll"	Cchbgi32.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 1996	1664	178fbfabcd396d9297888ebe44da1fe0N.exe	31
PID 1664 wrote to memory of 1996	1664	178fbfabcd396d9297888ebe44da1fe0N.exe	31
PID 1664 wrote to memory of 1996	1664	178fbfabcd396d9297888ebe44da1fe0N.exe	31
PID 1664 wrote to memory of 1996	1664	178fbfabcd396d9297888ebe44da1fe0N.exe	31
PID 1996 wrote to memory of 1992	1996	Cchbgi32.exe	32
PID 1996 wrote to memory of 1992	1996	Cchbgi32.exe	32
PID 1996 wrote to memory of 1992	1996	Cchbgi32.exe	32
PID 1996 wrote to memory of 1992	1996	Cchbgi32.exe	32
PID 1992 wrote to memory of 2852	1992	Cegoqlof.exe	33
PID 1992 wrote to memory of 2852	1992	Cegoqlof.exe	33
PID 1992 wrote to memory of 2852	1992	Cegoqlof.exe	33
PID 1992 wrote to memory of 2852	1992	Cegoqlof.exe	33
PID 2852 wrote to memory of 3060	2852	Dpapaj32.exe	34
PID 2852 wrote to memory of 3060	2852	Dpapaj32.exe	34
PID 2852 wrote to memory of 3060	2852	Dpapaj32.exe	34
PID 2852 wrote to memory of 3060	2852	Dpapaj32.exe	34

C:\Users\Admin\AppData\Local\Temp\178fbfabcd396d9297888ebe44da1fe0N.exe
"C:\Users\Admin\AppData\Local\Temp\178fbfabcd396d9297888ebe44da1fe0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Windows\SysWOW64\Cchbgi32.exe
  C:\Windows\system32\Cchbgi32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\SysWOW64\Cegoqlof.exe
    C:\Windows\system32\Cegoqlof.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1992
  - - C:\Windows\SysWOW64\Dpapaj32.exe
      C:\Windows\system32\Dpapaj32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2852
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 144
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\Cchbgi32.exe

Filesize
320KB

MD5
fb1cb545eee09b0399aae0ac2bb12f2e

SHA1
3f192eec6c7226b139f9fb8e8bfc1385387b7ed8

SHA256
b354019bc981ef4d8734eb935f1ce9c5f9b9a8054ae49573cc86739d90f5066c

SHA512
08276829b677f98acf2dc3e045295c262d0712a1a6f6cb582697a0e0b7a939d44715d47bc224d125311a9d37aa59555e9ca73e63a6943a5a74c12626686a9941

Download Submit
\Windows\SysWOW64\Cegoqlof.exe

Filesize
320KB

MD5
93a06455dd861b1aac60b1f521cd9e64

SHA1
e4784e7b4c750a3083257a62e1f896a396fe4bfe

SHA256
2f2144378d4548448d59468b0e38881941652b9129ee19cc07ff2e4683a40397

SHA512
325288ebef6522b8829112b0be5fc650f2662f77e573da010fb5a037da069c350db0d9bd95caaec19283b19e6127d3982f8827c8bb28bffd214d7856a83907cd

Download Submit
\Windows\SysWOW64\Dpapaj32.exe

Filesize
320KB

MD5
f3b13465b5600e3c3027db313014ca0a

SHA1
b7f8530bb7b725ebed0d7ca04d9bdbcd3db9b9f2

SHA256
4ea08b5279956b72882c97f8669132a51cf6e446d8a2d0d5df52d8b21287413c

SHA512
eb861b32668eed4500875411adebc94bff5acff4b9cc622eb5ee941ee21c43afd95b06c055ecb6a4e55e22b6f28277678a8604e7a1226ac994439fc276ba020e

Download Submit
memory/1664-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1664-6-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1664-46-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1992-26-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1992-33-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/1992-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1996-24-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/1996-47-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2852-49-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads