f5a7d68b055f90fdf13c19e59e07d467a9a11357e5fa01770c7f82731f8c5c2e

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09/09/2024, 01:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21e9002704657db85e1f5a5023a094f0N.exe
Size

64KB
MD5

21e9002704657db85e1f5a5023a094f0
SHA1

a4cb2ca741449b8b4626e9b14689219e29044dfa
SHA256

f5a7d68b055f90fdf13c19e59e07d467a9a11357e5fa01770c7f82731f8c5c2e
SHA512

3cf3a3dbac71fd425224c31c7d35119f1bba73a5c10cc2e101ea130016182df5c514defe2e105aab6b224dd2acdce5cc64631659dacdd5bca8c83db46a2313c8
SSDEEP

768:fHy7vO8/O5NvI37QBjiza3X7TC4caBb3LlxH4DMgwx747JKIZ2p/1H5eXdnhaBGG:fHyD1OQXuLTCQIDMgwxE/2LisBMu/H1

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	21e9002704657db85e1f5a5023a094f0N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	21e9002704657db85e1f5a5023a094f0N.exe

Executes dropped EXE 11 IoCs

pid	Process
2844	Ckhdggom.exe
2720	Cileqlmg.exe
2740	Cgoelh32.exe
2636	Cebeem32.exe
2160	Ckmnbg32.exe
2944	Cchbgi32.exe
2700	Cgcnghpl.exe
1988	Cmpgpond.exe
316	Ccjoli32.exe
1000	Dnpciaef.exe
572	Dpapaj32.exe

Loads dropped DLL 25 IoCs

pid	Process
2460	21e9002704657db85e1f5a5023a094f0N.exe
2460	21e9002704657db85e1f5a5023a094f0N.exe
2844	Ckhdggom.exe
2844	Ckhdggom.exe
2720	Cileqlmg.exe
2720	Cileqlmg.exe
2740	Cgoelh32.exe
2740	Cgoelh32.exe
2636	Cebeem32.exe
2636	Cebeem32.exe
2160	Ckmnbg32.exe
2160	Ckmnbg32.exe
2944	Cchbgi32.exe
2944	Cchbgi32.exe
2700	Cgcnghpl.exe
2700	Cgcnghpl.exe
1988	Cmpgpond.exe
1988	Cmpgpond.exe
316	Ccjoli32.exe
316	Ccjoli32.exe
1000	Dnpciaef.exe
1000	Dnpciaef.exe
484	WerFault.exe
484	WerFault.exe
484	WerFault.exe

Drops file in System32 directory 35 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cebeem32.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Jhogdg32.dll	Cebeem32.exe
File opened for modification	C:\Windows\SysWOW64\Cmpgpond.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Pcaibd32.dll	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dnpciaef.exe
File opened for modification	C:\Windows\SysWOW64\Ckhdggom.exe	21e9002704657db85e1f5a5023a094f0N.exe
File created	C:\Windows\SysWOW64\Cileqlmg.exe	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Acnenl32.dll	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Omakjj32.dll	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Dnpciaef.exe	Ccjoli32.exe
File opened for modification	C:\Windows\SysWOW64\Dnpciaef.exe	Ccjoli32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Cmbfdl32.dll	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Cgoelh32.exe	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Pmiljc32.dll	Ccjoli32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Cileqlmg.exe	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Cmpgpond.exe	Cgcnghpl.exe
File opened for modification	C:\Windows\SysWOW64\Cebeem32.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Ckmnbg32.exe	Cebeem32.exe
File opened for modification	C:\Windows\SysWOW64\Cchbgi32.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Jidmcq32.dll	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Fnbkfl32.dll	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Ckhdggom.exe	21e9002704657db85e1f5a5023a094f0N.exe
File created	C:\Windows\SysWOW64\Ajaclncd.dll	21e9002704657db85e1f5a5023a094f0N.exe
File opened for modification	C:\Windows\SysWOW64\Ccjoli32.exe	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Ciohdhad.dll	Cmpgpond.exe
File opened for modification	C:\Windows\SysWOW64\Cgoelh32.exe	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Ccjoli32.exe	Cmpgpond.exe
File opened for modification	C:\Windows\SysWOW64\Cgcnghpl.exe	Cchbgi32.exe
File opened for modification	C:\Windows\SysWOW64\Ckmnbg32.exe	Cebeem32.exe
File created	C:\Windows\SysWOW64\Cchbgi32.exe	Ckmnbg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
484	572	WerFault.exe	41

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	21e9002704657db85e1f5a5023a094f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckhdggom.exe

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	21e9002704657db85e1f5a5023a094f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbfdl32.dll"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajaclncd.dll"	21e9002704657db85e1f5a5023a094f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll"	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciohdhad.dll"	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	21e9002704657db85e1f5a5023a094f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	21e9002704657db85e1f5a5023a094f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	21e9002704657db85e1f5a5023a094f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnbkfl32.dll"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnenl32.dll"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	21e9002704657db85e1f5a5023a094f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll"	Cgcnghpl.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 2844	2460	21e9002704657db85e1f5a5023a094f0N.exe	31
PID 2460 wrote to memory of 2844	2460	21e9002704657db85e1f5a5023a094f0N.exe	31
PID 2460 wrote to memory of 2844	2460	21e9002704657db85e1f5a5023a094f0N.exe	31
PID 2460 wrote to memory of 2844	2460	21e9002704657db85e1f5a5023a094f0N.exe	31
PID 2844 wrote to memory of 2720	2844	Ckhdggom.exe	32
PID 2844 wrote to memory of 2720	2844	Ckhdggom.exe	32
PID 2844 wrote to memory of 2720	2844	Ckhdggom.exe	32
PID 2844 wrote to memory of 2720	2844	Ckhdggom.exe	32
PID 2720 wrote to memory of 2740	2720	Cileqlmg.exe	33
PID 2720 wrote to memory of 2740	2720	Cileqlmg.exe	33
PID 2720 wrote to memory of 2740	2720	Cileqlmg.exe	33
PID 2720 wrote to memory of 2740	2720	Cileqlmg.exe	33
PID 2740 wrote to memory of 2636	2740	Cgoelh32.exe	34
PID 2740 wrote to memory of 2636	2740	Cgoelh32.exe	34
PID 2740 wrote to memory of 2636	2740	Cgoelh32.exe	34
PID 2740 wrote to memory of 2636	2740	Cgoelh32.exe	34
PID 2636 wrote to memory of 2160	2636	Cebeem32.exe	35
PID 2636 wrote to memory of 2160	2636	Cebeem32.exe	35
PID 2636 wrote to memory of 2160	2636	Cebeem32.exe	35
PID 2636 wrote to memory of 2160	2636	Cebeem32.exe	35
PID 2160 wrote to memory of 2944	2160	Ckmnbg32.exe	36
PID 2160 wrote to memory of 2944	2160	Ckmnbg32.exe	36
PID 2160 wrote to memory of 2944	2160	Ckmnbg32.exe	36
PID 2160 wrote to memory of 2944	2160	Ckmnbg32.exe	36
PID 2944 wrote to memory of 2700	2944	Cchbgi32.exe	37
PID 2944 wrote to memory of 2700	2944	Cchbgi32.exe	37
PID 2944 wrote to memory of 2700	2944	Cchbgi32.exe	37
PID 2944 wrote to memory of 2700	2944	Cchbgi32.exe	37
PID 2700 wrote to memory of 1988	2700	Cgcnghpl.exe	38
PID 2700 wrote to memory of 1988	2700	Cgcnghpl.exe	38
PID 2700 wrote to memory of 1988	2700	Cgcnghpl.exe	38
PID 2700 wrote to memory of 1988	2700	Cgcnghpl.exe	38
PID 1988 wrote to memory of 316	1988	Cmpgpond.exe	39
PID 1988 wrote to memory of 316	1988	Cmpgpond.exe	39
PID 1988 wrote to memory of 316	1988	Cmpgpond.exe	39
PID 1988 wrote to memory of 316	1988	Cmpgpond.exe	39
PID 316 wrote to memory of 1000	316	Ccjoli32.exe	40
PID 316 wrote to memory of 1000	316	Ccjoli32.exe	40
PID 316 wrote to memory of 1000	316	Ccjoli32.exe	40
PID 316 wrote to memory of 1000	316	Ccjoli32.exe	40
PID 1000 wrote to memory of 572	1000	Dnpciaef.exe	41
PID 1000 wrote to memory of 572	1000	Dnpciaef.exe	41
PID 1000 wrote to memory of 572	1000	Dnpciaef.exe	41
PID 1000 wrote to memory of 572	1000	Dnpciaef.exe	41
PID 572 wrote to memory of 484	572	Dpapaj32.exe	42
PID 572 wrote to memory of 484	572	Dpapaj32.exe	42
PID 572 wrote to memory of 484	572	Dpapaj32.exe	42
PID 572 wrote to memory of 484	572	Dpapaj32.exe	42

C:\Users\Admin\AppData\Local\Temp\21e9002704657db85e1f5a5023a094f0N.exe
"C:\Users\Admin\AppData\Local\Temp\21e9002704657db85e1f5a5023a094f0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Windows\SysWOW64\Ckhdggom.exe
  C:\Windows\system32\Ckhdggom.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\SysWOW64\Cileqlmg.exe
    C:\Windows\system32\Cileqlmg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\SysWOW64\Cgoelh32.exe
      C:\Windows\system32\Cgoelh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
      - C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 572 -s 144
        13⤵
        Loads dropped DLL
        Program crash
        
        PID:484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cgoelh32.exe

Filesize
64KB

MD5
15b98780fb4b8aecd42975fc8b32d624

SHA1
92c97a91ed1d7363a292ee40fcd99644cc46b465

SHA256
69af6a41d2f61c587aa80a00716c31a949c68f464352ab124820a0243bb6ce9f

SHA512
2ad07507da90ea9a00d6faf336e6dead7224489e19c7b040fe25c7f8e414321a30f38550de15e55a652585c63aa3d4a6ddf4cf91bb863749042350aa5505721e

Download Submit
C:\Windows\SysWOW64\Ckmnbg32.exe

Filesize
64KB

MD5
c380aec5823aba832be51e5d926fec1f

SHA1
a733365f9d1fd7d1b13fb5d1d04ee52c50868f17

SHA256
9526b8648f8a347d1e475f7ac398392e837bac0602abb3629b8281e0e9b37cc3

SHA512
309af43add04b2d77b3140d033e522f8aebb1437f5674d1f99fa7f57a449f24d4baad72dcc853ca2a3d7dfc42d33d833cdbe2686ca88812a31043971ca71183f

Download Submit
\Windows\SysWOW64\Cchbgi32.exe

Filesize
64KB

MD5
9e13ec445abf41a0d7ef46337d298662

SHA1
b02c249670c41f543bf423d280bb7ac9f11c3a51

SHA256
52530b5747155a5c309870c4eb48cade4396c4b56695e76283f691db626a99cd

SHA512
0945e11ec781ed7dd2369a5044260d2f441c20828a321c27c250e9c870c2b6716686cbeafeb18f3ab0c32ffe3147631103397098bbea76ba3e0fcff169af4853

Download Submit
\Windows\SysWOW64\Ccjoli32.exe

Filesize
64KB

MD5
3dae532dce20eb0ced904e3c2d47812f

SHA1
2fafa55397dd92ee3194aa7d2e9441dc637d2d08

SHA256
7aa4bfae3d2b364bf0c3c693e6b3780a15a08d3edebb294acc43a43fba8bad13

SHA512
787a2d48f453154d6ef7be53f4ec91be6034ed4c524cb893719c475cedc57227d0b619e883682c104bad9183b2d00589d457b072028732ce7cd7eac0014ee13b

Download Submit
\Windows\SysWOW64\Cebeem32.exe

Filesize
64KB

MD5
b5168f6cc50efb9920c036359132419e

SHA1
31eccddb50fb58782003bc87307500b8309526d2

SHA256
00d8537195201556ebe194938231660e21388436102feeb50af596fcb75682a7

SHA512
7cd7a371cd2893f22827f283cf83ee301ae2a49c6d1adf423ca350251c292bde4d1acf17fe10d04d516f2a428e58f69d7d456e2f4c11fc9be7e668a670f94d1d

Download Submit
\Windows\SysWOW64\Cgcnghpl.exe

Filesize
64KB

MD5
396f7fc31d00304e4d844e26ff727a91

SHA1
d69681a30601bccd051e2ad283be47f183301d22

SHA256
9bc5146e49fa7403c31c714dd2628e6536849a99269cc5e9facd8b11e516aa56

SHA512
93eac29935d412b05f09bb0ee5905914a69dc526966457296e1b46c264ca2ecc36b70c2231532b0bb05b8acffc9b42938fe0300542f9d3d30e773d50c4a77f83

Download Submit
\Windows\SysWOW64\Cileqlmg.exe

Filesize
64KB

MD5
1012c7246ae84ce6bdd6b199998a5420

SHA1
4463d6459ea4f6caaaf9492a356743f10d46c8d0

SHA256
412844ae928f374090dedc5ccbd999e9476f04eb2f23fdfe478b1584c6f51408

SHA512
5100b324c49eb029cd91886a885826ce43fd21215ff61e2c401377fd2bad203b15afa857e33b069dab64c65e4f46490febcfb6545779e565d19d0fe9149a23c5

Download Submit
\Windows\SysWOW64\Ckhdggom.exe

Filesize
64KB

MD5
d0c744490897282ca751eba130286409

SHA1
3117605fb7817b252c6f2931ee864cd055b06b12

SHA256
463b9f7652ee1d34ac3f19ec5303d0ccd9cc1b0f0dddc5575f9362fc28828697

SHA512
7d7d5ee2f0cb3c76a2c4d2aa338cd9568d9ac902a8db78a45933026c601a7d0e0dcc25a033be46018612aa06854d610cd28935214af37de8a17389d3065c1444

Download Submit
\Windows\SysWOW64\Cmpgpond.exe

Filesize
64KB

MD5
3b2d43020bb518662057f5605dfcca15

SHA1
2a84186ccff30d9939acbad7b4e2d5ce19f869b8

SHA256
04fafe2ef5bf4dcd4cdf79e04ed41f496bbf7d7c4a7d08141b2c5783b0dc3165

SHA512
6efaaf0743590bff7d694d5e9731715187536622fa70164c253a60d86b347e35f14620c112331a7e29a41bc9bd33e04f979df3244210404b96b417a74b1aa650

Download Submit
\Windows\SysWOW64\Dnpciaef.exe

Filesize
64KB

MD5
33e20ee1b306f562871265614ae0077a

SHA1
59cdd4a2d3b2bddb57c8169dc904406094343a57

SHA256
01256b8e13fa5714e7a82371ddf9aef2ae780ba4891255d4a55751fc3c61d064

SHA512
f443bfdecd66a87fad4f738f9fbd800d380effb731c9fda74ff83a8e8991adcd86907fbe04d81086cccda8bcdb12f856d883caa5d20ec6b9ee5b8611eb49aade

Download Submit
\Windows\SysWOW64\Dpapaj32.exe

Filesize
64KB

MD5
947d7f92ea994850d7be670ea42ee074

SHA1
f5f5d8927729e0360df40226a0aa12b89c8bf2f9

SHA256
4c16e08b7a0117f82b3ad321770dba91de3e85a16347c7ad5977472f07566906

SHA512
929f4b16729beead7f143d8f74812b01986e9bf3fda47d0c79402a0fb79810f8e33e81efd2d5ced94b6a238427675a46f08a1a2d8a90e4a18c7d39feafaec52a

Download Submit
memory/316-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/316-163-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/572-147-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/572-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1000-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1000-164-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1988-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1988-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2160-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2160-159-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2460-7-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2460-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2460-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2636-61-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-49-0x0000000000320000-0x0000000000353000-memory.dmp

Filesize
204KB

Download
memory/2740-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-60-0x0000000000320000-0x0000000000353000-memory.dmp

Filesize
204KB

Download
memory/2844-21-0x0000000001F30000-0x0000000001F63000-memory.dmp

Filesize
204KB

Download
memory/2844-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2844-27-0x0000000001F30000-0x0000000001F63000-memory.dmp

Filesize
204KB

Download
memory/2844-155-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-82-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads