fa386f6f14454406e8532bcea7bc592f5fb837e7592608d5b8b3dfcaf8b4759a

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 11:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2ceba4f52ef184d4b20b89c242925d30N.exe
Size

94KB
MD5

2ceba4f52ef184d4b20b89c242925d30
SHA1

af2d9bc3ea6eb9c0fed1a04da4d9e1ad1b5af086
SHA256

fa386f6f14454406e8532bcea7bc592f5fb837e7592608d5b8b3dfcaf8b4759a
SHA512

04c2260051988f977058861469fa921ba01398de610f5279aef44f15f1a4e81eb21a25046a64211c44cb30f94c94b5106c7fc212653e602948c519bbfef4f742
SSDEEP

1536:d+ucDzq52RSL8d6qaFqO1ZpmvQSS+AyI15CUwTAiO7BR9L4DT2EnINs:du3Sg6qQ1ZfP+/IHfAHO6+ob

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	2ceba4f52ef184d4b20b89c242925d30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjonncab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjonncab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2ceba4f52ef184d4b20b89c242925d30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caifjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmbcen32.exe

Executes dropped EXE 12 IoCs

pid	Process
2696	Cileqlmg.exe
2656	Ckjamgmk.exe
2732	Cnimiblo.exe
2596	Ckmnbg32.exe
2620	Cjonncab.exe
3004	Caifjn32.exe
2760	Cgcnghpl.exe
2080	Cmpgpond.exe
1596	Ccjoli32.exe
1620	Djdgic32.exe
2424	Dmbcen32.exe
320	Dpapaj32.exe

Loads dropped DLL 27 IoCs

pid	Process
1668	2ceba4f52ef184d4b20b89c242925d30N.exe
1668	2ceba4f52ef184d4b20b89c242925d30N.exe
2696	Cileqlmg.exe
2696	Cileqlmg.exe
2656	Ckjamgmk.exe
2656	Ckjamgmk.exe
2732	Cnimiblo.exe
2732	Cnimiblo.exe
2596	Ckmnbg32.exe
2596	Ckmnbg32.exe
2620	Cjonncab.exe
2620	Cjonncab.exe
3004	Caifjn32.exe
3004	Caifjn32.exe
2760	Cgcnghpl.exe
2760	Cgcnghpl.exe
2080	Cmpgpond.exe
2080	Cmpgpond.exe
1596	Ccjoli32.exe
1596	Ccjoli32.exe
1620	Djdgic32.exe
1620	Djdgic32.exe
2424	Dmbcen32.exe
2424	Dmbcen32.exe
2376	WerFault.exe
2376	WerFault.exe
2376	WerFault.exe

Drops file in System32 directory 38 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Oeopijom.dll	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Dmbcen32.exe	Djdgic32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dmbcen32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Cileqlmg.exe	2ceba4f52ef184d4b20b89c242925d30N.exe
File created	C:\Windows\SysWOW64\Cmbfdl32.dll	2ceba4f52ef184d4b20b89c242925d30N.exe
File created	C:\Windows\SysWOW64\Ckjamgmk.exe	Cileqlmg.exe
File opened for modification	C:\Windows\SysWOW64\Ckjamgmk.exe	Cileqlmg.exe
File opened for modification	C:\Windows\SysWOW64\Ckmnbg32.exe	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Cjonncab.exe	Ckmnbg32.exe
File opened for modification	C:\Windows\SysWOW64\Caifjn32.exe	Cjonncab.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Omakjj32.dll	Caifjn32.exe
File opened for modification	C:\Windows\SysWOW64\Cileqlmg.exe	2ceba4f52ef184d4b20b89c242925d30N.exe
File created	C:\Windows\SysWOW64\Cnimiblo.exe	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Ckmnbg32.exe	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Jhogdg32.dll	Cnimiblo.exe
File opened for modification	C:\Windows\SysWOW64\Cgcnghpl.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Cmpgpond.exe	Cgcnghpl.exe
File opened for modification	C:\Windows\SysWOW64\Djdgic32.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Ccofjipn.dll	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Fbnbckhg.dll	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Onaiomjo.dll	Cjonncab.exe
File created	C:\Windows\SysWOW64\Pcaibd32.dll	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Caifjn32.exe	Cjonncab.exe
File created	C:\Windows\SysWOW64\Ccjoli32.exe	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Djdgic32.exe	Ccjoli32.exe
File opened for modification	C:\Windows\SysWOW64\Dmbcen32.exe	Djdgic32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Cjonncab.exe	Ckmnbg32.exe
File opened for modification	C:\Windows\SysWOW64\Ccjoli32.exe	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Fikbiheg.dll	Djdgic32.exe
File opened for modification	C:\Windows\SysWOW64\Cmpgpond.exe	Cgcnghpl.exe
File opened for modification	C:\Windows\SysWOW64\Cnimiblo.exe	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Pobghn32.dll	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Ciohdhad.dll	Cmpgpond.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2376	320	WerFault.exe	42

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2ceba4f52ef184d4b20b89c242925d30N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjamgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjonncab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe

Modifies registry class 39 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciohdhad.dll"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onaiomjo.dll"	Cjonncab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	2ceba4f52ef184d4b20b89c242925d30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnbckhg.dll"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeopijom.dll"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbfdl32.dll"	2ceba4f52ef184d4b20b89c242925d30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	2ceba4f52ef184d4b20b89c242925d30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	2ceba4f52ef184d4b20b89c242925d30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll"	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	2ceba4f52ef184d4b20b89c242925d30N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	2ceba4f52ef184d4b20b89c242925d30N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckmnbg32.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 2696	1668	2ceba4f52ef184d4b20b89c242925d30N.exe	31
PID 1668 wrote to memory of 2696	1668	2ceba4f52ef184d4b20b89c242925d30N.exe	31
PID 1668 wrote to memory of 2696	1668	2ceba4f52ef184d4b20b89c242925d30N.exe	31
PID 1668 wrote to memory of 2696	1668	2ceba4f52ef184d4b20b89c242925d30N.exe	31
PID 2696 wrote to memory of 2656	2696	Cileqlmg.exe	32
PID 2696 wrote to memory of 2656	2696	Cileqlmg.exe	32
PID 2696 wrote to memory of 2656	2696	Cileqlmg.exe	32
PID 2696 wrote to memory of 2656	2696	Cileqlmg.exe	32
PID 2656 wrote to memory of 2732	2656	Ckjamgmk.exe	33
PID 2656 wrote to memory of 2732	2656	Ckjamgmk.exe	33
PID 2656 wrote to memory of 2732	2656	Ckjamgmk.exe	33
PID 2656 wrote to memory of 2732	2656	Ckjamgmk.exe	33
PID 2732 wrote to memory of 2596	2732	Cnimiblo.exe	34
PID 2732 wrote to memory of 2596	2732	Cnimiblo.exe	34
PID 2732 wrote to memory of 2596	2732	Cnimiblo.exe	34
PID 2732 wrote to memory of 2596	2732	Cnimiblo.exe	34
PID 2596 wrote to memory of 2620	2596	Ckmnbg32.exe	35
PID 2596 wrote to memory of 2620	2596	Ckmnbg32.exe	35
PID 2596 wrote to memory of 2620	2596	Ckmnbg32.exe	35
PID 2596 wrote to memory of 2620	2596	Ckmnbg32.exe	35
PID 2620 wrote to memory of 3004	2620	Cjonncab.exe	36
PID 2620 wrote to memory of 3004	2620	Cjonncab.exe	36
PID 2620 wrote to memory of 3004	2620	Cjonncab.exe	36
PID 2620 wrote to memory of 3004	2620	Cjonncab.exe	36
PID 3004 wrote to memory of 2760	3004	Caifjn32.exe	37
PID 3004 wrote to memory of 2760	3004	Caifjn32.exe	37
PID 3004 wrote to memory of 2760	3004	Caifjn32.exe	37
PID 3004 wrote to memory of 2760	3004	Caifjn32.exe	37
PID 2760 wrote to memory of 2080	2760	Cgcnghpl.exe	38
PID 2760 wrote to memory of 2080	2760	Cgcnghpl.exe	38
PID 2760 wrote to memory of 2080	2760	Cgcnghpl.exe	38
PID 2760 wrote to memory of 2080	2760	Cgcnghpl.exe	38
PID 2080 wrote to memory of 1596	2080	Cmpgpond.exe	39
PID 2080 wrote to memory of 1596	2080	Cmpgpond.exe	39
PID 2080 wrote to memory of 1596	2080	Cmpgpond.exe	39
PID 2080 wrote to memory of 1596	2080	Cmpgpond.exe	39
PID 1596 wrote to memory of 1620	1596	Ccjoli32.exe	40
PID 1596 wrote to memory of 1620	1596	Ccjoli32.exe	40
PID 1596 wrote to memory of 1620	1596	Ccjoli32.exe	40
PID 1596 wrote to memory of 1620	1596	Ccjoli32.exe	40
PID 1620 wrote to memory of 2424	1620	Djdgic32.exe	41
PID 1620 wrote to memory of 2424	1620	Djdgic32.exe	41
PID 1620 wrote to memory of 2424	1620	Djdgic32.exe	41
PID 1620 wrote to memory of 2424	1620	Djdgic32.exe	41
PID 2424 wrote to memory of 320	2424	Dmbcen32.exe	42
PID 2424 wrote to memory of 320	2424	Dmbcen32.exe	42
PID 2424 wrote to memory of 320	2424	Dmbcen32.exe	42
PID 2424 wrote to memory of 320	2424	Dmbcen32.exe	42
PID 320 wrote to memory of 2376	320	Dpapaj32.exe	43
PID 320 wrote to memory of 2376	320	Dpapaj32.exe	43
PID 320 wrote to memory of 2376	320	Dpapaj32.exe	43
PID 320 wrote to memory of 2376	320	Dpapaj32.exe	43

C:\Users\Admin\AppData\Local\Temp\2ceba4f52ef184d4b20b89c242925d30N.exe
"C:\Users\Admin\AppData\Local\Temp\2ceba4f52ef184d4b20b89c242925d30N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\SysWOW64\Cileqlmg.exe
  C:\Windows\system32\Cileqlmg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\Ckjamgmk.exe
    C:\Windows\system32\Ckjamgmk.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\SysWOW64\Cnimiblo.exe
      C:\Windows\system32\Cnimiblo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2596
      - C:\Windows\SysWOW64\Cjonncab.exe
        
        C:\Windows\system32\Cjonncab.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 144
        14⤵
        Loads dropped DLL
        Program crash
        
        PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cnimiblo.exe

Filesize
94KB

MD5
72dd01ba7e3d5fa41c7c748a763cd8e3

SHA1
a135da0ef3b0c10f098290dc1f9dc3469d965469

SHA256
33564117045f96a0957bbcc037133666d3a8c0b22e42f02b83ab105d1c03c753

SHA512
f7ace138d341586d89e5770307a88ddc226fa173be2b180c4e229256df61dd48ec61573f17620780d5a550ceb405bc6f4c062da70814ae0df8e8c2f5b2054268

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
94KB

MD5
eae06c89c8c6dce64b7082a97e8e8bb3

SHA1
7f8fc9eb0661e0a86b725234357f8c5d7e2445d8

SHA256
57df57313091efc5154bc8094f76a7e55a3220634ca7747ebc9a75f17e506b95

SHA512
19e6ff33f35551a699b2851dfcda4e50cbd513b13dda17fe61f88189280b25848c90f94a7ed186dc297fffc5e6891818fd2c4d3e3a0f8bc943c16c2329ab385d

Download Submit
C:\Windows\SysWOW64\Oeopijom.dll

Filesize
7KB

MD5
c4693c79f5b67e1ea312944a1bd4afc6

SHA1
dfb08127f586af56e3361942ca85f487d333ab0a

SHA256
df6a0f0036ca0bfc541a2b2fe53beb92f2dd4531b2dcc8c85d5dff43c7c8c101

SHA512
23c2f6c4d5b8b6a20a755505a9caf54f1731c6d460a90d60f7eb4751cf4b8023a0491f66ab6888749a6aab507514dab9ae67fa7a0bf9f3a7648720b056c30375

Download Submit
\Windows\SysWOW64\Caifjn32.exe

Filesize
94KB

MD5
1ab02211af198da6a569731a7ce15dc7

SHA1
ffb2836c0bc6bc6bacca71580facb953b590ef01

SHA256
5d88cc815c5ff3b4b3df31f8ebd80b9794976629b4ad87a47e21ae194e04e9c7

SHA512
84b00bc3eac06ab32a74c6b15bcf56b8b99138be8685c0127312a65a5b446774f8679ae4cc6bbbfdfd3d7ea704b6cc49aaa7763c3cca809acd5f6116d2331dc7

Download Submit
\Windows\SysWOW64\Ccjoli32.exe

Filesize
94KB

MD5
490952d4676bccd41734a38c86c161cc

SHA1
bae90815b72b906f190d95bfde6b962fdfe4a6b3

SHA256
4c890b5c24405b0a160fdcb9337f3ec5739b2a20f8539a74b6c6f00aead17512

SHA512
5de01abc2ffed68faa386f0045dbbb1dd8b0dba1ba9e0e61c877500bb961fe415aa516d90d2402be259e1fa292be98f4ede4d561dba2e0478bc73e7f3280e30d

Download Submit
\Windows\SysWOW64\Cgcnghpl.exe

Filesize
94KB

MD5
bf31ddf57850cc88f54a4ab3630b3bee

SHA1
9766be2d0883cc092321792fe6f3b4e526f52e99

SHA256
f656f9878b4320ce9ae35f4999196cfa725266fd8155bc80211b8b10b2978bae

SHA512
8aeeb41cae92228b940ae564fbefdbb9b511e57481c9e9d8b8b31c61cbba366738cd237d9948edc7870308e206c4d07b833480648f26928bd174bd07041c8647

Download Submit
\Windows\SysWOW64\Cileqlmg.exe

Filesize
94KB

MD5
0cc452403014947b90fb081863555993

SHA1
2c354890ae9109d9301700117ec3e7978661f57f

SHA256
e27ea41c5c9bc35a217ee0f7a4e4ce31baca15da396634ac511e0dca5c8764bb

SHA512
7280854320b5c99427237045810c26fe592e0119bed607bdf754ed9ada6cd3131aaa7a2ffc3db99354b31fefbead2f9affb8496f5203db62d2a098c58334d630

Download Submit
\Windows\SysWOW64\Cjonncab.exe

Filesize
94KB

MD5
89ccab83e4b85b0632ac807fe4110db0

SHA1
201a7eaf0eecf25318eed535b704a77dba19e79e

SHA256
d6798e7873a0f07218f968e86560480092df0b1417112cb35fc7117d5fce8cf8

SHA512
86ec7b37f92179a29b0647ca4c2e5440f0278fa954666beae4081bb98ffce704447bf47e93ed097232aa62bb7835f154272cc515fa5229ea0e2c869c1b6f5ff7

Download Submit
\Windows\SysWOW64\Ckjamgmk.exe

Filesize
94KB

MD5
efcb3815debd4fa70b4999609a2ae044

SHA1
8af64baaa9d6c72bd498f4c1a22bb6ccd4d2de96

SHA256
da23b4197e4e7e6086b42bab5fa3531553d282a1417b5ca9bc51a76dc6816ead

SHA512
49d05148d29ea003b57b4b21e0d0fe864a40493458a7de9bc403f504d82f08387ce539bcf78bb9a31c5754ea3f39b5e170c431e4b5fc20bac46f1f5715dc2c50

Download Submit
\Windows\SysWOW64\Ckmnbg32.exe

Filesize
94KB

MD5
a2a4d38a3f67c30a3ef3dab53c9d51a3

SHA1
51c34ebb66b89f001e9d69e2425e85adda945725

SHA256
f3b444d47f9fb440282e2d4aef03c6f3bbc37995f262af8fcfb6d218d1bf8973

SHA512
c733d4b7036809270d58b86fd68a2a69d2134c30a33359c6f09cbddfd7265005f80aa391ed34c2889c3816c3bd07bef77e9b56babe69d3e81c129b9b33552025

Download Submit
\Windows\SysWOW64\Cmpgpond.exe

Filesize
94KB

MD5
7e7b54876f728dfa17e13f24110446c6

SHA1
b17865818d1f9af337888082002e59ac67ca357f

SHA256
fe503d5fc6bef3c0b256f9d6fb21833b9bcad49a9a2bcba1c9f217cf3f714903

SHA512
bcb463474c435b18d8c19cc63d75db6259cc3048fc840f8b7899e721cb8a605865fb4ec6f328a032ea0d22544f7f264f0a4d969e76bf3e4f06e9c85f5d1682f7

Download Submit
\Windows\SysWOW64\Djdgic32.exe

Filesize
94KB

MD5
352f27e27a36b61f0f5ee81ac677e5d5

SHA1
6037173fa3c15be7c431ea5e5fe3854b3117d57f

SHA256
8b81a0dd4088eb6e5f431b67b837caab999a425df63751fce62796b8ebddb3da

SHA512
b8f31dd7f682c4b7c41cfe084341f79104f143a4acf8cebb60154e7a618bcf517dc0e4c65a41e2284149180b27b81ed5f289223f832aa9e78e2067d8c9aeb046

Download Submit
\Windows\SysWOW64\Dpapaj32.exe

Filesize
94KB

MD5
07bcc3ab809c88ffc0b102eab5607de0

SHA1
7be58f2c8616f59e3597e2ba26231579a168c930

SHA256
c8ad7a4687838205186301969d9777a0257ba900f2bc446aec57ac930dc5c88d

SHA512
a5ce553024dc805e10b9bc735cf8a7fb804263e6dff8ba112ef7073c16b3d936efbdd38778327d5a77fdb577093521771a425c990fd9294ffd50d62ad8dd0b86

Download Submit
memory/320-183-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1596-136-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1596-180-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1596-124-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1620-181-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1620-138-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1620-151-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1668-172-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1668-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1668-12-0x0000000000370000-0x00000000003A5000-memory.dmp

Filesize
212KB

Download
memory/1668-13-0x0000000000370000-0x00000000003A5000-memory.dmp

Filesize
212KB

Download
memory/2080-110-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2080-123-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2080-179-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2424-160-0x0000000000310000-0x0000000000345000-memory.dmp

Filesize
212KB

Download
memory/2424-182-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2424-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2596-67-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2596-175-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2596-58-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2620-80-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/2620-68-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2620-176-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2656-38-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2696-14-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2696-173-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2732-57-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2732-174-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2732-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2760-178-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2760-103-0x00000000002A0000-0x00000000002D5000-memory.dmp

Filesize
212KB

Download
memory/2760-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3004-177-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3004-82-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3004-90-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads