8e53fd173a089b3e80e7eeae1a80060783a288ecf68f4d3528194780780d3b42

General

Target

cd9d69625e7c9cb47c662775c8174780N.exe
Size

1.2MB
MD5

cd9d69625e7c9cb47c662775c8174780
SHA1

5fa64329ec60101150506f671131c2d21dea3c86
SHA256

8e53fd173a089b3e80e7eeae1a80060783a288ecf68f4d3528194780780d3b42
SHA512

727e6ff5db824d3fce70b5ec9ad469874645dfc04ac7631537ed2834f865f819a0c1a0accf9a95ac58b2a8ba3a18f0d9209d968495b44df40237989232c62ef2
SSDEEP

24576:QN+7gu5YyCtCCm0BKh2kkkkK4kXkkkkkkkkhLX3a20R0v50+YR:bgu5RCtCXbazR0vk

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	cd9d69625e7c9cb47c662775c8174780N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	cd9d69625e7c9cb47c662775c8174780N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcghkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gcghkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbhhieao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbhhieao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gclafmej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gclafmej.exe

Executes dropped EXE 4 IoCs

pid	Process
4808	Gcghkm32.exe
4720	Gbhhieao.exe
796	Gclafmej.exe
3152	Gbmadd32.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gbmadd32.exe	Gclafmej.exe
File opened for modification	C:\Windows\SysWOW64\Gbmadd32.exe	Gclafmej.exe
File created	C:\Windows\SysWOW64\Hjmgbm32.dll	Gclafmej.exe
File created	C:\Windows\SysWOW64\Gcghkm32.exe	cd9d69625e7c9cb47c662775c8174780N.exe
File opened for modification	C:\Windows\SysWOW64\Gcghkm32.exe	cd9d69625e7c9cb47c662775c8174780N.exe
File created	C:\Windows\SysWOW64\Pqgpcnpb.dll	cd9d69625e7c9cb47c662775c8174780N.exe
File opened for modification	C:\Windows\SysWOW64\Gbhhieao.exe	Gcghkm32.exe
File opened for modification	C:\Windows\SysWOW64\Gclafmej.exe	Gbhhieao.exe
File created	C:\Windows\SysWOW64\Gbhhieao.exe	Gcghkm32.exe
File created	C:\Windows\SysWOW64\Jlkklm32.dll	Gcghkm32.exe
File created	C:\Windows\SysWOW64\Gclafmej.exe	Gbhhieao.exe
File created	C:\Windows\SysWOW64\Eocmgd32.dll	Gbhhieao.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3880	3152	WerFault.exe	93

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cd9d69625e7c9cb47c662775c8174780N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcghkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbhhieao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gclafmej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbmadd32.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	cd9d69625e7c9cb47c662775c8174780N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gbhhieao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjmgbm32.dll"	Gclafmej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	cd9d69625e7c9cb47c662775c8174780N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	cd9d69625e7c9cb47c662775c8174780N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqgpcnpb.dll"	cd9d69625e7c9cb47c662775c8174780N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gcghkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	cd9d69625e7c9cb47c662775c8174780N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	cd9d69625e7c9cb47c662775c8174780N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlkklm32.dll"	Gcghkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gcghkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gbhhieao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eocmgd32.dll"	Gbhhieao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gclafmej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gclafmej.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 4808	1708	cd9d69625e7c9cb47c662775c8174780N.exe	90
PID 1708 wrote to memory of 4808	1708	cd9d69625e7c9cb47c662775c8174780N.exe	90
PID 1708 wrote to memory of 4808	1708	cd9d69625e7c9cb47c662775c8174780N.exe	90
PID 4808 wrote to memory of 4720	4808	Gcghkm32.exe	91
PID 4808 wrote to memory of 4720	4808	Gcghkm32.exe	91
PID 4808 wrote to memory of 4720	4808	Gcghkm32.exe	91
PID 4720 wrote to memory of 796	4720	Gbhhieao.exe	92
PID 4720 wrote to memory of 796	4720	Gbhhieao.exe	92
PID 4720 wrote to memory of 796	4720	Gbhhieao.exe	92
PID 796 wrote to memory of 3152	796	Gclafmej.exe	93
PID 796 wrote to memory of 3152	796	Gclafmej.exe	93
PID 796 wrote to memory of 3152	796	Gclafmej.exe	93

C:\Users\Admin\AppData\Local\Temp\cd9d69625e7c9cb47c662775c8174780N.exe
"C:\Users\Admin\AppData\Local\Temp\cd9d69625e7c9cb47c662775c8174780N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\SysWOW64\Gcghkm32.exe
  C:\Windows\system32\Gcghkm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4808
- - C:\Windows\SysWOW64\Gbhhieao.exe
    C:\Windows\system32\Gbhhieao.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4720
  - - C:\Windows\SysWOW64\Gclafmej.exe
      C:\Windows\system32\Gclafmej.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:796
    - - C:\Windows\SysWOW64\Gbmadd32.exe
        
        C:\Windows\system32\Gbmadd32.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3152
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 416
        6⤵
        Program crash
        
        PID:3880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3152 -ip 3152
1⤵
PID:3916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4412,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=4448 /prefetch:8
1⤵
PID:4572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gbhhieao.exe

Filesize
1.2MB

MD5
211aaf60c61acc808b1425a48fd08034

SHA1
15250bb84c9523562f1a33671f99405940073434

SHA256
2a4df7cfea6199de2505c5148dd7b16662365c22181421e16ea91d5af49fa880

SHA512
09cb5422584a67f710a373d2829424c8f60af957c901cfc2a43bcfef1a90d528a01b473373befdc002839e900a606a44279bae26a72278e09bc79673245aee63

Download Submit
C:\Windows\SysWOW64\Gbmadd32.exe

Filesize
1.2MB

MD5
9506e3fedf94b9b8f8bfe7e5bf9d8447

SHA1
073a5f6fab92cba7193d12aea4026cf43be91614

SHA256
35fc5cd18973da31e602ff77508abc5dd1d3b31ac9b7bcdf87359e24074c9465

SHA512
3c8d81576f25cc2bfc1faa4b30a2d070f3ad4d46236ddfbbefcc2d37f0c74dde6de3648fcd88df3e5b3156eed29c74eb6037c30d76b26c276236faab7159b814

Download Submit
C:\Windows\SysWOW64\Gcghkm32.exe

Filesize
1.2MB

MD5
050f8aa8cc70ded06db314cdb1fa0059

SHA1
7186707e7336742ba27f66e2f692a603a4468084

SHA256
74427ef1b1f39eb50b71e811f937c90e7b5ead27c531dd8349ebc08055eaaeb9

SHA512
d6bac99a8f0791a596883d220e3eadb133d75791eb5fc8ea05a94a0a2016246bc610f9ece61c98f5c10ef3924f88e790fd5e58df81c418d7b2bec9ea5453469b

Download Submit
C:\Windows\SysWOW64\Gclafmej.exe

Filesize
1.2MB

MD5
b4542ef5724ff4d4d00b38303185a257

SHA1
6e089358f854efbb6af69a0f0e453a95383d0730

SHA256
709735e2c84477c917aa83eab626034bf24f49f1e8766231fbf84f92f16a6e6d

SHA512
8e1f0ca6565871c8513daaf845abb2e6d2ecf155ce188dc94cec7325157b36dbe5e9c23cee3bb934ef985aafc6b8c8b81bcacad13d1101ac8e8c219ba4dd7d0a

Download Submit
memory/796-28-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/796-34-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1708-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1708-37-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3152-32-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3152-33-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4720-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4720-35-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4808-7-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4808-36-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads