13c3e389c58c02d7b8d652a06156a5bc0645c5a956b62b4685b324410e5a6919

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13c3e389c58c02d7b8d652a06156a5bc0645c5a956b62b4685b324410e5a6919.exe
Size

77KB
MD5

4a22eeaaf37bcd43af65bc7a3ae59a4a
SHA1

4f37dea43be11c2f074fe6f0529a9676ebf8d728
SHA256

13c3e389c58c02d7b8d652a06156a5bc0645c5a956b62b4685b324410e5a6919
SHA512

bd57ca4e54b335b81a572474f51dc2500373a31f7fea7f2b31da0f99837f9657bc27b8ac5e0515dd9abdaec8e3a4d9f28ec5b658a5ee8c734c7fd4ca1dcd0e3f
SSDEEP

1536:w1K3lGRRYl2D5EpRwjK4jsaWcE12LtSwfi+TjRC/D:2KVGRKl2WTwjKncVQwf1TjYD

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	13c3e389c58c02d7b8d652a06156a5bc0645c5a956b62b4685b324410e5a6919.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	13c3e389c58c02d7b8d652a06156a5bc0645c5a956b62b4685b324410e5a6919.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbblda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbblda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagienkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfkmgnj.exe

Executes dropped EXE 12 IoCs

pid	Process
2256	Cbblda32.exe
2508	Cepipm32.exe
2028	Cgoelh32.exe
2696	Cagienkb.exe
2856	Ckmnbg32.exe
2588	Cbffoabe.exe
2608	Cchbgi32.exe
2172	Cjakccop.exe
1276	Calcpm32.exe
2292	Cgfkmgnj.exe
2644	Dnpciaef.exe
1440	Dpapaj32.exe

Loads dropped DLL 27 IoCs

pid	Process
2312	13c3e389c58c02d7b8d652a06156a5bc0645c5a956b62b4685b324410e5a6919.exe
2312	13c3e389c58c02d7b8d652a06156a5bc0645c5a956b62b4685b324410e5a6919.exe
2256	Cbblda32.exe
2256	Cbblda32.exe
2508	Cepipm32.exe
2508	Cepipm32.exe
2028	Cgoelh32.exe
2028	Cgoelh32.exe
2696	Cagienkb.exe
2696	Cagienkb.exe
2856	Ckmnbg32.exe
2856	Ckmnbg32.exe
2588	Cbffoabe.exe
2588	Cbffoabe.exe
2608	Cchbgi32.exe
2608	Cchbgi32.exe
2172	Cjakccop.exe
2172	Cjakccop.exe
1276	Calcpm32.exe
1276	Calcpm32.exe
2292	Cgfkmgnj.exe
2292	Cgfkmgnj.exe
2644	Dnpciaef.exe
2644	Dnpciaef.exe
2000	WerFault.exe
2000	WerFault.exe
2000	WerFault.exe

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cgoelh32.exe	Cepipm32.exe
File created	C:\Windows\SysWOW64\Ofaejacl.dll	Cjakccop.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Hbocphim.dll	Ckmnbg32.exe
File opened for modification	C:\Windows\SysWOW64\Cbblda32.exe	13c3e389c58c02d7b8d652a06156a5bc0645c5a956b62b4685b324410e5a6919.exe
File opened for modification	C:\Windows\SysWOW64\Ckmnbg32.exe	Cagienkb.exe
File created	C:\Windows\SysWOW64\Cbffoabe.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Dnpciaef.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Ednoihel.dll	13c3e389c58c02d7b8d652a06156a5bc0645c5a956b62b4685b324410e5a6919.exe
File created	C:\Windows\SysWOW64\Cepipm32.exe	Cbblda32.exe
File created	C:\Windows\SysWOW64\Cgoelh32.exe	Cepipm32.exe
File created	C:\Windows\SysWOW64\Cpmahlfd.dll	Calcpm32.exe
File opened for modification	C:\Windows\SysWOW64\Cbffoabe.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Gpajfg32.dll	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Pmiljc32.dll	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Cjakccop.exe	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Cgfkmgnj.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Cagienkb.exe	Cgoelh32.exe
File opened for modification	C:\Windows\SysWOW64\Cagienkb.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Hbcfdk32.dll	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Ckmnbg32.exe	Cagienkb.exe
File created	C:\Windows\SysWOW64\Cchbgi32.exe	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Acnenl32.dll	Cbffoabe.exe
File opened for modification	C:\Windows\SysWOW64\Cjakccop.exe	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Cbblda32.exe	13c3e389c58c02d7b8d652a06156a5bc0645c5a956b62b4685b324410e5a6919.exe
File opened for modification	C:\Windows\SysWOW64\Cepipm32.exe	Cbblda32.exe
File created	C:\Windows\SysWOW64\Gdgqdaoh.dll	Cbblda32.exe
File created	C:\Windows\SysWOW64\Jidmcq32.dll	Cepipm32.exe
File created	C:\Windows\SysWOW64\Jhogdg32.dll	Cagienkb.exe
File opened for modification	C:\Windows\SysWOW64\Cchbgi32.exe	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Calcpm32.exe	Cjakccop.exe
File opened for modification	C:\Windows\SysWOW64\Calcpm32.exe	Cjakccop.exe
File opened for modification	C:\Windows\SysWOW64\Cgfkmgnj.exe	Calcpm32.exe
File opened for modification	C:\Windows\SysWOW64\Dnpciaef.exe	Cgfkmgnj.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2000	1440	WerFault.exe	42

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	13c3e389c58c02d7b8d652a06156a5bc0645c5a956b62b4685b324410e5a6919.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbblda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbffoabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe

Modifies registry class 39 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	13c3e389c58c02d7b8d652a06156a5bc0645c5a956b62b4685b324410e5a6919.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagienkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmahlfd.dll"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ednoihel.dll"	13c3e389c58c02d7b8d652a06156a5bc0645c5a956b62b4685b324410e5a6919.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbblda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocphim.dll"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnenl32.dll"	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll"	Cjakccop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	13c3e389c58c02d7b8d652a06156a5bc0645c5a956b62b4685b324410e5a6919.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	13c3e389c58c02d7b8d652a06156a5bc0645c5a956b62b4685b324410e5a6919.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcfdk32.dll"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calcpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	13c3e389c58c02d7b8d652a06156a5bc0645c5a956b62b4685b324410e5a6919.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	13c3e389c58c02d7b8d652a06156a5bc0645c5a956b62b4685b324410e5a6919.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgqdaoh.dll"	Cbblda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpajfg32.dll"	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnpciaef.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 2256	2312	13c3e389c58c02d7b8d652a06156a5bc0645c5a956b62b4685b324410e5a6919.exe	31
PID 2312 wrote to memory of 2256	2312	13c3e389c58c02d7b8d652a06156a5bc0645c5a956b62b4685b324410e5a6919.exe	31
PID 2312 wrote to memory of 2256	2312	13c3e389c58c02d7b8d652a06156a5bc0645c5a956b62b4685b324410e5a6919.exe	31
PID 2312 wrote to memory of 2256	2312	13c3e389c58c02d7b8d652a06156a5bc0645c5a956b62b4685b324410e5a6919.exe	31
PID 2256 wrote to memory of 2508	2256	Cbblda32.exe	32
PID 2256 wrote to memory of 2508	2256	Cbblda32.exe	32
PID 2256 wrote to memory of 2508	2256	Cbblda32.exe	32
PID 2256 wrote to memory of 2508	2256	Cbblda32.exe	32
PID 2508 wrote to memory of 2028	2508	Cepipm32.exe	33
PID 2508 wrote to memory of 2028	2508	Cepipm32.exe	33
PID 2508 wrote to memory of 2028	2508	Cepipm32.exe	33
PID 2508 wrote to memory of 2028	2508	Cepipm32.exe	33
PID 2028 wrote to memory of 2696	2028	Cgoelh32.exe	34
PID 2028 wrote to memory of 2696	2028	Cgoelh32.exe	34
PID 2028 wrote to memory of 2696	2028	Cgoelh32.exe	34
PID 2028 wrote to memory of 2696	2028	Cgoelh32.exe	34
PID 2696 wrote to memory of 2856	2696	Cagienkb.exe	35
PID 2696 wrote to memory of 2856	2696	Cagienkb.exe	35
PID 2696 wrote to memory of 2856	2696	Cagienkb.exe	35
PID 2696 wrote to memory of 2856	2696	Cagienkb.exe	35
PID 2856 wrote to memory of 2588	2856	Ckmnbg32.exe	36
PID 2856 wrote to memory of 2588	2856	Ckmnbg32.exe	36
PID 2856 wrote to memory of 2588	2856	Ckmnbg32.exe	36
PID 2856 wrote to memory of 2588	2856	Ckmnbg32.exe	36
PID 2588 wrote to memory of 2608	2588	Cbffoabe.exe	37
PID 2588 wrote to memory of 2608	2588	Cbffoabe.exe	37
PID 2588 wrote to memory of 2608	2588	Cbffoabe.exe	37
PID 2588 wrote to memory of 2608	2588	Cbffoabe.exe	37
PID 2608 wrote to memory of 2172	2608	Cchbgi32.exe	38
PID 2608 wrote to memory of 2172	2608	Cchbgi32.exe	38
PID 2608 wrote to memory of 2172	2608	Cchbgi32.exe	38
PID 2608 wrote to memory of 2172	2608	Cchbgi32.exe	38
PID 2172 wrote to memory of 1276	2172	Cjakccop.exe	39
PID 2172 wrote to memory of 1276	2172	Cjakccop.exe	39
PID 2172 wrote to memory of 1276	2172	Cjakccop.exe	39
PID 2172 wrote to memory of 1276	2172	Cjakccop.exe	39
PID 1276 wrote to memory of 2292	1276	Calcpm32.exe	40
PID 1276 wrote to memory of 2292	1276	Calcpm32.exe	40
PID 1276 wrote to memory of 2292	1276	Calcpm32.exe	40
PID 1276 wrote to memory of 2292	1276	Calcpm32.exe	40
PID 2292 wrote to memory of 2644	2292	Cgfkmgnj.exe	41
PID 2292 wrote to memory of 2644	2292	Cgfkmgnj.exe	41
PID 2292 wrote to memory of 2644	2292	Cgfkmgnj.exe	41
PID 2292 wrote to memory of 2644	2292	Cgfkmgnj.exe	41
PID 2644 wrote to memory of 1440	2644	Dnpciaef.exe	42
PID 2644 wrote to memory of 1440	2644	Dnpciaef.exe	42
PID 2644 wrote to memory of 1440	2644	Dnpciaef.exe	42
PID 2644 wrote to memory of 1440	2644	Dnpciaef.exe	42
PID 1440 wrote to memory of 2000	1440	Dpapaj32.exe	43
PID 1440 wrote to memory of 2000	1440	Dpapaj32.exe	43
PID 1440 wrote to memory of 2000	1440	Dpapaj32.exe	43
PID 1440 wrote to memory of 2000	1440	Dpapaj32.exe	43

C:\Users\Admin\AppData\Local\Temp\13c3e389c58c02d7b8d652a06156a5bc0645c5a956b62b4685b324410e5a6919.exe
"C:\Users\Admin\AppData\Local\Temp\13c3e389c58c02d7b8d652a06156a5bc0645c5a956b62b4685b324410e5a6919.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\SysWOW64\Cbblda32.exe
  C:\Windows\system32\Cbblda32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Windows\SysWOW64\Cepipm32.exe
    C:\Windows\system32\Cepipm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Windows\SysWOW64\Cgoelh32.exe
      C:\Windows\system32\Cgoelh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2028
    - - C:\Windows\SysWOW64\Cagienkb.exe
        
        C:\Windows\system32\Cagienkb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
      - C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\Cbffoabe.exe
        
        C:\Windows\system32\Cbffoabe.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 144
        14⤵
        Loads dropped DLL
        Program crash
        
        PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cbblda32.exe

Filesize
77KB

MD5
3e2414c8d8c4df33a6c66d756337adc5

SHA1
0978540904cabc3a8b1a130f1a0554eb8f544b1e

SHA256
868f124f2907d7e55e38236e8508cfedad145d4eff409765814fb6cc7fccd3d7

SHA512
7c2911318dd071007db67949f72301f28b677022aeac14c31b7c84cf3f1b7e2292799ded59de5be1c52aa5991259237217ed85daa9ce4cf174626c88cc8befa1

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
77KB

MD5
01a4d86dd885584f6f28b9c6e6dd3c8e

SHA1
06bfa145e9d5c990f1c5f0cfb6a0fc3b7563a29f

SHA256
bba1d337782811ff2397db7a2ba67e75b4f737c854f5133c45b317f5525ea069

SHA512
caedad2d258604790794eb730511ed065cd058e786972f3b7a280917c8cba4a00db2bc22ef65a6ab06fb1df5ee52f466a5b487be140cd5abf77dc44250a69eb5

Download Submit
C:\Windows\SysWOW64\Cjakccop.exe

Filesize
77KB

MD5
f6b81058501176282237f9b2a415daeb

SHA1
549cf44067518157f51816ef6159ad6ccab6532c

SHA256
ba3a30180288363a7805a894f126c08e4c319dfe451946d0b8f724815314ab1e

SHA512
cc3ec3aea722ca59d94a163d638fe0be5e4a66287b53e58aa5ef86475dcead7e20b30223d88a5f10d733bedce8ea3ae5be8cf6b0130f492b90487f8f8e374f1d

Download Submit
\Windows\SysWOW64\Cagienkb.exe

Filesize
77KB

MD5
ff83d58db08fe5b809713056b5309e91

SHA1
5e4e74832bfc9a080371b819633a4d2ec81e2298

SHA256
b471638879a39d0c34861898866c68db360e7a8e2bd5fd988312f26ebb6b8203

SHA512
116949856e55854b658483decb31400e49696c1da924dab576c3b8dd5e9c409328f04d1bc26dfd6a34bd89164e4faced921718b772c1024fdd953299be12bb59

Download Submit
\Windows\SysWOW64\Calcpm32.exe

Filesize
77KB

MD5
cd210dcfd4e17570144e07c832aaabbd

SHA1
b9f74774f2f42b3fac59314dee1984c2cd86b784

SHA256
09d5d782c2c9617c161c1e11d53a35abb02c137d11ad02fa01c9c52d4eaf1efa

SHA512
59d16e4ca42fbcdd7bba5ce1be5a56487c8d63770c28cbda249010ddaece441b83e4b88b7c808863b0835292259b6036adfb837fa658bcaa6603691746ee7a30

Download Submit
\Windows\SysWOW64\Cbffoabe.exe

Filesize
77KB

MD5
ff8b9b59d167d2ad5c94fe5617bd1a48

SHA1
1ec1e8eefc646cffc78d0c857381545b29744375

SHA256
fb1d2d626fbe6d18d4054814d4756ca2f9c9c83c2abf1343ca1dc60865a3a38e

SHA512
317ad2ab62b4b7253732783a2bddba59efe7dc4617a919f22a2810263972d276871b707903cd803683578401f3aaea3a1702eda42e1f4f17ce00b9f4f39560c8

Download Submit
\Windows\SysWOW64\Cchbgi32.exe

Filesize
77KB

MD5
39a6f5273904e9d7a53a6a132d43edea

SHA1
f116b8c48b2d97b89c1c37b5aa29381f8f5e81c8

SHA256
642e5a76b0f67130933d83600948d91f2df555e7f99e44adb5a84068339208a8

SHA512
e6873f0719c174861b09a2c98e72c18209f19a76326fe25cd32a3554ca9fc514e9daf7629808eadce260ded974f3055f2ffb62b8a28187706b75dfcf9eece6e2

Download Submit
\Windows\SysWOW64\Cepipm32.exe

Filesize
77KB

MD5
3b1889a2e8b8751aaae68d3d4b56db1c

SHA1
eb1942ae8114197a061892252c8494c0c475803c

SHA256
ae6bc5cc56228501cb58f645932c524679682bd73b2e597f7d8e8ddfc5a63d19

SHA512
791443ddef5ca7c401c00beb6b098a8a11007b21f3b262ea02c2668eb8c8f5e8cf4beb2792a0dcc2e5b5ee2c11bcb82fae9de291babb7c318230e1242af0f1f5

Download Submit
\Windows\SysWOW64\Cgoelh32.exe

Filesize
77KB

MD5
a29a000ddd1259d3362744439d4f24d4

SHA1
49ba91358ad798c8417bd653066d42a6e7ae1e7f

SHA256
89d20acc7f3baf4a4950f056449792d3c5442fb98b88704f4d28e180cdec1e21

SHA512
c127393f9ca149d8316c3d50ba8daaaeffb11f52cd4a44218f68b43c5913d13e536c5a53471341291da82c64aadd478495f36995c4f7e27a277652a31fa6b520

Download Submit
\Windows\SysWOW64\Ckmnbg32.exe

Filesize
77KB

MD5
54e8eee1a6f271054399a1fe46580a88

SHA1
98e6e52fa6291b3e4f5bd735e3962993e0a2015b

SHA256
fb3518de5160842cb5192fa5ae0bf26d3c94784027dba1e2a04bb0be9ff1a61f

SHA512
fdd20a1c433c2db1fb508d8b3abeabb4b20846eb604a9ef68fd430282bfb59d874066f614f48921bf4b06a7cb45cadd0564c1b69132a8f7b47fa2e1349b7c0ba

Download Submit
\Windows\SysWOW64\Dnpciaef.exe

Filesize
77KB

MD5
65ec8a5dc44b2cbcfbf273402c4f73dd

SHA1
855f6218d5d869c895f775079fe585f3f0150035

SHA256
e4d5fb0d7af7c0df978242afc574b549cb17ea157738299dd3076639941355a7

SHA512
3167ed1525eeecdd9febf7250b2f53cdbc343b7e41803584b05721a7b8fac9097cfc4f532f2b3b3004bc70e7f138fa593f8936fb491f47696587cb4f49e3089a

Download Submit
\Windows\SysWOW64\Dpapaj32.exe

Filesize
77KB

MD5
f665752070ed8e4ce3085d5a4e1a3e8c

SHA1
74f1dbd968865ee4629d9e1813894eee19fbb1e0

SHA256
bc92c4e52fa3135bd7b3d6c30da69bd00e9d430e67e7fe3ea4faa698a92c1fdd

SHA512
737521dd67c2b7db079cfde464adf51d75ce5c67090e64cf9765e071264d9310ac3216adfb06bbe7040ab25386896dc87eac247872a5a41719bcdbc588456458

Download Submit
memory/1276-173-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1276-119-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1440-158-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1440-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2028-45-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2028-167-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2172-113-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2172-172-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2172-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2256-20-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2292-140-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2292-174-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2292-132-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2312-165-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2312-17-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2312-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2508-34-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2508-166-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2508-26-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2588-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2588-87-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/2588-170-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2608-171-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2644-175-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2696-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2696-53-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2696-61-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/2856-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads