e110f4196ebfffa029cdd8e7d59a01edec847f5704f28b78ab33c51d89aeca3d

General

Target

d7b0876c4690be3f0d3065b3b84d2900N.exe
Size

211KB
MD5

d7b0876c4690be3f0d3065b3b84d2900
SHA1

0585918fd38c46f5208343b5fd9253d345380fe0
SHA256

e110f4196ebfffa029cdd8e7d59a01edec847f5704f28b78ab33c51d89aeca3d
SHA512

f0f43ccefe73ba0da9554ef166ae51a8447568c47b881b652285a8bc1bac6362c3f00ee11d4cec72367bab1e76812741068b776083f929956b0ac9f4ee662088
SSDEEP

6144:NJlIEqk0cEseYr75lHzpaF2e6UK+42GTQMJSZO5f7M0rx7/N:NJl+k8seYr75lTefkY660fII

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d7b0876c4690be3f0d3065b3b84d2900N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccblbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccblbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgpeha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjmekgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	d7b0876c4690be3f0d3065b3b84d2900N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciihjmcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ciihjmcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpcpfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpcpfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgpeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmjmekgn.exe

Executes dropped EXE 6 IoCs

pid	Process
324	Ciihjmcj.exe
4836	Cpcpfg32.exe
1132	Ccblbb32.exe
4172	Dgpeha32.exe
4568	Dmjmekgn.exe
1620	Diqnjl32.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lpcgahca.dll	Ccblbb32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjmekgn.exe	Dgpeha32.exe
File created	C:\Windows\SysWOW64\Diqnjl32.exe	Dmjmekgn.exe
File created	C:\Windows\SysWOW64\Cpcpfg32.exe	Ciihjmcj.exe
File opened for modification	C:\Windows\SysWOW64\Cpcpfg32.exe	Ciihjmcj.exe
File created	C:\Windows\SysWOW64\Ccblbb32.exe	Cpcpfg32.exe
File created	C:\Windows\SysWOW64\Jmbpjm32.dll	Ciihjmcj.exe
File created	C:\Windows\SysWOW64\Qahlom32.dll	Dmjmekgn.exe
File opened for modification	C:\Windows\SysWOW64\Dgpeha32.exe	Ccblbb32.exe
File created	C:\Windows\SysWOW64\Dmjmekgn.exe	Dgpeha32.exe
File opened for modification	C:\Windows\SysWOW64\Diqnjl32.exe	Dmjmekgn.exe
File created	C:\Windows\SysWOW64\Ciihjmcj.exe	d7b0876c4690be3f0d3065b3b84d2900N.exe
File opened for modification	C:\Windows\SysWOW64\Ciihjmcj.exe	d7b0876c4690be3f0d3065b3b84d2900N.exe
File created	C:\Windows\SysWOW64\Nppbddqg.dll	Cpcpfg32.exe
File created	C:\Windows\SysWOW64\Mgqaip32.dll	Dgpeha32.exe
File created	C:\Windows\SysWOW64\Fiplni32.dll	d7b0876c4690be3f0d3065b3b84d2900N.exe
File opened for modification	C:\Windows\SysWOW64\Ccblbb32.exe	Cpcpfg32.exe
File created	C:\Windows\SysWOW64\Dgpeha32.exe	Ccblbb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1892	1620	WerFault.exe	96

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjmekgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Diqnjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d7b0876c4690be3f0d3065b3b84d2900N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihjmcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpcpfg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccblbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgpeha32.exe

Modifies registry class 21 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	d7b0876c4690be3f0d3065b3b84d2900N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ciihjmcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpcpfg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ccblbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpcgahca.dll"	Ccblbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgpeha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmjmekgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgpeha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	d7b0876c4690be3f0d3065b3b84d2900N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	d7b0876c4690be3f0d3065b3b84d2900N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	d7b0876c4690be3f0d3065b3b84d2900N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiplni32.dll"	d7b0876c4690be3f0d3065b3b84d2900N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmbpjm32.dll"	Ciihjmcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ciihjmcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nppbddqg.dll"	Cpcpfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	d7b0876c4690be3f0d3065b3b84d2900N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpcpfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ccblbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgqaip32.dll"	Dgpeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahlom32.dll"	Dmjmekgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjmekgn.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 324	2064	d7b0876c4690be3f0d3065b3b84d2900N.exe	90
PID 2064 wrote to memory of 324	2064	d7b0876c4690be3f0d3065b3b84d2900N.exe	90
PID 2064 wrote to memory of 324	2064	d7b0876c4690be3f0d3065b3b84d2900N.exe	90
PID 324 wrote to memory of 4836	324	Ciihjmcj.exe	91
PID 324 wrote to memory of 4836	324	Ciihjmcj.exe	91
PID 324 wrote to memory of 4836	324	Ciihjmcj.exe	91
PID 4836 wrote to memory of 1132	4836	Cpcpfg32.exe	92
PID 4836 wrote to memory of 1132	4836	Cpcpfg32.exe	92
PID 4836 wrote to memory of 1132	4836	Cpcpfg32.exe	92
PID 1132 wrote to memory of 4172	1132	Ccblbb32.exe	93
PID 1132 wrote to memory of 4172	1132	Ccblbb32.exe	93
PID 1132 wrote to memory of 4172	1132	Ccblbb32.exe	93
PID 4172 wrote to memory of 4568	4172	Dgpeha32.exe	94
PID 4172 wrote to memory of 4568	4172	Dgpeha32.exe	94
PID 4172 wrote to memory of 4568	4172	Dgpeha32.exe	94
PID 4568 wrote to memory of 1620	4568	Dmjmekgn.exe	96
PID 4568 wrote to memory of 1620	4568	Dmjmekgn.exe	96
PID 4568 wrote to memory of 1620	4568	Dmjmekgn.exe	96

C:\Users\Admin\AppData\Local\Temp\d7b0876c4690be3f0d3065b3b84d2900N.exe
"C:\Users\Admin\AppData\Local\Temp\d7b0876c4690be3f0d3065b3b84d2900N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\SysWOW64\Ciihjmcj.exe
  C:\Windows\system32\Ciihjmcj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:324
- - C:\Windows\SysWOW64\Cpcpfg32.exe
    C:\Windows\system32\Cpcpfg32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4836
  - - C:\Windows\SysWOW64\Ccblbb32.exe
      C:\Windows\system32\Ccblbb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1132
    - - C:\Windows\SysWOW64\Dgpeha32.exe
        
        C:\Windows\system32\Dgpeha32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4172
      - C:\Windows\SysWOW64\Dmjmekgn.exe
        
        C:\Windows\system32\Dmjmekgn.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 420
        8⤵
        Program crash
        
        PID:1892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1620 -ip 1620
1⤵
PID:1940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4344,i,11391966286255097843,10588851088187498028,262144 --variations-seed-version --mojo-platform-channel-handle=3904 /prefetch:8
1⤵
PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ccblbb32.exe

Filesize
211KB

MD5
5ae2e861f98b208d2a2904a6bfa121ac

SHA1
e77c4bea27618ce304c27330cdfdb98bbdddb9ba

SHA256
e9057295aab9bec501710bf02a414d5879a3b0b4e6f5eac5c2e3dd5884f2374f

SHA512
3596d01d3180af71ac3152dc07780717b1603a205195ca728b010da6fceba919665d2d472e2be23769a47e53860b0d72b0dd08693665cfba8cc95781584f8c66

Download Submit
C:\Windows\SysWOW64\Ciihjmcj.exe

Filesize
211KB

MD5
0030aad0fb5f66ecb4aa3365cc61125f

SHA1
fdedab52e38b631d6c50a65b5c3f315543648fa3

SHA256
b9f723827943f2cc4b20d232d404da24a1371685e82de9c4332a588579df1464

SHA512
3e331e529b1722fd4b5bad8082d38a02bbfe19a120074c0c890bc113949fcf6714fd5f8c6e3acf2042ec8ebed1b606849ae43078c8062afeb44750e377a867cd

Download Submit
C:\Windows\SysWOW64\Cpcpfg32.exe

Filesize
211KB

MD5
682fccf483f41d453db4926879ef4ae9

SHA1
c3046e338bf080d9284dca7becd177e3c99d15d0

SHA256
679fa36641e5e249ca6a8298534e2fd3e50cbc298b68eacdbdfe4c3f91d4440c

SHA512
5bbfcb316c63834dbe40e33e379fa0af47f18b080c0f51617a1f9d4d0ccbd0bc4b2c2aa69ffd58b604063985102ac44cb6915a17ffc4092a4c0c4ad0c61ad0b6

Download Submit
C:\Windows\SysWOW64\Dgpeha32.exe

Filesize
211KB

MD5
edbccf33dde0c678e97ba4fd10470557

SHA1
a31b7ffe6fb0a6dac09dd0e8a61ac9f3fad9a201

SHA256
c048c69c795c2a60f39e7d1b42a0716ce2dac6d88c397d94bdf2edd3fba3d419

SHA512
b97093b9a5bbcf413041a35992257150f438e39951d3798696b2aad05922c288a8c2bd4290aa59424049d915e286a87ca4fc04e575cfee0f3955745743b8b4eb

Download Submit
C:\Windows\SysWOW64\Diqnjl32.exe

Filesize
211KB

MD5
c8eaa4507829f63382005a8bad5c00de

SHA1
0068330590e7018f4971f19d6ead0aaa0ee64ec3

SHA256
5e9c877d802321ff2234b9a65dd482fc9aeb4b005b3ea194954d208725254ac8

SHA512
3dc9ea4b75d33a21d9dfc61ad7d9237b3ff10a4d518a126512524a9c483d47492607051e5c048d19edef571b3ac92e464eb4a516d8a2366c1a03f39f9d4c844e

Download Submit
C:\Windows\SysWOW64\Dmjmekgn.exe

Filesize
211KB

MD5
431bbfc2dfcb9ac2a8d4b4ebaa16395b

SHA1
4032db2ff5e726e755524be4f8ba220cd0e7c315

SHA256
f2dc3a14a8f6fce3175f8d0244abb7f673b30f505c77e364c2fd65b70ced36fc

SHA512
62d3db2747579ec8f964e42a616f3e9c9c2ff27700751f4c659eaf49c68d36578e696bdb3a25b8cd1e969acae7f421de424dcad544dbf048df27b761506003cf

Download Submit
C:\Windows\SysWOW64\Mgqaip32.dll

Filesize
7KB

MD5
a60619c5d6777dc425bbcc0ad19772d9

SHA1
e321eb3434dfd5d028670c4e5081b6918552b792

SHA256
0247896faa18948a65c47cfa9d6012f86f3c9e7252cb22c8b725345b4c26f40c

SHA512
9d34e39c662701632a9a5cd89ff174efe60f5c8aa8cbcf387fd555512f614535d2f0ff02596d8a29d2d4a0cf7491e0586c9a039e0c93ff738c79a393c7cfcbdb

Download Submit
memory/324-12-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/324-53-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1132-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1132-52-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1620-47-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1620-49-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2064-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2064-54-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4172-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4172-51-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4568-39-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4568-50-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4836-20-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads