d2aa6223364324e69784314ba7d961faf2018cdda11e385f0481933b3d59ec18

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/09/2024, 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2aa6223364324e69784314ba7d961faf2018cdda11e385f0481933b3d59ec18N.exe
Size

128KB
MD5

78090ef4bfc6cf47c2abb36639bf2690
SHA1

4d4d3278bda005cb28407c65d7bda682f0ff95b5
SHA256

d2aa6223364324e69784314ba7d961faf2018cdda11e385f0481933b3d59ec18
SHA512

fab6adbc1d4bdfb89847a8c48ec59d7d6d7784762afb35c16dd4c1ec7165919b2cb6be101ff7fc97c75047a871133fdb3d8b56f0fd431c49a846486f86ccaad6
SSDEEP

3072:8UjEH1kbFKYmRSy/OG1r95JDoeAk7DxSvITW/cbFGS9n:8UuxY/y/v1rjJPAohCw9n

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbgjqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bhfcpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cinfhigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cbgjqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	d2aa6223364324e69784314ba7d961faf2018cdda11e385f0481933b3d59ec18N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdanpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beejng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinfhigl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boplllob.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baadng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cbdnko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Baadng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bobhal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdanpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d2aa6223364324e69784314ba7d961faf2018cdda11e385f0481933b3d59ec18N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Beejng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdnko32.exe

Executes dropped EXE 13 IoCs

pid	Process
2740	Beejng32.exe
2612	Bbikgk32.exe
2696	Bhfcpb32.exe
2660	Boplllob.exe
536	Bdmddc32.exe
1588	Bobhal32.exe
2680	Baadng32.exe
2344	Cmgechbh.exe
1596	Cdanpb32.exe
1824	Cbdnko32.exe
2944	Cinfhigl.exe
2568	Cbgjqo32.exe
2436	Ceegmj32.exe

Loads dropped DLL 30 IoCs

pid	Process
2852	d2aa6223364324e69784314ba7d961faf2018cdda11e385f0481933b3d59ec18N.exe
2852	d2aa6223364324e69784314ba7d961faf2018cdda11e385f0481933b3d59ec18N.exe
2740	Beejng32.exe
2740	Beejng32.exe
2612	Bbikgk32.exe
2612	Bbikgk32.exe
2696	Bhfcpb32.exe
2696	Bhfcpb32.exe
2660	Boplllob.exe
2660	Boplllob.exe
536	Bdmddc32.exe
536	Bdmddc32.exe
1588	Bobhal32.exe
1588	Bobhal32.exe
2680	Baadng32.exe
2680	Baadng32.exe
2344	Cmgechbh.exe
2344	Cmgechbh.exe
1596	Cdanpb32.exe
1596	Cdanpb32.exe
1824	Cbdnko32.exe
1824	Cbdnko32.exe
2944	Cinfhigl.exe
2944	Cinfhigl.exe
2568	Cbgjqo32.exe
2568	Cbgjqo32.exe
2452	WerFault.exe
2452	WerFault.exe
2452	WerFault.exe
2452	WerFault.exe

Drops file in System32 directory 39 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cmgechbh.exe	Baadng32.exe
File created	C:\Windows\SysWOW64\Llaemaih.dll	Cinfhigl.exe
File created	C:\Windows\SysWOW64\Bdmddc32.exe	Boplllob.exe
File opened for modification	C:\Windows\SysWOW64\Bbikgk32.exe	Beejng32.exe
File created	C:\Windows\SysWOW64\Abacpl32.dll	Beejng32.exe
File opened for modification	C:\Windows\SysWOW64\Cdanpb32.exe	Cmgechbh.exe
File opened for modification	C:\Windows\SysWOW64\Cbdnko32.exe	Cdanpb32.exe
File created	C:\Windows\SysWOW64\Eoqbnm32.dll	d2aa6223364324e69784314ba7d961faf2018cdda11e385f0481933b3d59ec18N.exe
File opened for modification	C:\Windows\SysWOW64\Bdmddc32.exe	Boplllob.exe
File created	C:\Windows\SysWOW64\Gnnffg32.dll	Baadng32.exe
File created	C:\Windows\SysWOW64\Cdanpb32.exe	Cmgechbh.exe
File created	C:\Windows\SysWOW64\Gfpifm32.dll	Cdanpb32.exe
File created	C:\Windows\SysWOW64\Cbgjqo32.exe	Cinfhigl.exe
File opened for modification	C:\Windows\SysWOW64\Cbgjqo32.exe	Cinfhigl.exe
File opened for modification	C:\Windows\SysWOW64\Ceegmj32.exe	Cbgjqo32.exe
File created	C:\Windows\SysWOW64\Beejng32.exe	d2aa6223364324e69784314ba7d961faf2018cdda11e385f0481933b3d59ec18N.exe
File opened for modification	C:\Windows\SysWOW64\Cinfhigl.exe	Cbdnko32.exe
File created	C:\Windows\SysWOW64\Aincgi32.dll	Cmgechbh.exe
File created	C:\Windows\SysWOW64\Mblnbcjf.dll	Cbdnko32.exe
File created	C:\Windows\SysWOW64\Aoogfhfp.dll	Cbgjqo32.exe
File opened for modification	C:\Windows\SysWOW64\Boplllob.exe	Bhfcpb32.exe
File created	C:\Windows\SysWOW64\Bbikgk32.exe	Beejng32.exe
File created	C:\Windows\SysWOW64\Bhfcpb32.exe	Bbikgk32.exe
File created	C:\Windows\SysWOW64\Liggabfp.dll	Bhfcpb32.exe
File created	C:\Windows\SysWOW64\Cjnolikh.dll	Boplllob.exe
File created	C:\Windows\SysWOW64\Bobhal32.exe	Bdmddc32.exe
File created	C:\Windows\SysWOW64\Baadng32.exe	Bobhal32.exe
File opened for modification	C:\Windows\SysWOW64\Beejng32.exe	d2aa6223364324e69784314ba7d961faf2018cdda11e385f0481933b3d59ec18N.exe
File created	C:\Windows\SysWOW64\Boplllob.exe	Bhfcpb32.exe
File opened for modification	C:\Windows\SysWOW64\Bobhal32.exe	Bdmddc32.exe
File created	C:\Windows\SysWOW64\Imklkg32.dll	Bdmddc32.exe
File created	C:\Windows\SysWOW64\Ljacemio.dll	Bobhal32.exe
File opened for modification	C:\Windows\SysWOW64\Cmgechbh.exe	Baadng32.exe
File created	C:\Windows\SysWOW64\Cbdnko32.exe	Cdanpb32.exe
File opened for modification	C:\Windows\SysWOW64\Bhfcpb32.exe	Bbikgk32.exe
File opened for modification	C:\Windows\SysWOW64\Baadng32.exe	Bobhal32.exe
File created	C:\Windows\SysWOW64\Cinfhigl.exe	Cbdnko32.exe
File created	C:\Windows\SysWOW64\Ceegmj32.exe	Cbgjqo32.exe
File created	C:\Windows\SysWOW64\Mlcpdacl.dll	Bbikgk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2452	2436	WerFault.exe	42

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgechbh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2aa6223364324e69784314ba7d961faf2018cdda11e385f0481933b3d59ec18N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbikgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdmddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinfhigl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbgjqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beejng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boplllob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdanpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bobhal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baadng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhfcpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdnko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceegmj32.exe

Modifies registry class 42 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	d2aa6223364324e69784314ba7d961faf2018cdda11e385f0481933b3d59ec18N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abacpl32.dll"	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aincgi32.dll"	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoqbnm32.dll"	d2aa6223364324e69784314ba7d961faf2018cdda11e385f0481933b3d59ec18N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imklkg32.dll"	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfpifm32.dll"	Cdanpb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cbgjqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	d2aa6223364324e69784314ba7d961faf2018cdda11e385f0481933b3d59ec18N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcpdacl.dll"	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Boplllob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljacemio.dll"	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cbdnko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cinfhigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cbgjqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	d2aa6223364324e69784314ba7d961faf2018cdda11e385f0481933b3d59ec18N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjnolikh.dll"	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdanpb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdanpb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	d2aa6223364324e69784314ba7d961faf2018cdda11e385f0481933b3d59ec18N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	d2aa6223364324e69784314ba7d961faf2018cdda11e385f0481933b3d59ec18N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bbikgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnnffg32.dll"	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mblnbcjf.dll"	Cbdnko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liggabfp.dll"	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bhfcpb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bobhal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llaemaih.dll"	Cinfhigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cinfhigl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Boplllob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmgechbh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cbdnko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll"	Cbgjqo32.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 2740	2852	d2aa6223364324e69784314ba7d961faf2018cdda11e385f0481933b3d59ec18N.exe	30
PID 2852 wrote to memory of 2740	2852	d2aa6223364324e69784314ba7d961faf2018cdda11e385f0481933b3d59ec18N.exe	30
PID 2852 wrote to memory of 2740	2852	d2aa6223364324e69784314ba7d961faf2018cdda11e385f0481933b3d59ec18N.exe	30
PID 2852 wrote to memory of 2740	2852	d2aa6223364324e69784314ba7d961faf2018cdda11e385f0481933b3d59ec18N.exe	30
PID 2740 wrote to memory of 2612	2740	Beejng32.exe	31
PID 2740 wrote to memory of 2612	2740	Beejng32.exe	31
PID 2740 wrote to memory of 2612	2740	Beejng32.exe	31
PID 2740 wrote to memory of 2612	2740	Beejng32.exe	31
PID 2612 wrote to memory of 2696	2612	Bbikgk32.exe	32
PID 2612 wrote to memory of 2696	2612	Bbikgk32.exe	32
PID 2612 wrote to memory of 2696	2612	Bbikgk32.exe	32
PID 2612 wrote to memory of 2696	2612	Bbikgk32.exe	32
PID 2696 wrote to memory of 2660	2696	Bhfcpb32.exe	33
PID 2696 wrote to memory of 2660	2696	Bhfcpb32.exe	33
PID 2696 wrote to memory of 2660	2696	Bhfcpb32.exe	33
PID 2696 wrote to memory of 2660	2696	Bhfcpb32.exe	33
PID 2660 wrote to memory of 536	2660	Boplllob.exe	34
PID 2660 wrote to memory of 536	2660	Boplllob.exe	34
PID 2660 wrote to memory of 536	2660	Boplllob.exe	34
PID 2660 wrote to memory of 536	2660	Boplllob.exe	34
PID 536 wrote to memory of 1588	536	Bdmddc32.exe	35
PID 536 wrote to memory of 1588	536	Bdmddc32.exe	35
PID 536 wrote to memory of 1588	536	Bdmddc32.exe	35
PID 536 wrote to memory of 1588	536	Bdmddc32.exe	35
PID 1588 wrote to memory of 2680	1588	Bobhal32.exe	36
PID 1588 wrote to memory of 2680	1588	Bobhal32.exe	36
PID 1588 wrote to memory of 2680	1588	Bobhal32.exe	36
PID 1588 wrote to memory of 2680	1588	Bobhal32.exe	36
PID 2680 wrote to memory of 2344	2680	Baadng32.exe	37
PID 2680 wrote to memory of 2344	2680	Baadng32.exe	37
PID 2680 wrote to memory of 2344	2680	Baadng32.exe	37
PID 2680 wrote to memory of 2344	2680	Baadng32.exe	37
PID 2344 wrote to memory of 1596	2344	Cmgechbh.exe	38
PID 2344 wrote to memory of 1596	2344	Cmgechbh.exe	38
PID 2344 wrote to memory of 1596	2344	Cmgechbh.exe	38
PID 2344 wrote to memory of 1596	2344	Cmgechbh.exe	38
PID 1596 wrote to memory of 1824	1596	Cdanpb32.exe	39
PID 1596 wrote to memory of 1824	1596	Cdanpb32.exe	39
PID 1596 wrote to memory of 1824	1596	Cdanpb32.exe	39
PID 1596 wrote to memory of 1824	1596	Cdanpb32.exe	39
PID 1824 wrote to memory of 2944	1824	Cbdnko32.exe	40
PID 1824 wrote to memory of 2944	1824	Cbdnko32.exe	40
PID 1824 wrote to memory of 2944	1824	Cbdnko32.exe	40
PID 1824 wrote to memory of 2944	1824	Cbdnko32.exe	40
PID 2944 wrote to memory of 2568	2944	Cinfhigl.exe	41
PID 2944 wrote to memory of 2568	2944	Cinfhigl.exe	41
PID 2944 wrote to memory of 2568	2944	Cinfhigl.exe	41
PID 2944 wrote to memory of 2568	2944	Cinfhigl.exe	41
PID 2568 wrote to memory of 2436	2568	Cbgjqo32.exe	42
PID 2568 wrote to memory of 2436	2568	Cbgjqo32.exe	42
PID 2568 wrote to memory of 2436	2568	Cbgjqo32.exe	42
PID 2568 wrote to memory of 2436	2568	Cbgjqo32.exe	42
PID 2436 wrote to memory of 2452	2436	Ceegmj32.exe	43
PID 2436 wrote to memory of 2452	2436	Ceegmj32.exe	43
PID 2436 wrote to memory of 2452	2436	Ceegmj32.exe	43
PID 2436 wrote to memory of 2452	2436	Ceegmj32.exe	43

C:\Users\Admin\AppData\Local\Temp\d2aa6223364324e69784314ba7d961faf2018cdda11e385f0481933b3d59ec18N.exe
"C:\Users\Admin\AppData\Local\Temp\d2aa6223364324e69784314ba7d961faf2018cdda11e385f0481933b3d59ec18N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\SysWOW64\Beejng32.exe
  C:\Windows\system32\Beejng32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\SysWOW64\Bbikgk32.exe
    C:\Windows\system32\Bbikgk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\SysWOW64\Bhfcpb32.exe
      C:\Windows\system32\Bhfcpb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Windows\SysWOW64\Boplllob.exe
        
        C:\Windows\system32\Boplllob.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2660
      - C:\Windows\SysWOW64\Bdmddc32.exe
        
        C:\Windows\system32\Bdmddc32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Bobhal32.exe
        
        C:\Windows\system32\Bobhal32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Baadng32.exe
        
        C:\Windows\system32\Baadng32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\Cmgechbh.exe
        
        C:\Windows\system32\Cmgechbh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Cdanpb32.exe
        
        C:\Windows\system32\Cdanpb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\Cbdnko32.exe
        
        C:\Windows\system32\Cbdnko32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SysWOW64\Cinfhigl.exe
        
        C:\Windows\system32\Cinfhigl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\Cbgjqo32.exe
        
        C:\Windows\system32\Cbgjqo32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 140
        15⤵
        Loads dropped DLL
        Program crash
        
        PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Baadng32.exe

Filesize
128KB

MD5
afbbef9264d2fedb639bab47443f94b8

SHA1
215055ba21174237da0cddce6f98baa53426e489

SHA256
963d50e223d550e9aed73a42f6b28f6a809411a41d51d3bbec09c446aba586a2

SHA512
1f1232e4c54d060e35a7135c652d45d14668d5def1e62ceb2a9b43ac700e6915d86beb91811ee854315116292a1d36ab856397ff4509868bc3a6f369e8dba43f

Download Submit
C:\Windows\SysWOW64\Bdmddc32.exe

Filesize
128KB

MD5
fa9aef401c44057efbbc9a58a6560875

SHA1
cd17cc1f719e8e0655e7887262b1475ea1e8da20

SHA256
aa1917f8946125b6bbf5287b81b740856486fe9dcf867896c7c9ad09fd54a5a2

SHA512
985689f09c64cae54098ba9dabfe5e4cf229c93840b485a4026b906195c984f052bc58690e0ed5b31d6c045fc64addcf9fc061821d66ef38448480fe030665d1

Download Submit
C:\Windows\SysWOW64\Cdanpb32.exe

Filesize
128KB

MD5
90cb3df122b470cc2c849a80dafec1f6

SHA1
b973ceda218b7d21d521469978bf805aff7d581f

SHA256
376818821e373276b29f0d614936d94099a2bb9f06c471c42466b098cbd519b5

SHA512
0abfaff5a021fef04a31d95a998c447c3060939a4fe5db50cc73b7b50cc186b27f028237f2e1447d550a7249aec8b308c189ba4538d2c156e4bbf40dd12c7d4f

Download Submit
C:\Windows\SysWOW64\Ceegmj32.exe

Filesize
128KB

MD5
e64f6b0fd152c4cd56f866f41a66f534

SHA1
2f4aede896fdeebe014c8c96431dc5e2ac886d1f

SHA256
936df20b098ab8c28da4d0a92ff9c26bf6540a7979bd4dec93866b69402134b2

SHA512
ac32efc458a11ba399d54744acbee6345b26d92d816ea0dc074778a2f169e18899c9c0fcca7dd265319276b84846eb8944758df889aac6037b6278e2aa908a6f

Download Submit
C:\Windows\SysWOW64\Cjnolikh.dll

Filesize
7KB

MD5
f142706f8221f1751a1613e7819badda

SHA1
caad8cdcad64f51830f1353e51835d590eaf2c17

SHA256
c1c5bb561f39066ad4921af903100e92945da14733679218a8ab54f1f2b81960

SHA512
1697a9d752ca1db10f2b5b1f78ee8e801a759630e9ba14a9a329b775d37d448f637fe7e33a5e32d00ca4944851c88c24ce3ec4189d3f6dc350395e7a6e1ab30c

Download Submit
\Windows\SysWOW64\Bbikgk32.exe

Filesize
128KB

MD5
5ffd5d1cee0a091d51ae627ab209fbd7

SHA1
95585dfb81c13fdc2896cfa859c5547ec5b852b4

SHA256
c921653509cc650605172047e0923b59320dd117c31adc4753ece2ffae97ba3c

SHA512
fc178ba14842307effa12537fd2b1bf78d13942d8170de1e0f12bf5084f6f962e12bd35d7759cfc1ee51dfd0c5fa60bf36494e96d04d4fd008021d87d15649e4

Download Submit
\Windows\SysWOW64\Beejng32.exe

Filesize
128KB

MD5
bce121a93ec1d92bed458cb80c98ffc4

SHA1
436b2af1843f269e0cf85816b619064c96f40080

SHA256
0b9df45e00b0f1c5b292ff3995d0683cb3cee83ff4ba2ef4ec43c0f024285f6e

SHA512
dbf268a50d319598c781fabdd917188eb9f5bae61b6ba021969b5da84440aec3fc536b6e0875118279bb627b862fed017033a05f7af37076510149c606d7be25

Download Submit
\Windows\SysWOW64\Bhfcpb32.exe

Filesize
128KB

MD5
f5a8d4a47882e822dc2c8f7c92c3f3da

SHA1
514d5f34e35649f3b3218c90eef4e5817ddc634b

SHA256
63309dc58126c54141cc7fac405c237611f77fb7394b91211dce60277fbfddf2

SHA512
c936e8da8422de306e2280f37af92ca66b86f147a953e9a66f09ed278f85b8fdf9283150b897556e7a67bd586ccdb594fb7016320d91780d71aeb507a0e71229

Download Submit
\Windows\SysWOW64\Bobhal32.exe

Filesize
128KB

MD5
0deacde78412741888e1515f74badd44

SHA1
3bf77e395dd8baef6794141ffcff1c1dd1dadc16

SHA256
aab06251c0698d03a49e8ea086087dbed6cfd57d6556c85eba8c8727c25d2a71

SHA512
7630559b47a7bb4c187a08a6fe10e5a2ab88f715672bc680e8be354fa2574c9525d5326ac8c809f076724e085627f528e3f5dd9f646debaacef6deee6690d3f0

Download Submit
\Windows\SysWOW64\Boplllob.exe

Filesize
128KB

MD5
6197172ff2b3f1737e0617da491ccbc5

SHA1
febc521636a8c99772973e654b9061a8324e7175

SHA256
999b3af94e6709c5714bb5a9e28b3e796da426eef1c8054060e413f84bea68d4

SHA512
27d1afbfd531d89210f5ee1b09826077eec07b309e3f6f0d764325ce4e90a55470f12ce7918f6d309f53ac0945683b2b3e28bf01af97d4e09f52bb3ccc723e5a

Download Submit
\Windows\SysWOW64\Cbdnko32.exe

Filesize
128KB

MD5
7d6052c2fe1cc6d20a2102d82a94d6cd

SHA1
7695d975345dc4e0fa1e60c0d6b8b05dc0e4b08b

SHA256
94b34e0e679a2497789656963e9f9e46650bf2b71136a599c02a8e862013335f

SHA512
8908590dc595e7a8c6ef9470444a2c4b165f41371b0d0e774fbd4aa6455fd5f6f25e8c4ce8ae8ad6d39997c286f2be28a695fb8f1692a8f22867e3ef99da4e6f

Download Submit
\Windows\SysWOW64\Cbgjqo32.exe

Filesize
128KB

MD5
edac5341b24a1eb85c962c7b82b60203

SHA1
b51c1597e2d17ac8930309dafed7689263b748ac

SHA256
fa93973d9b4a0b0b6e7e9758c8bb24413667ab2caa310088ae09c9803441d968

SHA512
a40ad438f6ca6a5211f8b9353baf1d9d4b7b54b81009c1083a5a734920cf85785b91ee7567c3645033ab5750525c5269b9f6398645f435a5e9baca493a483f55

Download Submit
\Windows\SysWOW64\Cinfhigl.exe

Filesize
128KB

MD5
bbd32cdb985fc8a95588f5da868af35c

SHA1
6c6c908f42b67239d58b1164d7cdf0c07018d85f

SHA256
5d5ab76d916f0f81886fb5656e2349621bd9952bf57cfc1e2ea80d4aba345bff

SHA512
fd3e6453063ad3b8af83be87515b0e5664464f75801b578ac860820ca6334b82c7b4fdf2db728640ed8ebd191d8988df31c260dd938ba53b74cf548600ad31bb

Download Submit
\Windows\SysWOW64\Cmgechbh.exe

Filesize
128KB

MD5
993b3e4449ede29ef2f202a85ca84fcc

SHA1
7c059237d94bcd6aefb8960a6c32f44263305ea7

SHA256
72b383585077d4e967669029d52a7668bc08d348dc83a6792d0cfa6a368ceb2a

SHA512
71db032ecba18395f7a41675d8b4553631986a78a1047caa2dec4334ea825a0cbf746266d6e9028380e5c4331bebdc0d85162e9c7b46714e0cf559d4694907cb

Download Submit
memory/536-183-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/536-67-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/536-75-0x0000000000320000-0x000000000035C000-memory.dmp

Filesize
240KB

Download
memory/536-92-0x0000000000320000-0x000000000035C000-memory.dmp

Filesize
240KB

Download
memory/1588-93-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1596-186-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1596-121-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1596-130-0x0000000000440000-0x000000000047C000-memory.dmp

Filesize
240KB

Download
memory/1824-187-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1824-142-0x0000000000340000-0x000000000037C000-memory.dmp

Filesize
240KB

Download
memory/2344-185-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2436-189-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2436-174-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2568-172-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2612-27-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2612-181-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2660-59-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2680-184-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2680-102-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2680-95-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2696-40-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2696-182-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2696-48-0x0000000000440000-0x000000000047C000-memory.dmp

Filesize
240KB

Download
memory/2740-180-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2740-14-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2852-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2852-179-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2852-13-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2852-12-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2944-148-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2944-188-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads