Analysis

  • max time kernel: 119s
  • max time network: 120s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 05-10-2024 01:15

General

  • Target: b2df81a66a1e5575fca7af1e9cd242b22e33bb1943fb3852efe0db51f1a522afN.exe
  • Size: 89KB
  • MD5: dcfb14e4f1b8e2afc404021c7efd7380
  • SHA1: 49daf6476815d8aa0a92b54fbdd9c1986089edfb
  • SHA256: b2df81a66a1e5575fca7af1e9cd242b22e33bb1943fb3852efe0db51f1a522af
  • SHA512: 5ac7e20cda937b315a97bd3f8d5ba52c82549b50c3b63f64aea5538e049ccea7de4319945ea8e5702368c2fd0d78f6527730e1f15e43871e287c9c6fc0965f89
  • SSDEEP: 1536:5nZr6C0pPeJQNjL3J7DJKYJTPOGDY4GDrbbbbbbVEI0Pc4lExkg8F:5nZr162J83zVY4GDbKc4lakgw

Score
10/10

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs
  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 24 IoCs
  • Drops file in System32 directory 30 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 33 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b2df81a66a1e5575fca7af1e9cd242b22e33bb1943fb3852efe0db51f1a522afN.exe
    "C:\Users\Admin\AppData\Local\Temp\b2df81a66a1e5575fca7af1e9cd242b22e33bb1943fb3852efe0db51f1a522afN.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2844
    • C:\Windows\SysWOW64\Boplllob.exe
      C:\Windows\system32\Boplllob.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Windows\SysWOW64\Bmclhi32.exe
        C:\Windows\system32\Bmclhi32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2916
        • C:\Windows\SysWOW64\Bobhal32.exe
          C:\Windows\system32\Bobhal32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2696
          • C:\Windows\SysWOW64\Cpceidcn.exe
            C:\Windows\system32\Cpceidcn.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2660
            • C:\Windows\SysWOW64\Cfnmfn32.exe
              C:\Windows\system32\Cfnmfn32.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:536
              • C:\Windows\SysWOW64\Cdanpb32.exe
                C:\Windows\system32\Cdanpb32.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:1588
                • C:\Windows\SysWOW64\Cgpjlnhh.exe
                  C:\Windows\system32\Cgpjlnhh.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:2204
                  • C:\Windows\SysWOW64\Cphndc32.exe
                    C:\Windows\system32\Cphndc32.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:2512
                    • C:\Windows\SysWOW64\Cgbfamff.exe
                      C:\Windows\system32\Cgbfamff.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:1596
                      • C:\Windows\SysWOW64\Ceegmj32.exe
                        C:\Windows\system32\Ceegmj32.exe
                        11⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of WriteProcessMemory
                        PID:1824
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 140
                          12⤵
                          • Loads dropped DLL
                          • Program crash
                          PID:2792

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\Boplllob.exe
    Filesize: 89KB
    MD5: 04687c70ba2112df73827303e6b6ae45
    SHA1: c7606eca48d64ab8b2f1967cf9b2e24a319b62b0
    SHA256: fe24edd2aeac3b63ccae0d81d3f5c591714415a0daf6f365172c76713f5e5a07
    SHA512: 2b1653867a9f86421f5de00566e81490416ccf0df0ca3e918a2adef8182e87528cd7afd21cfa4b00b2063dd5c5451b77141125de0140a74311bde363ba9f9d9a

  • C:\Windows\SysWOW64\Cfnmfn32.exe
    Filesize: 89KB
    MD5: a7da3aad6bb4bf99632ac61e1dbf6513
    SHA1: 359039bb211e7d93e5716275ea07b8e92b23d608
    SHA256: 5684da8b2dd22cbeb5f905e69aeb896bc7ff42f368dd98b2184d0fd47c116b0b
    SHA512: decf2e3a4a1e897a047fe9ced20381efd911a75fdc22f1bed4fa274d39bf7671a7480321fa06526a68e9f53f5bd48945ea651d9a89e585ab086c2ea9fc8f2780

  • C:\Windows\SysWOW64\Mabanhgg.dll
    Filesize: 7KB
    MD5: 4556658aa16af96df9adba3f30bae7fb
    SHA1: 65e3ef24db7f1d9eab9823660b2bd99f6370bc98
    SHA256: fc4393f42affbb274595e556833b16db2d16d93c4898f2d9db38307f17bf0ad2
    SHA512: 842d59170393b8a17e5cfbd16fc09dbe27168bbf3a6e86cfc2ee0a17d463ecef82dc5270caba52b80ddb88ed78b4fbde55e35f40248a1143ee60880f9820a76f

  • \Windows\SysWOW64\Bmclhi32.exe
    Filesize: 89KB
    MD5: 3b60d6a598f371d10a8bce4189302bfa
    SHA1: e99cea3526663afe578157ab051b8dfa99fd16a1
    SHA256: 2f0fd5acfdcc8aaefabab4a5cbb2514949bf79d65c575eb2dd94a227dcb4e226
    SHA512: b7e3d79e34d966e778d8c414a774ffa3dfc1957efe2773a171ee487e23f775017aff1d5a06066e37c6e49cca75b67bcf887700a0dcc46b74582d9bbab2f79ed2

  • \Windows\SysWOW64\Bobhal32.exe
    Filesize: 89KB
    MD5: 1fcc28c91ca76ec36535ce3d993fec51
    SHA1: 7572d67dcd1327f78fd9aafc00b31d56ceb9c92a
    SHA256: 3f507b48a769583f604ad90d616264b8935f4bf974dbde557ec53461775a7a6b
    SHA512: ee89b279a60191d850f7932f09c4595d7ebd8054e14833a30b701624dd9b0856093076dd139f6ea7ee95371cf994411ae08e7250ee0a1d35b6f334e75ac5c71a

  • \Windows\SysWOW64\Cdanpb32.exe
    Filesize: 89KB
    MD5: 4ecf3e2ba79beb68e04669c2c6a98d11
    SHA1: b67aa0777e04af5972847f05baa46787db256957
    SHA256: 4fa691710558c6217f25661fd094b6cbf7c4906bc5b06a0bdef54d1454bec76f
    SHA512: ffea3b7b305b09d93528b57639cc783643a0b649b1848f6285857ea4998ea15ad6126acf4d7b17083fa33d4718f078d84e41764a60b32a3a8889f77a863158c7

  • \Windows\SysWOW64\Ceegmj32.exe
    Filesize: 89KB
    MD5: ce676005fdd31127836b4ccbcbe09ab5
    SHA1: 14270eb9527ffee6aee665047b29ac9e93ebe9a4
    SHA256: c8bd0ce18276b16b0245af7fc596e8d14b9c3b5e568ee89a7cef7439759e5ce9
    SHA512: 4277f7c5432728f8019740a64a69e3487792e7477a0308f3228209fb72c6ef1eecdf8fe60b4e3b085ce129af351f4778a707b247777df87c890d90b567a1c5dd

  • \Windows\SysWOW64\Cgbfamff.exe
    Filesize: 89KB
    MD5: 34d40306fddf19154e292695d3d6548c
    SHA1: 41e6919f5336678d722eade54c2e993191da67ac
    SHA256: 95ab213921a76776678e767440b772f3a92bd4726541884cbf804e7a3327a6e8
    SHA512: e8c365c0afafc6a9e7bb5dcef61fcb2b28440fa405062ab502d978f5612b75772a4b825710e02623e3d1c243bbb77d98389fb25b5e2d95d2b51433d5205ff05c

  • \Windows\SysWOW64\Cgpjlnhh.exe
    Filesize: 89KB
    MD5: a0dde63e09b1506811b380688b07dd82
    SHA1: 8480504aff9e1b91a1184dcaa5fe0a005522298c
    SHA256: 6f56ad8776aa9847506c8d3d6ea02274ce31bccebfa3d9c06b55da02eac5ed51
    SHA512: c7089d69e31538138a152b69dd12a065e9d282a1e9e41a0744a35aa34de94bac6741b6b6b1729b23f0abed3c66d9876b1dd6805fce94fcb4494fb6036f4646b1

  • \Windows\SysWOW64\Cpceidcn.exe
    Filesize: 89KB
    MD5: 79d8bedbc6345e139a72179d82684262
    SHA1: 3ed45e87a7576c03ff3c2a5601d8a9a8bc99c9e2
    SHA256: 56f660d338a2e9e877ffce0f6413247a6fc3a082c35539a4d0159bd5551250fc
    SHA512: e6f5aef849752e18a460e21f89f97d0acc20d566d0f3e0b9912df8de3f4aeb007801aec2d6a025e5a2a43089c72ac52397edbb646b798d691b0fcfe6ae40c792

  • \Windows\SysWOW64\Cphndc32.exe
    Filesize: 89KB
    MD5: 0c7e8f25645835ccb4027ead73ae435a
    SHA1: 51e98e5bb3af23472d9da74891bee50fe811d554
    SHA256: d1e6012b79dde3ca09e35711b33862c49642cf3b02ae4092dc45d010a54d80f8
    SHA512: 0175ad669140721556b6fe36e3726b39dca2515a7c3fdf158bb080dc27f4d61031b521a45eb8b1a4ebbb11480a2eb8aedd497a210e58a0be7c03657386a168c8

  • memory/536-144-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
  • memory/536-68-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
  • memory/536-80-0x0000000000250000-0x0000000000290000-memory.dmp (Filesize: 256KB)
  • memory/1588-143-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
  • memory/1588-87-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
  • memory/1596-122-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
  • memory/1596-140-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
  • memory/1824-135-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
  • memory/1824-147-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
  • memory/2204-141-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
  • memory/2204-95-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
  • memory/2204-103-0x0000000000250000-0x0000000000290000-memory.dmp (Filesize: 256KB)
  • memory/2512-112-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
  • memory/2512-142-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
  • memory/2660-60-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
  • memory/2696-41-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
  • memory/2696-145-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
  • memory/2696-49-0x00000000002D0000-0x0000000000310000-memory.dmp (Filesize: 256KB)
  • memory/2736-146-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
  • memory/2736-21-0x0000000000290000-0x00000000002D0000-memory.dmp (Filesize: 256KB)
  • memory/2736-14-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
  • memory/2844-0-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
  • memory/2844-148-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
  • memory/2844-13-0x0000000000270000-0x00000000002B0000-memory.dmp (Filesize: 256KB)
  • memory/2844-12-0x0000000000270000-0x00000000002B0000-memory.dmp (Filesize: 256KB)
  • memory/2916-33-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
