ace870046e0fe00cce00ea6b0b3f4b66da9071319a78d73ebe8e5d7bc2198503

Analysis

max time kernel
33s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
12-10-2024 03:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ace870046e0fe00cce00ea6b0b3f4b66da9071319a78d73ebe8e5d7bc2198503N.exe
Size

78KB
MD5

78c1a11f39329ef2b709642115a52f60
SHA1

1fe10a5614c779bfb9eaf8c2039a6a915344346a
SHA256

ace870046e0fe00cce00ea6b0b3f4b66da9071319a78d73ebe8e5d7bc2198503
SHA512

a025205011f20686fe542a7e1844bb25cbabda023c60bd688c61182f0736b7e36eff4d3d9f321746f95aecbdc8887799e3aca91304b09bedb9355e6074993c77
SSDEEP

1536:8nkTdADQPnbTZ/CuGMKsREYeIJWlS4awJiVJN+zL20gJi1ie:EkTaSDREYeIKBJiVJgzL20WKt

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abinjdad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmelpa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfpmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenmfbml.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qghgigkn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abbhje32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beggec32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenmfbml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgfkchmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmgifa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qghgigkn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmgifa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beggec32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ace870046e0fe00cce00ea6b0b3f4b66da9071319a78d73ebe8e5d7bc2198503N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgfkchmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abinjdad.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmelpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfpmog32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciglaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciglaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ace870046e0fe00cce00ea6b0b3f4b66da9071319a78d73ebe8e5d7bc2198503N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abbhje32.exe

Executes dropped EXE 11 IoCs

pid	Process
2780	Qgfkchmp.exe
3052	Qghgigkn.exe
2980	Abbhje32.exe
2672	Abinjdad.exe
2960	Bmelpa32.exe
3024	Bmgifa32.exe
2628	Bfpmog32.exe
1560	Beggec32.exe
3004	Ciglaa32.exe
1756	Cenmfbml.exe
780	Coindgbi.exe

Loads dropped DLL 22 IoCs

pid	Process
1612	ace870046e0fe00cce00ea6b0b3f4b66da9071319a78d73ebe8e5d7bc2198503N.exe
1612	ace870046e0fe00cce00ea6b0b3f4b66da9071319a78d73ebe8e5d7bc2198503N.exe
2780	Qgfkchmp.exe
2780	Qgfkchmp.exe
3052	Qghgigkn.exe
3052	Qghgigkn.exe
2980	Abbhje32.exe
2980	Abbhje32.exe
2672	Abinjdad.exe
2672	Abinjdad.exe
2960	Bmelpa32.exe
2960	Bmelpa32.exe
3024	Bmgifa32.exe
3024	Bmgifa32.exe
2628	Bfpmog32.exe
2628	Bfpmog32.exe
1560	Beggec32.exe
1560	Beggec32.exe
3004	Ciglaa32.exe
3004	Ciglaa32.exe
1756	Cenmfbml.exe
1756	Cenmfbml.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mokegi32.dll	Beggec32.exe
File created	C:\Windows\SysWOW64\Abinjdad.exe	Abbhje32.exe
File opened for modification	C:\Windows\SysWOW64\Bmelpa32.exe	Abinjdad.exe
File created	C:\Windows\SysWOW64\Cmpbigma.dll	Bmelpa32.exe
File created	C:\Windows\SysWOW64\Flhbop32.dll	Bmgifa32.exe
File opened for modification	C:\Windows\SysWOW64\Qgfkchmp.exe	ace870046e0fe00cce00ea6b0b3f4b66da9071319a78d73ebe8e5d7bc2198503N.exe
File created	C:\Windows\SysWOW64\Gaocdi32.dll	Qghgigkn.exe
File opened for modification	C:\Windows\SysWOW64\Qghgigkn.exe	Qgfkchmp.exe
File created	C:\Windows\SysWOW64\Abbhje32.exe	Qghgigkn.exe
File opened for modification	C:\Windows\SysWOW64\Abbhje32.exe	Qghgigkn.exe
File created	C:\Windows\SysWOW64\Bmgifa32.exe	Bmelpa32.exe
File opened for modification	C:\Windows\SysWOW64\Beggec32.exe	Bfpmog32.exe
File opened for modification	C:\Windows\SysWOW64\Cenmfbml.exe	Ciglaa32.exe
File opened for modification	C:\Windows\SysWOW64\Coindgbi.exe	Cenmfbml.exe
File created	C:\Windows\SysWOW64\Qgfkchmp.exe	ace870046e0fe00cce00ea6b0b3f4b66da9071319a78d73ebe8e5d7bc2198503N.exe
File created	C:\Windows\SysWOW64\Lnoipg32.dll	Qgfkchmp.exe
File created	C:\Windows\SysWOW64\Dcigjjli.dll	Abbhje32.exe
File created	C:\Windows\SysWOW64\Bmelpa32.exe	Abinjdad.exe
File created	C:\Windows\SysWOW64\Cenmfbml.exe	Ciglaa32.exe
File created	C:\Windows\SysWOW64\Coindgbi.exe	Cenmfbml.exe
File created	C:\Windows\SysWOW64\Qghgigkn.exe	Qgfkchmp.exe
File created	C:\Windows\SysWOW64\Bhhjdb32.dll	Abinjdad.exe
File created	C:\Windows\SysWOW64\Beggec32.exe	Bfpmog32.exe
File created	C:\Windows\SysWOW64\Ohodgb32.dll	Cenmfbml.exe
File created	C:\Windows\SysWOW64\Aiffeloi.dll	ace870046e0fe00cce00ea6b0b3f4b66da9071319a78d73ebe8e5d7bc2198503N.exe
File created	C:\Windows\SysWOW64\Bfpmog32.exe	Bmgifa32.exe
File created	C:\Windows\SysWOW64\Kbmamh32.dll	Bfpmog32.exe
File opened for modification	C:\Windows\SysWOW64\Ciglaa32.exe	Beggec32.exe
File created	C:\Windows\SysWOW64\Hlilhb32.dll	Ciglaa32.exe
File opened for modification	C:\Windows\SysWOW64\Abinjdad.exe	Abbhje32.exe
File opened for modification	C:\Windows\SysWOW64\Bmgifa32.exe	Bmelpa32.exe
File opened for modification	C:\Windows\SysWOW64\Bfpmog32.exe	Bmgifa32.exe
File created	C:\Windows\SysWOW64\Ciglaa32.exe	Beggec32.exe

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmelpa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmgifa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfpmog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beggec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciglaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenmfbml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qghgigkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abinjdad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abbhje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coindgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ace870046e0fe00cce00ea6b0b3f4b66da9071319a78d73ebe8e5d7bc2198503N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgfkchmp.exe

Modifies registry class 36 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnoipg32.dll"	Qgfkchmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abbhje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmpbigma.dll"	Bmelpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmgifa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ciglaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	ace870046e0fe00cce00ea6b0b3f4b66da9071319a78d73ebe8e5d7bc2198503N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beggec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiffeloi.dll"	ace870046e0fe00cce00ea6b0b3f4b66da9071319a78d73ebe8e5d7bc2198503N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	ace870046e0fe00cce00ea6b0b3f4b66da9071319a78d73ebe8e5d7bc2198503N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qghgigkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhhjdb32.dll"	Abinjdad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmelpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmamh32.dll"	Bfpmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beggec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mokegi32.dll"	Beggec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	ace870046e0fe00cce00ea6b0b3f4b66da9071319a78d73ebe8e5d7bc2198503N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaocdi32.dll"	Qghgigkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qghgigkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmelpa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmgifa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flhbop32.dll"	Bmgifa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfpmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenmfbml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenmfbml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abbhje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcigjjli.dll"	Abbhje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abinjdad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohodgb32.dll"	Cenmfbml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	ace870046e0fe00cce00ea6b0b3f4b66da9071319a78d73ebe8e5d7bc2198503N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abinjdad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfpmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgfkchmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgfkchmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ciglaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	ace870046e0fe00cce00ea6b0b3f4b66da9071319a78d73ebe8e5d7bc2198503N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlilhb32.dll"	Ciglaa32.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 2780	1612	ace870046e0fe00cce00ea6b0b3f4b66da9071319a78d73ebe8e5d7bc2198503N.exe	30
PID 1612 wrote to memory of 2780	1612	ace870046e0fe00cce00ea6b0b3f4b66da9071319a78d73ebe8e5d7bc2198503N.exe	30
PID 1612 wrote to memory of 2780	1612	ace870046e0fe00cce00ea6b0b3f4b66da9071319a78d73ebe8e5d7bc2198503N.exe	30
PID 1612 wrote to memory of 2780	1612	ace870046e0fe00cce00ea6b0b3f4b66da9071319a78d73ebe8e5d7bc2198503N.exe	30
PID 2780 wrote to memory of 3052	2780	Qgfkchmp.exe	31
PID 2780 wrote to memory of 3052	2780	Qgfkchmp.exe	31
PID 2780 wrote to memory of 3052	2780	Qgfkchmp.exe	31
PID 2780 wrote to memory of 3052	2780	Qgfkchmp.exe	31
PID 3052 wrote to memory of 2980	3052	Qghgigkn.exe	32
PID 3052 wrote to memory of 2980	3052	Qghgigkn.exe	32
PID 3052 wrote to memory of 2980	3052	Qghgigkn.exe	32
PID 3052 wrote to memory of 2980	3052	Qghgigkn.exe	32
PID 2980 wrote to memory of 2672	2980	Abbhje32.exe	33
PID 2980 wrote to memory of 2672	2980	Abbhje32.exe	33
PID 2980 wrote to memory of 2672	2980	Abbhje32.exe	33
PID 2980 wrote to memory of 2672	2980	Abbhje32.exe	33
PID 2672 wrote to memory of 2960	2672	Abinjdad.exe	34
PID 2672 wrote to memory of 2960	2672	Abinjdad.exe	34
PID 2672 wrote to memory of 2960	2672	Abinjdad.exe	34
PID 2672 wrote to memory of 2960	2672	Abinjdad.exe	34
PID 2960 wrote to memory of 3024	2960	Bmelpa32.exe	35
PID 2960 wrote to memory of 3024	2960	Bmelpa32.exe	35
PID 2960 wrote to memory of 3024	2960	Bmelpa32.exe	35
PID 2960 wrote to memory of 3024	2960	Bmelpa32.exe	35
PID 3024 wrote to memory of 2628	3024	Bmgifa32.exe	36
PID 3024 wrote to memory of 2628	3024	Bmgifa32.exe	36
PID 3024 wrote to memory of 2628	3024	Bmgifa32.exe	36
PID 3024 wrote to memory of 2628	3024	Bmgifa32.exe	36
PID 2628 wrote to memory of 1560	2628	Bfpmog32.exe	37
PID 2628 wrote to memory of 1560	2628	Bfpmog32.exe	37
PID 2628 wrote to memory of 1560	2628	Bfpmog32.exe	37
PID 2628 wrote to memory of 1560	2628	Bfpmog32.exe	37
PID 1560 wrote to memory of 3004	1560	Beggec32.exe	38
PID 1560 wrote to memory of 3004	1560	Beggec32.exe	38
PID 1560 wrote to memory of 3004	1560	Beggec32.exe	38
PID 1560 wrote to memory of 3004	1560	Beggec32.exe	38
PID 3004 wrote to memory of 1756	3004	Ciglaa32.exe	39
PID 3004 wrote to memory of 1756	3004	Ciglaa32.exe	39
PID 3004 wrote to memory of 1756	3004	Ciglaa32.exe	39
PID 3004 wrote to memory of 1756	3004	Ciglaa32.exe	39
PID 1756 wrote to memory of 780	1756	Cenmfbml.exe	40
PID 1756 wrote to memory of 780	1756	Cenmfbml.exe	40
PID 1756 wrote to memory of 780	1756	Cenmfbml.exe	40
PID 1756 wrote to memory of 780	1756	Cenmfbml.exe	40

C:\Users\Admin\AppData\Local\Temp\ace870046e0fe00cce00ea6b0b3f4b66da9071319a78d73ebe8e5d7bc2198503N.exe
"C:\Users\Admin\AppData\Local\Temp\ace870046e0fe00cce00ea6b0b3f4b66da9071319a78d73ebe8e5d7bc2198503N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Windows\SysWOW64\Qgfkchmp.exe
  C:\Windows\system32\Qgfkchmp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\SysWOW64\Qghgigkn.exe
    C:\Windows\system32\Qghgigkn.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3052
  - - C:\Windows\SysWOW64\Abbhje32.exe
      C:\Windows\system32\Abbhje32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2980
    - - C:\Windows\SysWOW64\Abinjdad.exe
        
        C:\Windows\system32\Abinjdad.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2672
      - C:\Windows\SysWOW64\Bmelpa32.exe
        
        C:\Windows\system32\Bmelpa32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Bmgifa32.exe
        
        C:\Windows\system32\Bmgifa32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SysWOW64\Bfpmog32.exe
        
        C:\Windows\system32\Bfpmog32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Beggec32.exe
        
        C:\Windows\system32\Beggec32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\SysWOW64\Ciglaa32.exe
        
        C:\Windows\system32\Ciglaa32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Cenmfbml.exe
        
        C:\Windows\system32\Cenmfbml.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\SysWOW64\Coindgbi.exe
        
        C:\Windows\system32\Coindgbi.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bfpmog32.exe

Filesize
78KB

MD5
7d22d177de595e2ae3593b0f21424a1b

SHA1
dfcffee6f963643b34241dce4f98f839f2b729d7

SHA256
17d9ea61db8d198d18af91c6a8d3cfec2f3c4e8bb24e19c60377627a57e2d5ca

SHA512
f190d4db345f5a379c19d817832d41e6395b9ff2b1ea5bdd6c38c474f4893e2bb61f1ae62051ade2d5521d7dfedccad0eeb1e613a6bd3fda68ca7704534428d0

Download Submit
C:\Windows\SysWOW64\Ciglaa32.exe

Filesize
78KB

MD5
bed70520de5da41e06eca13b3cb391ce

SHA1
b93d34b77f64ffeb063806a7cfa4fa187f13af4b

SHA256
502af3e8ee0108425826f7c67594600f60d7859824be7c060fda643cb3e0b190

SHA512
32236225bb8513a0c7fc0d9cd189e9e5e06e0619fd7ff013e4e17d3a4c069de520d733cc092752d179c78239feb19850a47f3f831ff2695d632d0eb4ed06e9d3

Download Submit
C:\Windows\SysWOW64\Coindgbi.exe

Filesize
78KB

MD5
d4bcbde6edc9ff098bb602f8c45c51b0

SHA1
b34b8c238b2fa3077d58b411ba91548b0405e033

SHA256
7b5a2fe5079a25d0685e51e99282d608e40da0122a5a7ef139e26e49a644c8e8

SHA512
02dbed8917b4fa61566203c56cd04f2a10dddd931b475100113f85b6c10661e47bab83c42906f9655549af41b6767d49a80f3f920f2acdbf76a4060655cda8ac

Download Submit
C:\Windows\SysWOW64\Qgfkchmp.exe

Filesize
78KB

MD5
4a7d298ab5d1ce7981c142a122225726

SHA1
d152ef03766d0c5f7d7104b55888317213706554

SHA256
513111b36d8f9031bc361446d57eb2957517e98d78cec6aa4adc9d6b652fb17f

SHA512
9859fde0cfdd46515c844fad4d2f27ebb050a8ba2b49916d877cc7ba0cec6347c265184b5bd7bed7db1f30f3cd3b5975332949dd117b5e7255a89d14b1ae2320

Download Submit
\Windows\SysWOW64\Abbhje32.exe

Filesize
78KB

MD5
cfc445cc60d9b2a33d5538692cf67adf

SHA1
9e12fd41f9389effa02a8cc0804c9176f8690b4f

SHA256
9e35eb43d06fada62605ad749ae4cf4d63fe8a7ca85bc9f26a08665840b77699

SHA512
655135f4be7735cd5dbb99e1e06089911d31b3b4aa916ecb496eb7b61c3c8b6e5f50821c1da606714aa32bfe6f33c9c796bba57bdb7af7eb006f995ea3ce30de

Download Submit
\Windows\SysWOW64\Abinjdad.exe

Filesize
78KB

MD5
474ff3be556b4563e6fa19511be967bb

SHA1
baa92fb6d707253d5bdae529718407b1ace34830

SHA256
46139ef8df2c577135205b586bdf3db007ca24d9ce2220944b9674e08069ba4d

SHA512
60d0d07ca448eb99c6775e119595d8ed4af46612bbf80f09e5a27d2f5254ecd0e4f886228c3cd1a1ae5666ce823631a629cab0434023af8a09463ae706997bd0

Download Submit
\Windows\SysWOW64\Beggec32.exe

Filesize
78KB

MD5
ff3a7afce6651e18f4b049a931c85ea6

SHA1
05121c3b20bd86421dff20907fc06ab27a323811

SHA256
c72e4d2e26b40490276bcb5ad6d5ce7fabf9a9a095cf4397eeb178ac59abb792

SHA512
114dc8aea41976cae0dd67581c1bd122ff41cb9ef1050a096c7be57e20c8b71108c10b508b209664d01eca6c4276e59b0c486611cba3d6edd8f6c31b1368a0e9

Download Submit
\Windows\SysWOW64\Bmelpa32.exe

Filesize
78KB

MD5
b232425c9380b2dfe96f400988876fb3

SHA1
4aad80b8b8a4cbb0c8ae808c5c8c564b5e801a1f

SHA256
52f51f5db8c1293b879e44cc91fffa3ba61ae8f82093e2193186e88959cc998d

SHA512
5f28806dfbb0a3476b5d53ccd758180a38bd092d4e6ceeb8cf1cfb18dc65faa856ac342edd120eba2180f7c8010ef62851478d713480251eead3e0fc89dfe053

Download Submit
\Windows\SysWOW64\Bmgifa32.exe

Filesize
78KB

MD5
ad14cda607124d70f278a36ad507ba46

SHA1
41874be3e57a8e4be27cdba80e992ea201dd0969

SHA256
29fa73487b36bd39938ec9a629c611ec094d9c11476ea7ff02db78e49ae21677

SHA512
d5161a9c9dca7036c5f85a9e6c1422054db5d9afd84f748e0d9c0424746a746c40bbca63f8a28780d82be5151fd005c368a928c8167b6beaf756113a2493d2f7

Download Submit
\Windows\SysWOW64\Cenmfbml.exe

Filesize
78KB

MD5
3a4c8701c309df9a68bc989dd9816e8a

SHA1
901081e063c23fd584bbc0df534d516f817aa1c1

SHA256
b9ba61c864df63258ff13e5b8959f7a5c47509f4a57d29a274351a9cdd77fd24

SHA512
7b266fb39336f14bcf90f4b14c9c97ca22746d2ca62a1e3703ac5969e020435a093dbcac497be0ed843ea4f30d0e48931212675645bbe3f4d88b03993374d06b

Download Submit
\Windows\SysWOW64\Qghgigkn.exe

Filesize
78KB

MD5
50e3a0066e9f687ffebfcfbc4f2137c3

SHA1
2eaf24bd17246c9e3259084c7599114923db8775

SHA256
c6d5a008dda8796b59ae229dcf6985cb23424d9148f41aa27cff49e8475317bf

SHA512
f5471b2d2d37610a5d22f8e6ceef251be8b4371405ed374553c015499111aae2ae7704d07c28b6a66c60dac7a92512d082372ceb557b481932921b52bb9e9342

Download Submit
memory/780-171-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/780-165-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1560-117-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1560-167-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1560-166-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1612-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1612-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1612-49-0x00000000002A0000-0x00000000002E1000-memory.dmp

Filesize
260KB

Download
memory/1612-12-0x00000000002A0000-0x00000000002E1000-memory.dmp

Filesize
260KB

Download
memory/1612-11-0x00000000002A0000-0x00000000002E1000-memory.dmp

Filesize
260KB

Download
memory/1756-170-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1756-163-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1756-169-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1756-149-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2628-157-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2628-113-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2628-162-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2672-116-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2672-114-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2672-69-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2672-129-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2780-26-0x00000000002C0000-0x0000000000301000-memory.dmp

Filesize
260KB

Download
memory/2780-19-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2960-76-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2960-132-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2960-130-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2980-50-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2980-56-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2980-108-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2980-98-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3004-168-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3004-146-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/3004-136-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3024-99-0x0000000001BB0000-0x0000000001BF1000-memory.dmp

Filesize
260KB

Download
memory/3024-93-0x0000000001BB0000-0x0000000001BF1000-memory.dmp

Filesize
260KB

Download
memory/3024-85-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3024-148-0x0000000001BB0000-0x0000000001BF1000-memory.dmp

Filesize
260KB

Download
memory/3024-145-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3052-83-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3052-36-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/3052-28-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads