99ca10210cf21f2dccea2462eb492d64ee17ff63015be7dd5b61b3d003d8b022

Analysis

max time kernel
118s
max time network
125s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
18/10/2024, 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99ca10210cf21f2dccea2462eb492d64ee17ff63015be7dd5b61b3d003d8b022.exe
Size

91KB
MD5

403695e0826bbfeb7007a5b063877d26
SHA1

cd1bbe691c12482f44019fa4604919e112381690
SHA256

99ca10210cf21f2dccea2462eb492d64ee17ff63015be7dd5b61b3d003d8b022
SHA512

c517af5493ef467ece26a0ff14f55f8f7bfa792e1909d364d1d5ef909f0e0e27b441904b04b09816b5bdcdcb2eaad297bb2b0aa67404b31a9e1c624be192bb08
SSDEEP

1536:PmipZCo3/fgPJHiyicsvSAwfn97ILXfdibTAn6v0DSztOZ/PwimYt/6kiV3REDNE:PmipZ1XgP1iyicsvSAwfn97IT2C68ym6

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgpjlnhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgpjlnhh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	99ca10210cf21f2dccea2462eb492d64ee17ff63015be7dd5b61b3d003d8b022.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cphndc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cphndc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgbfamff.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfaocal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmjbhh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgbfamff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	99ca10210cf21f2dccea2462eb492d64ee17ff63015be7dd5b61b3d003d8b022.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfaocal.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmjbhh32.exe

Executes dropped EXE 8 IoCs

pid	Process
3020	Cpceidcn.exe
2916	Cfnmfn32.exe
2656	Cpfaocal.exe
2724	Cgpjlnhh.exe
536	Cmjbhh32.exe
1472	Cphndc32.exe
2108	Cgbfamff.exe
2088	Ceegmj32.exe

Loads dropped DLL 20 IoCs

pid	Process
2884	99ca10210cf21f2dccea2462eb492d64ee17ff63015be7dd5b61b3d003d8b022.exe
2884	99ca10210cf21f2dccea2462eb492d64ee17ff63015be7dd5b61b3d003d8b022.exe
3020	Cpceidcn.exe
3020	Cpceidcn.exe
2916	Cfnmfn32.exe
2916	Cfnmfn32.exe
2656	Cpfaocal.exe
2656	Cpfaocal.exe
2724	Cgpjlnhh.exe
2724	Cgpjlnhh.exe
536	Cmjbhh32.exe
536	Cmjbhh32.exe
1472	Cphndc32.exe
1472	Cphndc32.exe
2108	Cgbfamff.exe
2108	Cgbfamff.exe
2912	WerFault.exe
2912	WerFault.exe
2912	WerFault.exe
2912	WerFault.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cpfaocal.exe	Cfnmfn32.exe
File opened for modification	C:\Windows\SysWOW64\Cgpjlnhh.exe	Cpfaocal.exe
File created	C:\Windows\SysWOW64\Ckpfcfnm.dll	Cgpjlnhh.exe
File created	C:\Windows\SysWOW64\Lbonaf32.dll	Cphndc32.exe
File created	C:\Windows\SysWOW64\Aoogfhfp.dll	Cgbfamff.exe
File created	C:\Windows\SysWOW64\Cpceidcn.exe	99ca10210cf21f2dccea2462eb492d64ee17ff63015be7dd5b61b3d003d8b022.exe
File created	C:\Windows\SysWOW64\Ndmjqgdd.dll	99ca10210cf21f2dccea2462eb492d64ee17ff63015be7dd5b61b3d003d8b022.exe
File created	C:\Windows\SysWOW64\Mabanhgg.dll	Cpceidcn.exe
File created	C:\Windows\SysWOW64\Cpfaocal.exe	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Cmjbhh32.exe	Cgpjlnhh.exe
File created	C:\Windows\SysWOW64\Ceegmj32.exe	Cgbfamff.exe
File opened for modification	C:\Windows\SysWOW64\Ceegmj32.exe	Cgbfamff.exe
File created	C:\Windows\SysWOW64\Cfnmfn32.exe	Cpceidcn.exe
File created	C:\Windows\SysWOW64\Dqcngnae.dll	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Cphndc32.exe	Cmjbhh32.exe
File opened for modification	C:\Windows\SysWOW64\Cphndc32.exe	Cmjbhh32.exe
File opened for modification	C:\Windows\SysWOW64\Cgbfamff.exe	Cphndc32.exe
File opened for modification	C:\Windows\SysWOW64\Cpceidcn.exe	99ca10210cf21f2dccea2462eb492d64ee17ff63015be7dd5b61b3d003d8b022.exe
File opened for modification	C:\Windows\SysWOW64\Cfnmfn32.exe	Cpceidcn.exe
File created	C:\Windows\SysWOW64\Cgpjlnhh.exe	Cpfaocal.exe
File created	C:\Windows\SysWOW64\Dojofhjd.dll	Cpfaocal.exe
File opened for modification	C:\Windows\SysWOW64\Cmjbhh32.exe	Cgpjlnhh.exe
File created	C:\Windows\SysWOW64\Lopdpdmj.dll	Cmjbhh32.exe
File created	C:\Windows\SysWOW64\Cgbfamff.exe	Cphndc32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2912	2088	WerFault.exe	37

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfaocal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmjbhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgpjlnhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cphndc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgbfamff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceegmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	99ca10210cf21f2dccea2462eb492d64ee17ff63015be7dd5b61b3d003d8b022.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpceidcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfnmfn32.exe

Modifies registry class 27 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	99ca10210cf21f2dccea2462eb492d64ee17ff63015be7dd5b61b3d003d8b022.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgbfamff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgbfamff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqcngnae.dll"	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfaocal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll"	Cgbfamff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	99ca10210cf21f2dccea2462eb492d64ee17ff63015be7dd5b61b3d003d8b022.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cphndc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dojofhjd.dll"	Cpfaocal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgpjlnhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbonaf32.dll"	Cphndc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	99ca10210cf21f2dccea2462eb492d64ee17ff63015be7dd5b61b3d003d8b022.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lopdpdmj.dll"	Cmjbhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmjbhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	99ca10210cf21f2dccea2462eb492d64ee17ff63015be7dd5b61b3d003d8b022.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckpfcfnm.dll"	Cgpjlnhh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgpjlnhh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	99ca10210cf21f2dccea2462eb492d64ee17ff63015be7dd5b61b3d003d8b022.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndmjqgdd.dll"	99ca10210cf21f2dccea2462eb492d64ee17ff63015be7dd5b61b3d003d8b022.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmjbhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cphndc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mabanhgg.dll"	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfaocal.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 3020	2884	99ca10210cf21f2dccea2462eb492d64ee17ff63015be7dd5b61b3d003d8b022.exe	30
PID 2884 wrote to memory of 3020	2884	99ca10210cf21f2dccea2462eb492d64ee17ff63015be7dd5b61b3d003d8b022.exe	30
PID 2884 wrote to memory of 3020	2884	99ca10210cf21f2dccea2462eb492d64ee17ff63015be7dd5b61b3d003d8b022.exe	30
PID 2884 wrote to memory of 3020	2884	99ca10210cf21f2dccea2462eb492d64ee17ff63015be7dd5b61b3d003d8b022.exe	30
PID 3020 wrote to memory of 2916	3020	Cpceidcn.exe	31
PID 3020 wrote to memory of 2916	3020	Cpceidcn.exe	31
PID 3020 wrote to memory of 2916	3020	Cpceidcn.exe	31
PID 3020 wrote to memory of 2916	3020	Cpceidcn.exe	31
PID 2916 wrote to memory of 2656	2916	Cfnmfn32.exe	32
PID 2916 wrote to memory of 2656	2916	Cfnmfn32.exe	32
PID 2916 wrote to memory of 2656	2916	Cfnmfn32.exe	32
PID 2916 wrote to memory of 2656	2916	Cfnmfn32.exe	32
PID 2656 wrote to memory of 2724	2656	Cpfaocal.exe	33
PID 2656 wrote to memory of 2724	2656	Cpfaocal.exe	33
PID 2656 wrote to memory of 2724	2656	Cpfaocal.exe	33
PID 2656 wrote to memory of 2724	2656	Cpfaocal.exe	33
PID 2724 wrote to memory of 536	2724	Cgpjlnhh.exe	34
PID 2724 wrote to memory of 536	2724	Cgpjlnhh.exe	34
PID 2724 wrote to memory of 536	2724	Cgpjlnhh.exe	34
PID 2724 wrote to memory of 536	2724	Cgpjlnhh.exe	34
PID 536 wrote to memory of 1472	536	Cmjbhh32.exe	35
PID 536 wrote to memory of 1472	536	Cmjbhh32.exe	35
PID 536 wrote to memory of 1472	536	Cmjbhh32.exe	35
PID 536 wrote to memory of 1472	536	Cmjbhh32.exe	35
PID 1472 wrote to memory of 2108	1472	Cphndc32.exe	36
PID 1472 wrote to memory of 2108	1472	Cphndc32.exe	36
PID 1472 wrote to memory of 2108	1472	Cphndc32.exe	36
PID 1472 wrote to memory of 2108	1472	Cphndc32.exe	36
PID 2108 wrote to memory of 2088	2108	Cgbfamff.exe	37
PID 2108 wrote to memory of 2088	2108	Cgbfamff.exe	37
PID 2108 wrote to memory of 2088	2108	Cgbfamff.exe	37
PID 2108 wrote to memory of 2088	2108	Cgbfamff.exe	37
PID 2088 wrote to memory of 2912	2088	Ceegmj32.exe	38
PID 2088 wrote to memory of 2912	2088	Ceegmj32.exe	38
PID 2088 wrote to memory of 2912	2088	Ceegmj32.exe	38
PID 2088 wrote to memory of 2912	2088	Ceegmj32.exe	38

C:\Users\Admin\AppData\Local\Temp\99ca10210cf21f2dccea2462eb492d64ee17ff63015be7dd5b61b3d003d8b022.exe
"C:\Users\Admin\AppData\Local\Temp\99ca10210cf21f2dccea2462eb492d64ee17ff63015be7dd5b61b3d003d8b022.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\SysWOW64\Cpceidcn.exe
  C:\Windows\system32\Cpceidcn.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\SysWOW64\Cfnmfn32.exe
    C:\Windows\system32\Cfnmfn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\SysWOW64\Cpfaocal.exe
      C:\Windows\system32\Cpfaocal.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2656
    - - C:\Windows\SysWOW64\Cgpjlnhh.exe
        
        C:\Windows\system32\Cgpjlnhh.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2724
      - C:\Windows\SysWOW64\Cmjbhh32.exe
        
        C:\Windows\system32\Cmjbhh32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Cphndc32.exe
        
        C:\Windows\system32\Cphndc32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\Cgbfamff.exe
        
        C:\Windows\system32\Cgbfamff.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 140
        10⤵
        Loads dropped DLL
        Program crash
        
        PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\Ceegmj32.exe

Filesize
91KB

MD5
91171ebc07417208a22a7fffeb709277

SHA1
4106416a344bd78b377b76d0b41cf9aa2afe36bb

SHA256
f66761cafdd773decfae3a1a7a7e656e7430bf5b9e27a9300eb4e03e095ddf02

SHA512
f473c9ee3362df6a4d95101236644d170c173944fc2298c0cfc9a0b442d653fad997b90dae2cff5de6e2c7ae6514a8f3f68a83683c3d8d7170e757005a53fa9a

Download Submit
\Windows\SysWOW64\Cfnmfn32.exe

Filesize
91KB

MD5
f531c642ff5f973bfa601ce0f5edb00a

SHA1
836685f8b547291ef31947aa9fbf835df5343d80

SHA256
dcba667941ce53b5a80ebc9342abc640e6ac4bc69b8df3fb432511a997d4c4a9

SHA512
cd43224404929f3217ce06217ca4ba8cc2fabce624a90a5f507d3276f0106ccc515e63425f2e53d9051cc3f8091e7bdb7d87b977d4aa104d06c7a387ba1e78fb

Download Submit
\Windows\SysWOW64\Cgbfamff.exe

Filesize
91KB

MD5
e9a8223916837c4f59d08ad9924ea90a

SHA1
6797e9ee5292745805172118a2d5f57c8816c296

SHA256
50e278b0717a7d5c1f489de086ebee9828f924e206699c4a332a33507eeae05f

SHA512
d04be4dd8aec7ab2f03320cf69e43d5e62aaa5638a1bc7ac7ea105b67441fe86bc7d24b664e8e40c4e747c0b8cc0d2bbe31ba1241fd6ce0a852204bc6422e9a2

Download Submit
\Windows\SysWOW64\Cgpjlnhh.exe

Filesize
91KB

MD5
9f70dca20b4f55f74f9765242803a778

SHA1
22f7111670700dadd7cb74648cbafe070f10fc01

SHA256
3d0fea8b8cde8b8e02776ae90be1f7aa115d617c32366525d367da1efaeeea95

SHA512
9da9d081ac4899aaca0f8350409f6b8716086b54f0ace2f3b08c6f64371ec68e0e3e86ebcb10dc0d96baaf1458355f68042efbdd482f061aafeead4e7ea3a7a4

Download Submit
\Windows\SysWOW64\Cmjbhh32.exe

Filesize
91KB

MD5
a38fa0b3d85e05643639194f45815037

SHA1
0a9e169b7aeb9f40b7a02f3d31b6c5fcb678a623

SHA256
94dbc6683dddfe3183d3d0ec2d4c7766c397ef194301008c1242c6acbbb9d3d7

SHA512
34515fa475a505daf6db086d0b970cf2a76c4a46ff73dbb3a3b0a2f6f34bf7dcdd930bb38cce1dd821597ab62f88878f3d0374234fce67853a05a23e28dc76fe

Download Submit
\Windows\SysWOW64\Cpceidcn.exe

Filesize
91KB

MD5
0661257dd4425f39baec7e5fd69668dd

SHA1
1c791231f3a10e20c7ab53efb4a4c3bb70302f06

SHA256
f08abba1627ab2d1ad28174803e14ac92baf43ba75f355f09bb9351f9f517068

SHA512
6a51a642c94fb6af0708c5480504b8f758563530963876339f37e21014b70499e1f24ac205d58677520dbf20c9d1268ae6798e307f66549aea15005fb5a34d04

Download Submit
\Windows\SysWOW64\Cpfaocal.exe

Filesize
91KB

MD5
da13fffce0e85709385e33f8b5c0b9ce

SHA1
f3271708c1aad8f18b7834398cd01ded11db83a6

SHA256
384a2273b53bd331c39983f7743ce3475536008433e724392f7136ae61822eb3

SHA512
b42b6c3e27c95a004bbffeadfb34b7173fbf1d96e6589654d2a47ff063c82ccae5db9ea36a57fc4405dddc935875bce4bfdaf65a221ac9c14aeaf8add8bca930

Download Submit
\Windows\SysWOW64\Cphndc32.exe

Filesize
91KB

MD5
0ee8771191c081b2e809438e5fe2ec87

SHA1
5b84145a59e941e823ce65806c5494e01a50b0cc

SHA256
0c1a9bf5bb9c61e3dafc92d6d84f3edde10076da1f53f20ec62d281cc938d0be

SHA512
82637a25b53358910c722449b8cc0f246306157a714bc81c94f8d732e9abf66a174f48453d97333aefaef7e7ced84df721c494cc386fcb8f2e8c684d518e4d92

Download Submit
memory/536-111-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1472-109-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1472-78-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2088-104-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2088-117-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2108-113-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2108-91-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2656-47-0x0000000000300000-0x000000000033D000-memory.dmp

Filesize
244KB

Download
memory/2656-110-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2724-60-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/2724-112-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2884-11-0x00000000002D0000-0x000000000030D000-memory.dmp

Filesize
244KB

Download
memory/2884-116-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2884-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2916-114-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2916-34-0x00000000002D0000-0x000000000030D000-memory.dmp

Filesize
244KB

Download
memory/2916-26-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3020-115-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3020-13-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads