91082a74d4f43bdb3f01d256c7a888d81e234a1c4e8026ce40ddd1eb02cc5e8f

General

Target

91082a74d4f43bdb3f01d256c7a888d81e234a1c4e8026ce40ddd1eb02cc5e8fN.exe
Size

385KB
MD5

be880377f67fa1021371caab42f1d4d0
SHA1

1f0a44607831c180cf1ec5a63e26e819ec7755dc
SHA256

91082a74d4f43bdb3f01d256c7a888d81e234a1c4e8026ce40ddd1eb02cc5e8f
SHA512

e0d55fbdbecfae23b876a915a2bbab47b4b87628b5c74fdbad646ce634d30eb0adaaff3cffd83e1166259a354856a39db4676a0359250dab036312810fd63984
SSDEEP

12288:WFWy59SLWy5jy59SL3y59Ey59SLAy59SLZy5iy59SL:WYy7oWypy7o3y7Ey7oAy7oZyUy7o

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	91082a74d4f43bdb3f01d256c7a888d81e234a1c4e8026ce40ddd1eb02cc5e8fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	91082a74d4f43bdb3f01d256c7a888d81e234a1c4e8026ce40ddd1eb02cc5e8fN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cddjebgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cddjebgb.exe

Executes dropped EXE 2 IoCs

pid	Process
2888	Cddjebgb.exe
2916	Ceegmj32.exe

Loads dropped DLL 8 IoCs

pid	Process
2876	91082a74d4f43bdb3f01d256c7a888d81e234a1c4e8026ce40ddd1eb02cc5e8fN.exe
2876	91082a74d4f43bdb3f01d256c7a888d81e234a1c4e8026ce40ddd1eb02cc5e8fN.exe
2888	Cddjebgb.exe
2888	Cddjebgb.exe
2752	WerFault.exe
2752	WerFault.exe
2752	WerFault.exe
2752	WerFault.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ceegmj32.exe	Cddjebgb.exe
File opened for modification	C:\Windows\SysWOW64\Ceegmj32.exe	Cddjebgb.exe
File created	C:\Windows\SysWOW64\Aoogfhfp.dll	Cddjebgb.exe
File created	C:\Windows\SysWOW64\Cddjebgb.exe	91082a74d4f43bdb3f01d256c7a888d81e234a1c4e8026ce40ddd1eb02cc5e8fN.exe
File opened for modification	C:\Windows\SysWOW64\Cddjebgb.exe	91082a74d4f43bdb3f01d256c7a888d81e234a1c4e8026ce40ddd1eb02cc5e8fN.exe
File created	C:\Windows\SysWOW64\Bhdmagqq.dll	91082a74d4f43bdb3f01d256c7a888d81e234a1c4e8026ce40ddd1eb02cc5e8fN.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2752	2916	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	91082a74d4f43bdb3f01d256c7a888d81e234a1c4e8026ce40ddd1eb02cc5e8fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cddjebgb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceegmj32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	91082a74d4f43bdb3f01d256c7a888d81e234a1c4e8026ce40ddd1eb02cc5e8fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhdmagqq.dll"	91082a74d4f43bdb3f01d256c7a888d81e234a1c4e8026ce40ddd1eb02cc5e8fN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cddjebgb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	91082a74d4f43bdb3f01d256c7a888d81e234a1c4e8026ce40ddd1eb02cc5e8fN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	91082a74d4f43bdb3f01d256c7a888d81e234a1c4e8026ce40ddd1eb02cc5e8fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	91082a74d4f43bdb3f01d256c7a888d81e234a1c4e8026ce40ddd1eb02cc5e8fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll"	Cddjebgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cddjebgb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	91082a74d4f43bdb3f01d256c7a888d81e234a1c4e8026ce40ddd1eb02cc5e8fN.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2888	2876	91082a74d4f43bdb3f01d256c7a888d81e234a1c4e8026ce40ddd1eb02cc5e8fN.exe	30
PID 2876 wrote to memory of 2888	2876	91082a74d4f43bdb3f01d256c7a888d81e234a1c4e8026ce40ddd1eb02cc5e8fN.exe	30
PID 2876 wrote to memory of 2888	2876	91082a74d4f43bdb3f01d256c7a888d81e234a1c4e8026ce40ddd1eb02cc5e8fN.exe	30
PID 2876 wrote to memory of 2888	2876	91082a74d4f43bdb3f01d256c7a888d81e234a1c4e8026ce40ddd1eb02cc5e8fN.exe	30
PID 2888 wrote to memory of 2916	2888	Cddjebgb.exe	31
PID 2888 wrote to memory of 2916	2888	Cddjebgb.exe	31
PID 2888 wrote to memory of 2916	2888	Cddjebgb.exe	31
PID 2888 wrote to memory of 2916	2888	Cddjebgb.exe	31
PID 2916 wrote to memory of 2752	2916	Ceegmj32.exe	32
PID 2916 wrote to memory of 2752	2916	Ceegmj32.exe	32
PID 2916 wrote to memory of 2752	2916	Ceegmj32.exe	32
PID 2916 wrote to memory of 2752	2916	Ceegmj32.exe	32

C:\Users\Admin\AppData\Local\Temp\91082a74d4f43bdb3f01d256c7a888d81e234a1c4e8026ce40ddd1eb02cc5e8fN.exe
"C:\Users\Admin\AppData\Local\Temp\91082a74d4f43bdb3f01d256c7a888d81e234a1c4e8026ce40ddd1eb02cc5e8fN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\SysWOW64\Cddjebgb.exe
  C:\Windows\system32\Cddjebgb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\SysWOW64\Ceegmj32.exe
    C:\Windows\system32\Ceegmj32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 140
      4⤵
      Loads dropped DLL
      Program crash
      PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ceegmj32.exe

Filesize
385KB

MD5
5b46da3043896ae9f373747be2823404

SHA1
bc43773c3e4d6def2713760094d74be49ea8c235

SHA256
d1fd131013933ebd6bd8ec74ce951ec2a2ba5c242d0b5cd54bf2e0cfe088950f

SHA512
f811cfb5cca43cc6203e59a7e159a2da256c0a47c04752d96b7868c76c5c525de01675f4b762ea530be42c05182cc6141e07206d62134e1273bb561a8b344e9e

Download Submit
\Windows\SysWOW64\Cddjebgb.exe

Filesize
385KB

MD5
ee8e557e3c9c13fd76412900ce40b139

SHA1
d136f55f4a82e003c61872a7a1bf6027d2caa16b

SHA256
2dcc1697dc01b993b5170ce2141bd4a1a2e6a34e6dd73c2eb8e3edbc93c6a616

SHA512
18c95eb3feddd432ade30beb0ba542ed7045402fb14ba49c67238b36d08398492b6541e28290feb9b2fdc7ceaa00fca036fb6e3133450f6bc1f561ca0255445a

Download Submit
memory/2876-0-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2876-12-0x00000000002E0000-0x000000000036B000-memory.dmp

Filesize
556KB

Download
memory/2876-11-0x00000000002E0000-0x000000000036B000-memory.dmp

Filesize
556KB

Download
memory/2876-35-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2888-29-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2888-30-0x00000000002D0000-0x000000000035B000-memory.dmp

Filesize
556KB

Download
memory/2888-37-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2916-31-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2916-38-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads