a65949f9d7d617ebf933f5909f7c8e5e04b4060142af73468466add44fa6e590

General

Target

7acafd284e5d51efc67eaae1a515495e_JC.exe
Size

91KB
MD5

7acafd284e5d51efc67eaae1a515495e
SHA1

c481f3ce2a973ae8775694de02607d0f6cd6e5a3
SHA256

a65949f9d7d617ebf933f5909f7c8e5e04b4060142af73468466add44fa6e590
SHA512

70db8bbf295202ba343bd4ef3e6d5e0e22273cb057f2584e720611f602d81da6f3ee0e8892cec421d7ddad73b83bea2cfa2e969c4f67fbf2702b878e2efc581c
SSDEEP

1536:OBDxJGWJf0K/m/TEq1uwskn7KGKYE6BXw5e+ZnfH:ODJGWmb/weuwdn7KGKYXindf

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7acafd284e5d51efc67eaae1a515495e_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	7acafd284e5d51efc67eaae1a515495e_JC.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe

Executes dropped EXE 4 IoCs

pid	Process
2980	Ddakjkqi.exe
1704	Daekdooc.exe
4656	Dddhpjof.exe
2312	Dmllipeg.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	7acafd284e5d51efc67eaae1a515495e_JC.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	7acafd284e5d51efc67eaae1a515495e_JC.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	7acafd284e5d51efc67eaae1a515495e_JC.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dddhpjof.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3480	2312	WerFault.exe	88

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	7acafd284e5d51efc67eaae1a515495e_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	7acafd284e5d51efc67eaae1a515495e_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	7acafd284e5d51efc67eaae1a515495e_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	7acafd284e5d51efc67eaae1a515495e_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	7acafd284e5d51efc67eaae1a515495e_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	7acafd284e5d51efc67eaae1a515495e_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dddhpjof.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4456 wrote to memory of 2980	4456	7acafd284e5d51efc67eaae1a515495e_JC.exe	85
PID 4456 wrote to memory of 2980	4456	7acafd284e5d51efc67eaae1a515495e_JC.exe	85
PID 4456 wrote to memory of 2980	4456	7acafd284e5d51efc67eaae1a515495e_JC.exe	85
PID 2980 wrote to memory of 1704	2980	Ddakjkqi.exe	86
PID 2980 wrote to memory of 1704	2980	Ddakjkqi.exe	86
PID 2980 wrote to memory of 1704	2980	Ddakjkqi.exe	86
PID 1704 wrote to memory of 4656	1704	Daekdooc.exe	87
PID 1704 wrote to memory of 4656	1704	Daekdooc.exe	87
PID 1704 wrote to memory of 4656	1704	Daekdooc.exe	87
PID 4656 wrote to memory of 2312	4656	Dddhpjof.exe	88
PID 4656 wrote to memory of 2312	4656	Dddhpjof.exe	88
PID 4656 wrote to memory of 2312	4656	Dddhpjof.exe	88

C:\Users\Admin\AppData\Local\Temp\7acafd284e5d51efc67eaae1a515495e_JC.exe
"C:\Users\Admin\AppData\Local\Temp\7acafd284e5d51efc67eaae1a515495e_JC.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Windows\SysWOW64\Ddakjkqi.exe
  C:\Windows\system32\Ddakjkqi.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\SysWOW64\Daekdooc.exe
    C:\Windows\system32\Daekdooc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1704
  - - C:\Windows\SysWOW64\Dddhpjof.exe
      C:\Windows\system32\Dddhpjof.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4656
    - - C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        5⤵
        Executes dropped EXE
        
        PID:2312
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 396
        6⤵
        Program crash
        
        PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2312 -ip 2312
1⤵
PID:4356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daekdooc.exe

Filesize
91KB

MD5
a716feb30e83bc5f732a3c194479cfd4

SHA1
9a9309e3681daa8f7c7b242a8ff759d451ec3362

SHA256
c4566a6e135002f097a2dfa8c1e3a4fb39317aa51533d6a2cbc8d509db3e10c5

SHA512
09328390650cc0f82bd62e91e9eaa39a5de67c41d79b2214b6cac9456c1b52d7acf559ad261b9e6be32574664ec2e5006145f9890fe8fe4aecab65739615c955

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
91KB

MD5
a716feb30e83bc5f732a3c194479cfd4

SHA1
9a9309e3681daa8f7c7b242a8ff759d451ec3362

SHA256
c4566a6e135002f097a2dfa8c1e3a4fb39317aa51533d6a2cbc8d509db3e10c5

SHA512
09328390650cc0f82bd62e91e9eaa39a5de67c41d79b2214b6cac9456c1b52d7acf559ad261b9e6be32574664ec2e5006145f9890fe8fe4aecab65739615c955

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
91KB

MD5
792836912149e7543c3b93d11bcbd6b8

SHA1
4493be6a17526680d7f8d2b5223949eae15d5507

SHA256
76500efcf521f1d14ca9db77533f6ddb39a7cebc947e7bbce52f52db22ac1511

SHA512
adbca943c4ad544e6c9e7a8e1d40d70c389133bc77b824c678b8f3c1e4d322f38818b2676acc377c7689f4a845d3c814b13bd67e141d6b4a29991ac779f42ddb

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
91KB

MD5
792836912149e7543c3b93d11bcbd6b8

SHA1
4493be6a17526680d7f8d2b5223949eae15d5507

SHA256
76500efcf521f1d14ca9db77533f6ddb39a7cebc947e7bbce52f52db22ac1511

SHA512
adbca943c4ad544e6c9e7a8e1d40d70c389133bc77b824c678b8f3c1e4d322f38818b2676acc377c7689f4a845d3c814b13bd67e141d6b4a29991ac779f42ddb

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
91KB

MD5
e95449795001a4df1d0fa5aa89d870f5

SHA1
b82f562e9679a99ccb29056b343ac2b25acd1ad1

SHA256
896d08a09bc70c031881e1d9d9ed7f7f5f50300d143c394a13bdc3664571cf6f

SHA512
bd8304f031671ce861b834051f419089a764b9704911d3d8f6e4dcf7b2681073450d9ff5aa896566a1f794b1221706811a5c44d7d8e4f36fa083cbaf492328fb

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
91KB

MD5
e95449795001a4df1d0fa5aa89d870f5

SHA1
b82f562e9679a99ccb29056b343ac2b25acd1ad1

SHA256
896d08a09bc70c031881e1d9d9ed7f7f5f50300d143c394a13bdc3664571cf6f

SHA512
bd8304f031671ce861b834051f419089a764b9704911d3d8f6e4dcf7b2681073450d9ff5aa896566a1f794b1221706811a5c44d7d8e4f36fa083cbaf492328fb

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
91KB

MD5
eff8f677df49807333c3ed9c83883948

SHA1
b6de1458fd7b5f53bf5b166abbce31d1b9957de7

SHA256
2973dc6576235fb161d0fe13107af8fea093f470c0fc4384be779046dc56ffd1

SHA512
2532ca8e90515d3851403d731c91ca14f8a81d64aea00cf292227a2971685fd5b99c36bf93518a90f6e57ed2e9286c7597ebe964431eb1b724f27231a2aa115c

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
91KB

MD5
eff8f677df49807333c3ed9c83883948

SHA1
b6de1458fd7b5f53bf5b166abbce31d1b9957de7

SHA256
2973dc6576235fb161d0fe13107af8fea093f470c0fc4384be779046dc56ffd1

SHA512
2532ca8e90515d3851403d731c91ca14f8a81d64aea00cf292227a2971685fd5b99c36bf93518a90f6e57ed2e9286c7597ebe964431eb1b724f27231a2aa115c

Download Submit
memory/1704-20-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1704-35-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2312-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2312-33-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2980-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2980-36-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4456-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4456-37-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4656-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4656-34-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads