3072ec2a2067ba40bab69858eae7eea162ace18b2c4c0468609581f7bc4df08b

Analysis

max time kernel
143s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
15/10/2023, 19:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c715b4e6ebebc84e3671f6392e628aa0_exe32.exe
Size

96KB
MD5

c715b4e6ebebc84e3671f6392e628aa0
SHA1

dbc3dc9d4040223906ad0830e343ef1c9bddf462
SHA256

3072ec2a2067ba40bab69858eae7eea162ace18b2c4c0468609581f7bc4df08b
SHA512

f274dea8445cd624f3a496ab9018f1a80965812c1b21b96f25b2de75b248cf84f075750798fe167c18ab74b2a469e6b5a5b812e6d32f644bd4521e9e1e68736a
SSDEEP

1536:20tRqvN5pzgJUuShYYMfLzWlc7OVAPgnDNBrcN4i6tBYuR3PlNPMAZ:zspzjuShYYMzzWlEOVAPgxed6BYudlNd

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c715b4e6ebebc84e3671f6392e628aa0_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c715b4e6ebebc84e3671f6392e628aa0_exe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe

Executes dropped EXE 4 IoCs

pid	Process
3644	Daconoae.exe
2356	Dfpgffpm.exe
4580	Dddhpjof.exe
216	Dmllipeg.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	c715b4e6ebebc84e3671f6392e628aa0_exe32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	c715b4e6ebebc84e3671f6392e628aa0_exe32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	c715b4e6ebebc84e3671f6392e628aa0_exe32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Daconoae.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1612	216	WerFault.exe	86

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	c715b4e6ebebc84e3671f6392e628aa0_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	c715b4e6ebebc84e3671f6392e628aa0_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	c715b4e6ebebc84e3671f6392e628aa0_exe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	c715b4e6ebebc84e3671f6392e628aa0_exe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	c715b4e6ebebc84e3671f6392e628aa0_exe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	c715b4e6ebebc84e3671f6392e628aa0_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 3644	4900	c715b4e6ebebc84e3671f6392e628aa0_exe32.exe	83
PID 4900 wrote to memory of 3644	4900	c715b4e6ebebc84e3671f6392e628aa0_exe32.exe	83
PID 4900 wrote to memory of 3644	4900	c715b4e6ebebc84e3671f6392e628aa0_exe32.exe	83
PID 3644 wrote to memory of 2356	3644	Daconoae.exe	84
PID 3644 wrote to memory of 2356	3644	Daconoae.exe	84
PID 3644 wrote to memory of 2356	3644	Daconoae.exe	84
PID 2356 wrote to memory of 4580	2356	Dfpgffpm.exe	85
PID 2356 wrote to memory of 4580	2356	Dfpgffpm.exe	85
PID 2356 wrote to memory of 4580	2356	Dfpgffpm.exe	85
PID 4580 wrote to memory of 216	4580	Dddhpjof.exe	86
PID 4580 wrote to memory of 216	4580	Dddhpjof.exe	86
PID 4580 wrote to memory of 216	4580	Dddhpjof.exe	86

C:\Users\Admin\AppData\Local\Temp\c715b4e6ebebc84e3671f6392e628aa0_exe32.exe
"C:\Users\Admin\AppData\Local\Temp\c715b4e6ebebc84e3671f6392e628aa0_exe32.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Windows\SysWOW64\Daconoae.exe
  C:\Windows\system32\Daconoae.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3644
- - C:\Windows\SysWOW64\Dfpgffpm.exe
    C:\Windows\system32\Dfpgffpm.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Windows\SysWOW64\Dddhpjof.exe
      C:\Windows\system32\Dddhpjof.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4580
    - - C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        5⤵
        Executes dropped EXE
        
        PID:216
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 396
        6⤵
        Program crash
        
        PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 216 -ip 216
1⤵
PID:4368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daconoae.exe

Filesize
96KB

MD5
4c48a763c83afb6c6d1471311087b54c

SHA1
7f7ceec87149bd4e3226ad9e4baf532cede5ff92

SHA256
10cc7519289804e30706de64b509fe0df33a2ffffcf264062b520f16e9d696ee

SHA512
32c6a1f4119dec7910e736f6733dac33eb1e08c8bce32f6487b949ad6770b4c7c0f7d310bb7730af8639651a1a6b2fa148307a6fcafadd133a6e4f35fd0f38ad

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
96KB

MD5
4c48a763c83afb6c6d1471311087b54c

SHA1
7f7ceec87149bd4e3226ad9e4baf532cede5ff92

SHA256
10cc7519289804e30706de64b509fe0df33a2ffffcf264062b520f16e9d696ee

SHA512
32c6a1f4119dec7910e736f6733dac33eb1e08c8bce32f6487b949ad6770b4c7c0f7d310bb7730af8639651a1a6b2fa148307a6fcafadd133a6e4f35fd0f38ad

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
96KB

MD5
498b0bcf93019f81d0632da62fb12a5d

SHA1
39e8aac782fb2bb6925e6e160f0292fa82d61503

SHA256
681cac52b5a4b6e65ca7e3ba84a332668dd6450b2d3fb46770390e6a7c5e3cbb

SHA512
b356a429eecdc1d8e536480dac5b1d7d8739b6b72f139803676bcf7c31b10d1b0ea15cdbf2362aae64487fb11f7f714e39c3bb0ae113950383d766d354ed5ca2

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
96KB

MD5
498b0bcf93019f81d0632da62fb12a5d

SHA1
39e8aac782fb2bb6925e6e160f0292fa82d61503

SHA256
681cac52b5a4b6e65ca7e3ba84a332668dd6450b2d3fb46770390e6a7c5e3cbb

SHA512
b356a429eecdc1d8e536480dac5b1d7d8739b6b72f139803676bcf7c31b10d1b0ea15cdbf2362aae64487fb11f7f714e39c3bb0ae113950383d766d354ed5ca2

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
96KB

MD5
498b0bcf93019f81d0632da62fb12a5d

SHA1
39e8aac782fb2bb6925e6e160f0292fa82d61503

SHA256
681cac52b5a4b6e65ca7e3ba84a332668dd6450b2d3fb46770390e6a7c5e3cbb

SHA512
b356a429eecdc1d8e536480dac5b1d7d8739b6b72f139803676bcf7c31b10d1b0ea15cdbf2362aae64487fb11f7f714e39c3bb0ae113950383d766d354ed5ca2

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
96KB

MD5
85923a8ba9bfaf206ad2cf9c98395a51

SHA1
24dbda9d071c2851d3afe6d8483b9b07a4e1f832

SHA256
be5fe438579bf4c8ed16acc5e97e12332e5263b8ce611a0c1d3fe1ba07d6c5d8

SHA512
76fe721a2d9d765755ed492fa2f23eda0c13717b61c2d8e81e1596c05c04f2db4d4eb40bf0269389b47d75cff9c411027ad4f718c3e790e6cdabcda9e642cd28

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
96KB

MD5
85923a8ba9bfaf206ad2cf9c98395a51

SHA1
24dbda9d071c2851d3afe6d8483b9b07a4e1f832

SHA256
be5fe438579bf4c8ed16acc5e97e12332e5263b8ce611a0c1d3fe1ba07d6c5d8

SHA512
76fe721a2d9d765755ed492fa2f23eda0c13717b61c2d8e81e1596c05c04f2db4d4eb40bf0269389b47d75cff9c411027ad4f718c3e790e6cdabcda9e642cd28

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
96KB

MD5
a572f07fa1cf03ff50c46cc8086d92a3

SHA1
50869bc18037b4f8ec706c62f5af23d55faa14a9

SHA256
933f38cf88d59eb8f29bda1ee819943bd270e5af957ce2f301d3a656651b0cc6

SHA512
4b31ee1a1bc22d6447b1f4b45ce1b775231b0bb7c74921c95f7edae687296a3b5a63e21a440e9bf9b09210aa19e0ec391b6ccb9f1834fd62cecdc9a4a7b73df2

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
96KB

MD5
a572f07fa1cf03ff50c46cc8086d92a3

SHA1
50869bc18037b4f8ec706c62f5af23d55faa14a9

SHA256
933f38cf88d59eb8f29bda1ee819943bd270e5af957ce2f301d3a656651b0cc6

SHA512
4b31ee1a1bc22d6447b1f4b45ce1b775231b0bb7c74921c95f7edae687296a3b5a63e21a440e9bf9b09210aa19e0ec391b6ccb9f1834fd62cecdc9a4a7b73df2

Download Submit
memory/216-34-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/216-33-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2356-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2356-37-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3644-9-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3644-36-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4580-24-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4580-35-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4900-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4900-5-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4900-38-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads