690b60be2d5fe3707ebd3eca073a0dd832ec3fe8b8530d4eef9060038e0bd3a1

Analysis

max time kernel
142s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
10-01-2024 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f10b7a7c480084a265bad0c598867db9.exe
Size

448KB
MD5

f10b7a7c480084a265bad0c598867db9
SHA1

d99cbd5e7ff922087f54bbeed8d637f5a84f2dfd
SHA256

690b60be2d5fe3707ebd3eca073a0dd832ec3fe8b8530d4eef9060038e0bd3a1
SHA512

51fefc5cada0fbfe74d3dc9408b9648cf3f4e08d6f138baedc8fa6320662670510a63b28c560a8aff7578c0b609a71c3a8f5d3bf59de7eab4a4bf1fff7dd27ed
SSDEEP

6144:vQ36wFBMJ8apdD5CWkdWxCzJ8apdD5CWfqkGLwmPJ8apdD5CWkdWxCzJ8apdD5CW:S28aedx8aFqkGLwm8aedx8a

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhnmij32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dccagcgk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcenlceh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcenlceh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enfenplo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enfenplo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhnmij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqbddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlnbeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eibbcm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f10b7a7c480084a265bad0c598867db9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhpiojfb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlnbeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dookgcij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	f10b7a7c480084a265bad0c598867db9.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddigjkid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddigjkid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehgppi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejkima32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dccagcgk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhpiojfb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enhacojl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enhacojl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eibbcm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dookgcij.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehgppi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqbddk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejkima32.exe

Executes dropped EXE 14 IoCs

pid	Process
2844	Dhnmij32.exe
2776	Dccagcgk.exe
2700	Dhpiojfb.exe
2824	Dcenlceh.exe
2680	Dlnbeh32.exe
2204	Ddigjkid.exe
548	Dookgcij.exe
2912	Ehgppi32.exe
1696	Eqbddk32.exe
880	Ejkima32.exe
1060	Enfenplo.exe
2748	Enhacojl.exe
1640	Eibbcm32.exe
2320	Fkckeh32.exe

Loads dropped DLL 32 IoCs

pid	Process
2652	f10b7a7c480084a265bad0c598867db9.exe
2652	f10b7a7c480084a265bad0c598867db9.exe
2844	Dhnmij32.exe
2844	Dhnmij32.exe
2776	Dccagcgk.exe
2776	Dccagcgk.exe
2700	Dhpiojfb.exe
2700	Dhpiojfb.exe
2824	Dcenlceh.exe
2824	Dcenlceh.exe
2680	Dlnbeh32.exe
2680	Dlnbeh32.exe
2204	Ddigjkid.exe
2204	Ddigjkid.exe
548	Dookgcij.exe
548	Dookgcij.exe
2912	Ehgppi32.exe
2912	Ehgppi32.exe
1696	Eqbddk32.exe
1696	Eqbddk32.exe
880	Ejkima32.exe
880	Ejkima32.exe
1060	Enfenplo.exe
1060	Enfenplo.exe
2748	Enhacojl.exe
2748	Enhacojl.exe
1640	Eibbcm32.exe
1640	Eibbcm32.exe
2944	WerFault.exe
2944	WerFault.exe
2944	WerFault.exe
2944	WerFault.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dhnmij32.exe	f10b7a7c480084a265bad0c598867db9.exe
File opened for modification	C:\Windows\SysWOW64\Dccagcgk.exe	Dhnmij32.exe
File created	C:\Windows\SysWOW64\Eaklqfem.dll	Dccagcgk.exe
File created	C:\Windows\SysWOW64\Ehgppi32.exe	Dookgcij.exe
File opened for modification	C:\Windows\SysWOW64\Eqbddk32.exe	Ehgppi32.exe
File created	C:\Windows\SysWOW64\Dccagcgk.exe	Dhnmij32.exe
File created	C:\Windows\SysWOW64\Dcenlceh.exe	Dhpiojfb.exe
File created	C:\Windows\SysWOW64\Nnfbei32.dll	Dcenlceh.exe
File created	C:\Windows\SysWOW64\Enfenplo.exe	Ejkima32.exe
File created	C:\Windows\SysWOW64\Fkckeh32.exe	Eibbcm32.exe
File opened for modification	C:\Windows\SysWOW64\Dcenlceh.exe	Dhpiojfb.exe
File created	C:\Windows\SysWOW64\Ddigjkid.exe	Dlnbeh32.exe
File opened for modification	C:\Windows\SysWOW64\Enfenplo.exe	Ejkima32.exe
File created	C:\Windows\SysWOW64\Bjidgghp.dll	Dhpiojfb.exe
File opened for modification	C:\Windows\SysWOW64\Dlnbeh32.exe	Dcenlceh.exe
File opened for modification	C:\Windows\SysWOW64\Dookgcij.exe	Ddigjkid.exe
File created	C:\Windows\SysWOW64\Ejkima32.exe	Eqbddk32.exe
File created	C:\Windows\SysWOW64\Enhacojl.exe	Enfenplo.exe
File created	C:\Windows\SysWOW64\Ampehe32.dll	Enfenplo.exe
File created	C:\Windows\SysWOW64\Eibbcm32.exe	Enhacojl.exe
File opened for modification	C:\Windows\SysWOW64\Dhnmij32.exe	f10b7a7c480084a265bad0c598867db9.exe
File created	C:\Windows\SysWOW64\Iifjjk32.dll	Dhnmij32.exe
File created	C:\Windows\SysWOW64\Dhpiojfb.exe	Dccagcgk.exe
File opened for modification	C:\Windows\SysWOW64\Eibbcm32.exe	Enhacojl.exe
File opened for modification	C:\Windows\SysWOW64\Ddigjkid.exe	Dlnbeh32.exe
File created	C:\Windows\SysWOW64\Mledlaqd.dll	Dlnbeh32.exe
File created	C:\Windows\SysWOW64\Geemiobo.dll	Dookgcij.exe
File opened for modification	C:\Windows\SysWOW64\Enhacojl.exe	Enfenplo.exe
File created	C:\Windows\SysWOW64\Jhgnia32.dll	Enhacojl.exe
File opened for modification	C:\Windows\SysWOW64\Fkckeh32.exe	Eibbcm32.exe
File created	C:\Windows\SysWOW64\Dlnbeh32.exe	Dcenlceh.exe
File created	C:\Windows\SysWOW64\Dookgcij.exe	Ddigjkid.exe
File created	C:\Windows\SysWOW64\Jkhgfq32.dll	Ddigjkid.exe
File opened for modification	C:\Windows\SysWOW64\Ehgppi32.exe	Dookgcij.exe
File created	C:\Windows\SysWOW64\Eqbddk32.exe	Ehgppi32.exe
File created	C:\Windows\SysWOW64\Lfnjef32.dll	Ehgppi32.exe
File opened for modification	C:\Windows\SysWOW64\Ejkima32.exe	Eqbddk32.exe
File created	C:\Windows\SysWOW64\Mmjale32.dll	Eqbddk32.exe
File created	C:\Windows\SysWOW64\Lchkpi32.dll	Ejkima32.exe
File created	C:\Windows\SysWOW64\Clkmne32.dll	Eibbcm32.exe
File created	C:\Windows\SysWOW64\Fileil32.dll	f10b7a7c480084a265bad0c598867db9.exe
File opened for modification	C:\Windows\SysWOW64\Dhpiojfb.exe	Dccagcgk.exe

Program crash 1 IoCs

pid	pid_target	Process
2944	2320	WerFault.exe

Modifies registry class 45 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fileil32.dll"	f10b7a7c480084a265bad0c598867db9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddigjkid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhgnia32.dll"	Enhacojl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkmne32.dll"	Eibbcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	f10b7a7c480084a265bad0c598867db9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhnmij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dccagcgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geemiobo.dll"	Dookgcij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqbddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iifjjk32.dll"	Dhnmij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcenlceh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dlnbeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddigjkid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dookgcij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkhgfq32.dll"	Ddigjkid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejkima32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lchkpi32.dll"	Ejkima32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eibbcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eibbcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	f10b7a7c480084a265bad0c598867db9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	f10b7a7c480084a265bad0c598867db9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqbddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enhacojl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enhacojl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhnmij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaklqfem.dll"	Dccagcgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcenlceh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dookgcij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ampehe32.dll"	Enfenplo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dlnbeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ehgppi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfnjef32.dll"	Ehgppi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dccagcgk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhpiojfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjidgghp.dll"	Dhpiojfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhpiojfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnfbei32.dll"	Dcenlceh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmjale32.dll"	Eqbddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejkima32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enfenplo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	f10b7a7c480084a265bad0c598867db9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	f10b7a7c480084a265bad0c598867db9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mledlaqd.dll"	Dlnbeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ehgppi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enfenplo.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2844	2652	f10b7a7c480084a265bad0c598867db9.exe	30
PID 2652 wrote to memory of 2844	2652	f10b7a7c480084a265bad0c598867db9.exe	30
PID 2652 wrote to memory of 2844	2652	f10b7a7c480084a265bad0c598867db9.exe	30
PID 2652 wrote to memory of 2844	2652	f10b7a7c480084a265bad0c598867db9.exe	30
PID 2844 wrote to memory of 2776	2844	Dhnmij32.exe	29
PID 2844 wrote to memory of 2776	2844	Dhnmij32.exe	29
PID 2844 wrote to memory of 2776	2844	Dhnmij32.exe	29
PID 2844 wrote to memory of 2776	2844	Dhnmij32.exe	29
PID 2776 wrote to memory of 2700	2776	Dccagcgk.exe	28
PID 2776 wrote to memory of 2700	2776	Dccagcgk.exe	28
PID 2776 wrote to memory of 2700	2776	Dccagcgk.exe	28
PID 2776 wrote to memory of 2700	2776	Dccagcgk.exe	28
PID 2700 wrote to memory of 2824	2700	Dhpiojfb.exe	27
PID 2700 wrote to memory of 2824	2700	Dhpiojfb.exe	27
PID 2700 wrote to memory of 2824	2700	Dhpiojfb.exe	27
PID 2700 wrote to memory of 2824	2700	Dhpiojfb.exe	27
PID 2824 wrote to memory of 2680	2824	Dcenlceh.exe	26
PID 2824 wrote to memory of 2680	2824	Dcenlceh.exe	26
PID 2824 wrote to memory of 2680	2824	Dcenlceh.exe	26
PID 2824 wrote to memory of 2680	2824	Dcenlceh.exe	26
PID 2680 wrote to memory of 2204	2680	Dlnbeh32.exe	25
PID 2680 wrote to memory of 2204	2680	Dlnbeh32.exe	25
PID 2680 wrote to memory of 2204	2680	Dlnbeh32.exe	25
PID 2680 wrote to memory of 2204	2680	Dlnbeh32.exe	25
PID 2204 wrote to memory of 548	2204	Ddigjkid.exe	24
PID 2204 wrote to memory of 548	2204	Ddigjkid.exe	24
PID 2204 wrote to memory of 548	2204	Ddigjkid.exe	24
PID 2204 wrote to memory of 548	2204	Ddigjkid.exe	24
PID 548 wrote to memory of 2912	548	Dookgcij.exe	23
PID 548 wrote to memory of 2912	548	Dookgcij.exe	23
PID 548 wrote to memory of 2912	548	Dookgcij.exe	23
PID 548 wrote to memory of 2912	548	Dookgcij.exe	23
PID 2912 wrote to memory of 1696	2912	Ehgppi32.exe	22
PID 2912 wrote to memory of 1696	2912	Ehgppi32.exe	22
PID 2912 wrote to memory of 1696	2912	Ehgppi32.exe	22
PID 2912 wrote to memory of 1696	2912	Ehgppi32.exe	22
PID 1696 wrote to memory of 880	1696	Eqbddk32.exe	21
PID 1696 wrote to memory of 880	1696	Eqbddk32.exe	21
PID 1696 wrote to memory of 880	1696	Eqbddk32.exe	21
PID 1696 wrote to memory of 880	1696	Eqbddk32.exe	21
PID 880 wrote to memory of 1060	880	Ejkima32.exe	20
PID 880 wrote to memory of 1060	880	Ejkima32.exe	20
PID 880 wrote to memory of 1060	880	Ejkima32.exe	20
PID 880 wrote to memory of 1060	880	Ejkima32.exe	20
PID 1060 wrote to memory of 2748	1060	Enfenplo.exe	19
PID 1060 wrote to memory of 2748	1060	Enfenplo.exe	19
PID 1060 wrote to memory of 2748	1060	Enfenplo.exe	19
PID 1060 wrote to memory of 2748	1060	Enfenplo.exe	19
PID 2748 wrote to memory of 1640	2748	Enhacojl.exe	18
PID 2748 wrote to memory of 1640	2748	Enhacojl.exe	18
PID 2748 wrote to memory of 1640	2748	Enhacojl.exe	18
PID 2748 wrote to memory of 1640	2748	Enhacojl.exe	18
PID 1640 wrote to memory of 2320	1640	Eibbcm32.exe	17
PID 1640 wrote to memory of 2320	1640	Eibbcm32.exe	17
PID 1640 wrote to memory of 2320	1640	Eibbcm32.exe	17
PID 1640 wrote to memory of 2320	1640	Eibbcm32.exe	17
PID 2320 wrote to memory of 2944	2320	Fkckeh32.exe	16
PID 2320 wrote to memory of 2944	2320	Fkckeh32.exe	16
PID 2320 wrote to memory of 2944	2320	Fkckeh32.exe	16
PID 2320 wrote to memory of 2944	2320	Fkckeh32.exe	16

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 140
1⤵
- Loads dropped DLL
- Program crash
PID:2944

C:\Windows\SysWOW64\Fkckeh32.exe
C:\Windows\system32\Fkckeh32.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320

C:\Windows\SysWOW64\Eibbcm32.exe
C:\Windows\system32\Eibbcm32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\SysWOW64\Enhacojl.exe
C:\Windows\system32\Enhacojl.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\SysWOW64\Enfenplo.exe
C:\Windows\system32\Enfenplo.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\SysWOW64\Ejkima32.exe
C:\Windows\system32\Ejkima32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:880

C:\Windows\SysWOW64\Eqbddk32.exe
C:\Windows\system32\Eqbddk32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\SysWOW64\Ehgppi32.exe
C:\Windows\system32\Ehgppi32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2912

C:\Windows\SysWOW64\Dookgcij.exe
C:\Windows\system32\Dookgcij.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:548

C:\Windows\SysWOW64\Ddigjkid.exe
C:\Windows\system32\Ddigjkid.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\SysWOW64\Dlnbeh32.exe
C:\Windows\system32\Dlnbeh32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\SysWOW64\Dcenlceh.exe
C:\Windows\system32\Dcenlceh.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2824

C:\Windows\SysWOW64\Dhpiojfb.exe
C:\Windows\system32\Dhpiojfb.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2700

C:\Windows\SysWOW64\Dccagcgk.exe
C:\Windows\system32\Dccagcgk.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2776

C:\Windows\SysWOW64\Dhnmij32.exe
C:\Windows\system32\Dhnmij32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2844

C:\Users\Admin\AppData\Local\Temp\f10b7a7c480084a265bad0c598867db9.exe
"C:\Users\Admin\AppData\Local\Temp\f10b7a7c480084a265bad0c598867db9.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/548-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/548-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/548-107-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/880-210-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/880-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/880-151-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/880-155-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1060-164-0x0000000000230000-0x0000000000264000-memory.dmp

Filesize
208KB

Download
memory/1060-211-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1060-156-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1640-195-0x00000000001B0000-0x00000000001E4000-memory.dmp

Filesize
208KB

Download
memory/1640-181-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1640-192-0x00000000001B0000-0x00000000001E4000-memory.dmp

Filesize
208KB

Download
memory/1640-213-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1696-123-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1696-209-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2204-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2320-214-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2320-194-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2652-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2652-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2652-6-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2652-13-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2680-81-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2680-205-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2700-203-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2700-49-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2700-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2748-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2748-212-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2748-174-0x00000000001B0000-0x00000000001E4000-memory.dmp

Filesize
208KB

Download
memory/2776-35-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2776-202-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2824-204-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2824-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2824-63-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2844-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2844-22-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2912-114-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2912-121-0x00000000001B0000-0x00000000001E4000-memory.dmp

Filesize
208KB

Download
memory/2912-130-0x00000000001B0000-0x00000000001E4000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads