f60654d526dba4c74fd7810e35a396ad0f6ec13a4477285102e3ca1e17ed9a72

General

Target

f60654d526dba4c74fd7810e35a396ad0f6ec13a4477285102e3ca1e17ed9a72.exe
Size

128KB
MD5

cca2748d004fb614c3ab92a5bd63393f
SHA1

b85001e5472c53ae2a03985986cb73e5aacd9eac
SHA256

f60654d526dba4c74fd7810e35a396ad0f6ec13a4477285102e3ca1e17ed9a72
SHA512

c42554cd1f86012b1ba0633c59f60d8d9fd0bf1746b2a4445d55dc6b6862edb061da4459b19a2e398c9d005497790de5816d07ea2b7293afd26729ec511b2cc7
SSDEEP

3072:Itryv3Ysj/hF4Ezee5Wx7cEGrhkngpDvchkqbAIQxgFM9MD:KWvIM4e15Wx4brq2Ah1FM6D

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f60654d526dba4c74fd7810e35a396ad0f6ec13a4477285102e3ca1e17ed9a72.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	f60654d526dba4c74fd7810e35a396ad0f6ec13a4477285102e3ca1e17ed9a72.exe

Executes dropped EXE 5 IoCs

pid	Process
3272	Dfnjafap.exe
4492	Dmgbnq32.exe
2940	Dogogcpo.exe
2380	Dddhpjof.exe
2872	Dmllipeg.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	f60654d526dba4c74fd7810e35a396ad0f6ec13a4477285102e3ca1e17ed9a72.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	f60654d526dba4c74fd7810e35a396ad0f6ec13a4477285102e3ca1e17ed9a72.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	f60654d526dba4c74fd7810e35a396ad0f6ec13a4477285102e3ca1e17ed9a72.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dogogcpo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3428	2872	WerFault.exe	87

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	f60654d526dba4c74fd7810e35a396ad0f6ec13a4477285102e3ca1e17ed9a72.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	f60654d526dba4c74fd7810e35a396ad0f6ec13a4477285102e3ca1e17ed9a72.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	f60654d526dba4c74fd7810e35a396ad0f6ec13a4477285102e3ca1e17ed9a72.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	f60654d526dba4c74fd7810e35a396ad0f6ec13a4477285102e3ca1e17ed9a72.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	f60654d526dba4c74fd7810e35a396ad0f6ec13a4477285102e3ca1e17ed9a72.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	f60654d526dba4c74fd7810e35a396ad0f6ec13a4477285102e3ca1e17ed9a72.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dmgbnq32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 3272	5048	f60654d526dba4c74fd7810e35a396ad0f6ec13a4477285102e3ca1e17ed9a72.exe	82
PID 5048 wrote to memory of 3272	5048	f60654d526dba4c74fd7810e35a396ad0f6ec13a4477285102e3ca1e17ed9a72.exe	82
PID 5048 wrote to memory of 3272	5048	f60654d526dba4c74fd7810e35a396ad0f6ec13a4477285102e3ca1e17ed9a72.exe	82
PID 3272 wrote to memory of 4492	3272	Dfnjafap.exe	83
PID 3272 wrote to memory of 4492	3272	Dfnjafap.exe	83
PID 3272 wrote to memory of 4492	3272	Dfnjafap.exe	83
PID 4492 wrote to memory of 2940	4492	Dmgbnq32.exe	85
PID 4492 wrote to memory of 2940	4492	Dmgbnq32.exe	85
PID 4492 wrote to memory of 2940	4492	Dmgbnq32.exe	85
PID 2940 wrote to memory of 2380	2940	Dogogcpo.exe	86
PID 2940 wrote to memory of 2380	2940	Dogogcpo.exe	86
PID 2940 wrote to memory of 2380	2940	Dogogcpo.exe	86
PID 2380 wrote to memory of 2872	2380	Dddhpjof.exe	87
PID 2380 wrote to memory of 2872	2380	Dddhpjof.exe	87
PID 2380 wrote to memory of 2872	2380	Dddhpjof.exe	87

C:\Users\Admin\AppData\Local\Temp\f60654d526dba4c74fd7810e35a396ad0f6ec13a4477285102e3ca1e17ed9a72.exe
"C:\Users\Admin\AppData\Local\Temp\f60654d526dba4c74fd7810e35a396ad0f6ec13a4477285102e3ca1e17ed9a72.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Windows\SysWOW64\Dfnjafap.exe
  C:\Windows\system32\Dfnjafap.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3272
- - C:\Windows\SysWOW64\Dmgbnq32.exe
    C:\Windows\system32\Dmgbnq32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4492
  - - C:\Windows\SysWOW64\Dogogcpo.exe
      C:\Windows\system32\Dogogcpo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2940
    - - C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2380
      - C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        6⤵
        Executes dropped EXE
        
        PID:2872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 408
        7⤵
        Program crash
        
        PID:3428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2872 -ip 2872
1⤵
PID:1064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
128KB

MD5
4a9ddf5e615838399ec66f6869870e93

SHA1
d93232076a2422b75c8fdf2c5f828a536eca52ce

SHA256
4ff8c0c2ca73c414f62dabab0fb024177fcf77c58f9a71116a5668f648095a31

SHA512
ae7dee91e0ffec386d6cb59277443010c70aa55239263e257f041c7dab8dd5de3de971933e4898022f8c05475a4232ce83db5d33584befc1a80535b724282298

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
128KB

MD5
044ba23c6eaca93e51f36b599162dc73

SHA1
8a951ab1931972e214c445301f9291991557e9b9

SHA256
09434b4398378796196fb836c5686da273f05618312ef5fab6458de85567101b

SHA512
79036d7f2bb89eff9350e1223cd9122750aa4a9ee37cd7d60cb0bcfc8ebe9ef06c9c1db199e4d199738abaf7464be7b611d4c8079650d702d8b61e799f3496c8

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
128KB

MD5
14499bb77d1d531d3c0fe8c3c428e608

SHA1
c53e0b6b9bdd75f44d92bfd4addd33c294879831

SHA256
9d718894683a0642c9708c5011cadfbfcde87fe37f2360acf6086c291961799e

SHA512
ecef34b176b8aa4388d6864cb1b5fba3db66a32e9ccf6f73162078912232efe2af4b616dee2f8d5c392e90a1bbc593534b78aa306bf9eeb3bca1fca9281565bc

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
128KB

MD5
d4e411dad53ac662913c968aece8eb37

SHA1
6e7d90e47c405f7591cdb16be932b7bcad5f917f

SHA256
9679671925672dd4eae69f0ca4a0f342b1ae9f8fa13298e15dfb2d22a89024de

SHA512
6e5b15149eb8eefa1543c73a1a1f0e8925c1ea4fb57d58edf306597153f63c9aeac879c6e60b85fcf03082782ef6288df42e27152e61b574b80d616521368834

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
128KB

MD5
45dadac6e6aadeb317b95fce339269b7

SHA1
1b6fd27c78f65d3b423a2366137aa4316f5893c4

SHA256
e2056852b9417800d066e86ba6df8ad3a0e6d68c9f00c9eed8207687fba6dff1

SHA512
a683b39a881858461c8b578632ce08febdb136dfb596bf0a5b6500f6f38c10ac23f75edb977d5d8e9de090e666d43df40f5c4b0a164a4d31a460ce66dbf11bb5

Download Submit
C:\Windows\SysWOW64\Kngpec32.dll

Filesize
7KB

MD5
d961c70e75a8fc675d785f0647fb2f00

SHA1
350bcb9b5cb704792182eec8a86ef2e30e45c5f7

SHA256
c360548935127c901a30b6131ea503681196d96a7fe45784fc80515cfdf75d24

SHA512
650f0df4dd8d32d9a341d67ba9bfc931e33ff45192d60d439b9762ecb296e90939e58761d2048cab48bcbb8804f30bf26316002d0243c4a67523d919296520fd

Download Submit
memory/2380-42-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2380-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2872-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2872-41-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2940-23-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2940-43-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3272-12-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3272-46-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4492-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4492-44-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5048-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5048-45-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads