ea60db55b67ca87a1a624db4ee065f9cbbe0eb79d34cd455a5b10033c13dcab9

Analysis

max time kernel
149s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2024, 06:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ea60db55b67ca87a1a624db4ee065f9cbbe0eb79d34cd455a5b10033c13dcab9.exe
Size

94KB
MD5

43fef62372f718e94cd4449530f67dfc
SHA1

b201c2921b5c5425ca6d13cd1b45e1b02f413ad6
SHA256

ea60db55b67ca87a1a624db4ee065f9cbbe0eb79d34cd455a5b10033c13dcab9
SHA512

361d1b9283a91f758fd0a34f2f82eaa0c5a1222ed15de8cab527751b3c8c8e1462cbeba68850b0efe96e197ccb09448921fcc8b0daa8a9e56e269e7851317731
SSDEEP

1536:AOqlDTtF3HmCi+QUzIBbSgcIMQXc2LHbMQ262AjCsQ2PCZZrqOlNfVSLUKkJr4:AOqlDTrml+QoVoHbMQH2qC7ZQOlzSLUY

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ea60db55b67ca87a1a624db4ee065f9cbbe0eb79d34cd455a5b10033c13dcab9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ea60db55b67ca87a1a624db4ee065f9cbbe0eb79d34cd455a5b10033c13dcab9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe

Executes dropped EXE 15 IoCs

pid	Process
1352	Calhnpgn.exe
4540	Ddjejl32.exe
4404	Dfiafg32.exe
2160	Dmcibama.exe
3668	Dejacond.exe
4428	Dobfld32.exe
2712	Daqbip32.exe
1752	Dhkjej32.exe
2096	Dkifae32.exe
4568	Deokon32.exe
1112	Dhmgki32.exe
3116	Dfpgffpm.exe
3272	Dogogcpo.exe
2596	Dhocqigp.exe
4508	Dmllipeg.exe

Drops file in System32 directory 45 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	ea60db55b67ca87a1a624db4ee065f9cbbe0eb79d34cd455a5b10033c13dcab9.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	ea60db55b67ca87a1a624db4ee065f9cbbe0eb79d34cd455a5b10033c13dcab9.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	ea60db55b67ca87a1a624db4ee065f9cbbe0eb79d34cd455a5b10033c13dcab9.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4740	4508	WerFault.exe	99

Modifies registry class 48 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	ea60db55b67ca87a1a624db4ee065f9cbbe0eb79d34cd455a5b10033c13dcab9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	ea60db55b67ca87a1a624db4ee065f9cbbe0eb79d34cd455a5b10033c13dcab9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	ea60db55b67ca87a1a624db4ee065f9cbbe0eb79d34cd455a5b10033c13dcab9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	ea60db55b67ca87a1a624db4ee065f9cbbe0eb79d34cd455a5b10033c13dcab9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ea60db55b67ca87a1a624db4ee065f9cbbe0eb79d34cd455a5b10033c13dcab9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	ea60db55b67ca87a1a624db4ee065f9cbbe0eb79d34cd455a5b10033c13dcab9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 3252 wrote to memory of 1352	3252	ea60db55b67ca87a1a624db4ee065f9cbbe0eb79d34cd455a5b10033c13dcab9.exe	83
PID 3252 wrote to memory of 1352	3252	ea60db55b67ca87a1a624db4ee065f9cbbe0eb79d34cd455a5b10033c13dcab9.exe	83
PID 3252 wrote to memory of 1352	3252	ea60db55b67ca87a1a624db4ee065f9cbbe0eb79d34cd455a5b10033c13dcab9.exe	83
PID 1352 wrote to memory of 4540	1352	Calhnpgn.exe	84
PID 1352 wrote to memory of 4540	1352	Calhnpgn.exe	84
PID 1352 wrote to memory of 4540	1352	Calhnpgn.exe	84
PID 4540 wrote to memory of 4404	4540	Ddjejl32.exe	85
PID 4540 wrote to memory of 4404	4540	Ddjejl32.exe	85
PID 4540 wrote to memory of 4404	4540	Ddjejl32.exe	85
PID 4404 wrote to memory of 2160	4404	Dfiafg32.exe	86
PID 4404 wrote to memory of 2160	4404	Dfiafg32.exe	86
PID 4404 wrote to memory of 2160	4404	Dfiafg32.exe	86
PID 2160 wrote to memory of 3668	2160	Dmcibama.exe	88
PID 2160 wrote to memory of 3668	2160	Dmcibama.exe	88
PID 2160 wrote to memory of 3668	2160	Dmcibama.exe	88
PID 3668 wrote to memory of 4428	3668	Dejacond.exe	89
PID 3668 wrote to memory of 4428	3668	Dejacond.exe	89
PID 3668 wrote to memory of 4428	3668	Dejacond.exe	89
PID 4428 wrote to memory of 2712	4428	Dobfld32.exe	91
PID 4428 wrote to memory of 2712	4428	Dobfld32.exe	91
PID 4428 wrote to memory of 2712	4428	Dobfld32.exe	91
PID 2712 wrote to memory of 1752	2712	Daqbip32.exe	92
PID 2712 wrote to memory of 1752	2712	Daqbip32.exe	92
PID 2712 wrote to memory of 1752	2712	Daqbip32.exe	92
PID 1752 wrote to memory of 2096	1752	Dhkjej32.exe	93
PID 1752 wrote to memory of 2096	1752	Dhkjej32.exe	93
PID 1752 wrote to memory of 2096	1752	Dhkjej32.exe	93
PID 2096 wrote to memory of 4568	2096	Dkifae32.exe	94
PID 2096 wrote to memory of 4568	2096	Dkifae32.exe	94
PID 2096 wrote to memory of 4568	2096	Dkifae32.exe	94
PID 4568 wrote to memory of 1112	4568	Deokon32.exe	95
PID 4568 wrote to memory of 1112	4568	Deokon32.exe	95
PID 4568 wrote to memory of 1112	4568	Deokon32.exe	95
PID 1112 wrote to memory of 3116	1112	Dhmgki32.exe	96
PID 1112 wrote to memory of 3116	1112	Dhmgki32.exe	96
PID 1112 wrote to memory of 3116	1112	Dhmgki32.exe	96
PID 3116 wrote to memory of 3272	3116	Dfpgffpm.exe	97
PID 3116 wrote to memory of 3272	3116	Dfpgffpm.exe	97
PID 3116 wrote to memory of 3272	3116	Dfpgffpm.exe	97
PID 3272 wrote to memory of 2596	3272	Dogogcpo.exe	98
PID 3272 wrote to memory of 2596	3272	Dogogcpo.exe	98
PID 3272 wrote to memory of 2596	3272	Dogogcpo.exe	98
PID 2596 wrote to memory of 4508	2596	Dhocqigp.exe	99
PID 2596 wrote to memory of 4508	2596	Dhocqigp.exe	99
PID 2596 wrote to memory of 4508	2596	Dhocqigp.exe	99

C:\Users\Admin\AppData\Local\Temp\ea60db55b67ca87a1a624db4ee065f9cbbe0eb79d34cd455a5b10033c13dcab9.exe
"C:\Users\Admin\AppData\Local\Temp\ea60db55b67ca87a1a624db4ee065f9cbbe0eb79d34cd455a5b10033c13dcab9.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3252
- C:\Windows\SysWOW64\Calhnpgn.exe
  C:\Windows\system32\Calhnpgn.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Windows\SysWOW64\Ddjejl32.exe
    C:\Windows\system32\Ddjejl32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4540
  - - C:\Windows\SysWOW64\Dfiafg32.exe
      C:\Windows\system32\Dfiafg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4404
    - - C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2160
      - C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        16⤵
        Executes dropped EXE
        
        PID:4508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 396
        17⤵
        Program crash
        
        PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4508 -ip 4508
1⤵
PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
94KB

MD5
055b0a1567a8f88cc09acb58ec7f0642

SHA1
79123b34cd2e872a40c4898412f6fea2143a3434

SHA256
fdd22f37803401654d7e82af90cc46defe8bf13efe6a41efc986c864aaaea84e

SHA512
40b3a881e0a26e7977982d6ad99640f7b8c0c6e41cddd2e8dbe3ef2a1b629efe33bf696d8c3a0b86c0ef0b36074936b619f91844cebf810f92bd5ea34dc08d50

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
94KB

MD5
b71b486833eceaac77bac8e8de2964d3

SHA1
a9439c4b8ea7f995eeb9e4c7c8bda89f840f702d

SHA256
2e852ecbf711b3d37067612be8a573459fe368947af21a3e3293de9c6b720fed

SHA512
29c0c8136c4531297d067cc3e30a35c8ef044b4ffb55b8375220632292b81764d1090e987ed7f9df62aadc351c73b1a6df68e5e80ab994a5d940bffe0e837e7b

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
94KB

MD5
3ff4dda1f3d0407c025f348979c508e3

SHA1
c61085a319c3f806d9d3c30abff96662e1948c7f

SHA256
ed3f0349deda59018d04450876bc21a859f6aa8daffd385ad0f7bebbe0a3142c

SHA512
ab0a3e6f834271a5d514b4eba01fe2ebdb36163d8eceaeee635fc6c49a5b1494c48b38dd0489d31deb33a925417724e67976722e58c0940e7124d6cdcd3e803f

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
94KB

MD5
bcd0045b50f70b58e404ce88e9d80922

SHA1
cde0baf2c548bc9c0ed14bb707168bc54ab6d96e

SHA256
2cd63f913b225a61a64beb348afff1abc0d3867a2a01b4dee62235722025c4e6

SHA512
5aa2d5c12d20ab271580e7fb33d6e46aae8c8b28ee337fca80c3f5327c8d10f6bb948e32bab601892fe9647c53ff11cbf45a3f295889dff93f893fa03b5fe6da

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
94KB

MD5
62352f7e2e1ab280047eabc336966d02

SHA1
2b05f39d7fea37686e39adca1341d59db9f2b56a

SHA256
c789fcd0e335a04546b082bd28ae21aa0743675663d570e20292c5431bb90641

SHA512
0e821df6766f0c0b7154e1fc417f4b1412d7b3840601b44499608f53595b3934b90d7607f3e161406b908d683a9d2853e3f66686e6c1959d539bc62bc77cd8e8

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
94KB

MD5
3ee30fc416b5f7bff384e539c337b41d

SHA1
8965de527a986559b72100936b7f8c89974dd702

SHA256
53c5533e9a56c4e680dab58bb369468b492cafce24e4c45283322953e53014da

SHA512
5cceebb0107ee7044c6cbb58c37761423299c8a33b0cba749b06fb481d1f2c1ea16f14a531639b06c208db4cf497ad391c235a9c151108085ac67a2b66efe593

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
94KB

MD5
f1e696b2a789d4713106d47777b0afc2

SHA1
e48b0e0f2126e8423cbcfa356bd3926e85f6fe01

SHA256
8fc5585ae3df9f0a16caeda6d67b28c10d2c550aa3b5939a731cc1c9049b6eea

SHA512
540b80ffebcce18990b3dc5e15a85b80f7e817375e9bcf92b08c651e58a644f4203d944c73e08b50f0d03ed47fca853ddee33f0bc661b0c87b67e3858e16c49c

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
94KB

MD5
e7c7b3cc29afd3fc8d22528d4a04e4d9

SHA1
58243b9a7f54eceb4f4f1ba90eb4a84d9a01549a

SHA256
5351172fa70ad49e6a2c15158a165df3f9c4d29c7418928f05c1d608b215eea3

SHA512
511bb274acf92b641204711c188e32cb28caa4593ad524e8488beadb6ae76f73386d9bdef03f814c165be1af70e9b11f5956820b402e23c806144b38e52a3861

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
94KB

MD5
881cc3e80346fdcf14e56cf901ff2484

SHA1
a496227465f24b46d9a9da9d156a15c4b91d2cd3

SHA256
bf0378939f3fd278fb52b2419610b537a0beb3ee5c284881073bb66d914f4180

SHA512
e0d546d90e787f4d2487fa58ee5667adfb4ea38b1a7d8dcac40e7aad2724fec08e2bf93e1cde5f02dae6aba229c489ff1079f88e0168e7bc6465aa6cf21ed20f

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
94KB

MD5
f3a40027be1987a9822c78a23a81a6d7

SHA1
6e0bc88765b6d0074416b2be16dbfed6e343e929

SHA256
c8af088a2ec1311309db836f83c8035fed5648f3c21c64b64d9ae95279fad135

SHA512
4b1a755e122ac01eacf23189ce8aedb377a6f24b03ad0ca896b906dbab4bbfc4ae4b22d57a38287965b513e98c463aac495a34008eae317ce6e07fa99361e1e1

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
94KB

MD5
b4988ac6ff2810b1e02c7c19ebe7d7de

SHA1
4ab736c346bbfc2e8953e533bf089d8ca0d6aefa

SHA256
dbab622395b1f130becc099ff11aae444c0fd2f04576c37319da846e884ea7b4

SHA512
64c6ddce2effe0d28a2d96bde3f86633a0a0291ca54690ddeca1397ff69ac1b562a26472ac4ebcadea8c0e06c0a7af00e6400e41cdd54a8912729c8054911d47

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
94KB

MD5
fffbd399912666a96b5e0169f0343d83

SHA1
a673af8018081a626ffd36134a23caaba3d24276

SHA256
0dafcf205b697e52516e65ddf0eb980788f877b7800faeccd6fb38c500f2af0c

SHA512
2ca734b7b1077670b6a3e86365cf0c197c417612215ccbdc45c1813ab1af6e71bf0fb92f095df0fe00b3b64dd48c315f11d9d48db1f430616da4a30a694ad76d

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
94KB

MD5
7b50bf34d1d33b9fcd3c1f4727bd1fa6

SHA1
986a2f31c78a915d3f31a3987b25a45c011b0f85

SHA256
ad645a9ee797163552ed5dd7508ddf2360ec9fce731a1cf6aac7c324d2c512ef

SHA512
7cc05664eb7d68dd1979499f01e6831fee4150045cdc521c534618770a9588d9190016794f312107ce5718b8a734ff1050832d2f58ce352c3d86561073decbcc

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
94KB

MD5
e5b179c49b096168bb5172ab3f09fa2f

SHA1
268a03d781260264b6ae9ebe7e29bbb0dc5822b4

SHA256
24e47f69c87f6a733a8c20fb516bc85375378902f91e6596cae4930fa685a8a3

SHA512
2572c1a567f4a3554bd380e72fbdf0ed8dd95ebb291b975bb3c6e7f068d6b4e7206a7002595e206aed548493516430b6e571d738f09e9dd3290b841b60b77333

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
94KB

MD5
5ba89478726832dce0ce2965620ce3c4

SHA1
c15d5cb1c9540468fdc1ed039de810444cb64d2e

SHA256
03d88ad6316f7be8700ff67852d78cc52b0cc10f4eebe4c0b2d108386bf482c5

SHA512
288114790574d74ce1482a1270812a5f0f51c18fb812099735329967b224f19e230d4002b2591459e218f26e89255d72c4fb0c0c55578d1c45275757f6109231

Download Submit
memory/1112-95-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1352-9-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1352-94-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1752-133-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1752-65-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2096-73-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2096-132-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2160-117-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2160-33-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2596-118-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2596-129-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2712-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2712-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3116-104-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3252-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3252-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3252-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3272-109-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3272-130-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3668-126-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3668-41-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4404-25-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4404-108-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4428-134-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4428-49-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4508-127-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4508-128-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4540-103-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4540-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4568-82-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4568-131-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads