559c890970078868477f9aa07876d592856b51e23191aa8a51f601d33807fe26

General

Target

bede124283cd154cdba22b6cef6cd860N.exe
Size

487KB
MD5

bede124283cd154cdba22b6cef6cd860
SHA1

ed79cc268b329ac41e8f3e5db983b8d59b57d5b1
SHA256

559c890970078868477f9aa07876d592856b51e23191aa8a51f601d33807fe26
SHA512

94ddb34dbabbbe8685b55db17826366a566fc7b82c10daebe7e86d31c77a7093aadf777fddb0ef498a1d192fc8543ace38e10ffa8e2ea13a65ee946ecea2e88e
SSDEEP

6144:b81cyzN8sKI2y/JAQ///NR5fLYG3eujPQ///NR5f:bacyzN82Tx/NcZ7/N

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	bede124283cd154cdba22b6cef6cd860N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	bede124283cd154cdba22b6cef6cd860N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe

Executes dropped EXE 4 IoCs

pid	Process
1372	Dhocqigp.exe
4552	Dknpmdfc.exe
2272	Doilmc32.exe
4528	Dmllipeg.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	bede124283cd154cdba22b6cef6cd860N.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	bede124283cd154cdba22b6cef6cd860N.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	bede124283cd154cdba22b6cef6cd860N.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4928	4528	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bede124283cd154cdba22b6cef6cd860N.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	bede124283cd154cdba22b6cef6cd860N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	bede124283cd154cdba22b6cef6cd860N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	bede124283cd154cdba22b6cef6cd860N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	bede124283cd154cdba22b6cef6cd860N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	bede124283cd154cdba22b6cef6cd860N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	bede124283cd154cdba22b6cef6cd860N.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3680 wrote to memory of 1372	3680	bede124283cd154cdba22b6cef6cd860N.exe	84
PID 3680 wrote to memory of 1372	3680	bede124283cd154cdba22b6cef6cd860N.exe	84
PID 3680 wrote to memory of 1372	3680	bede124283cd154cdba22b6cef6cd860N.exe	84
PID 1372 wrote to memory of 4552	1372	Dhocqigp.exe	85
PID 1372 wrote to memory of 4552	1372	Dhocqigp.exe	85
PID 1372 wrote to memory of 4552	1372	Dhocqigp.exe	85
PID 4552 wrote to memory of 2272	4552	Dknpmdfc.exe	86
PID 4552 wrote to memory of 2272	4552	Dknpmdfc.exe	86
PID 4552 wrote to memory of 2272	4552	Dknpmdfc.exe	86
PID 2272 wrote to memory of 4528	2272	Doilmc32.exe	87
PID 2272 wrote to memory of 4528	2272	Doilmc32.exe	87
PID 2272 wrote to memory of 4528	2272	Doilmc32.exe	87

C:\Users\Admin\AppData\Local\Temp\bede124283cd154cdba22b6cef6cd860N.exe
"C:\Users\Admin\AppData\Local\Temp\bede124283cd154cdba22b6cef6cd860N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3680
- C:\Windows\SysWOW64\Dhocqigp.exe
  C:\Windows\system32\Dhocqigp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Windows\SysWOW64\Dknpmdfc.exe
    C:\Windows\system32\Dknpmdfc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4552
  - - C:\Windows\SysWOW64\Doilmc32.exe
      C:\Windows\system32\Doilmc32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2272
    - - C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4528
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 396
        6⤵
        Program crash
        
        PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4528 -ip 4528
1⤵
PID:3724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
487KB

MD5
fab0aa530937ae2e29462d19c0bacc1c

SHA1
12b9f10feec907814b80cd1f504570e033f47b22

SHA256
20fad86d1b519246522458668bbc84df11b8eb536d3da8cabed04666a5330c38

SHA512
74e420d2aea5ec8120082604212e54a1c46c64e57d683be5ab9a0ba00fcb49f7aeacae3a87337e4b79acf2f60d4656992bb8fde39d0b3e6fc0d6125fe08178b2

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
487KB

MD5
3719d89a8a99748eac826f1cec9c3635

SHA1
52be97f00ae3fbfc84dc09bdd622372291146cd6

SHA256
3306b64836978b98400880090fad079b19ad8e69b998d4700a4fc217835597c9

SHA512
b9ec00d2837a0866834381340e1d21a1e1b6e8534d474cb363097c9b8c7ad1eddc31e09c26c27753cb108da79621a6cf3543723148a7c8f26777ac392efbd64f

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
487KB

MD5
c15492dd7aaf22986323483d475b941a

SHA1
f4d2f6db28979bdd04262a49628adcdb1d97b10a

SHA256
67b3068e15a1482b49383a21a2876b3fc5dbf4f7f014dbcfbbf5a9b63311ffeb

SHA512
af24af6f52d2769867e02b0ace6a03bcc353051721a7d7b3fdb06c43b194ec674a5247a4c5af485ed224a99aca47b409c56356cbf1551183b1f303e3ef4fb977

Download Submit
C:\Windows\SysWOW64\Doilmc32.exe

Filesize
487KB

MD5
dbb17248d68c5164a911bcf9a3afbd6c

SHA1
8032f83d0ad19f24144bbd1472a85a578927e4f7

SHA256
89d0b9b5fd27ac97abd9485692135c185744bae335581c0676b185dc0d861025

SHA512
4ecc45fb1beb5af78283d08992465b4069dc172983a6aac2c73b2bc3ad113626eccc1c65c303873f70ff3affb2735599cc3c8c723ab33201a1d7ac400695b730

Download Submit
memory/1372-39-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1372-14-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1372-41-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2272-37-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2272-29-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3680-43-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3680-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3680-5-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4528-33-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4528-36-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4528-34-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4552-28-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4552-38-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4552-40-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads