85cb136a244e1bfb1209c560e291765ee7870aca95c8ec1dd9e50826e6297271

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 23:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85cb136a244e1bfb1209c560e291765ee7870aca95c8ec1dd9e50826e6297271.exe
Size

224KB
MD5

0913cd7ceafa0bf9a03a934d46b019a9
SHA1

c06a6fb678d731d153ad640121eb8f9251333244
SHA256

85cb136a244e1bfb1209c560e291765ee7870aca95c8ec1dd9e50826e6297271
SHA512

53f0e424547d0a94af0edde2fc2d349634f0f9657764494b7d31c984c0003893a4edd65f715ae15474d9695e6f8925acd88d8d376503f7f5a8aba8cf1e3ec470
SSDEEP

3072:4dkk7hFWU6SGTlP2OnjJd976HRy6TluWHnjJd976HRyFbLJorvWHnjJvBxjUSmkD:4Sk7hFWU6Hlp4PlXj4IyqrQ///NR5fL4

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	85cb136a244e1bfb1209c560e291765ee7870aca95c8ec1dd9e50826e6297271.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	85cb136a244e1bfb1209c560e291765ee7870aca95c8ec1dd9e50826e6297271.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe

Executes dropped EXE 13 IoCs

pid	Process
1188	Dobfld32.exe
4780	Daqbip32.exe
3688	Delnin32.exe
3472	Ddonekbl.exe
2624	Dfnjafap.exe
3244	Daconoae.exe
4212	Ddakjkqi.exe
3224	Dfpgffpm.exe
708	Dogogcpo.exe
1604	Daekdooc.exe
4172	Dhocqigp.exe
2860	Dgbdlf32.exe
2152	Dmllipeg.exe

Drops file in System32 directory 39 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	85cb136a244e1bfb1209c560e291765ee7870aca95c8ec1dd9e50826e6297271.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	85cb136a244e1bfb1209c560e291765ee7870aca95c8ec1dd9e50826e6297271.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	85cb136a244e1bfb1209c560e291765ee7870aca95c8ec1dd9e50826e6297271.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1960	2152	WerFault.exe	96

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	85cb136a244e1bfb1209c560e291765ee7870aca95c8ec1dd9e50826e6297271.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe

Modifies registry class 42 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	85cb136a244e1bfb1209c560e291765ee7870aca95c8ec1dd9e50826e6297271.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	85cb136a244e1bfb1209c560e291765ee7870aca95c8ec1dd9e50826e6297271.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	85cb136a244e1bfb1209c560e291765ee7870aca95c8ec1dd9e50826e6297271.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	85cb136a244e1bfb1209c560e291765ee7870aca95c8ec1dd9e50826e6297271.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	85cb136a244e1bfb1209c560e291765ee7870aca95c8ec1dd9e50826e6297271.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	85cb136a244e1bfb1209c560e291765ee7870aca95c8ec1dd9e50826e6297271.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 1188	1512	85cb136a244e1bfb1209c560e291765ee7870aca95c8ec1dd9e50826e6297271.exe	82
PID 1512 wrote to memory of 1188	1512	85cb136a244e1bfb1209c560e291765ee7870aca95c8ec1dd9e50826e6297271.exe	82
PID 1512 wrote to memory of 1188	1512	85cb136a244e1bfb1209c560e291765ee7870aca95c8ec1dd9e50826e6297271.exe	82
PID 1188 wrote to memory of 4780	1188	Dobfld32.exe	84
PID 1188 wrote to memory of 4780	1188	Dobfld32.exe	84
PID 1188 wrote to memory of 4780	1188	Dobfld32.exe	84
PID 4780 wrote to memory of 3688	4780	Daqbip32.exe	85
PID 4780 wrote to memory of 3688	4780	Daqbip32.exe	85
PID 4780 wrote to memory of 3688	4780	Daqbip32.exe	85
PID 3688 wrote to memory of 3472	3688	Delnin32.exe	86
PID 3688 wrote to memory of 3472	3688	Delnin32.exe	86
PID 3688 wrote to memory of 3472	3688	Delnin32.exe	86
PID 3472 wrote to memory of 2624	3472	Ddonekbl.exe	88
PID 3472 wrote to memory of 2624	3472	Ddonekbl.exe	88
PID 3472 wrote to memory of 2624	3472	Ddonekbl.exe	88
PID 2624 wrote to memory of 3244	2624	Dfnjafap.exe	89
PID 2624 wrote to memory of 3244	2624	Dfnjafap.exe	89
PID 2624 wrote to memory of 3244	2624	Dfnjafap.exe	89
PID 3244 wrote to memory of 4212	3244	Daconoae.exe	90
PID 3244 wrote to memory of 4212	3244	Daconoae.exe	90
PID 3244 wrote to memory of 4212	3244	Daconoae.exe	90
PID 4212 wrote to memory of 3224	4212	Ddakjkqi.exe	91
PID 4212 wrote to memory of 3224	4212	Ddakjkqi.exe	91
PID 4212 wrote to memory of 3224	4212	Ddakjkqi.exe	91
PID 3224 wrote to memory of 708	3224	Dfpgffpm.exe	92
PID 3224 wrote to memory of 708	3224	Dfpgffpm.exe	92
PID 3224 wrote to memory of 708	3224	Dfpgffpm.exe	92
PID 708 wrote to memory of 1604	708	Dogogcpo.exe	93
PID 708 wrote to memory of 1604	708	Dogogcpo.exe	93
PID 708 wrote to memory of 1604	708	Dogogcpo.exe	93
PID 1604 wrote to memory of 4172	1604	Daekdooc.exe	94
PID 1604 wrote to memory of 4172	1604	Daekdooc.exe	94
PID 1604 wrote to memory of 4172	1604	Daekdooc.exe	94
PID 4172 wrote to memory of 2860	4172	Dhocqigp.exe	95
PID 4172 wrote to memory of 2860	4172	Dhocqigp.exe	95
PID 4172 wrote to memory of 2860	4172	Dhocqigp.exe	95
PID 2860 wrote to memory of 2152	2860	Dgbdlf32.exe	96
PID 2860 wrote to memory of 2152	2860	Dgbdlf32.exe	96
PID 2860 wrote to memory of 2152	2860	Dgbdlf32.exe	96

C:\Users\Admin\AppData\Local\Temp\85cb136a244e1bfb1209c560e291765ee7870aca95c8ec1dd9e50826e6297271.exe
"C:\Users\Admin\AppData\Local\Temp\85cb136a244e1bfb1209c560e291765ee7870aca95c8ec1dd9e50826e6297271.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\SysWOW64\Dobfld32.exe
  C:\Windows\system32\Dobfld32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1188
- - C:\Windows\SysWOW64\Daqbip32.exe
    C:\Windows\system32\Daqbip32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4780
  - - C:\Windows\SysWOW64\Delnin32.exe
      C:\Windows\system32\Delnin32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3688
    - - C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3472
      - C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3244
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4212
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:708
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 396
        15⤵
        Program crash
        
        PID:1960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2152 -ip 2152
1⤵
PID:672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daconoae.exe

Filesize
224KB

MD5
29a64d4799dcab842813564cb12879a6

SHA1
e84cd550f957bb8b320e8c36f7a614f05a7d3e33

SHA256
4b7da2473969521b0c5b1267da12bd66e3a6d5dcc03131372a5b49ceed10c928

SHA512
8bceaec16a2932840371d1c7c387ae1c12a67ff2612c4167238cdfd77764dc6bd52bb5aa3f31858b5594c01c11ab884ad5588a662d20f871c6bd4f0ffa991c4d

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
224KB

MD5
3b4c22db700ac722f888831faf2bf27e

SHA1
d4195544072a8ea0c6f66c2066f4281a3af4c89d

SHA256
4fd88169095fdd6f2e45c9e9166dfe05659ba8b0b5504e307a1de88ed7376470

SHA512
91f6db5f24370c95cb6b998a530f2d56451921c53a8dced9b20fd8824b3f821261009299d15deb762bf19d8c6d4870c70ccec55575dc96c82a51258cbbafa4cb

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
224KB

MD5
86a7861ec90ab0ead0eddc6ad8f81a51

SHA1
aa01913eeb8ec0c6863cd3b9e82a230a22e54ddf

SHA256
35ade3c18e337888ba6d093ef75aaf8c5934ae35629d8c36bc14b0dd511e79f7

SHA512
45653578ebea5d402d66bbc5083ab8bb86b480f740caf06fa6ce1c970eb03a48b6f542cc79ceeaf15bdf33cc6ff83899c622a0d7318bc3a67cad26fef131ee19

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
224KB

MD5
896dbe8ecf01f2ebdcab495d0cbe3535

SHA1
49625a41c6b01d5e7270a5cff7cc324f55ed0a77

SHA256
21e434ab4f84fec16706881eb362b42eddd8dd17977350d6d936d221b95c94c1

SHA512
3771a19293c6003dc9d6688c98c8fde5551f70c788d050363db7130a2fe138ea0ad04134db9e2ee50eb2cd8c839d1c2b0c5c153db6d29c1beddeee09bf34d374

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
224KB

MD5
a64496897f757f5f412d0ed531041b99

SHA1
0909cad586542ab2cc7bc3ab85d62145fffad20d

SHA256
58711b90af5adbb1da388f968ddfba9453f02ac46e9432c5bd0ae42159c3aa66

SHA512
1ab802f29a4885d00c446bfad261cca736593042fd4f1eba00103a6b024ae93b96179865a56dbd16382f305a038783473df8d56ed21cad75d5f2d0c82814f33f

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
224KB

MD5
5bf57ce127d6d71beb10e34a4bf69114

SHA1
32f049c2c21075d8a51676ab99d6ac41e4cfd98c

SHA256
9015eb300dbe0e36a859b9817a5559b5c18b31f5c0b01dec79dadf1386046f2e

SHA512
ace39ef06287f08cb13de3ccd496fe56f8b0e3d135ad23e4ca43b0cea52ae2d788a9d6b3534926181dadab9626d257f3975350378e26e30dc7603144888628d4

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
224KB

MD5
e57e9ab329fa01aa0d3d6d339accea9e

SHA1
5e614bd95a0667540f86929514c7b1ebeed2fb5c

SHA256
acc2258156f53e963be2c50586289f3de89a2af843b3d24fb67fd770a14e00dd

SHA512
fc5dea41e0ffe67d6e599b12ef7af95f9e1893781287e1554019dede682240fd55f3d4ee21371f346835b54a05042d2aca1089405aeb9b31dd6c58d8c06f6028

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
224KB

MD5
56f9736bd4f2edd005c8898d80c2644d

SHA1
b385f7ea059594b27cb6c2d2cb54982cdee891e8

SHA256
6ec22270322cfdfe60e36d19178026dcaa328a24f450b2a8de83f35c55e9f533

SHA512
302a432b5a77296daec5f73b3705eb9eb554c61cb3453c29e127978554d8ed0a0e98ce980fd4e0005cd41454d1372cde9b7b9c03b09c3131d53720155c8881a5

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
224KB

MD5
57bd459fedbccf2e93a9a3edf9a6dbb9

SHA1
8bf384d37f5dcbee41882bfabf474915c6af9af7

SHA256
e4b6f261cfbc5a89099086a950c0b9729590c752d7d29587d298c79681b913c8

SHA512
36239dd043e98bb3ef30138c5abc658fc6819703e070547c8f0e50a7899b04b0bb9d4e81c0958b29b3d5cfc1661a4f2d70790f6400fd8acde73874d8de96785c

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
224KB

MD5
e500ddd2bfcafdd9f118e8665ef939e2

SHA1
509d4797a9cb820c471a00172cdb53b2be8e25e9

SHA256
cf93ae2cd602427d00bd157716883d16448c11f190e443aed250030840a0a040

SHA512
52b1e7d55a241795f2220453c5730341c23d3ae78adc7e8c1b5e829c9df1dabe1c944d7bb3cefc05cd448799cd127ac2e3282b17af6c31133a1b548c52f7ebca

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
224KB

MD5
af72a06162c059b1ed7550200fcc013e

SHA1
787a4d570e4aed39022cf084a2c8dadfe5781ba4

SHA256
926c9e24cbba5c8d8826c71f56c68808ed2f5dcf574c9748604c7ddffdc59cde

SHA512
1e3110b44681812122fcd77f9395b091531aa1f016a6b06d729eda1b9fd059757016471ca3e8902662976326cb9f59c2069e0a6772705212557afa5d540cc2bd

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
224KB

MD5
e14de7ef72f428ae3cd9972e5f45e685

SHA1
39d2db9e7ed2f49ad1eeafc3c14051870dafe709

SHA256
826f679f346ac1417f28e6c952ef3b7329230dfc700d3d30e3d904041cfd1bcf

SHA512
d9416306311e42260fddf83717a065add8aab3a098dd8268839a1828735ccf21e5b7dfc208f07e33edd7a9c94ae3c7ef03a72c601eefb9453f5191c5993eae1c

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
224KB

MD5
6d2f4c4e4272b60a194598400076d75f

SHA1
cbc2d0fa06b396a55380fe0d8056e24300d82f13

SHA256
fe4a33755f9f6611fff5c957ac2858ac70beabb222f51981e390215b085bccd7

SHA512
18651271211590178f9cbf172ef9635e8e032694be9dbbb5e30c87b93198a73b4d98392bbdae5ccb8503420d68edceafbae8e153cc5ed164e55b11994eb836c0

Download Submit
memory/708-73-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/708-114-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1188-9-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1188-130-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1512-132-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1512-0-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1512-5-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/1604-81-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1604-113-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2152-107-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2152-104-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2624-120-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2624-40-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2624-122-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2860-96-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2860-108-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3224-116-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3224-65-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3244-121-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3244-118-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3244-49-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3472-33-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3472-128-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3688-127-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3688-29-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3688-124-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4172-110-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4212-57-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4212-119-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4780-126-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4780-17-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads