7acedc2b228619e05d5d61d029b7a53c70117799737b338e2809355a75668566

Analysis

max time kernel
94s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2024, 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16871d2e1adaed1d36f8d0d5c74032e0N.exe
Size

55KB
MD5

16871d2e1adaed1d36f8d0d5c74032e0
SHA1

a34a8ec8ebc4d0e744d16d913628e6ba11e03d73
SHA256

7acedc2b228619e05d5d61d029b7a53c70117799737b338e2809355a75668566
SHA512

2707f900ecb937e7006f4d7bd99c84f572554a78bcecedeaf5bae047284a19134bb1822416cab49670af5891f85d07dde7e3d093274e25f06a1cbc67a7b8f43a
SSDEEP

768:ivgjQWoVO29zzohW3vPjnwtIBqb089tmYF6fun+u327MwyWDN2p/1H5ZXdnh:2+QWoAOz5bnwtu87mYF+0v27vym2LV

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	16871d2e1adaed1d36f8d0d5c74032e0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	16871d2e1adaed1d36f8d0d5c74032e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe

Executes dropped EXE 10 IoCs

pid	Process
3488	Ddonekbl.exe
2260	Dfnjafap.exe
2828	Dodbbdbb.exe
540	Daconoae.exe
3724	Dfpgffpm.exe
3144	Dogogcpo.exe
4212	Daekdooc.exe
3996	Dhocqigp.exe
1604	Dknpmdfc.exe
2208	Dmllipeg.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	16871d2e1adaed1d36f8d0d5c74032e0N.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	16871d2e1adaed1d36f8d0d5c74032e0N.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	16871d2e1adaed1d36f8d0d5c74032e0N.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3896	2208	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	16871d2e1adaed1d36f8d0d5c74032e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe

Modifies registry class 33 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	16871d2e1adaed1d36f8d0d5c74032e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	16871d2e1adaed1d36f8d0d5c74032e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	16871d2e1adaed1d36f8d0d5c74032e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	16871d2e1adaed1d36f8d0d5c74032e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	16871d2e1adaed1d36f8d0d5c74032e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	16871d2e1adaed1d36f8d0d5c74032e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Ddonekbl.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 3488	4820	16871d2e1adaed1d36f8d0d5c74032e0N.exe	83
PID 4820 wrote to memory of 3488	4820	16871d2e1adaed1d36f8d0d5c74032e0N.exe	83
PID 4820 wrote to memory of 3488	4820	16871d2e1adaed1d36f8d0d5c74032e0N.exe	83
PID 3488 wrote to memory of 2260	3488	Ddonekbl.exe	84
PID 3488 wrote to memory of 2260	3488	Ddonekbl.exe	84
PID 3488 wrote to memory of 2260	3488	Ddonekbl.exe	84
PID 2260 wrote to memory of 2828	2260	Dfnjafap.exe	85
PID 2260 wrote to memory of 2828	2260	Dfnjafap.exe	85
PID 2260 wrote to memory of 2828	2260	Dfnjafap.exe	85
PID 2828 wrote to memory of 540	2828	Dodbbdbb.exe	87
PID 2828 wrote to memory of 540	2828	Dodbbdbb.exe	87
PID 2828 wrote to memory of 540	2828	Dodbbdbb.exe	87
PID 540 wrote to memory of 3724	540	Daconoae.exe	88
PID 540 wrote to memory of 3724	540	Daconoae.exe	88
PID 540 wrote to memory of 3724	540	Daconoae.exe	88
PID 3724 wrote to memory of 3144	3724	Dfpgffpm.exe	89
PID 3724 wrote to memory of 3144	3724	Dfpgffpm.exe	89
PID 3724 wrote to memory of 3144	3724	Dfpgffpm.exe	89
PID 3144 wrote to memory of 4212	3144	Dogogcpo.exe	90
PID 3144 wrote to memory of 4212	3144	Dogogcpo.exe	90
PID 3144 wrote to memory of 4212	3144	Dogogcpo.exe	90
PID 4212 wrote to memory of 3996	4212	Daekdooc.exe	92
PID 4212 wrote to memory of 3996	4212	Daekdooc.exe	92
PID 4212 wrote to memory of 3996	4212	Daekdooc.exe	92
PID 3996 wrote to memory of 1604	3996	Dhocqigp.exe	93
PID 3996 wrote to memory of 1604	3996	Dhocqigp.exe	93
PID 3996 wrote to memory of 1604	3996	Dhocqigp.exe	93
PID 1604 wrote to memory of 2208	1604	Dknpmdfc.exe	94
PID 1604 wrote to memory of 2208	1604	Dknpmdfc.exe	94
PID 1604 wrote to memory of 2208	1604	Dknpmdfc.exe	94

C:\Users\Admin\AppData\Local\Temp\16871d2e1adaed1d36f8d0d5c74032e0N.exe
"C:\Users\Admin\AppData\Local\Temp\16871d2e1adaed1d36f8d0d5c74032e0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Windows\SysWOW64\Ddonekbl.exe
  C:\Windows\system32\Ddonekbl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3488
- - C:\Windows\SysWOW64\Dfnjafap.exe
    C:\Windows\system32\Dfnjafap.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2260
  - - C:\Windows\SysWOW64\Dodbbdbb.exe
      C:\Windows\system32\Dodbbdbb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2828
    - - C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:540
      - C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4212
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 396
        12⤵
        Program crash
        
        PID:3896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2208 -ip 2208
1⤵
PID:4928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daconoae.exe

Filesize
55KB

MD5
87b6b52500f35adf7fcd638dea643334

SHA1
07d7ad5575393dcde19569638eb2e3cd6fd72554

SHA256
e463521d972ec9cc02ba54e8c918a470bd7988fcd5d24e3e3c38e8e3590f1630

SHA512
3e5f8d367c089b640ebcc8cd0fb53b9b90afc60c20c064eaf993183cf260a256775f0215982ef8559353aaae064dede898b670f2a8622a330038d44f3223534e

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
55KB

MD5
946f0381b31542a9ce04d2bf5c7bdab0

SHA1
c6ddcdb4b5c5f57c20a2c6d3d7d3846d83a24d2b

SHA256
3351530825f0d9ec8c6fdd2fb1a1f64ba813eb39895cdb5d0fb9c11471736d6f

SHA512
ee97da660adbfda1a981e804a37d616129e770958916c8b5022c540241089543110fa66c07598dda10f23ce4288b9103f69ace6e4fd5dfd82c4472cc3601e259

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
55KB

MD5
bf719d7bef1bb7e9b7609fb57f1aa9a3

SHA1
56e0694b382b1dbe7aaf8e0e3a4bb401be7509b6

SHA256
6be259e8ccf3767cae443d2f7d90fe6fcd11ba64a2e86260864b158e2fcbaad9

SHA512
6bd6587264f209a69410d0e87173d38c4dcc7b8fab3e09c4cb83bc78e4a821fa26d501100558b8d6c0846e28622261341e3168b0397417bde17bba7c2d5c8877

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
55KB

MD5
f31fa4cd57a5d70eb88f5b370e14cda3

SHA1
6ee12901928211a2fa4865a419cf9a25327294dd

SHA256
d7313ea73482379904afb3fe4e5667f7798baf30cc94fd3aef4fbe8a26ac47a7

SHA512
86a834e5a5dac015d545a75d63848ffcbacb45a4fc635d994010fa83f04182c151351da779698e3140cdbb8568554071a2bfe7d7298a517d5553293fb324a98d

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
55KB

MD5
bde72853667533efeb05e2dbb836dbf2

SHA1
e33e5260e69293291fd78ad0df98242b34bb8054

SHA256
a5edec8173511243d4ae14424926792ca24614c8ddb7899f77e6cfd66cf29348

SHA512
74a9b8caeeced22e1b5dc3b9dd61905b2360420e40b25d8933c28deaa58f5421753896d2a8b7e5d8d838e34426f6072955b88dee91bc9a99de3f3d9a5a336889

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
55KB

MD5
3729caa53cfd6764f49751445ed9b196

SHA1
9b92d3f35006e176a372c77156c77f77be54a4ff

SHA256
ff544be9802182c8826cbc749c7d9d65d060308838b80aea72834e2de826a07e

SHA512
ba364dacab124df5d37d2d20c1629892889ce84e170ecf14f79d98f9388b14d4a15b6854c3562039d9ffb70c6058cea8e37b25054fcf86671dcefddee4b291d6

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
55KB

MD5
23241f21527d2c702b590f42fec8c61e

SHA1
a33eb25927a4ac1f2e9aae2f625ccf2f7010be32

SHA256
3858f45f6290e465d77638e53420244920d93973c991fd4552870b5081d5a4db

SHA512
cec5af2971f3f4d83020e92e238497bb266612186316edd01e1df75e7b579ad99251724b645b7c29d98fe23a303224572cbb8a0830270db688e7e71c8dd5e049

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
55KB

MD5
bcdd7e3531a5aad5f6e0cf9b1f874245

SHA1
3b7e10d9e432adc5ac3d6d64db78b5a99483c949

SHA256
4ba9076d4734a0fb729aace45c87444c56a697b90793f074eef68e855e0df82a

SHA512
ec0e950f389588ede9986be8ef29ae445d6884158d4e068110ac8f375b7f6fbd07d3559a67c86f04a35a2b1a9c5005d8cce154ac5afeb13d763646614b68c432

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
55KB

MD5
60d7b870493bebe7e7be93c2b80b94e9

SHA1
a7b3240825f43d54a60628a5db16b8ddcf3a7a63

SHA256
724742b4dc3aa25d34f04d61fd64bd0fecad6d268e180cbdce9385f8293e481d

SHA512
7a48ed2f147cbf51e46ad96286bf6bc3cd9723ed0da5da96cb4a80374346328a7435eb55c802d234f2f4133d9d3a670ea8442b119f1d92323d20027c3a5f5ba6

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
55KB

MD5
a08d6b2c7e82f94e565cad93ae1f1a52

SHA1
938fba4d59806eba405d34b99b8b127e38618c9d

SHA256
539cb6f8f865ea945789ce3af65d5f3a1c44f2929c35e59319582512b4beda55

SHA512
251ef22da5feb4f88db4003b4fa462d73248b3a1bc82f299af0718eace17645275d4631f319e42fb8ae59f286731b2fce6428928d307ed52f69210a65b0f4ac5

Download Submit
memory/540-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/540-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1604-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1604-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2208-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2208-84-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2260-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2828-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3144-53-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3724-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3724-92-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3996-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3996-87-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4212-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4212-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4820-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4820-100-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4820-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads