0d7ccb52be4264294417268c818fd12532ea0c76ae92efed38220b407e9b9055

General

Target

0d7ccb52be4264294417268c818fd12532ea0c76ae92efed38220b407e9b9055.exe
Size

1.9MB
MD5

cfcb04e457a09a59778aa42f2b73eb6c
SHA1

dab1f102b1a73168518605a2fe72ad033e246cb6
SHA256

0d7ccb52be4264294417268c818fd12532ea0c76ae92efed38220b407e9b9055
SHA512

d7c6190d0190b808b8022986fa6132e347e6e1cc7d64b60e52f72608b7b2fc37c352e037a5762c521c549b746d5779d19a5eaaa5d78ace046b23cf0f402d1cbe
SSDEEP

24576:/TNIVyeNIVy2j5aaRLVtnX6ojNIVyeNIVy2jZNIVyeNIVy2j5aaRLVtnX6ojNIVi:yyjAi6yjQyjAi6yjx

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0d7ccb52be4264294417268c818fd12532ea0c76ae92efed38220b407e9b9055.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	0d7ccb52be4264294417268c818fd12532ea0c76ae92efed38220b407e9b9055.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe

Executes dropped EXE 4 IoCs

pid	Process
3532	Ddjejl32.exe
3544	Ddmaok32.exe
704	Djgjlelk.exe
4940	Dmllipeg.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jjjald32.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	0d7ccb52be4264294417268c818fd12532ea0c76ae92efed38220b407e9b9055.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	0d7ccb52be4264294417268c818fd12532ea0c76ae92efed38220b407e9b9055.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	0d7ccb52be4264294417268c818fd12532ea0c76ae92efed38220b407e9b9055.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Djgjlelk.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1656	4940	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d7ccb52be4264294417268c818fd12532ea0c76ae92efed38220b407e9b9055.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	0d7ccb52be4264294417268c818fd12532ea0c76ae92efed38220b407e9b9055.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	0d7ccb52be4264294417268c818fd12532ea0c76ae92efed38220b407e9b9055.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	0d7ccb52be4264294417268c818fd12532ea0c76ae92efed38220b407e9b9055.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	0d7ccb52be4264294417268c818fd12532ea0c76ae92efed38220b407e9b9055.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	0d7ccb52be4264294417268c818fd12532ea0c76ae92efed38220b407e9b9055.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	0d7ccb52be4264294417268c818fd12532ea0c76ae92efed38220b407e9b9055.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 3532	1632	0d7ccb52be4264294417268c818fd12532ea0c76ae92efed38220b407e9b9055.exe	84
PID 1632 wrote to memory of 3532	1632	0d7ccb52be4264294417268c818fd12532ea0c76ae92efed38220b407e9b9055.exe	84
PID 1632 wrote to memory of 3532	1632	0d7ccb52be4264294417268c818fd12532ea0c76ae92efed38220b407e9b9055.exe	84
PID 3532 wrote to memory of 3544	3532	Ddjejl32.exe	86
PID 3532 wrote to memory of 3544	3532	Ddjejl32.exe	86
PID 3532 wrote to memory of 3544	3532	Ddjejl32.exe	86
PID 3544 wrote to memory of 704	3544	Ddmaok32.exe	88
PID 3544 wrote to memory of 704	3544	Ddmaok32.exe	88
PID 3544 wrote to memory of 704	3544	Ddmaok32.exe	88
PID 704 wrote to memory of 4940	704	Djgjlelk.exe	89
PID 704 wrote to memory of 4940	704	Djgjlelk.exe	89
PID 704 wrote to memory of 4940	704	Djgjlelk.exe	89

C:\Users\Admin\AppData\Local\Temp\0d7ccb52be4264294417268c818fd12532ea0c76ae92efed38220b407e9b9055.exe
"C:\Users\Admin\AppData\Local\Temp\0d7ccb52be4264294417268c818fd12532ea0c76ae92efed38220b407e9b9055.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\SysWOW64\Ddjejl32.exe
  C:\Windows\system32\Ddjejl32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3532
- - C:\Windows\SysWOW64\Ddmaok32.exe
    C:\Windows\system32\Ddmaok32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3544
  - - C:\Windows\SysWOW64\Djgjlelk.exe
      C:\Windows\system32\Djgjlelk.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:704
    - - C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4940
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 392
        6⤵
        Program crash
        
        PID:1656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4940 -ip 4940
1⤵
PID:3448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
1.9MB

MD5
cff94386b13b6eb562194fbedb3cd9fb

SHA1
033dd76bb6365e61df6420de23a162ec8a3bfb4f

SHA256
19899fba0beb4f7e3ebb041af69ea7adfd64e9078e203400eb4b6ebd358997d4

SHA512
bb20da44ae37d22f9c6393f6eea9bcb2b2b32dd8b8dea51aa3d458f15dda27646aa04562ca2c21a37313bf2468119cb48b077275986743fd1c0d356c51e2a005

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
1.9MB

MD5
9926e5501b77906a113457bc042767d1

SHA1
115709b60286ca494d569c9eec84ceac2e5093d8

SHA256
1372d638699d4433974ac9fd3b95bd33c72bd7000b1939aa72339b8e7b7d4ce9

SHA512
f7a062d21e6cdfbe91fef2230f79f90e5162e9ed7b9ac7bd6952fdc5a3d052cd429e99e312b7810f6a1cebd15f345bc52cdf5111b73561d86e4bb737b3d5c719

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
1.9MB

MD5
284ba2f989333d8df3eeb54501ee0ad4

SHA1
924ace52955ef24a0d90cb0632000ebcd6e55c30

SHA256
a5c2642aa8e7cd53b603a41ec78799498eb7100c1104852044cebd62f81d038f

SHA512
67d103ab383a85060f8833531cdf3e4d2641002f9b53ad38abf57dc7d8630ac1f3ce8f02b9509a2ce1b01d2becdca9fba96321fcffb6c8a0c0ef4d7a20c5d975

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
1.9MB

MD5
92867f3408171d0462bffa380cf6e66c

SHA1
67bd14a8dfd54f641ee03d9b2254ec97a0d7290b

SHA256
1cc975afb0e6a470ada8cc4bab791f9c7df1f7ff5363c43ddc96dec6bd4cf9c0

SHA512
499a1b3ab1e8f861b8dd8d0078f427cb1802a7004aaeb5ab9b0db2dbe113080f024a80008f15a71ffd3514378fff701fabe880eecc551a8ee3d57d14219ab5e2

Download Submit
memory/704-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/704-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1632-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1632-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1632-42-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3532-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3532-43-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3544-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3544-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads