d24614186b9641ce12d805ce403e1d06471989b28990d01bb44a0ece5886b23c

General

Target

d5f03c635287b55e020abc8c4d5bb7a0N.exe
Size

1.2MB
MD5

d5f03c635287b55e020abc8c4d5bb7a0
SHA1

bf60dae88638ba712c4aa964350d7eec8709929d
SHA256

d24614186b9641ce12d805ce403e1d06471989b28990d01bb44a0ece5886b23c
SHA512

60416bae2aab68a5bf06191e033601f18a3a734615e2c9aa3462d048fab7c67d6498073761df8af31fc09c0062c3009ead278c56379938dbacbcb873006dc7ee
SSDEEP

12288:xhUv2DVqvQ6Ivxv26IveDVqvQ6IvpW1nvv6IveDVqvQ6IvYvc6IveDVqvQ6IvGmw:xhF5hwq5hVW1nq5h3q5hL6X1q5h3q5h

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	d5f03c635287b55e020abc8c4d5bb7a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d5f03c635287b55e020abc8c4d5bb7a0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe

Executes dropped EXE 5 IoCs

pid	Process
748	Dhkjej32.exe
4864	Dodbbdbb.exe
940	Ddakjkqi.exe
1192	Dkkcge32.exe
1052	Dmllipeg.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	d5f03c635287b55e020abc8c4d5bb7a0N.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	d5f03c635287b55e020abc8c4d5bb7a0N.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	d5f03c635287b55e020abc8c4d5bb7a0N.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1448	1052	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5f03c635287b55e020abc8c4d5bb7a0N.exe

Modifies registry class 18 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	d5f03c635287b55e020abc8c4d5bb7a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	d5f03c635287b55e020abc8c4d5bb7a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	d5f03c635287b55e020abc8c4d5bb7a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	d5f03c635287b55e020abc8c4d5bb7a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	d5f03c635287b55e020abc8c4d5bb7a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	d5f03c635287b55e020abc8c4d5bb7a0N.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3080 wrote to memory of 748	3080	d5f03c635287b55e020abc8c4d5bb7a0N.exe	84
PID 3080 wrote to memory of 748	3080	d5f03c635287b55e020abc8c4d5bb7a0N.exe	84
PID 3080 wrote to memory of 748	3080	d5f03c635287b55e020abc8c4d5bb7a0N.exe	84
PID 748 wrote to memory of 4864	748	Dhkjej32.exe	86
PID 748 wrote to memory of 4864	748	Dhkjej32.exe	86
PID 748 wrote to memory of 4864	748	Dhkjej32.exe	86
PID 4864 wrote to memory of 940	4864	Dodbbdbb.exe	87
PID 4864 wrote to memory of 940	4864	Dodbbdbb.exe	87
PID 4864 wrote to memory of 940	4864	Dodbbdbb.exe	87
PID 940 wrote to memory of 1192	940	Ddakjkqi.exe	90
PID 940 wrote to memory of 1192	940	Ddakjkqi.exe	90
PID 940 wrote to memory of 1192	940	Ddakjkqi.exe	90
PID 1192 wrote to memory of 1052	1192	Dkkcge32.exe	91
PID 1192 wrote to memory of 1052	1192	Dkkcge32.exe	91
PID 1192 wrote to memory of 1052	1192	Dkkcge32.exe	91

C:\Users\Admin\AppData\Local\Temp\d5f03c635287b55e020abc8c4d5bb7a0N.exe
"C:\Users\Admin\AppData\Local\Temp\d5f03c635287b55e020abc8c4d5bb7a0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3080
- C:\Windows\SysWOW64\Dhkjej32.exe
  C:\Windows\system32\Dhkjej32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:748
- - C:\Windows\SysWOW64\Dodbbdbb.exe
    C:\Windows\system32\Dodbbdbb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4864
  - - C:\Windows\SysWOW64\Ddakjkqi.exe
      C:\Windows\system32\Ddakjkqi.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:940
    - - C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1192
      - C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 404
        7⤵
        Program crash
        
        PID:1448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1052 -ip 1052
1⤵
PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
1.2MB

MD5
e77ef8e3ef5d1f7acd0caf459fa0d95d

SHA1
70587307f7cfdbe248af61fcc077ce3a7f603340

SHA256
71339a1b607e8102fc113b5b5a66fa67fc034f58c2afa46e5a980f444b838b0d

SHA512
ef7f1a3fb613e5ca652ae91dad153e22bc3014483f6cea5047899e25c607c091d63ee7238a3df05700208a208f8793e2a0fc92129fc52deeac16f238a1405985

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
1.2MB

MD5
079ade361220a6d43ce173aea289a1e1

SHA1
1dd39dd541bf930710537778ba23ae757af22d11

SHA256
8271df1161a51e57859bf95f3100d1e9116dbb340f674593b9b0d808359cf42a

SHA512
71111cbcba59ca7bbfddea6a263a448c118ee8274456d8c8c6539c3bd142ddc481c1ed1e3ad71ffa3d59931d3efcd2081502f48df48f238f8b7574a99d9dc02c

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
1.2MB

MD5
08c705a9acb7f259fd7a8c2312692472

SHA1
6cde40a95e99a85448450a984c35d3800f42ebf9

SHA256
b2540c1860c782dd8f49a1e38697c1dbe862f144bfc9496ce89897ed80572e85

SHA512
47b62d4cecfd72351485089b36b14b6b9b02df332a9beecca85f8ad051dc80d560899f270135eeac1c0ac3b0816785702c484dd44793e02e58676cb8aa49b821

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
1.2MB

MD5
c4cac68a4d8c199af38c2d91b287a4ed

SHA1
ab901e9e88b80c80b5b523fbaa15eca4f349e972

SHA256
127131179da343330e17b1c655003ba71a8482205c8184203efa5e9163ec4f40

SHA512
7b26e9253faf1357273178b920bc8b509fd71a74dac7a08ea0ef949de23ec64fda7e67fa9b05071dc0a83f6125ef5ab54f7c2347e98727ad51f104557dfddd86

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
1.2MB

MD5
0ba19a28e2ff655b867ca1dfde983374

SHA1
8ae49af72153655383f6a80388d1eeed76e14da9

SHA256
337ddb936ee95741c04ef5f9af5b3ff6f735e0104d121a1477398c21d3a5a216

SHA512
2032407432d115792e620e81169f23e29f0b65d49af3fab118e64a72a529c76b297f50ce6fcf6ac56c1dbcb0c69989960eefc9437c8bfb362f40b92f94d9efed

Download Submit
memory/748-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/748-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/940-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1052-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1052-44-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1192-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3080-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3080-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3080-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4864-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads