3336efd8344d8d97d3875986562da937d51efc745b40e6ca675b2a5ecd000f3f

Analysis

max time kernel
100s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7be9b6d4a5c35707fffa270ec4ae45d0N.exe
Size

96KB
MD5

7be9b6d4a5c35707fffa270ec4ae45d0
SHA1

2d58f51ed8991d39baf5abedc5e4388bf9b59658
SHA256

3336efd8344d8d97d3875986562da937d51efc745b40e6ca675b2a5ecd000f3f
SHA512

90df321071bc7536ff98e1d294ae0862da95d2fc0ee6455e2028f542bcc3c95f82bdd2b647ff644332f1aabe1e1edb6c0e5a79b8380825edb316eca27bb7e1bb
SSDEEP

1536:NMzgK6N813iPHZ/cYIaQM2kYSAgq851Idv8t9S3+FduV9jojTIvjr:NMzgBiK0YlH2ZkD51IqQ+d69jc0v

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7be9b6d4a5c35707fffa270ec4ae45d0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	7be9b6d4a5c35707fffa270ec4ae45d0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe

Executes dropped EXE 13 IoCs

pid	Process
4372	Djdmffnn.exe
1324	Dmcibama.exe
1668	Dejacond.exe
4560	Djgjlelk.exe
3920	Daqbip32.exe
1548	Dhkjej32.exe
5068	Dodbbdbb.exe
1472	Daconoae.exe
4924	Dhmgki32.exe
3740	Dogogcpo.exe
1368	Dddhpjof.exe
448	Doilmc32.exe
988	Dmllipeg.exe

Drops file in System32 directory 39 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	7be9b6d4a5c35707fffa270ec4ae45d0N.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	7be9b6d4a5c35707fffa270ec4ae45d0N.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	7be9b6d4a5c35707fffa270ec4ae45d0N.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dddhpjof.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2416	988	WerFault.exe	96

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7be9b6d4a5c35707fffa270ec4ae45d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe

Modifies registry class 42 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	7be9b6d4a5c35707fffa270ec4ae45d0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	7be9b6d4a5c35707fffa270ec4ae45d0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	7be9b6d4a5c35707fffa270ec4ae45d0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	7be9b6d4a5c35707fffa270ec4ae45d0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	7be9b6d4a5c35707fffa270ec4ae45d0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	7be9b6d4a5c35707fffa270ec4ae45d0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhmgki32.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 4168 wrote to memory of 4372	4168	7be9b6d4a5c35707fffa270ec4ae45d0N.exe	84
PID 4168 wrote to memory of 4372	4168	7be9b6d4a5c35707fffa270ec4ae45d0N.exe	84
PID 4168 wrote to memory of 4372	4168	7be9b6d4a5c35707fffa270ec4ae45d0N.exe	84
PID 4372 wrote to memory of 1324	4372	Djdmffnn.exe	85
PID 4372 wrote to memory of 1324	4372	Djdmffnn.exe	85
PID 4372 wrote to memory of 1324	4372	Djdmffnn.exe	85
PID 1324 wrote to memory of 1668	1324	Dmcibama.exe	86
PID 1324 wrote to memory of 1668	1324	Dmcibama.exe	86
PID 1324 wrote to memory of 1668	1324	Dmcibama.exe	86
PID 1668 wrote to memory of 4560	1668	Dejacond.exe	87
PID 1668 wrote to memory of 4560	1668	Dejacond.exe	87
PID 1668 wrote to memory of 4560	1668	Dejacond.exe	87
PID 4560 wrote to memory of 3920	4560	Djgjlelk.exe	88
PID 4560 wrote to memory of 3920	4560	Djgjlelk.exe	88
PID 4560 wrote to memory of 3920	4560	Djgjlelk.exe	88
PID 3920 wrote to memory of 1548	3920	Daqbip32.exe	89
PID 3920 wrote to memory of 1548	3920	Daqbip32.exe	89
PID 3920 wrote to memory of 1548	3920	Daqbip32.exe	89
PID 1548 wrote to memory of 5068	1548	Dhkjej32.exe	90
PID 1548 wrote to memory of 5068	1548	Dhkjej32.exe	90
PID 1548 wrote to memory of 5068	1548	Dhkjej32.exe	90
PID 5068 wrote to memory of 1472	5068	Dodbbdbb.exe	91
PID 5068 wrote to memory of 1472	5068	Dodbbdbb.exe	91
PID 5068 wrote to memory of 1472	5068	Dodbbdbb.exe	91
PID 1472 wrote to memory of 4924	1472	Daconoae.exe	92
PID 1472 wrote to memory of 4924	1472	Daconoae.exe	92
PID 1472 wrote to memory of 4924	1472	Daconoae.exe	92
PID 4924 wrote to memory of 3740	4924	Dhmgki32.exe	93
PID 4924 wrote to memory of 3740	4924	Dhmgki32.exe	93
PID 4924 wrote to memory of 3740	4924	Dhmgki32.exe	93
PID 3740 wrote to memory of 1368	3740	Dogogcpo.exe	94
PID 3740 wrote to memory of 1368	3740	Dogogcpo.exe	94
PID 3740 wrote to memory of 1368	3740	Dogogcpo.exe	94
PID 1368 wrote to memory of 448	1368	Dddhpjof.exe	95
PID 1368 wrote to memory of 448	1368	Dddhpjof.exe	95
PID 1368 wrote to memory of 448	1368	Dddhpjof.exe	95
PID 448 wrote to memory of 988	448	Doilmc32.exe	96
PID 448 wrote to memory of 988	448	Doilmc32.exe	96
PID 448 wrote to memory of 988	448	Doilmc32.exe	96

C:\Users\Admin\AppData\Local\Temp\7be9b6d4a5c35707fffa270ec4ae45d0N.exe
"C:\Users\Admin\AppData\Local\Temp\7be9b6d4a5c35707fffa270ec4ae45d0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4168
- C:\Windows\SysWOW64\Djdmffnn.exe
  C:\Windows\system32\Djdmffnn.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Windows\SysWOW64\Dmcibama.exe
    C:\Windows\system32\Dmcibama.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1324
  - - C:\Windows\SysWOW64\Dejacond.exe
      C:\Windows\system32\Dejacond.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1668
    - - C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4560
      - C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3920
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 416
        15⤵
        Program crash
        
        PID:2416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 988 -ip 988
1⤵
PID:3588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daconoae.exe

Filesize
96KB

MD5
a254e977e3fa3174152ac9530741522e

SHA1
172527ca5ef551afa37a491a2b9b79f7663b0e4c

SHA256
9592d8f555de67f0a73804313ade8fde64484371b658111729a4d3f6a805d76b

SHA512
f9300ff18ec49775e7888fb81c20394fcbf6767bb0cb313c54b8bdc882befd5184342be59a46b35d5367fe7790bb710f8775d4faabfcfa5179703787b9f12291

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
96KB

MD5
6bd76ecf67a19508e4c03c0555b55795

SHA1
d69487bec28b6910786982fd13375456311dc5f0

SHA256
ec88e28db565de785787078c55213c4392736c245e96db5466c4625dcfcfa42b

SHA512
6a7f6b634dc168b1bb28b48effa1b7e60a80a7d8480aae7104e08665460142e57a62db4aa36a05a7f551ab3f14621c611978b147cb2f1afc5ea2280c31f21ecf

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
96KB

MD5
581843947cb845c038bf593a127ac847

SHA1
5a654993b16ac0b3cc1f096846f9786d00000a81

SHA256
827a44b93e42058ba7fdc745c305aa9fe03768a4d08b41338c7cac1147bf7505

SHA512
185c7030801e978f7092d49051b6dd8f68ca4100537bbd6b6904a09566ec597bf5b087f196fcda99708cff534eb1c29004c69bb082f3dfe4d69d59a26cdcc9b4

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
96KB

MD5
f8f8587671a1e8efd909844bc12488cb

SHA1
554e743f30f7633c9369c8c76278cd7d3b5ab4ce

SHA256
2ed3d6d839137c23af4ee6039c715c79670d143ea5da5ccb16586bcc0be6bea8

SHA512
0f8561f164599c5d2e6f5103125ee95996117d2013eacbd22abc570fd32f552fba2893b3981c9cf9a3db4f7a14529413335efc7eebe82f96a3f2d51c428ebe3e

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
96KB

MD5
09b7419dfa8ba8179574e7460a410971

SHA1
ebebc48ecbaa10d89c58ea6192d6de9839b50888

SHA256
6cf3f43a93fb9b4b625b6f07ae7727c77ac287a87766326d0bb2117d1d13f0e0

SHA512
1acb59c87a56e7163fe773c4384f867d9812cf4ed50c4b82c005bf560e6f2c9b1d60dc7f1b578d2b42ced5b11edd32649aa97092a677d5c54a758859829968c1

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
96KB

MD5
2ec050f5e3fad48e3df8eb3d701808b0

SHA1
aa813f9599514b434434b0a6f7eb7a40710fddab

SHA256
730a109dd7b83a1a9c2a85ceeb41b34c6d36fdfb0b4a768469e6ed8a129f885e

SHA512
a85c5df20f2593f2faff3d06a5338d94da670a68cf04ef40c1befb366e01d71642a4e4bc90f0b99b4d773abae54d6667160d872bb47830b1ba0995a31958e3a8

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
96KB

MD5
717f730d877e33d38f1578df78aee5bf

SHA1
34d438efd3a6b09f927c16bc12ecca4e2eff5f14

SHA256
117cf7a39e40ae2bdfacf6c9f0636e65f6f41114258234225bf39ea48e035280

SHA512
16dbff4f9db1278077c22e8d80784f2aac095a8beac3a714efca0ce1b579f10dedb4b044b894d3273320ca051959429dccfbbe105a6d9c49ca8c3bef2bc48f8d

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
96KB

MD5
1605cc5f3171b08a1d02a51a3a95610a

SHA1
393ff9d9fe3e21a37a0047a2486d169fd6bdab4b

SHA256
8d02c66e24bccef4d4241dc6dab717c25a3719e9ecd8aaeac2f78354f7df7a1c

SHA512
0e28fc5bec72f8cb840d2818b9245da606d9538b5044149d430613a38c9671791093d2106e78ca36c5a74225dac4ec4e00a31cbdc3e3465cc2ea490b076f44b9

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
96KB

MD5
5edf2e2ca6474df4ebcf8dfed1a56b2d

SHA1
a0f01f6aa7b82a8c18382347a6e4cf1964f9f9e4

SHA256
a6ad702d8bc21c61ca7c88f58421a48d278eff2eea94e508e5b2be8c592855d9

SHA512
b88ed613513c5f3b78782b25306d71aed5b24834182e66cd8a53f9d89675e79f7aaa2ed0f096be6a1d519ac2dceee542fbd1519d39a5940de8051b218766dcd1

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
96KB

MD5
52f5092976aaa749d74e1502398f5b7c

SHA1
f85c1af712925a5144d71c568cd8372624554815

SHA256
a35551803ca664ca916862103015e62d0761363837a0ca8c66323b1cbbcee314

SHA512
4e0ea4108960f5b6734c9b934b1bd45b59d459aaab45cd177732dc924f21c8d1b610860eaa0b935b2e13e8777d5457ddc3228495d5a883755e27a8ce00858bab

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
96KB

MD5
d6bded00e67a70c1ba0321ec5873364f

SHA1
827442758ed22af93343277a0974662e7c317d5e

SHA256
c9f667ccb0193b12b4e642da1b54870ed232c0f53d6b25121f65d25d08429a44

SHA512
b5a3ae17173a24bafda7916e015cbdcc2ee25033389dde439d51addf6ba92d09f552d97c1d1459d9e2bb93c06c24dcde5b44095a1275172a9fedd2d5a9f958b1

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
96KB

MD5
57dc8386f37acf1699b7be7eb551fd4e

SHA1
8e9acdd2c283346121cab37719b35aa2ed62d33b

SHA256
fd06fe60c13f5c72b808640cc3ed20058a71966438f3db2f91aa89fe3699c41c

SHA512
6a4fda5144b0481e9d579ee9797beb5f66daf4cac9bac9fb7377d20c1cce9bbff93dc8138327365663889b922c3ce9088444108ad2bb80a3557d5b7eec0e9da2

Download Submit
C:\Windows\SysWOW64\Doilmc32.exe

Filesize
96KB

MD5
3d33cfc2113c4b60981d5b0a63123bdb

SHA1
e7c5ab19a58f2b2b791faf8ca89c15567809fd1d

SHA256
c1b8869d8325c504e0f62ceeda341a3c4c2be133018fe62bc90658db2b1eeb12

SHA512
925180a822774113b4d8954d5d85d2b2ec82bcb917295d5b9e8f331a7f0a812c4b438b04b1a4f8f2bd9c8440b49ae5a069621c7bef157f057338f0abefdf5f94

Download Submit
C:\Windows\SysWOW64\Jdipdgch.dll

Filesize
7KB

MD5
a0796fbe745cf1438b6a016bc0e1b9ec

SHA1
2ca864fabba5ff83344d0b43497350d3c8b292ab

SHA256
396936ef0a5012142eb4bad40926b911986aa037e38d72693478dd37a79b9fe0

SHA512
734eea56509821426abfa798d74af3846c8a69bcc818330c23507eb0e2d117178f939b7de3c63f5e8e34e61727455fe99fe8d27977365ad9ba60f9dab7dad915

Download Submit
memory/448-96-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/448-106-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/988-103-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/988-105-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1324-115-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1324-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1368-107-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1368-87-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1472-64-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1472-109-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1548-47-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1548-112-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1668-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1668-114-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3740-111-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3740-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3920-118-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3920-39-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4168-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4168-117-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4372-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4372-116-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4560-113-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4560-31-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4924-71-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4924-108-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5068-55-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5068-110-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads