7857c554b83b3af2f6fef2e027a7c0f79ac8c881ca545edf93e6a94db3cac9b3

General

Target

d18203a3fe4546104d92362c1c4e7b80N.exe
Size

327KB
MD5

d18203a3fe4546104d92362c1c4e7b80
SHA1

bb6433e633b88b929bbe9672c79cfd9924bf8018
SHA256

7857c554b83b3af2f6fef2e027a7c0f79ac8c881ca545edf93e6a94db3cac9b3
SHA512

742bf9f0cbdb7e6b0613893b22a2560126f4e140f7a0671c857a26308f4c7dc7f102f07e15d01f10550ede094334af0cc44acbe0a01c67f07d1195e578433656
SSDEEP

3072:hRKpW+/Yed7oxxb4dfieE3nCEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEESLjb5m0z:haL/bBaq9E3Jj0+r+Mds9BY

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d18203a3fe4546104d92362c1c4e7b80N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	d18203a3fe4546104d92362c1c4e7b80N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhocqigp.exe

Executes dropped EXE 6 IoCs

pid	Process
1616	Dfnjafap.exe
764	Dmgbnq32.exe
4880	Daconoae.exe
1240	Daekdooc.exe
4484	Dhocqigp.exe
4420	Dmllipeg.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	d18203a3fe4546104d92362c1c4e7b80N.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	d18203a3fe4546104d92362c1c4e7b80N.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	d18203a3fe4546104d92362c1c4e7b80N.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1204	4420	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d18203a3fe4546104d92362c1c4e7b80N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe

Modifies registry class 21 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	d18203a3fe4546104d92362c1c4e7b80N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	d18203a3fe4546104d92362c1c4e7b80N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	d18203a3fe4546104d92362c1c4e7b80N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	d18203a3fe4546104d92362c1c4e7b80N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	d18203a3fe4546104d92362c1c4e7b80N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	d18203a3fe4546104d92362c1c4e7b80N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 1616	4028	d18203a3fe4546104d92362c1c4e7b80N.exe	84
PID 4028 wrote to memory of 1616	4028	d18203a3fe4546104d92362c1c4e7b80N.exe	84
PID 4028 wrote to memory of 1616	4028	d18203a3fe4546104d92362c1c4e7b80N.exe	84
PID 1616 wrote to memory of 764	1616	Dfnjafap.exe	85
PID 1616 wrote to memory of 764	1616	Dfnjafap.exe	85
PID 1616 wrote to memory of 764	1616	Dfnjafap.exe	85
PID 764 wrote to memory of 4880	764	Dmgbnq32.exe	86
PID 764 wrote to memory of 4880	764	Dmgbnq32.exe	86
PID 764 wrote to memory of 4880	764	Dmgbnq32.exe	86
PID 4880 wrote to memory of 1240	4880	Daconoae.exe	87
PID 4880 wrote to memory of 1240	4880	Daconoae.exe	87
PID 4880 wrote to memory of 1240	4880	Daconoae.exe	87
PID 1240 wrote to memory of 4484	1240	Daekdooc.exe	88
PID 1240 wrote to memory of 4484	1240	Daekdooc.exe	88
PID 1240 wrote to memory of 4484	1240	Daekdooc.exe	88
PID 4484 wrote to memory of 4420	4484	Dhocqigp.exe	89
PID 4484 wrote to memory of 4420	4484	Dhocqigp.exe	89
PID 4484 wrote to memory of 4420	4484	Dhocqigp.exe	89

C:\Users\Admin\AppData\Local\Temp\d18203a3fe4546104d92362c1c4e7b80N.exe
"C:\Users\Admin\AppData\Local\Temp\d18203a3fe4546104d92362c1c4e7b80N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Windows\SysWOW64\Dfnjafap.exe
  C:\Windows\system32\Dfnjafap.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Windows\SysWOW64\Dmgbnq32.exe
    C:\Windows\system32\Dmgbnq32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:764
  - - C:\Windows\SysWOW64\Daconoae.exe
      C:\Windows\system32\Daconoae.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4880
    - - C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1240
      - C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4420
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 408
        8⤵
        Program crash
        
        PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4420 -ip 4420
1⤵
PID:1152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daconoae.exe

Filesize
327KB

MD5
b6d0875d11334ac9aea2150c5477a1bc

SHA1
b05f6c78519bba432d86b5ae42945608238d6ccf

SHA256
5f647dfc4af1506bd7e3555d05e49cd6d097600c317d21e932d7e6d07479f1f0

SHA512
6f502e90075557be6fc7e14d12c500e617d292740ea1cb7d0c7484eda8f24992b999954d0b4c34342c4a99f318d044c95e41c82e6d507bddf934264bb9b05e13

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
327KB

MD5
0068bba3f655986128480049a7a91f7a

SHA1
e803c0ad40cc94851ea14517fdb2fc646243e279

SHA256
39c64e3a7370bebd2c5d0b560434bdaada1aca63cd28d6a7c7ab5f438a34136f

SHA512
4ff6d40edd376b4ab6001f0a81ebc781ab6ff1b8df1e059feba01b5b64b9c202d6d5ab86f9f92ff5fb5a11568bd4780925b597d623caef20804406b620415b91

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
327KB

MD5
4a518bdaa220d537e472b2879631018e

SHA1
35e5a011239fdac4632ad986a1cddecc5b459752

SHA256
b370542775d281a2ae2cc1f67ce682a3a337cd5a2373ed86b1735600a3f0facb

SHA512
e2bdbacbd5b516c6d17c5fff451eca2f7bc594aca7c131ccf90a5f35481ca2288e316505964f0906929237447b3a51e5d59fdb5f09d55b44da6b62d939df44c5

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
327KB

MD5
0870a7f994fb6ff54dd76f30012bf5ae

SHA1
c4478aaa9b4ec3d56befe3c1b6cbe2a440f78ecf

SHA256
2fa8286ddb2e425ee1338f747398f1743036f6f206d6461a7497adab1b77b01e

SHA512
7d587de18eab310b403b223446157569bc3b0adb1b5fa0ee4769b61c29cec761935acbe810b584096fe31c29d505de66146948e6ae7f87853058d98b7835ef15

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
327KB

MD5
4d5f483321cfe288b3adef53cf7bc2fe

SHA1
36c086e82bb5e7c9342b4c985204cea3e783b691

SHA256
03fae5f89b0474fc7bf1f14a83c2d286a54e1935e0afafa06cbc6723c5287a0f

SHA512
491a8bed8fb19b532862f1d1728adc461374c50010c8bc0e1f0ae78527a2776ff519576ccd98ea75f914de9e5f491b8093ccfff8e70a7b8e96ef35f1d2199f76

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
327KB

MD5
2a8c0f5a6f7af56c908f162650fbea05

SHA1
68dc91892c6011e6fdcf409f92edbf62c601ee45

SHA256
dccefe4180fe75ac258a31390a68a564e04b1fb005bcb3baa2cde0ae1d764a61

SHA512
709a0686e0e0db6afb58d07b234902897201222acf519f8d007ac84ff8a0802c1f2c934a66c134d6105d82cafd369875d09d019e0a2d45276ef3922c7205282d

Download Submit
C:\Windows\SysWOW64\Elkadb32.dll

Filesize
7KB

MD5
56f1abae80121d62fc42899686e91d54

SHA1
b1c611bb922868e6f4d0ebf20bceb057953df617

SHA256
88671c235595166753e8aded430f931666083c654275f2f2537b59f21b1b36fe

SHA512
9e879a40ed00c55e45faac0266c6228e540ef348ec8da7f6802b36ea14fdbe6b9743034c1fc6703b3e5a97b4aae8ab15337491790c0739378d87818a4599813e

Download Submit
memory/764-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/764-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1240-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1240-54-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1616-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1616-59-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4028-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4028-61-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4420-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4420-50-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4484-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4484-52-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4880-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4880-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads