3c53dfde403c33767ef4d4bf7eaac338798b6d3694a2b58e6431285ce2b8ad87

Analysis

max time kernel
103s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f883e82d457f53546bdc63e586d9ea80N.exe
Size

194KB
MD5

f883e82d457f53546bdc63e586d9ea80
SHA1

1f3f046b3d41f0c31f4c31ba934923af5e63e107
SHA256

3c53dfde403c33767ef4d4bf7eaac338798b6d3694a2b58e6431285ce2b8ad87
SHA512

5bebdb887e349cf3f6940b5ad37e26e0239a9ea625ac66440f49b46eca0858b874f114617cc6b40318f860ebd14735f5f381622727fbc6d35979c61ad6cf5188
SSDEEP

3072:E7THWYt1A4wPvVdSfUNRbCeR0pN03xWlJ7mlOD6pN03:E+nFPddSfUNRbCeKpNYxWlJ7mkD6pNY

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f883e82d457f53546bdc63e586d9ea80N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	f883e82d457f53546bdc63e586d9ea80N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe

Executes dropped EXE 14 IoCs

pid	Process
3636	Dhfajjoj.exe
2160	Djdmffnn.exe
2428	Dmcibama.exe
748	Dejacond.exe
1868	Dfknkg32.exe
2892	Dmefhako.exe
3524	Delnin32.exe
2036	Dfnjafap.exe
1732	Daconoae.exe
4744	Ddakjkqi.exe
2112	Dfpgffpm.exe
3364	Dogogcpo.exe
4576	Dhocqigp.exe
3688	Dmllipeg.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	f883e82d457f53546bdc63e586d9ea80N.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	f883e82d457f53546bdc63e586d9ea80N.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	f883e82d457f53546bdc63e586d9ea80N.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dfnjafap.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
896	3688	WerFault.exe	98

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f883e82d457f53546bdc63e586d9ea80N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe

Modifies registry class 45 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	f883e82d457f53546bdc63e586d9ea80N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	f883e82d457f53546bdc63e586d9ea80N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	f883e82d457f53546bdc63e586d9ea80N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	f883e82d457f53546bdc63e586d9ea80N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	f883e82d457f53546bdc63e586d9ea80N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	f883e82d457f53546bdc63e586d9ea80N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 3636	4956	f883e82d457f53546bdc63e586d9ea80N.exe	84
PID 4956 wrote to memory of 3636	4956	f883e82d457f53546bdc63e586d9ea80N.exe	84
PID 4956 wrote to memory of 3636	4956	f883e82d457f53546bdc63e586d9ea80N.exe	84
PID 3636 wrote to memory of 2160	3636	Dhfajjoj.exe	85
PID 3636 wrote to memory of 2160	3636	Dhfajjoj.exe	85
PID 3636 wrote to memory of 2160	3636	Dhfajjoj.exe	85
PID 2160 wrote to memory of 2428	2160	Djdmffnn.exe	86
PID 2160 wrote to memory of 2428	2160	Djdmffnn.exe	86
PID 2160 wrote to memory of 2428	2160	Djdmffnn.exe	86
PID 2428 wrote to memory of 748	2428	Dmcibama.exe	87
PID 2428 wrote to memory of 748	2428	Dmcibama.exe	87
PID 2428 wrote to memory of 748	2428	Dmcibama.exe	87
PID 748 wrote to memory of 1868	748	Dejacond.exe	88
PID 748 wrote to memory of 1868	748	Dejacond.exe	88
PID 748 wrote to memory of 1868	748	Dejacond.exe	88
PID 1868 wrote to memory of 2892	1868	Dfknkg32.exe	89
PID 1868 wrote to memory of 2892	1868	Dfknkg32.exe	89
PID 1868 wrote to memory of 2892	1868	Dfknkg32.exe	89
PID 2892 wrote to memory of 3524	2892	Dmefhako.exe	90
PID 2892 wrote to memory of 3524	2892	Dmefhako.exe	90
PID 2892 wrote to memory of 3524	2892	Dmefhako.exe	90
PID 3524 wrote to memory of 2036	3524	Delnin32.exe	91
PID 3524 wrote to memory of 2036	3524	Delnin32.exe	91
PID 3524 wrote to memory of 2036	3524	Delnin32.exe	91
PID 2036 wrote to memory of 1732	2036	Dfnjafap.exe	92
PID 2036 wrote to memory of 1732	2036	Dfnjafap.exe	92
PID 2036 wrote to memory of 1732	2036	Dfnjafap.exe	92
PID 1732 wrote to memory of 4744	1732	Daconoae.exe	93
PID 1732 wrote to memory of 4744	1732	Daconoae.exe	93
PID 1732 wrote to memory of 4744	1732	Daconoae.exe	93
PID 4744 wrote to memory of 2112	4744	Ddakjkqi.exe	94
PID 4744 wrote to memory of 2112	4744	Ddakjkqi.exe	94
PID 4744 wrote to memory of 2112	4744	Ddakjkqi.exe	94
PID 2112 wrote to memory of 3364	2112	Dfpgffpm.exe	95
PID 2112 wrote to memory of 3364	2112	Dfpgffpm.exe	95
PID 2112 wrote to memory of 3364	2112	Dfpgffpm.exe	95
PID 3364 wrote to memory of 4576	3364	Dogogcpo.exe	96
PID 3364 wrote to memory of 4576	3364	Dogogcpo.exe	96
PID 3364 wrote to memory of 4576	3364	Dogogcpo.exe	96
PID 4576 wrote to memory of 3688	4576	Dhocqigp.exe	98
PID 4576 wrote to memory of 3688	4576	Dhocqigp.exe	98
PID 4576 wrote to memory of 3688	4576	Dhocqigp.exe	98

C:\Users\Admin\AppData\Local\Temp\f883e82d457f53546bdc63e586d9ea80N.exe
"C:\Users\Admin\AppData\Local\Temp\f883e82d457f53546bdc63e586d9ea80N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Windows\SysWOW64\Dhfajjoj.exe
  C:\Windows\system32\Dhfajjoj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3636
- - C:\Windows\SysWOW64\Djdmffnn.exe
    C:\Windows\system32\Djdmffnn.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2160
  - - C:\Windows\SysWOW64\Dmcibama.exe
      C:\Windows\system32\Dmcibama.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2428
    - - C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:748
      - C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3364
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3688 -s 228
        16⤵
        Program crash
        
        PID:896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3688 -ip 3688
1⤵
PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daconoae.exe

Filesize
194KB

MD5
f38041e104d3db720da96be4532d53ba

SHA1
23efb35f03c0641e0b3b7799be9e599413711d11

SHA256
6a277564cd87484b3ab9dab39b9d34192e475e4f1a954475bfc5a08023ab8d04

SHA512
a03a6ad59b07c2d836b3b118673eb76cd9a3417884d85c38ec5a0a436ac6f25635b5920928eda39e81f64f384ab933a3685d9a5d52eb08337c31493b4fd66022

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
194KB

MD5
963d5d81578411c23a790cdf4fdcaab1

SHA1
f477b6909114f6f252788b40cb89184acb09c1c2

SHA256
68ddf499256397edffcec69d97364eef1eb03d01ea8f92e691e61d32dcfed879

SHA512
37841d537be89dc9bb1f03ef96c7783fe82d8bc8444e3bcb64b70c6ae51be5e6e864478fcd72e0e399430554d0d9de43f0be896d9ef7529e2f6421dc85ff73f4

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
194KB

MD5
356fb7571b07a959e645f7b237609090

SHA1
22cf7c0865e0196bcb24cddf05e52e20035a7c9f

SHA256
8750a8d67074e9f760c4ac4420db3239ca0bdafcc67560cdc43d8e2c0afbb9f8

SHA512
02a2e8351ca2366d98f80a08128c6fe5c7a2cea8b6bb37720ffe4dfdcc84e5fcf2613d2ce5afbde6c139a3a49918a23cbd4f9a2cc0c849e0061736514fa2471c

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
194KB

MD5
16e6ba0b3af7711696c21ea0b74da346

SHA1
137c85586309bf6dc197d02ee94d03a1884888a0

SHA256
1584a9b13822bc9285dd819688f4b7ad70af9804ea4f186a4fabfd6a987cc941

SHA512
5f352a0a29c2ea8f826ec9f30c9f43cdff75b0a9b70d733c1267e26cb532b51c044075adb1bff019d9da5d4cd2eb2d56fd89281ea4006c99d8ef2bb42bd3feac

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
194KB

MD5
b6199ae6c46d4c480b628e0b52cd8139

SHA1
7d521ec0e3a9b21f54dd2328dc22e9452df5381f

SHA256
8067a1ebe75a6ede1aeb94824e119576819423438caaa2a0432ca51249411619

SHA512
cb234891669d26ad6a1466310469103208847a46a43ba98572e556c064f1fdc3331373ee43c63d9059fcb6eb8aee1d96079a228756bd89baa12ea8d0f0060006

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
194KB

MD5
224553bb4cbd8c37d451fdfeb18963e7

SHA1
36f1e052b910d147b72723c01f5664ddae582022

SHA256
54bdbf2f02d7e581674ce8ee4b85a15f7934ee85683789d1a682cb537ba47042

SHA512
6e6c6efd30d712a4bba1b88e1e54d68f894e767a9efc3436973b4017a9a472aa5b24b7d5c7cbf3acc1896a2c49a8ffc6b46e564c69469b9bebf81ff7c744ce38

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
194KB

MD5
47b6197152f866021e945ae861a51788

SHA1
37ce219ae4ed25e9e228a295e57570edf3b929e7

SHA256
71bb451c7f15bc4c6b1399fb9467ba4bc4345e3eec85c6b6654a2e89da78be79

SHA512
7ecadafe4f34ee1a7ee529f617147ff77d312455e4a2ac07e63d0b8fb50592ab74e123be34643de2126f07ab4a27336d851fc365dd4825a25b862b54b166ea3b

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
194KB

MD5
32ee7250a1540b408b11bc7108a4e8f1

SHA1
6adaa0d941ee8e37aed257b14c713123ae57fe9d

SHA256
b83b527275afe214f9d1b257335d7fe50bb6fb2553216fdc09787514c8353b85

SHA512
9d947a8031645b0dd7fe12bd3906f38e44bdb6492f38823505eb0728a0fe2584f08a6a21c3ca00555a49d5720a98d6c1e9f38837be74487235596a63d169ccf7

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
194KB

MD5
26ca20827559ecf21a85ff5c7fb99288

SHA1
a57fa6ed0e67fdf1fddb347adf163054cc90bfbf

SHA256
94e0e162e9bb8a267cf6e77220bc63c9060b81485306f7b8df1bf17bf17daa12

SHA512
066a4c6eac323af1ac6ecdf3552546ad5894203c8d6be072270ca275050b693ef274e7aa44859fd8f1c77b263e3407c13cda76b11b9d4dcbcc2ad76e4a6ec415

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
194KB

MD5
c934913f6f0e362c2d978e9ab4f039e3

SHA1
1f3be31f217a606252b29266749214be1dbd759b

SHA256
133b06f33528ac602e42e1a72d707f1dba521bbeb65468c3bc87095cef7a23ae

SHA512
5d3cf000e901127680b31f3f606c660e127ae711bd8819c491397fb1889bb683f41d0c5449b7270a5ac8a3269c389198dc24b6c3f9e316889bea8b732ed2f3d7

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
194KB

MD5
3e5aabac838d36fbbdc1f3be20aa83cd

SHA1
22956bc5f27a3d1bf27b1ece6350c1d0f205a8cf

SHA256
f4504ec0f89b5bee805ee7ad518a38b326f664cf00ce122000fa907f016941d7

SHA512
9c5801a4113bc577f91ad08b7baa37e55c7644e8e52b025b860a839398bb0472dba911e161f9692acb09e37e715fa09dd32335d17b79784b025cbd1fd9b8fc01

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
194KB

MD5
941470c385a61817d34fbfd66c417312

SHA1
ea6ba8ce2d98be1703ed0f5e867202df0c64c04e

SHA256
caa966e57c9c55659a69cce93f99c9d7fe51702ad309d8bd5cfa03344ca4ec3d

SHA512
f17729a301b98ba912f1bffa70bf22137771551f1de80ec848ea87cb5fd46d9e38075b0f12df5eae90a91e6f85545ed31eb5707f023f64c4eae9d088071c041a

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
194KB

MD5
f8d7e2af1e35af0a687542da2ba495a6

SHA1
91c69057255abfc64b097e03856233771b2f7af6

SHA256
9e9511805f92a3563db0ddf697ee4c0c46a6e92a551879cc607a55707d0856bf

SHA512
ef6aa0486258de29c8ee80fe208fd6da3087c33562a08822fd4ef54852cc07bcae9ae793fe07645b08977242e58f6c70977bb89f847098fefb6d02744cff7d97

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
194KB

MD5
bb7f8aa7cc2813456e26e37c62cb97f8

SHA1
1d3a1bb0365efcaf936605e97816d060fb0b81eb

SHA256
f57e283cd68bead4fa97db122be691fb671e701dc2d0c0fa5aaf4b48419e6881

SHA512
cced92dddc11db752bfe64c661adceeb420343bd826f713b6b01c19ba69600be7a41523d893e63c615809a1c521f628ceb422b541825636be7080666bcdb7f7d

Download Submit
memory/748-133-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/748-33-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1732-71-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1732-124-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1868-40-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1868-142-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2036-64-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2036-129-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2112-92-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2112-120-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2160-16-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2160-137-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2428-24-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2428-135-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2892-48-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2892-130-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3364-95-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3364-118-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3524-127-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3524-55-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3636-139-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3636-12-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3688-115-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3688-111-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4576-116-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4576-103-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4744-122-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4744-80-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4956-0-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4956-141-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads