581409e2870cef33b8083a9b799e04eed36819ccdf6636094250265ab79e4105

Analysis

max time kernel
98s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb67ed141190a03d8fc6780c7f053480N.exe
Size

384KB
MD5

cb67ed141190a03d8fc6780c7f053480
SHA1

ebb4f876d140459343b98f203cc223bf5688587e
SHA256

581409e2870cef33b8083a9b799e04eed36819ccdf6636094250265ab79e4105
SHA512

f5ccd8b1e7843cb10bfafc421e56011f093f9a026635b6457b0a06f4c2d82020c0b8a1f438b72217df1b4c05206e04d52a800c06cd950368bc9c4b4e02cf0708
SSDEEP

6144:9dY/BM+YlFiWFAkOCOu0EajNVBZr6y2WXxLO1UqWk2kkkkK4kXkkkkkkkkV:wXYlFiWVPh2kkkkK4kXkkkkkkkkV

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	cb67ed141190a03d8fc6780c7f053480N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	cb67ed141190a03d8fc6780c7f053480N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe

Executes dropped EXE 13 IoCs

pid	Process
3904	Dhkjej32.exe
1032	Dodbbdbb.exe
4376	Dmgbnq32.exe
856	Deokon32.exe
3836	Dhmgki32.exe
832	Dkkcge32.exe
2252	Dmjocp32.exe
928	Daekdooc.exe
3192	Dddhpjof.exe
4652	Dhocqigp.exe
4196	Dgbdlf32.exe
1880	Doilmc32.exe
1268	Dmllipeg.exe

Drops file in System32 directory 39 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jbpbca32.dll	cb67ed141190a03d8fc6780c7f053480N.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	cb67ed141190a03d8fc6780c7f053480N.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	cb67ed141190a03d8fc6780c7f053480N.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dhkjej32.exe

Program crash 1 IoCs

pid	pid_target	Process
4044	1268	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb67ed141190a03d8fc6780c7f053480N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe

Modifies registry class 42 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	cb67ed141190a03d8fc6780c7f053480N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	cb67ed141190a03d8fc6780c7f053480N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	cb67ed141190a03d8fc6780c7f053480N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	cb67ed141190a03d8fc6780c7f053480N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	cb67ed141190a03d8fc6780c7f053480N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	cb67ed141190a03d8fc6780c7f053480N.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 3904	1632	cb67ed141190a03d8fc6780c7f053480N.exe	84
PID 1632 wrote to memory of 3904	1632	cb67ed141190a03d8fc6780c7f053480N.exe	84
PID 1632 wrote to memory of 3904	1632	cb67ed141190a03d8fc6780c7f053480N.exe	84
PID 3904 wrote to memory of 1032	3904	Dhkjej32.exe	85
PID 3904 wrote to memory of 1032	3904	Dhkjej32.exe	85
PID 3904 wrote to memory of 1032	3904	Dhkjej32.exe	85
PID 1032 wrote to memory of 4376	1032	Dodbbdbb.exe	86
PID 1032 wrote to memory of 4376	1032	Dodbbdbb.exe	86
PID 1032 wrote to memory of 4376	1032	Dodbbdbb.exe	86
PID 4376 wrote to memory of 856	4376	Dmgbnq32.exe	87
PID 4376 wrote to memory of 856	4376	Dmgbnq32.exe	87
PID 4376 wrote to memory of 856	4376	Dmgbnq32.exe	87
PID 856 wrote to memory of 3836	856	Deokon32.exe	88
PID 856 wrote to memory of 3836	856	Deokon32.exe	88
PID 856 wrote to memory of 3836	856	Deokon32.exe	88
PID 3836 wrote to memory of 832	3836	Dhmgki32.exe	89
PID 3836 wrote to memory of 832	3836	Dhmgki32.exe	89
PID 3836 wrote to memory of 832	3836	Dhmgki32.exe	89
PID 832 wrote to memory of 2252	832	Dkkcge32.exe	90
PID 832 wrote to memory of 2252	832	Dkkcge32.exe	90
PID 832 wrote to memory of 2252	832	Dkkcge32.exe	90
PID 2252 wrote to memory of 928	2252	Dmjocp32.exe	91
PID 2252 wrote to memory of 928	2252	Dmjocp32.exe	91
PID 2252 wrote to memory of 928	2252	Dmjocp32.exe	91
PID 928 wrote to memory of 3192	928	Daekdooc.exe	92
PID 928 wrote to memory of 3192	928	Daekdooc.exe	92
PID 928 wrote to memory of 3192	928	Daekdooc.exe	92
PID 3192 wrote to memory of 4652	3192	Dddhpjof.exe	93
PID 3192 wrote to memory of 4652	3192	Dddhpjof.exe	93
PID 3192 wrote to memory of 4652	3192	Dddhpjof.exe	93
PID 4652 wrote to memory of 4196	4652	Dhocqigp.exe	94
PID 4652 wrote to memory of 4196	4652	Dhocqigp.exe	94
PID 4652 wrote to memory of 4196	4652	Dhocqigp.exe	94
PID 4196 wrote to memory of 1880	4196	Dgbdlf32.exe	95
PID 4196 wrote to memory of 1880	4196	Dgbdlf32.exe	95
PID 4196 wrote to memory of 1880	4196	Dgbdlf32.exe	95
PID 1880 wrote to memory of 1268	1880	Doilmc32.exe	96
PID 1880 wrote to memory of 1268	1880	Doilmc32.exe	96
PID 1880 wrote to memory of 1268	1880	Doilmc32.exe	96

C:\Users\Admin\AppData\Local\Temp\cb67ed141190a03d8fc6780c7f053480N.exe
"C:\Users\Admin\AppData\Local\Temp\cb67ed141190a03d8fc6780c7f053480N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\SysWOW64\Dhkjej32.exe
  C:\Windows\system32\Dhkjej32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3904
- - C:\Windows\SysWOW64\Dodbbdbb.exe
    C:\Windows\system32\Dodbbdbb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1032
  - - C:\Windows\SysWOW64\Dmgbnq32.exe
      C:\Windows\system32\Dmgbnq32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4376
    - - C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:856
      - C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3836
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:928
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3192
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1268
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 396
        15⤵
        Program crash
        
        PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1268 -ip 1268
1⤵
PID:4340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daekdooc.exe

Filesize
384KB

MD5
a83b359e4c994bacf714e0b3c62bcdf5

SHA1
744b9806f2b115978b18752f3c5f6ab8c0d049b2

SHA256
427dbd7aa178888a6afbb5cbf078afeae18f5a0070130af5515131630ea57619

SHA512
209010bdb1960d011b2ff1d2d51151c529aa732e0d08bb6b1a5a35e22c5f417a25bc8366de4b40b4d765a8e20f57014017394d6faaeb6166f5d86086120e4af2

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
384KB

MD5
4761bcaba4b3a5ecc92fc3ed2829e7dc

SHA1
098658c93bb7bc9086ce618361ebde7c4881ba83

SHA256
e8f008908c686c520b5305a6b466cf449cfa5d188b456944a5ac97339f3cccce

SHA512
f8336b27242ded18e7cf54f7c7c643ef8ea5e0a8d67e311f02bf9154cd32403511d5260b12dfd39b4b796a1934ebdea682e26ff598823b96561a2975c9946e7a

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
384KB

MD5
a65de5a5171e0c37ff38186ff0e8cfbb

SHA1
fd9d4166bebd25d803c825c954e93410e48f331c

SHA256
b29c845b6b23c77d8ec2147a6126b32cab4fa485ec386de99e3b6c931e0e992e

SHA512
740bc517a23240507f874216adbb66a578652284c5851a8fb0bba34ab581c13c4f6fc0cbeed883be22f8c4f820fd1c0ca1d8ad1bba57a96f6a0c5ec1be5e8bfa

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
384KB

MD5
cd09fc63dd5ba45a90d592600c22eaa4

SHA1
775493970f7adc643be85bd5a181eb6b5dd6ea4d

SHA256
556179c5a9c6177ba241dcebf8a8b03a2c173583557a1b44900c733250394ca4

SHA512
13a2ba84afb043ae72139b969e46133fa68c8b9ac321a8a27209000684dd821c9960e1cf93c43f48eae041438f80749364134572641172f5a2fea04e37e50c05

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
384KB

MD5
27d9dd90a13e029613d3588eb2f31b7e

SHA1
e75304b5a470ac4684cb568d530a29350a6dc188

SHA256
cdcddd854ef79bfe8a4042e9d9eba887218de4a8d47df83c65c86b67b9288926

SHA512
115aa32431786c6d4ea99550e4a9698ff1c33b0af75b05721cc3b3093c49d87c820288b1bbb8ad49889b2a111b8c48f02de671806a1e80520c17b36b70d6150c

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
384KB

MD5
90a86d15ba39f6ac79310947b568bbb0

SHA1
a92eb915b617c78f75b10ea71fec9b5bbf8960f4

SHA256
4b40dc283502a1854a5d65f659b11e17806174c340df7cd5d34ef85c82862b76

SHA512
8e859fa9bc6b4555c05c794bd5ed410510c0d4538db45be4c9273d3e2dddb349d2de27d1ac2e79cae20f3c8c936e90d5576306fbdb0b1479a97359967b744be6

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
384KB

MD5
8e88ee542905161ca752e581e66cc8cf

SHA1
40d2f64bc7da6bbe45baafc0a5c700d3a0fdea6c

SHA256
654f73cf6573c9a05c4dcff4af87b4afc748e557ca9ee682f97bd9404534da24

SHA512
b4f75929d4ad5aa57d7386a2cef5c114db94a6c3ecdf41e611e64ffe74a3dfa8506e7d027e6de14038128bc458b84a78b3e07435081845fdf1f86622d3fd8dce

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
384KB

MD5
e078d644efbab1149e20ec4d4676770b

SHA1
491abd69a2641cbb26f81094e9df40416f8b781a

SHA256
d8ccbac41eabbf933da0a930f3dd5ecee45e8e85ad32b88d373eaba376ba331f

SHA512
32c19b70ea0eb433f996961628bd8e4167edcaf3c4adc766a0c920f6e97ec05b8846728d2ff87fd224337b41533c4f2ce1564f558bd81ab33c46611f893d77f3

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
384KB

MD5
74cc41d351c431a0d0b915555124e7d0

SHA1
0962d6d99fa6560b9c7386af472e62023680dea3

SHA256
63e1114b2099fffdead450533d7407a1c2f6a9dcc8ae2525ba06c48a48e489d1

SHA512
6bcb1b15338319dbe6a32f5beaab66e2836a592a8fd7fb6fe73382bf65e9cc1b361663cd52ee970220e3ada832cb05bf1e37c6da0592084a305dfdbda5c533b4

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
384KB

MD5
54d8769dbb8c06e07783a8c942b50b80

SHA1
a7aa4cb748f2bf66e0cb144ff3ee14e094c214aa

SHA256
e9217970ac2ef37049c375a2bb0d8be7d1381fcb3e5b3ad8b2eb77a1220fc613

SHA512
63b0093ead85005091367f8a021959a7ccdb3ac36e57c3f5266ff476f24f509a2a99afd3c09d9293bcd8716c0a9c0928373b3de67d028fe3881dddfe793877fd

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
384KB

MD5
04fc516eb25ed3bc132e0df7e33eb577

SHA1
ab7336dca50cd3a906030c37273560d2a596320e

SHA256
b142aa9fc82a0ad26b6d13018ed4eaa74b6a326fa94cc7b983257a3c7b826c53

SHA512
bcddc4545fae9dbc4da708bc97fd6fb682e5f0d4987676202028c2965a15e5abade2e7ed38ca1cd2964850882dbc919092dab63da13c24971fdfaba6cb0805c2

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
384KB

MD5
9a47dc48f8f91259e00336214eac78ab

SHA1
7c04c157a0b76310834153d45b73af6ebb4773d8

SHA256
df3b730a6eb1a25266a84f7d6a34aec02991d5105e1b8fe7b6f0d59c91d73918

SHA512
86464487f879f16c35832c9bcda490511584ff0cfa4774261c9c5059db79b8e61e1a8ce830db24c3d3e30c34932912393ac26726ec9fa311f4e8139f5953ee18

Download Submit
C:\Windows\SysWOW64\Doilmc32.exe

Filesize
384KB

MD5
e13942ece25676173f88180ed07c081e

SHA1
3c301ecda035b68a9e4e555808de7d8e6a0188e4

SHA256
11b004b7f0ec977a7091b0abc65ab2440a54ed0b4d87ca888a4607f2504638a6

SHA512
6ebc76cf9667a0a760eceb28338b4a100a5024be95d5395cca9bf26d16dd73556a48c70bff6fc49487923fb222e1a379e96c2a6469c8b2baa560cd70e3a8a976

Download Submit
memory/832-54-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/856-37-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/928-69-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1032-21-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1268-105-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1632-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1632-107-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1632-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1880-101-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2252-61-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3192-77-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3836-45-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3904-9-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3904-106-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4196-93-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4376-29-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4652-85-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads