eabad7818644e5dd1d42d59a578f3db877fa4bae27ffa31edc1c08b16c3dd950

General

Target

c63c3023b89b4c80b6d2ec0aeb3e79a0N.exe
Size

246KB
MD5

c63c3023b89b4c80b6d2ec0aeb3e79a0
SHA1

1e9727e2d09436f07f0486676cb9a24f8bc2abdc
SHA256

eabad7818644e5dd1d42d59a578f3db877fa4bae27ffa31edc1c08b16c3dd950
SHA512

d8e9a3f82eaa8356323408097be468977071c5ff9c5cc26a2bd4b5fff0475feff7ee89f69c67613512528fbbe934a5c482bfb05ad2199d89af8b8a96a2190d56
SSDEEP

3072:dhMQCnqbgf9lSBnTOh2B1xdLm102VZjuajDMyap9jCyFsWteYCWS3OF9HqoX:dG9l2TOh2B1xBm102VQlterS9HrX

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c63c3023b89b4c80b6d2ec0aeb3e79a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c63c3023b89b4c80b6d2ec0aeb3e79a0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe

Executes dropped EXE 5 IoCs

pid	Process
4728	Deokon32.exe
400	Dogogcpo.exe
3924	Daekdooc.exe
1832	Dknpmdfc.exe
3108	Dmllipeg.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	c63c3023b89b4c80b6d2ec0aeb3e79a0N.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	c63c3023b89b4c80b6d2ec0aeb3e79a0N.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	c63c3023b89b4c80b6d2ec0aeb3e79a0N.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Deokon32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1424	3108	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c63c3023b89b4c80b6d2ec0aeb3e79a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 18 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	c63c3023b89b4c80b6d2ec0aeb3e79a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	c63c3023b89b4c80b6d2ec0aeb3e79a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	c63c3023b89b4c80b6d2ec0aeb3e79a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	c63c3023b89b4c80b6d2ec0aeb3e79a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	c63c3023b89b4c80b6d2ec0aeb3e79a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	c63c3023b89b4c80b6d2ec0aeb3e79a0N.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 4728	2532	c63c3023b89b4c80b6d2ec0aeb3e79a0N.exe	84
PID 2532 wrote to memory of 4728	2532	c63c3023b89b4c80b6d2ec0aeb3e79a0N.exe	84
PID 2532 wrote to memory of 4728	2532	c63c3023b89b4c80b6d2ec0aeb3e79a0N.exe	84
PID 4728 wrote to memory of 400	4728	Deokon32.exe	85
PID 4728 wrote to memory of 400	4728	Deokon32.exe	85
PID 4728 wrote to memory of 400	4728	Deokon32.exe	85
PID 400 wrote to memory of 3924	400	Dogogcpo.exe	86
PID 400 wrote to memory of 3924	400	Dogogcpo.exe	86
PID 400 wrote to memory of 3924	400	Dogogcpo.exe	86
PID 3924 wrote to memory of 1832	3924	Daekdooc.exe	87
PID 3924 wrote to memory of 1832	3924	Daekdooc.exe	87
PID 3924 wrote to memory of 1832	3924	Daekdooc.exe	87
PID 1832 wrote to memory of 3108	1832	Dknpmdfc.exe	88
PID 1832 wrote to memory of 3108	1832	Dknpmdfc.exe	88
PID 1832 wrote to memory of 3108	1832	Dknpmdfc.exe	88

C:\Users\Admin\AppData\Local\Temp\c63c3023b89b4c80b6d2ec0aeb3e79a0N.exe
"C:\Users\Admin\AppData\Local\Temp\c63c3023b89b4c80b6d2ec0aeb3e79a0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Windows\SysWOW64\Deokon32.exe
  C:\Windows\system32\Deokon32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4728
- - C:\Windows\SysWOW64\Dogogcpo.exe
    C:\Windows\system32\Dogogcpo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:400
  - - C:\Windows\SysWOW64\Daekdooc.exe
      C:\Windows\system32\Daekdooc.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3924
    - - C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1832
      - C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 404
        7⤵
        Program crash
        
        PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3108 -ip 3108
1⤵
PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daekdooc.exe

Filesize
246KB

MD5
3168aa522585185ef1b320d693b13f78

SHA1
06da8cc2b1819a6b365ccf233073a02545535861

SHA256
29115c03b665ed60e6dcfa2ee601c1dbca5b47d01c273e31b5329cf4c0fd2200

SHA512
86bb5a80f8dfc0a83e12e675158c7c28d67611db4bcb3966440c1c5614cef09b01a5125a7330ed41814ae0d502d42f6f29db29dbadbf127df7731f94d9fa580a

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
246KB

MD5
081de70c9a31c4a9ad3487521da66ac3

SHA1
668a974743504d320283a04fac3a4a369b84deb8

SHA256
d97dad40b2a88b5cfb2cda8b3df15efe51af5d9ccb9b2487be4c76ae10962e1e

SHA512
52d19f7b262521e182a223a8e72a49875cf516420205fb972cb93b5b54cc31d70548587a318f42c0529819355256b8a9adc106dd317e9ea8fa0681fd97c53aba

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
246KB

MD5
15adeedbeab09de3971c8ad0171720af

SHA1
a0f2a3bbbcb46e36c659dfca48ff1680d8cdcda0

SHA256
d60e4e371d74ce0000abc2d8159c312af7dcb4d372615bfec6902af4a4e452e3

SHA512
dfc9454a5b6519141afd2cf41f9fffe644bf821ac9b0231500643246fc87dfa929cadd80453548eb1b0360d4d960da750158a804b41c7dd5f7a03772c63d7a35

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
246KB

MD5
df8dba78fdd7fe9edf4eb0854ea93fd3

SHA1
28c220692eff95298fc73c692da5b9c00bb7da31

SHA256
8b1b3577fc5d4d4a27d3191153b163d2a0cda6a27149026ecac1d77e18351e25

SHA512
aef697341b732c0398b5632147847b4252b29b7cd67ebf68486a8e66cff6dfa98af42f8d7a437707fe89f528c8afa33c1d5ca84c15e80316a12ade36202db847

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
246KB

MD5
39ae6a458e88d465511f94fdb5d7aac2

SHA1
fca4660fbf338081b3de9469d6dd9ad78ddec076

SHA256
8c01033e5f1e82aa2388d3d13f5db7e890fb59169c1a1be5737d6c424274cc6b

SHA512
841e5a9fef4b0f5448cdae96c90c69c9038b746be93741a016bc3a13b112d2b211c8d5b72f30f1c3ce992749131c593f651ef5deca1b5fbc2de62ad9580d4855

Download Submit
memory/400-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/400-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1832-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1832-46-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2532-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2532-53-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2532-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3108-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3108-43-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3924-47-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3924-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4728-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4728-51-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads