3e53b94b20777204cc858e77385c5dd26931e3fba1eab35c9f6c059ea296c344

Analysis

max time kernel
102s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 05:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b34a190d9bf00e751fa37254128159d0N.exe
Size

332KB
MD5

b34a190d9bf00e751fa37254128159d0
SHA1

53c8d3d78db825c3e5f02868e73a44e0188f062e
SHA256

3e53b94b20777204cc858e77385c5dd26931e3fba1eab35c9f6c059ea296c344
SHA512

a9f1b580bd5eeac864d3ef57573a8b5672097321435a80a0aa81b12ca42b77e0007add47c95890bfed25096d91062bc151b615cda4795360aafc88afd0231a63
SSDEEP

6144:vxEYLBND9vv1kLVThr1R6xie8opqXgKTpgtYOWlGmMvkqAlDiyUvpQf4vt74mD5r:vx/Ndv1I1RFpogXnV4MlGN1AlDkvXvtP

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b34a190d9bf00e751fa37254128159d0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	b34a190d9bf00e751fa37254128159d0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe

Executes dropped EXE 10 IoCs

pid	Process
4612	Dfknkg32.exe
4448	Dmefhako.exe
3124	Dfnjafap.exe
1584	Dmgbnq32.exe
1912	Deokon32.exe
916	Dhmgki32.exe
3668	Dmjocp32.exe
3880	Daekdooc.exe
4968	Dhocqigp.exe
2008	Dmllipeg.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	b34a190d9bf00e751fa37254128159d0N.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	b34a190d9bf00e751fa37254128159d0N.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	b34a190d9bf00e751fa37254128159d0N.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1328	2008	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b34a190d9bf00e751fa37254128159d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	b34a190d9bf00e751fa37254128159d0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	b34a190d9bf00e751fa37254128159d0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	b34a190d9bf00e751fa37254128159d0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	b34a190d9bf00e751fa37254128159d0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	b34a190d9bf00e751fa37254128159d0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	b34a190d9bf00e751fa37254128159d0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfnjafap.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 4612	2472	b34a190d9bf00e751fa37254128159d0N.exe	84
PID 2472 wrote to memory of 4612	2472	b34a190d9bf00e751fa37254128159d0N.exe	84
PID 2472 wrote to memory of 4612	2472	b34a190d9bf00e751fa37254128159d0N.exe	84
PID 4612 wrote to memory of 4448	4612	Dfknkg32.exe	85
PID 4612 wrote to memory of 4448	4612	Dfknkg32.exe	85
PID 4612 wrote to memory of 4448	4612	Dfknkg32.exe	85
PID 4448 wrote to memory of 3124	4448	Dmefhako.exe	86
PID 4448 wrote to memory of 3124	4448	Dmefhako.exe	86
PID 4448 wrote to memory of 3124	4448	Dmefhako.exe	86
PID 3124 wrote to memory of 1584	3124	Dfnjafap.exe	87
PID 3124 wrote to memory of 1584	3124	Dfnjafap.exe	87
PID 3124 wrote to memory of 1584	3124	Dfnjafap.exe	87
PID 1584 wrote to memory of 1912	1584	Dmgbnq32.exe	88
PID 1584 wrote to memory of 1912	1584	Dmgbnq32.exe	88
PID 1584 wrote to memory of 1912	1584	Dmgbnq32.exe	88
PID 1912 wrote to memory of 916	1912	Deokon32.exe	89
PID 1912 wrote to memory of 916	1912	Deokon32.exe	89
PID 1912 wrote to memory of 916	1912	Deokon32.exe	89
PID 916 wrote to memory of 3668	916	Dhmgki32.exe	90
PID 916 wrote to memory of 3668	916	Dhmgki32.exe	90
PID 916 wrote to memory of 3668	916	Dhmgki32.exe	90
PID 3668 wrote to memory of 3880	3668	Dmjocp32.exe	91
PID 3668 wrote to memory of 3880	3668	Dmjocp32.exe	91
PID 3668 wrote to memory of 3880	3668	Dmjocp32.exe	91
PID 3880 wrote to memory of 4968	3880	Daekdooc.exe	93
PID 3880 wrote to memory of 4968	3880	Daekdooc.exe	93
PID 3880 wrote to memory of 4968	3880	Daekdooc.exe	93
PID 4968 wrote to memory of 2008	4968	Dhocqigp.exe	94
PID 4968 wrote to memory of 2008	4968	Dhocqigp.exe	94
PID 4968 wrote to memory of 2008	4968	Dhocqigp.exe	94

C:\Users\Admin\AppData\Local\Temp\b34a190d9bf00e751fa37254128159d0N.exe
"C:\Users\Admin\AppData\Local\Temp\b34a190d9bf00e751fa37254128159d0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Windows\SysWOW64\Dfknkg32.exe
  C:\Windows\system32\Dfknkg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4612
- - C:\Windows\SysWOW64\Dmefhako.exe
    C:\Windows\system32\Dmefhako.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4448
  - - C:\Windows\SysWOW64\Dfnjafap.exe
      C:\Windows\system32\Dfnjafap.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3124
    - - C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1584
      - C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 408
        12⤵
        Program crash
        
        PID:1328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2008 -ip 2008
1⤵
PID:1056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Amfoeb32.dll

Filesize
7KB

MD5
793610905252d13a9b9a2d772a05c90c

SHA1
8881e978e07dc13729d996c526510a74b9f5a109

SHA256
50eb8eb5bd607aa178bad1c5d675c78ad232195a718bb1fa77405a1b80dda968

SHA512
ae44d7c37bae107b5abdd51ac636c9a79dc6285a75004ff390468fdb5a70f52e413635a6987cb8d369f0fb81ae507509d5d2719611a3b2e4e435dd5b0fa1b8ab

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
332KB

MD5
a387791feedbf9e7aac5fddd7079c266

SHA1
b8748b8153a88b18d8f10c906e044711a765fa4d

SHA256
519be71a864c2df4a3579312648a1f14597904b4c1258cb13562d7b5c29c9efd

SHA512
5d1b1f0ab9816a4df220fbf567cf52856d9ccdcee2ac332a574d78209edb29bf9b6c43d5ca7e88ff8b1199b7210c37a35a43a6284dcaced5ddeb2a9d096704c1

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
332KB

MD5
5971a476137f425ce350a5c317580dc0

SHA1
81a010981a2471406d1862e95a08d55b4ce53f20

SHA256
86fc4fe919c893598d47f1b31e611f3535cfca44ff40a430b733313c0851c906

SHA512
4262d2a40a3588e940f75f05e0e00d0e0f8dccfc0d99a3b0b1bd240064562c9f835d80c45407ee26f87b86357915a7418fb1ee5b5b815972964d684be235469c

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
332KB

MD5
24ac71c881e34ec4ff94d36e4eef5dfd

SHA1
5e7e96b9b2bc1d632c503f305e3a80c09c5a687d

SHA256
a120572a550846c3d9b23c71f702718fbe851f3e34b00f05d7f2c7b26174e77d

SHA512
30315ae7bf66f5280a38b76f0c8b9c721301e68fc36965420ba9c08871c5f8f9dc9dd27d336ffaa24e188b202e4730710b63e985e4e36ce8ddbc3ac0e53431bd

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
332KB

MD5
f0044046ef4521f61c792701d976031f

SHA1
f325e5a0eede987d797f66af6bf443563f9b4add

SHA256
ae7c9840a6eefb6bfd3cedfa56e6c5a0fb290894275f5a7fffa9b92fe6059999

SHA512
6e7a5cd63c7e76092851f394c11e05fb993ed6703952ce0715076e12821e542bdfea7d7cdde2d926e5e1ac3ceae118ba43698755473e00cc1f2b0edd056cb53d

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
332KB

MD5
ccb9bd4bcbd435960930a98dacb365ad

SHA1
b07b4b58f8be6443a525510cda13c40ca2d7312a

SHA256
d500da3b0fa33c669a6f7cb5c2dd341898288f4ed38ccd75eba8d9b2009c8fb0

SHA512
4e50d9453d477f618e57b0f4ed1af6ec302987f904403e342e67993af8e6e73fe857c192a4c3b96189b4feb8a09daab157630f2430411979f233f881e30a4bb0

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
332KB

MD5
af34a78a8dc0c4cb46f71b27bea24021

SHA1
f696100357600c5fda8fb56781e2635cf6a62e7b

SHA256
a75e64ad7d8082c46bb7e142cc2a87b72a8e6a063e2facd172921e7dc3b6e623

SHA512
d925ab2718fe9deb79f2255a11a519a786b255dad5ba619a26f61e35d334b43bdd9dfad06655b0070ffe183839db3c9a6411bda33fddbd0ea934fc76d39539f5

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
332KB

MD5
7938f80187d8ebd1d8c82c7d251bfee2

SHA1
7b440745f7e69d60906693922f8899a3802b487e

SHA256
1052d3826345451ffff039d541fe492fed1fcf6ddc44fb0914f51219ee2aeacf

SHA512
fa5c2ce232350d42b575c89d948b3d94cfa766b9845e9d2690b4d1f522511a88375881a5b1657482d9dda854fdf5d91c8ee542b194a652f2e438a2a757871693

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
332KB

MD5
2a6d187fcbe27499e14f331966cedbcb

SHA1
ca4c96aec9c09cac24008014e9326132abf2568c

SHA256
50c9720ba8de56655174a94d6d327caea04ada222b73bbc7d7ae58d60ffa2ba8

SHA512
10224c8e3cfc1afc301c07c21fc15158873b9f5b8d91f7acb11225ea59f73d751b65340995391a45650f9523f9e0237d06a3f51dfd3d570c0e77426a20629395

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
332KB

MD5
e21f35270c480785fb85405e657d3c6d

SHA1
7e4a799354c63a7f12de548d76b6dfc81487d357

SHA256
4eaee60d767803d7cf85f988e37dc64260f4497d7b6b8cc87b43238e68790f82

SHA512
5d25c4777e65dc8bf9e5a13d2a8d12a7da53f1e7355746dd2889955dab72502b82d345428dacc28abc5c734c317cc86e93049fbc8fe8649e9d630b7c9f4a66d5

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
332KB

MD5
978e01a4ea5ee2cfd439807f81f9e43b

SHA1
516fa94c1850ed484386680f7d681d67a1c6fb74

SHA256
31acc9d8cb0a767bd083d617b36dfbf37bc8a302bc2e6ecf0a1d26fca553be4e

SHA512
f582965992c9668edac99ff0474f39d7ce795295f87f62039bb13819110ad91cfa4ba8b2b320333a4452da4a879c748dc25ec5c49c4860b843f3572ef12bd614

Download Submit
memory/916-47-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/916-85-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1584-31-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1584-87-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1912-86-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1912-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2008-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2008-81-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2472-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2472-91-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3124-23-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3124-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3668-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3668-84-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3880-63-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3880-83-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4448-15-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4448-89-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4612-90-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4612-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4968-71-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4968-82-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads