96e519c2c1cd14af4e4c77c9c9483ff6db857721173a5d0eb7e18453c8db8c8f

General

Target

7604c20a3857ff7a19951bd340c12820N.exe
Size

256KB
MD5

7604c20a3857ff7a19951bd340c12820
SHA1

b1f4b4c30fb4abd46b58c45895e9b96faca4b0cd
SHA256

96e519c2c1cd14af4e4c77c9c9483ff6db857721173a5d0eb7e18453c8db8c8f
SHA512

4f4d6829f6daf92abf43617a2527208da280866a8f5c45070c2320435d5d6d16ad5dcfb004d3fe58de0e2fe9dad2b0441cfa55158e819ce0e8c9f85fb72ec339
SSDEEP

6144:rT4cDsZ853XBpnTfwNPbAvjDAcXxxXfY09cnEWPDZj:rTGQBpnchWcZj

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7604c20a3857ff7a19951bd340c12820N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	7604c20a3857ff7a19951bd340c12820N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe

Executes dropped EXE 6 IoCs

pid	Process
3972	Ddakjkqi.exe
3620	Dogogcpo.exe
3732	Daekdooc.exe
5036	Dddhpjof.exe
4588	Dhocqigp.exe
4784	Dmllipeg.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	7604c20a3857ff7a19951bd340c12820N.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	7604c20a3857ff7a19951bd340c12820N.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	7604c20a3857ff7a19951bd340c12820N.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
748	4784	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7604c20a3857ff7a19951bd340c12820N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe

Modifies registry class 21 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	7604c20a3857ff7a19951bd340c12820N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	7604c20a3857ff7a19951bd340c12820N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	7604c20a3857ff7a19951bd340c12820N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	7604c20a3857ff7a19951bd340c12820N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	7604c20a3857ff7a19951bd340c12820N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	7604c20a3857ff7a19951bd340c12820N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 3972	2540	7604c20a3857ff7a19951bd340c12820N.exe	84
PID 2540 wrote to memory of 3972	2540	7604c20a3857ff7a19951bd340c12820N.exe	84
PID 2540 wrote to memory of 3972	2540	7604c20a3857ff7a19951bd340c12820N.exe	84
PID 3972 wrote to memory of 3620	3972	Ddakjkqi.exe	85
PID 3972 wrote to memory of 3620	3972	Ddakjkqi.exe	85
PID 3972 wrote to memory of 3620	3972	Ddakjkqi.exe	85
PID 3620 wrote to memory of 3732	3620	Dogogcpo.exe	86
PID 3620 wrote to memory of 3732	3620	Dogogcpo.exe	86
PID 3620 wrote to memory of 3732	3620	Dogogcpo.exe	86
PID 3732 wrote to memory of 5036	3732	Daekdooc.exe	87
PID 3732 wrote to memory of 5036	3732	Daekdooc.exe	87
PID 3732 wrote to memory of 5036	3732	Daekdooc.exe	87
PID 5036 wrote to memory of 4588	5036	Dddhpjof.exe	88
PID 5036 wrote to memory of 4588	5036	Dddhpjof.exe	88
PID 5036 wrote to memory of 4588	5036	Dddhpjof.exe	88
PID 4588 wrote to memory of 4784	4588	Dhocqigp.exe	90
PID 4588 wrote to memory of 4784	4588	Dhocqigp.exe	90
PID 4588 wrote to memory of 4784	4588	Dhocqigp.exe	90

C:\Users\Admin\AppData\Local\Temp\7604c20a3857ff7a19951bd340c12820N.exe
"C:\Users\Admin\AppData\Local\Temp\7604c20a3857ff7a19951bd340c12820N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\SysWOW64\Ddakjkqi.exe
  C:\Windows\system32\Ddakjkqi.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3972
- - C:\Windows\SysWOW64\Dogogcpo.exe
    C:\Windows\system32\Dogogcpo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3620
  - - C:\Windows\SysWOW64\Daekdooc.exe
      C:\Windows\system32\Daekdooc.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3732
    - - C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5036
      - C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 404
        8⤵
        Program crash
        
        PID:748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4784 -ip 4784
1⤵
PID:5012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daekdooc.exe

Filesize
256KB

MD5
096134644ab14f9f3b7e3cef944cd03b

SHA1
df71f24771899e5944b91963f574697af948a8cf

SHA256
974fed52b480e3085e544c39f769c31f4bca47229dd8b6930c84e3f60c900428

SHA512
4c22456ae50236042643478b9f6ee3cc543a55b1a3e04cca8a6288d746fc7870ae72ef8126bf961e9b8a5c6b9ec443fb87dbeb5b55b2f27b8a6deb1725f5d6bf

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
256KB

MD5
6115271333a5885277a6699a889a6662

SHA1
581aee8eef8021352ece33f47c1ed52b5f0e78e8

SHA256
5d702a0be708f3ff690df732432ac5f06dd83030956a51b6c816c0b0593d4359

SHA512
21b7dd7ce1886eb30327416ab52c698515d301d0f6e4a2919717dc56b6dd79e5df05de9e17c70a118bd9a51afdecf570d8c3898986ee5b34c9747140a42630dd

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
256KB

MD5
49fb2a8a5b0dba2be851235aa12806be

SHA1
b4d684c4a9fc4f3ae4b6ccba0a3faa0958afe32b

SHA256
9029a48caea07094acecf4a9206d24c27b3d0ece70afb9c19a3daf689d53826f

SHA512
86ed18c273559a68fbcb3e0ca2f3de931407573f5f738e6a94caf6f5b4dab229a139556352ea8da40ce12c2340899c0fc22608b907b125a473bac5d4505e2ac8

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
256KB

MD5
9948cf51e4b34f35bc335afe08631159

SHA1
fdf506e567e34a155ef08f0197b250a6fc2236c4

SHA256
9f759b9803704de2b1e52f3f088ac98e0527d1c02840f489fa0ee00abfe2565d

SHA512
84c086159c7ef6fcbc456d34ede972b59235ae138374acdb08cd21d35d07f41113533c55c6229ac88bc3509b88ffb1ef64e30b0fc3ff2062f1037c350fa1225c

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
256KB

MD5
fd4b345294abc105acc2720797005553

SHA1
0b4558d66507dbd382025729eccae363b89d49f0

SHA256
eeb1e4d6f93d9f89c5032193431ffad5d7cc672b30fa9836bedc8daad3209f26

SHA512
8429f08358ff87f43b924dc760b672ccaa845f970bb1e778f89f9ab58fbd85eaf4a74b70816daf96323db6b5f41bc38c5f0db298f795294681526d0832883562

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
256KB

MD5
c3f74bc6f2472c32388714a987fd4d91

SHA1
292e139681ed9f37d153b2e7dcb780c7a30b07d7

SHA256
e3685cda74af9c69541069c47bc6e2c782760a704f8c6eb32736236549511dbb

SHA512
91eadc593576bfe557f0ef246bf0f4292a3b38520858a5d56766c7deb862621209fed3f8bde7bbb3bd262af2b6b14381eaa3695a81d2fc0d541db4c06f072f25

Download Submit
memory/2540-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2540-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3620-58-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3620-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3732-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3732-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3972-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3972-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4588-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4588-52-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4784-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4784-51-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5036-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5036-54-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads