957ce64f720eb3a1e4fb8da0730c8e72e7d11266690431224efdcb9cd2338a1d

Analysis

max time kernel
100s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 22:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c48c8d6e4ede3a729da845a6ac37f40N.exe
Size

94KB
MD5

7c48c8d6e4ede3a729da845a6ac37f40
SHA1

5f36e2163a8d798dd936c87770b0ec71e969c31f
SHA256

957ce64f720eb3a1e4fb8da0730c8e72e7d11266690431224efdcb9cd2338a1d
SHA512

d3317421f08e5b0e5a958aa73c8807bc1cefbe13114308444d6281097612ae5afca7419ba1a52e2aa6a74a5ffb65a64a234ec25319e058ca30393edda71438ae
SSDEEP

1536:fLNdzkogWZOxMYCbzaHpCFWnF5Cit7BR9L4DT2EnINs:TNdx5FWF5Rt6+ob

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7c48c8d6e4ede3a729da845a6ac37f40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	7c48c8d6e4ede3a729da845a6ac37f40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daconoae.exe

Executes dropped EXE 13 IoCs

pid	Process
4184	Djgjlelk.exe
3656	Dmefhako.exe
2668	Daqbip32.exe
1232	Delnin32.exe
856	Dhkjej32.exe
3836	Dmgbnq32.exe
2104	Daconoae.exe
3840	Dhmgki32.exe
1692	Dkkcge32.exe
2124	Daekdooc.exe
800	Dddhpjof.exe
4288	Dknpmdfc.exe
1104	Dmllipeg.exe

Drops file in System32 directory 39 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	7c48c8d6e4ede3a729da845a6ac37f40N.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	7c48c8d6e4ede3a729da845a6ac37f40N.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	7c48c8d6e4ede3a729da845a6ac37f40N.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3316	1104	WerFault.exe	96

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7c48c8d6e4ede3a729da845a6ac37f40N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe

Modifies registry class 42 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	7c48c8d6e4ede3a729da845a6ac37f40N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	7c48c8d6e4ede3a729da845a6ac37f40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	7c48c8d6e4ede3a729da845a6ac37f40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	7c48c8d6e4ede3a729da845a6ac37f40N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	7c48c8d6e4ede3a729da845a6ac37f40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	7c48c8d6e4ede3a729da845a6ac37f40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhkjej32.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 4184	3596	7c48c8d6e4ede3a729da845a6ac37f40N.exe	84
PID 3596 wrote to memory of 4184	3596	7c48c8d6e4ede3a729da845a6ac37f40N.exe	84
PID 3596 wrote to memory of 4184	3596	7c48c8d6e4ede3a729da845a6ac37f40N.exe	84
PID 4184 wrote to memory of 3656	4184	Djgjlelk.exe	85
PID 4184 wrote to memory of 3656	4184	Djgjlelk.exe	85
PID 4184 wrote to memory of 3656	4184	Djgjlelk.exe	85
PID 3656 wrote to memory of 2668	3656	Dmefhako.exe	86
PID 3656 wrote to memory of 2668	3656	Dmefhako.exe	86
PID 3656 wrote to memory of 2668	3656	Dmefhako.exe	86
PID 2668 wrote to memory of 1232	2668	Daqbip32.exe	87
PID 2668 wrote to memory of 1232	2668	Daqbip32.exe	87
PID 2668 wrote to memory of 1232	2668	Daqbip32.exe	87
PID 1232 wrote to memory of 856	1232	Delnin32.exe	88
PID 1232 wrote to memory of 856	1232	Delnin32.exe	88
PID 1232 wrote to memory of 856	1232	Delnin32.exe	88
PID 856 wrote to memory of 3836	856	Dhkjej32.exe	89
PID 856 wrote to memory of 3836	856	Dhkjej32.exe	89
PID 856 wrote to memory of 3836	856	Dhkjej32.exe	89
PID 3836 wrote to memory of 2104	3836	Dmgbnq32.exe	90
PID 3836 wrote to memory of 2104	3836	Dmgbnq32.exe	90
PID 3836 wrote to memory of 2104	3836	Dmgbnq32.exe	90
PID 2104 wrote to memory of 3840	2104	Daconoae.exe	91
PID 2104 wrote to memory of 3840	2104	Daconoae.exe	91
PID 2104 wrote to memory of 3840	2104	Daconoae.exe	91
PID 3840 wrote to memory of 1692	3840	Dhmgki32.exe	92
PID 3840 wrote to memory of 1692	3840	Dhmgki32.exe	92
PID 3840 wrote to memory of 1692	3840	Dhmgki32.exe	92
PID 1692 wrote to memory of 2124	1692	Dkkcge32.exe	93
PID 1692 wrote to memory of 2124	1692	Dkkcge32.exe	93
PID 1692 wrote to memory of 2124	1692	Dkkcge32.exe	93
PID 2124 wrote to memory of 800	2124	Daekdooc.exe	94
PID 2124 wrote to memory of 800	2124	Daekdooc.exe	94
PID 2124 wrote to memory of 800	2124	Daekdooc.exe	94
PID 800 wrote to memory of 4288	800	Dddhpjof.exe	95
PID 800 wrote to memory of 4288	800	Dddhpjof.exe	95
PID 800 wrote to memory of 4288	800	Dddhpjof.exe	95
PID 4288 wrote to memory of 1104	4288	Dknpmdfc.exe	96
PID 4288 wrote to memory of 1104	4288	Dknpmdfc.exe	96
PID 4288 wrote to memory of 1104	4288	Dknpmdfc.exe	96

C:\Users\Admin\AppData\Local\Temp\7c48c8d6e4ede3a729da845a6ac37f40N.exe
"C:\Users\Admin\AppData\Local\Temp\7c48c8d6e4ede3a729da845a6ac37f40N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Windows\SysWOW64\Djgjlelk.exe
  C:\Windows\system32\Djgjlelk.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4184
- - C:\Windows\SysWOW64\Dmefhako.exe
    C:\Windows\system32\Dmefhako.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3656
  - - C:\Windows\SysWOW64\Daqbip32.exe
      C:\Windows\system32\Daqbip32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1232
      - C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3836
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3840
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:800
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 416
        15⤵
        Program crash
        
        PID:3316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1104 -ip 1104
1⤵
PID:4464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daconoae.exe

Filesize
94KB

MD5
9535889ed9b846cf5c65f6c7f4488774

SHA1
586b19590fc739f53f39ff57b53e2fcb3a21c58b

SHA256
3f0b1157f2739e286fea2d812023a5cef0adba17fe26d717f32b58eff727b8b6

SHA512
6d77afe372c8a1a13a0223163c2dfa7a4517052de2382eb3213ba67139757536bcb745810b8e7e3df08e169d905078b1f8dfceb5b2d8f53614552543eec0798a

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
94KB

MD5
9dfda0765f866a9ad4574a689e1efa54

SHA1
9fee3c4da9235a941b157b16c261c68be833ece5

SHA256
8444fd27127a682f3e8a49c9b8049d48ace924723395b634125d52904e01f2fc

SHA512
adb51c5d299e6186956a378982f43a168a34b1c228bf19f1568cbfb626c37f6cd41a264392dfb99f1d665ad871376b9ce026846be231dd790a8b2be1a1309b7c

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
94KB

MD5
6fd7ac18ef8ab9e3829de849bf550e9e

SHA1
e755a300dbe6317e2ed8444eb0cfffe096750a25

SHA256
404c410a5398d7b4f85cd2299c594da3425c35e339aea8f01f6a3394c85ace73

SHA512
1b7b6522b54e58d126695592cdf7a91e5c0c16b12314cdaad0f6a496d584e71b67fd8a33fb91f7c9d65e1052167c390fc76caaff238ccab52ec4c66bbbaf70d9

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
94KB

MD5
f7edcba3509eab46dfccb51c9b7d70bc

SHA1
62adc272ace889f0a2f9257101537641f847847b

SHA256
80d546e96ee0c987745b9eefc634d7cf4637fe48c06952f150d7ce6042c6a6a3

SHA512
7b51e284af375e0e410f800bde008eee627cabb5d5ecb17d33e52808aa9522044bafc66e6f2c2ba02244c98599c9a1ff11d2523d488ffd798bf2e2951b680e33

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
94KB

MD5
f419e1d35c06369426acfe776d51594c

SHA1
17e365345fe4e57f1665cd39c92fa31470b3f593

SHA256
d0d07af4ccc3129923917e049eb62e3dcad3b4cc0bbef2790fc37ba3e89c3423

SHA512
ef39ab42fb843d6061425800548c4b0360a6edd3616c522e52336729ee71f95599db2e7addcb7880c815f375111980e0498070c6dad909ae75ca10cfd1becb48

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
94KB

MD5
435b91f34bd6d32381742cbf2db475cf

SHA1
c45d948d57cf532e216be963a222f867cb61fb56

SHA256
fd51f1461fbfcdb18056fa459da215db57bcd5c29f8716cb6215b6e9194cf52c

SHA512
f3f477abb7b02052653f20145f09a37136908abf051ccf8095e0e5b036432854d544a51ad9cb7b7da61507ba8efc9eceb8fbc9221709927b7e5eecc11c39b69a

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
94KB

MD5
06ad6ee3b6dd8d2e5141ca81f6edf081

SHA1
c017e2d72b528da56555f17a1d4398c1f5644f20

SHA256
2bcd777607297fc32c670c570c3a9d308fa69dcb26885d0456e25cb53846b21a

SHA512
7956fd4b42175bbd6fb8c1ac53e28611a444f78e6103b80a5dfe958de7c11c742188fd7e96d52745b75dc5f237d6b51d440a325c6cb6f0596e4a136529592828

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
94KB

MD5
2ef02e527e0f911a412b5e7a238c1cd2

SHA1
712aaaa0edfbd01e51b0d50c1d3fa1a97148e581

SHA256
e9ca06161eaec1d8022dc086b496ac5203814d3e640586d87b3f97a3c5c3a20a

SHA512
6ea9a25cf0e0046b6c909b129d96a01b7fac96bc4d25ba53ee7846f576e1e1103cf16c814a64ce2501189141b59cd5d1df94aecd44cea7447e821d9c7ad35bca

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
94KB

MD5
66fa25722ffa2d224d24ac1a2ba2a8fa

SHA1
7887db8dbf31d625f7a5bdc0812400465e796da7

SHA256
93255da03b68228a073e73738d8b73287e6b0c0257c6720d7f5b74aebcfae043

SHA512
794b9f857d147ef57e03f0a7f20c0bc0845d13617992f1bd2d7905e713ab2eb4ba079660e891296f832e96bddde1d33bc71ec18882a5da4afd1c77c6f9cdeae4

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
94KB

MD5
3bf01aed3f23e0dd1b2000a07a5ed2e7

SHA1
48df664f9c6470a4555c1dda2da357c73d0b8bc5

SHA256
7f1845ccf3bef4dc40b9fa817f4ec5d62bc457a3f607533e8ce57f02bbe0c505

SHA512
93288d7662e7036a208609c8267764a90da55769607286a63c6e375316f48183d4b4ae3061e5ad6df1ca6f0eee5fea9ac4f876e6017a7cd589de14f8e3ebf0a9

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
94KB

MD5
7991cb102d571fc7bb99c1548104ce39

SHA1
8c2717702bd3b5833d12ddf8825a488b0b18e5e1

SHA256
f768fee9097d3cf9ac996f1bdae497831ad113136dae98103ca7eae89358cd63

SHA512
052229bcf9a23fdda77b6a0690d88cca1adfa6776f1ff65c86900f55519fc674d5447f5b71e650da4a515fa0f40d3e0a00bf07c95eda2ccc55473ff78cd8ef32

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
94KB

MD5
d878aeee24913ff478d366210963e92c

SHA1
4745890985f3a4cef97296efa455c0a6b02f86c9

SHA256
2ce802869018c38213dc63afd457a71619cebbc65d3f2fe4b19c049b7356fdb4

SHA512
6f5e842df8a26c3a6d0ee643855fbfe955d6ae414fe27bca5a4818991daf3d1f05e24e8d19fe9c8dc07a93c1588938ac1377a3deeb74cbe43661f86d39e04a52

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
94KB

MD5
e90cea01fba61013bfef840aa1333ef4

SHA1
4a682a4bcdcc38f443c225fff77a2a9992d7d8f1

SHA256
8284dd4a9fe36fbc2312b93cd4f520dcfeb1f067cce9a5c4aafc2788ed9b812e

SHA512
2ae588e61f3b09b164b7d517fef24ebf19a3aa8a1808e4453dfcae4188bc2f33fcc4a1d5ae453c27c3358eb5178a76136ceb335e51d0c7eadb89ae7a93431b7f

Download Submit
C:\Windows\SysWOW64\Jbpbca32.dll

Filesize
7KB

MD5
8c0533226ac3e76774c3738db48cb9b1

SHA1
d25c7106ada76e283b7e2142a4aef56331382465

SHA256
120498ef0eb50dafe3123bdf3349a87b3dcb8c7e9cdbd97f3a288f05d39bfb3b

SHA512
d7fb4494e31be90b75fa132118f925d6aa124f17479ceeefabe432ce04519bffce90c4f92dabd0a680959b391b91cc0c147a732912a70fa2ff18eae483550f7d

Download Submit
memory/800-107-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/800-87-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/856-113-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/856-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1104-103-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1104-105-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1232-36-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1692-109-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1692-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2104-111-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2104-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2124-79-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2124-108-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2668-114-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2668-28-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3596-117-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3596-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3656-15-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3656-115-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3836-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3836-112-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3840-110-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3840-63-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4184-116-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4184-12-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4288-106-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4288-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads