Overview

overview

10

Static

static

3

a32c975bac...1c.exe

windows7-x64

10

a32c975bac...1c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/08/2024, 00:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a32c975bac2b49af11cafe699e0a275acad3a5895bd39150baa8bd7a550dc91c.exe

  • Size

    91KB

  • MD5

    0aa1b33c95232ea25918da0c149f9614

  • SHA1

    4d4cb490b1b619a5f7815fb32e80aa280d1fbce6

  • SHA256

    a32c975bac2b49af11cafe699e0a275acad3a5895bd39150baa8bd7a550dc91c

  • SHA512

    4411a0df9860961fbe58f0c66e1f9ee69752729af7bdb0461c297e59d74558b8f03bac7b0753c19708811f63ba3c9ac94cd8be41a3b274e487259fff3f8dc713

  • SSDEEP

    1536:phOTECa6taOoKGGEynSKaGSpRScbYuthBhsVXrYr/viVMi:pF36t/GGEg4GoRSOYOhbCbo/vOMi

Score
10/10
discoverypersistence

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 16 IoCs
    persistence
  • Executes dropped EXE 8 IoCs
  • Drops file in System32 directory 24 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 27 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a32c975bac2b49af11cafe699e0a275acad3a5895bd39150baa8bd7a550dc91c.exe
    "C:\Users\Admin\AppData\Local\Temp\a32c975bac2b49af11cafe699e0a275acad3a5895bd39150baa8bd7a550dc91c.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3764
    • C:\Windows\SysWOW64\Dodbbdbb.exe
      C:\Windows\system32\Dodbbdbb.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:220
      • C:\Windows\SysWOW64\Daconoae.exe
        C:\Windows\system32\Daconoae.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1420
        • C:\Windows\SysWOW64\Ddakjkqi.exe
          C:\Windows\system32\Ddakjkqi.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2156
          • C:\Windows\SysWOW64\Dkkcge32.exe
            C:\Windows\system32\Dkkcge32.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:3308
            • C:\Windows\SysWOW64\Daekdooc.exe
              C:\Windows\system32\Daekdooc.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:4584
              • C:\Windows\SysWOW64\Dhocqigp.exe
                C:\Windows\system32\Dhocqigp.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:4384
                • C:\Windows\SysWOW64\Dgbdlf32.exe
                  C:\Windows\system32\Dgbdlf32.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:4432
                  • C:\Windows\SysWOW64\Dmllipeg.exe
                    C:\Windows\system32\Dmllipeg.exe
                    9⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    PID:1976
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 408
                      10⤵
                      • Program crash
                      PID:1952
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1976 -ip 1976
    1⤵
      PID:4840

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\Daconoae.exe
      Filesize

      91KB

      MD5

      6a82aa3d02eccfd285228fe11d224927

      SHA1

      940f00a95e9f087403786fcf91638d7c6f36881e

      SHA256

      d75ac53ad3d3a6e4bb5453ae1e0a80a973c734bbeba46a2afd56d8b1cc72beba

      SHA512

      958c880444544c056c5c65ec78d5dfdc8c6379470517b4da88936dc82055484ffc17dfbdb6def4d878d170ac8a9f971884fe053b9575dc94f5e62aea32e0a3d9

      Download Submit

    • C:\Windows\SysWOW64\Daekdooc.exe
      Filesize

      91KB

      MD5

      8f8a6d38bd0c61e56a9244c5090a07d5

      SHA1

      fd83b5401034a6a1d29ec47ccb8419971d99bb32

      SHA256

      73a53ede0a6d432c663d598fa267a7d762a4da3719fb74a5cedd237d833c5674

      SHA512

      d3973fd32536515d33e812bb6a124b515d0ef05dd215ec54de34fa279d2c6420391b4833f01ab0849be1b746aa67f0b2f63a7aa2f7c6cd5504be69188bec950f

      Download Submit

    • C:\Windows\SysWOW64\Ddakjkqi.exe
      Filesize

      91KB

      MD5

      b56f9563de37cf6cdfc78220e1b8a6bd

      SHA1

      1e215c55779236a0270fc69ae79ea70684f0320e

      SHA256

      e1729165e13a5a41240bcdcd9547e63fa4688c4c9e076b8d8d9a4d75cafa912f

      SHA512

      f43a0e83572c302b6ab5b97515603ef31f2b93cd4c9c37e5d4ecb7454289dd7b8e6381314474d90abb96defa67a4d89019b3549b46e4c9d43f993d247b667945

      Download Submit

    • C:\Windows\SysWOW64\Dgbdlf32.exe
      Filesize

      91KB

      MD5

      200317a89b9fc2589684337943219eed

      SHA1

      24431f5d5bc747858fd53b6c975e99e058a45f64

      SHA256

      e5f5ac1d52e454a6b9d96bde2dbcd37fbaa080614cc615569fdb26ccf89d0031

      SHA512

      20ff60629eb1f9d6eeb61d1631b77e3632098980a4055916228eafa7eb688a0fff0d3c83d1f13b6d8146f32c7a6b9ccae6006e6fa1fe630d651f73ff48920c35

      Download Submit

    • C:\Windows\SysWOW64\Dhocqigp.exe
      Filesize

      91KB

      MD5

      06adb6284bac7bdfa8882eebb3d895ed

      SHA1

      03741305869ce98b0d65f345ef6f3394e3fd701f

      SHA256

      8c0af4efd61f16419537958c95a39a598cc7229e31937279ee153fb892667fab

      SHA512

      70f5167b3796e8dea63040caf18d5a3334b887b89497d88785ea4422a705e5b716e0612496dab7be6bbbd88eca50b1f3c41c9a9db1e7d7764fbeeed19a783217

      Download Submit

    • C:\Windows\SysWOW64\Dkkcge32.exe
      Filesize

      91KB

      MD5

      4910f4df74427c3cd6b2ec36f26bff1d

      SHA1

      4b3204e70a4d877f0cddd829ee3e60f5ad6edccd

      SHA256

      b93abeb4d08a64692b3064cd71f8dee06eb7d9dbc37c4afdc7ba7eac99c23eb3

      SHA512

      4240e88fca9c3ed61d266173237391821f13c0503b5b21e75010e0795da4f46f43b840c401a373cd08b89dc974ea3a8c4d9f939f2d0603c9df3577db9d098a38

      Download Submit

    • C:\Windows\SysWOW64\Dmllipeg.exe
      Filesize

      91KB

      MD5

      b11ccfe9aa87ef37840318c843b5e21d

      SHA1

      fa55ecfe416d61bfad3ed5d9199fb6d3444d2d22

      SHA256

      f9b6c697d206a43a4935b5e90ace868176ab7fc10e10bab0c3ee811e62a21bcd

      SHA512

      1111fd6eaa3fac4248685c3460b8a6057595af67a8dae34d13f363cb85322ffe7260b072ef9ff9d27fd962017c505c950c9a69a124a71b2cbd8ce27f1df951ec

      Download Submit

    • C:\Windows\SysWOW64\Dodbbdbb.exe
      Filesize

      91KB

      MD5

      9a02dc62056dc978bc653c3e75131551

      SHA1

      7b0d014171de82b7d837f2da5a69193133d0cf50

      SHA256

      2815330d4d640a40ba17f5b30a39d68c2efc684b6486ed30a2aba3bef75cdd60

      SHA512

      f6dce04af80d3ed9635d696e72b7871d244cf5ec16cfc57ae3ff43148ada35511a74d5f8792f6bd582c25dda367f86b9df6ef1c380f7afaddcf4fa4a57c6c572

      Download Submit

    • C:\Windows\SysWOW64\Ohmoom32.dll
      Filesize

      7KB

      MD5

      88e75782878397c9ad3b7ff8481e6727

      SHA1

      73c4f3ae23d66661aef9dd5a39b4fd21c8df94cb

      SHA256

      846b5f436092fb38d7efbbfe05d350c978f804f70dd0be4e265b1a42ca3810f1

      SHA512

      2c23281e558b6fa3ee4e1babf96fc91c572ab76b28dbc7478054036d754db728d103b62be36d97abf63728be0a2d23a5b145a40ccf1c6dfa576ea1fee007d07e

      Download Submit

    • memory/220-72-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/220-7-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/1420-70-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/1420-15-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/1976-65-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/1976-63-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/2156-23-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/2156-69-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/3308-31-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/3308-68-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/3764-73-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/3764-0-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/4384-47-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/4384-67-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/4432-55-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/4432-66-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/4584-39-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/4584-71-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download