d3fc03c8f034843b226ffacffed9f984922926c2c24b070237c77f539b6205e5

Analysis

max time kernel
122s
max time network
128s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
25-08-2024 05:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3fc03c8f034843b226ffacffed9f984922926c2c24b070237c77f539b6205e5.exe
Size

91KB
MD5

2edd69b50e9a645f95c856d37d1c258f
SHA1

c32ec0e0a30751cf1626cca76de100b50ba6e925
SHA256

d3fc03c8f034843b226ffacffed9f984922926c2c24b070237c77f539b6205e5
SHA512

7619a2944f5ea559f322fdff8a5aada6b3648fd082d23b3e72c9f5c90ae34f989d01192896ccdfbb2e53af7b084e5fceee7ad92bb949d519505318f806943cca
SSDEEP

1536:xCkkmgVNWiEmtQzEXcXtqKHiIjjbD6BpYo+/Lc/DVXqYYr/viVMi:xCkkmuhk3CUbMx+zc/p6Yo/vOMi

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	d3fc03c8f034843b226ffacffed9f984922926c2c24b070237c77f539b6205e5.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdpdnpif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdpdnpif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djafaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddkgbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkjhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Egcfdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpgecq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddkgbc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfkclf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d3fc03c8f034843b226ffacffed9f984922926c2c24b070237c77f539b6205e5.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egcfdn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekghcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Epeajo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpgecq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djafaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfkclf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkjhjm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgqion32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgqion32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebockkal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ebockkal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ekghcq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epeajo32.exe

Executes dropped EXE 12 IoCs

pid	Process
2808	Cdpdnpif.exe
2796	Cpgecq32.exe
2772	Djafaf32.exe
2604	Ddkgbc32.exe
1976	Dfkclf32.exe
572	Dkjhjm32.exe
1988	Dgqion32.exe
2108	Egcfdn32.exe
2900	Ebockkal.exe
1456	Ekghcq32.exe
2172	Epeajo32.exe
2012	Flnndp32.exe

Loads dropped DLL 28 IoCs

pid	Process
2732	d3fc03c8f034843b226ffacffed9f984922926c2c24b070237c77f539b6205e5.exe
2732	d3fc03c8f034843b226ffacffed9f984922926c2c24b070237c77f539b6205e5.exe
2808	Cdpdnpif.exe
2808	Cdpdnpif.exe
2796	Cpgecq32.exe
2796	Cpgecq32.exe
2772	Djafaf32.exe
2772	Djafaf32.exe
2604	Ddkgbc32.exe
2604	Ddkgbc32.exe
1976	Dfkclf32.exe
1976	Dfkclf32.exe
572	Dkjhjm32.exe
572	Dkjhjm32.exe
1988	Dgqion32.exe
1988	Dgqion32.exe
2108	Egcfdn32.exe
2108	Egcfdn32.exe
2900	Ebockkal.exe
2900	Ebockkal.exe
1456	Ekghcq32.exe
1456	Ekghcq32.exe
2172	Epeajo32.exe
2172	Epeajo32.exe
1928	WerFault.exe
1928	WerFault.exe
1928	WerFault.exe
1928	WerFault.exe

Drops file in System32 directory 36 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Djafaf32.exe	Cpgecq32.exe
File created	C:\Windows\SysWOW64\Ejnbekph.dll	Ddkgbc32.exe
File opened for modification	C:\Windows\SysWOW64\Dfkclf32.exe	Ddkgbc32.exe
File opened for modification	C:\Windows\SysWOW64\Dkjhjm32.exe	Dfkclf32.exe
File created	C:\Windows\SysWOW64\Khqplf32.dll	Dfkclf32.exe
File opened for modification	C:\Windows\SysWOW64\Dgqion32.exe	Dkjhjm32.exe
File opened for modification	C:\Windows\SysWOW64\Ebockkal.exe	Egcfdn32.exe
File created	C:\Windows\SysWOW64\Flnndp32.exe	Epeajo32.exe
File created	C:\Windows\SysWOW64\Aankboko.dll	d3fc03c8f034843b226ffacffed9f984922926c2c24b070237c77f539b6205e5.exe
File created	C:\Windows\SysWOW64\Baboljno.dll	Djafaf32.exe
File created	C:\Windows\SysWOW64\Onndkg32.dll	Epeajo32.exe
File opened for modification	C:\Windows\SysWOW64\Cpgecq32.exe	Cdpdnpif.exe
File created	C:\Windows\SysWOW64\Lbogaf32.dll	Cpgecq32.exe
File created	C:\Windows\SysWOW64\Epeajo32.exe	Ekghcq32.exe
File created	C:\Windows\SysWOW64\Ebockkal.exe	Egcfdn32.exe
File created	C:\Windows\SysWOW64\Hehaja32.dll	Ebockkal.exe
File opened for modification	C:\Windows\SysWOW64\Cdpdnpif.exe	d3fc03c8f034843b226ffacffed9f984922926c2c24b070237c77f539b6205e5.exe
File created	C:\Windows\SysWOW64\Ddkgbc32.exe	Djafaf32.exe
File created	C:\Windows\SysWOW64\Dfkclf32.exe	Ddkgbc32.exe
File created	C:\Windows\SysWOW64\Ekghcq32.exe	Ebockkal.exe
File opened for modification	C:\Windows\SysWOW64\Epeajo32.exe	Ekghcq32.exe
File created	C:\Windows\SysWOW64\Eomohejp.dll	Ekghcq32.exe
File created	C:\Windows\SysWOW64\Cdpdnpif.exe	d3fc03c8f034843b226ffacffed9f984922926c2c24b070237c77f539b6205e5.exe
File opened for modification	C:\Windows\SysWOW64\Ddkgbc32.exe	Djafaf32.exe
File opened for modification	C:\Windows\SysWOW64\Djafaf32.exe	Cpgecq32.exe
File created	C:\Windows\SysWOW64\Dkjhjm32.exe	Dfkclf32.exe
File created	C:\Windows\SysWOW64\Dgqion32.exe	Dkjhjm32.exe
File opened for modification	C:\Windows\SysWOW64\Egcfdn32.exe	Dgqion32.exe
File opened for modification	C:\Windows\SysWOW64\Ekghcq32.exe	Ebockkal.exe
File opened for modification	C:\Windows\SysWOW64\Flnndp32.exe	Epeajo32.exe
File created	C:\Windows\SysWOW64\Cpgecq32.exe	Cdpdnpif.exe
File created	C:\Windows\SysWOW64\Kglenb32.dll	Cdpdnpif.exe
File created	C:\Windows\SysWOW64\Cpokpklp.dll	Dgqion32.exe
File created	C:\Windows\SysWOW64\Bdnnjcdh.dll	Egcfdn32.exe
File created	C:\Windows\SysWOW64\Elfkmcdp.dll	Dkjhjm32.exe
File created	C:\Windows\SysWOW64\Egcfdn32.exe	Dgqion32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1928	2012	WerFault.exe	41

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egcfdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddkgbc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epeajo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdpdnpif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djafaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfkclf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekghcq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpgecq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkjhjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgqion32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebockkal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flnndp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3fc03c8f034843b226ffacffed9f984922926c2c24b070237c77f539b6205e5.exe

Modifies registry class 39 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	d3fc03c8f034843b226ffacffed9f984922926c2c24b070237c77f539b6205e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kglenb32.dll"	Cdpdnpif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpgecq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkjhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgqion32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eomohejp.dll"	Ekghcq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	d3fc03c8f034843b226ffacffed9f984922926c2c24b070237c77f539b6205e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aankboko.dll"	d3fc03c8f034843b226ffacffed9f984922926c2c24b070237c77f539b6205e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejnbekph.dll"	Ddkgbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkjhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onndkg32.dll"	Epeajo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdpdnpif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdpdnpif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddkgbc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfkclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfkclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehaja32.dll"	Ebockkal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpgecq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbogaf32.dll"	Cpgecq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djafaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ebockkal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ekghcq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	d3fc03c8f034843b226ffacffed9f984922926c2c24b070237c77f539b6205e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgqion32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpokpklp.dll"	Dgqion32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Egcfdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ekghcq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	d3fc03c8f034843b226ffacffed9f984922926c2c24b070237c77f539b6205e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	d3fc03c8f034843b226ffacffed9f984922926c2c24b070237c77f539b6205e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baboljno.dll"	Djafaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khqplf32.dll"	Dfkclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elfkmcdp.dll"	Dkjhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djafaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddkgbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdnnjcdh.dll"	Egcfdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Egcfdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ebockkal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Epeajo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Epeajo32.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2808	2732	d3fc03c8f034843b226ffacffed9f984922926c2c24b070237c77f539b6205e5.exe	30
PID 2732 wrote to memory of 2808	2732	d3fc03c8f034843b226ffacffed9f984922926c2c24b070237c77f539b6205e5.exe	30
PID 2732 wrote to memory of 2808	2732	d3fc03c8f034843b226ffacffed9f984922926c2c24b070237c77f539b6205e5.exe	30
PID 2732 wrote to memory of 2808	2732	d3fc03c8f034843b226ffacffed9f984922926c2c24b070237c77f539b6205e5.exe	30
PID 2808 wrote to memory of 2796	2808	Cdpdnpif.exe	31
PID 2808 wrote to memory of 2796	2808	Cdpdnpif.exe	31
PID 2808 wrote to memory of 2796	2808	Cdpdnpif.exe	31
PID 2808 wrote to memory of 2796	2808	Cdpdnpif.exe	31
PID 2796 wrote to memory of 2772	2796	Cpgecq32.exe	32
PID 2796 wrote to memory of 2772	2796	Cpgecq32.exe	32
PID 2796 wrote to memory of 2772	2796	Cpgecq32.exe	32
PID 2796 wrote to memory of 2772	2796	Cpgecq32.exe	32
PID 2772 wrote to memory of 2604	2772	Djafaf32.exe	33
PID 2772 wrote to memory of 2604	2772	Djafaf32.exe	33
PID 2772 wrote to memory of 2604	2772	Djafaf32.exe	33
PID 2772 wrote to memory of 2604	2772	Djafaf32.exe	33
PID 2604 wrote to memory of 1976	2604	Ddkgbc32.exe	34
PID 2604 wrote to memory of 1976	2604	Ddkgbc32.exe	34
PID 2604 wrote to memory of 1976	2604	Ddkgbc32.exe	34
PID 2604 wrote to memory of 1976	2604	Ddkgbc32.exe	34
PID 1976 wrote to memory of 572	1976	Dfkclf32.exe	35
PID 1976 wrote to memory of 572	1976	Dfkclf32.exe	35
PID 1976 wrote to memory of 572	1976	Dfkclf32.exe	35
PID 1976 wrote to memory of 572	1976	Dfkclf32.exe	35
PID 572 wrote to memory of 1988	572	Dkjhjm32.exe	36
PID 572 wrote to memory of 1988	572	Dkjhjm32.exe	36
PID 572 wrote to memory of 1988	572	Dkjhjm32.exe	36
PID 572 wrote to memory of 1988	572	Dkjhjm32.exe	36
PID 1988 wrote to memory of 2108	1988	Dgqion32.exe	37
PID 1988 wrote to memory of 2108	1988	Dgqion32.exe	37
PID 1988 wrote to memory of 2108	1988	Dgqion32.exe	37
PID 1988 wrote to memory of 2108	1988	Dgqion32.exe	37
PID 2108 wrote to memory of 2900	2108	Egcfdn32.exe	38
PID 2108 wrote to memory of 2900	2108	Egcfdn32.exe	38
PID 2108 wrote to memory of 2900	2108	Egcfdn32.exe	38
PID 2108 wrote to memory of 2900	2108	Egcfdn32.exe	38
PID 2900 wrote to memory of 1456	2900	Ebockkal.exe	39
PID 2900 wrote to memory of 1456	2900	Ebockkal.exe	39
PID 2900 wrote to memory of 1456	2900	Ebockkal.exe	39
PID 2900 wrote to memory of 1456	2900	Ebockkal.exe	39
PID 1456 wrote to memory of 2172	1456	Ekghcq32.exe	40
PID 1456 wrote to memory of 2172	1456	Ekghcq32.exe	40
PID 1456 wrote to memory of 2172	1456	Ekghcq32.exe	40
PID 1456 wrote to memory of 2172	1456	Ekghcq32.exe	40
PID 2172 wrote to memory of 2012	2172	Epeajo32.exe	41
PID 2172 wrote to memory of 2012	2172	Epeajo32.exe	41
PID 2172 wrote to memory of 2012	2172	Epeajo32.exe	41
PID 2172 wrote to memory of 2012	2172	Epeajo32.exe	41
PID 2012 wrote to memory of 1928	2012	Flnndp32.exe	42
PID 2012 wrote to memory of 1928	2012	Flnndp32.exe	42
PID 2012 wrote to memory of 1928	2012	Flnndp32.exe	42
PID 2012 wrote to memory of 1928	2012	Flnndp32.exe	42

C:\Users\Admin\AppData\Local\Temp\d3fc03c8f034843b226ffacffed9f984922926c2c24b070237c77f539b6205e5.exe
"C:\Users\Admin\AppData\Local\Temp\d3fc03c8f034843b226ffacffed9f984922926c2c24b070237c77f539b6205e5.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\SysWOW64\Cdpdnpif.exe
  C:\Windows\system32\Cdpdnpif.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\SysWOW64\Cpgecq32.exe
    C:\Windows\system32\Cpgecq32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\SysWOW64\Djafaf32.exe
      C:\Windows\system32\Djafaf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2772
    - - C:\Windows\SysWOW64\Ddkgbc32.exe
        
        C:\Windows\system32\Ddkgbc32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2604
      - C:\Windows\SysWOW64\Dfkclf32.exe
        
        C:\Windows\system32\Dfkclf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Dkjhjm32.exe
        
        C:\Windows\system32\Dkjhjm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:572
        
        C:\Windows\SysWOW64\Dgqion32.exe
        
        C:\Windows\system32\Dgqion32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Egcfdn32.exe
        
        C:\Windows\system32\Egcfdn32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Ebockkal.exe
        
        C:\Windows\system32\Ebockkal.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Ekghcq32.exe
        
        C:\Windows\system32\Ekghcq32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\SysWOW64\Epeajo32.exe
        
        C:\Windows\system32\Epeajo32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\Flnndp32.exe
        
        C:\Windows\system32\Flnndp32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 140
        14⤵
        Loads dropped DLL
        Program crash
        
        PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ejnbekph.dll

Filesize
7KB

MD5
ce59a9b6f1a5e20e2b17d52086a895c0

SHA1
4d1acd53194122ce933d935f733b7f0258cb7ad3

SHA256
23e1b8f64ebff45bb32c8f56342c21a73996947f18003e9f900366511ce9b20e

SHA512
f75bd6da11cd9d5f813f4424ee15a7831bf09c75a40091df66b7f8c8aff1d2307008b7b95b2822cee09641111fd2659d9d389962764c3c6f3128139a18c97ef3

Download Submit
\Windows\SysWOW64\Cdpdnpif.exe

Filesize
91KB

MD5
4d906540484e566a4de485fba5373d5d

SHA1
2b97813588075a982cde5d099f0c2acba43ebd68

SHA256
0bcf76774ae259766a263512940a03dddf9abbce51d9e509f60493e46fd07416

SHA512
03706a6bd84b47073a401af3471479df6a82e98a60e456f29f500c7a7b408b807e1e05b8fa1a1def8f919c19166dc0056f166ac6354ca1c92e94919e393f7725

Download Submit
\Windows\SysWOW64\Cpgecq32.exe

Filesize
91KB

MD5
2582a1ac7e80ade96baceab9c5d13e7e

SHA1
99eea28a7feaa5432faefb5ac3aa561e4bdd0a2d

SHA256
57cf8dc6eb2ff66c87a8b72d94a070b70e8d6907ad7883fee214ee2a63e3091d

SHA512
c04616221b6ff23de4381a6cee0358764b76e0d88330b568fe671a7c2c1fb5127a64780599f09b6dcd35ee4dccfea134d29dea3b63816c4413eb9c39f5b995d1

Download Submit
\Windows\SysWOW64\Ddkgbc32.exe

Filesize
91KB

MD5
d0ba5bcdbf0f6faa42a079c85e2c8246

SHA1
7ffd12ed952c978ac857e33295cf228ad6cfc55e

SHA256
99b03f2ee840e638f6720a19b8847fa928f7e70e76ba83c0b6ec4e99bf9cdfca

SHA512
c0cc8fc991b57df0164cb44364bdc6d250d723339f3e8fb72d16794fc1952aa7c355359a305202a9dc2a95c13371e4d67c6fa75be51eba09698f71708dc5927e

Download Submit
\Windows\SysWOW64\Dfkclf32.exe

Filesize
91KB

MD5
e07ee792b682dd13f14ebd75b06aade8

SHA1
0036a4ded95bff4db34368e3591245bb73af402a

SHA256
3d14fa1f5714579e63f63a94d4298206d607c9e904d55b898cf47acf9c1dd589

SHA512
e552e61b55456d8a32bdb033133818823a2105e708e287f1670d87faad09c00ea3c7287f3f38f748202934e5f61ccd7e226d5d5fb4ee3e51394a8709ae18bd7f

Download Submit
\Windows\SysWOW64\Dgqion32.exe

Filesize
91KB

MD5
588ffa154612cffdb259ca487487bd7b

SHA1
b9bb37b76f19680699323f0e922ca676c6dad9b1

SHA256
2286fa513acb2234f79df13d0d3226776b7aa2a2dff61e9468e6b1680c8ba344

SHA512
f2dbbeee2fafd8c4e82bed3813c34da53e03d8c89c7a1119713837fb368c1652f5eaa91fef50ba013e1113f2e4df53efa7ee988cf8a8f4527fd3677f6b682e8c

Download Submit
\Windows\SysWOW64\Djafaf32.exe

Filesize
91KB

MD5
c053415a9823e0d54d35a87580ec3441

SHA1
7e0bcc3e18265c91d75101870d25727efad61c93

SHA256
87285d2517eb3f25a1e5da8e2c737901181f3d968be9bfc780f99e8049efe85e

SHA512
5578f6fe08e25927f5bec26b524312f495f0f7967cb517aea753acb6cbec540ead12817fe4b35fbfc0e5459cf3aa845434a7d38c0d29320bb9b4eb4e6e6846ee

Download Submit
\Windows\SysWOW64\Dkjhjm32.exe

Filesize
91KB

MD5
2de8e6d43656919564962d978b5e8daa

SHA1
8ea83d7fd488b9236e563e064269b0834994b9a7

SHA256
6a56afd0859816a7c3a834d86d26c91d42bd7535bcf04f51144c187a3f070be0

SHA512
cd905199e76e64a7f24fac69f6e1de737b1367b5604c739a01816088a1995ffeba8a79c60a1ad2466099d82465b37c625fef706378c9830e3951394ef9c191cc

Download Submit
\Windows\SysWOW64\Ebockkal.exe

Filesize
91KB

MD5
86348f8950f5a6ac1d674dca6e681390

SHA1
a2b3a7f84d0840e2eb03940c53e70d382c718afb

SHA256
9f8fdfd7fb35c97e2cc1414c8ca9a63da30c32eb8a9393547b90ad6cfcb3c0e7

SHA512
571cd5cda50ad57af48d3ad8ae89fb2025d5701b99b664d6bdcea3e95d6a2ec23e7db5ab9409bb342799ce11be7f3ffb5c1997fb819e40b30789b4121a013c5a

Download Submit
\Windows\SysWOW64\Egcfdn32.exe

Filesize
91KB

MD5
a6e35cefcd1374e9beb56599fc766143

SHA1
a96a995d73dea50c3327845013ab539fa06ec8d0

SHA256
83b5981070f8943679271f93555818829db0ee1bd0afd891c1ed85d5a05c4310

SHA512
63fb45b4ae30e3daeea7c770f03447e5e01e9db1cd7f779215f4dfd172ee30bd2d92bee2ac6246e9ee0c0519afe7c22ca8a2001708a8088309c1da97c9984a65

Download Submit
\Windows\SysWOW64\Ekghcq32.exe

Filesize
91KB

MD5
be857c5eb6c7c594d7a8feb8d209334d

SHA1
13d5e97edad7bc90014c07d032cb5408b6d21811

SHA256
80bf4c1b3cb51f2a3a51c99db77aa477685d823206c311b93fde4da91bfad35f

SHA512
2d3a616797cb0f919e27540638df405b7bc204a3f7de6a3bac30d285c4d21322b9d5712cbaffdfd3439e5f6afc8c85ea949748681837a755d1afb634f480a92b

Download Submit
\Windows\SysWOW64\Epeajo32.exe

Filesize
91KB

MD5
9bd3e80eab3007e7aeb90556d26f5e8e

SHA1
87e785b929eb91634a2142cf2fe20a418ad6d645

SHA256
761f0de64c565f197906ae29d78697c1cdd961894e180de96cf76c732e13436b

SHA512
56390cfca90edc6a5639186f18f396112b40313ad23d50dfffbbc15e981cfc9c5a429accd66cc9d1301ccc64e8637a9abbcc3530f7dee75b87a3d748ed29b60b

Download Submit
\Windows\SysWOW64\Flnndp32.exe

Filesize
91KB

MD5
375e5151f8b10ef6ff81fea4b0118b5e

SHA1
86349320843993c8a56d7da88520ca268bc61572

SHA256
277a70eb064e7f8ea05b4a46625e4914e2198d72421b9fe650fc4531f293d7b6

SHA512
4c058615a399b6936b3944e9d8fed718603556c31ffa6ddf95e314a44d59cfc13c9082ca34d0c42e103a0980aeafd5b58d385a2f3e1d8ca204b7423ffda826bc

Download Submit
memory/572-173-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/572-88-0x00000000002C0000-0x00000000002FD000-memory.dmp

Filesize
244KB

Download
memory/1456-147-0x0000000000220000-0x000000000025D000-memory.dmp

Filesize
244KB

Download
memory/1456-135-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1456-177-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1976-75-0x0000000000220000-0x000000000025D000-memory.dmp

Filesize
244KB

Download
memory/1976-172-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1988-105-0x0000000000220000-0x000000000025D000-memory.dmp

Filesize
244KB

Download
memory/1988-106-0x0000000000220000-0x000000000025D000-memory.dmp

Filesize
244KB

Download
memory/1988-174-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2012-179-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2108-108-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2108-118-0x0000000000220000-0x000000000025D000-memory.dmp

Filesize
244KB

Download
memory/2108-175-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2172-162-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/2172-178-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2172-149-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2172-161-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/2604-55-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2604-171-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2604-67-0x0000000000220000-0x000000000025D000-memory.dmp

Filesize
244KB

Download
memory/2732-17-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/2732-168-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2732-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2772-170-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2772-40-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2772-48-0x0000000000220000-0x000000000025D000-memory.dmp

Filesize
244KB

Download
memory/2796-169-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2796-38-0x0000000000220000-0x000000000025D000-memory.dmp

Filesize
244KB

Download
memory/2808-20-0x0000000000330000-0x000000000036D000-memory.dmp

Filesize
244KB

Download
memory/2808-18-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2900-176-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2900-126-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads