Analysis

max time kernel: 102s
max time network: 108s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/08/2024, 07:05
Static task: static1

Behavioral task: behavioral1
  Sample: 0252e9d6becd47cb3e46ee16394cae70N.exe
  Resource: win7-20240704-en

Behavioral task: behavioral2
  Sample: 0252e9d6becd47cb3e46ee16394cae70N.exe
  Resource: win10v2004-20240802-en
General

Target: 0252e9d6becd47cb3e46ee16394cae70N.exe
Size: 96KB
MD5: 0252e9d6becd47cb3e46ee16394cae70
SHA1: 7fd17793721ffe6744301b6c8738c1357fcfe69d
SHA256: a2ad970ef59fcd5644e4db39c4630ed9cb625515dbd7da601135caec94ccd5a7
SHA512: 7a5ce09ad8b60f648b05ea73ebb05944058cc76e9f3810776bdb4c8e9a3b16604214552ea2742812ce79cac6276b5499df5041df167b7f046783f5ee7a29a520
SSDEEP: 1536:uYUd1DF4T99X2VUinh6GZs5BJ/pI7HmUOlOl7DIe28YduV9jojTIvjrH:uYeDF5VfhFZs5BJ/pITbOlOpse7Yd69J
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 8 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dogogcpo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Daekdooc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Daekdooc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dgbdlf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dgbdlf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | 0252e9d6becd47cb3e46ee16394cae70N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | 0252e9d6becd47cb3e46ee16394cae70N.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dogogcpo.exe
Executes dropped EXE (4 IoCs)

pid | Process
3100 | Dogogcpo.exe
1756 | Daekdooc.exe
3308 | Dgbdlf32.exe
4908 | Dmllipeg.exe
Drops file in System32 directory (12 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Dogogcpo.exe | 0252e9d6becd47cb3e46ee16394cae70N.exe
File created | C:\Windows\SysWOW64\Lbabpnmn.dll | 0252e9d6becd47cb3e46ee16394cae70N.exe
File opened for modification | C:\Windows\SysWOW64\Daekdooc.exe | Dogogcpo.exe
File opened for modification | C:\Windows\SysWOW64\Dgbdlf32.exe | Daekdooc.exe
File created | C:\Windows\SysWOW64\Gfghpl32.dll | Daekdooc.exe
File created | C:\Windows\SysWOW64\Dmllipeg.exe | Dgbdlf32.exe
File opened for modification | C:\Windows\SysWOW64\Dmllipeg.exe | Dgbdlf32.exe
File created | C:\Windows\SysWOW64\Dogogcpo.exe | 0252e9d6becd47cb3e46ee16394cae70N.exe
File created | C:\Windows\SysWOW64\Daekdooc.exe | Dogogcpo.exe
File created | C:\Windows\SysWOW64\Ohmoom32.dll | Dogogcpo.exe
File created | C:\Windows\SysWOW64\Dgbdlf32.exe | Daekdooc.exe
File created | C:\Windows\SysWOW64\Kngpec32.dll | Dgbdlf32.exe
Program crash (1 IoC)

pid | pid_target | Process | procid_target
4396 | 4908 | WerFault.exe | 87
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dogogcpo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Daekdooc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dgbdlf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dmllipeg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0252e9d6becd47cb3e46ee16394cae70N.exe
Modifies registry class (15 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | 0252e9d6becd47cb3e46ee16394cae70N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dogogcpo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dgbdlf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll" | Dgbdlf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dgbdlf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll" | 0252e9d6becd47cb3e46ee16394cae70N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll" | Dogogcpo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dogogcpo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Daekdooc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll" | Daekdooc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} | 0252e9d6becd47cb3e46ee16394cae70N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | 0252e9d6becd47cb3e46ee16394cae70N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | 0252e9d6becd47cb3e46ee16394cae70N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Daekdooc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | 0252e9d6becd47cb3e46ee16394cae70N.exe
Suspicious use of WriteProcessMemory (12 IoCs)

description | pid | Process | procid_target
PID 4596 wrote to memory of 3100 | 4596 | 0252e9d6becd47cb3e46ee16394cae70N.exe | 84
PID 4596 wrote to memory of 3100 | 4596 | 0252e9d6becd47cb3e46ee16394cae70N.exe | 84
PID 4596 wrote to memory of 3100 | 4596 | 0252e9d6becd47cb3e46ee16394cae70N.exe | 84
PID 3100 wrote to memory of 1756 | 3100 | Dogogcpo.exe | 85
PID 3100 wrote to memory of 1756 | 3100 | Dogogcpo.exe | 85
PID 3100 wrote to memory of 1756 | 3100 | Dogogcpo.exe | 85
PID 1756 wrote to memory of 3308 | 1756 | Daekdooc.exe | 86
PID 1756 wrote to memory of 3308 | 1756 | Daekdooc.exe | 86
PID 1756 wrote to memory of 3308 | 1756 | Daekdooc.exe | 86
PID 3308 wrote to memory of 4908 | 3308 | Dgbdlf32.exe | 87
PID 3308 wrote to memory of 4908 | 3308 | Dgbdlf32.exe | 87
PID 3308 wrote to memory of 4908 | 3308 | Dgbdlf32.exe | 87
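The two artefact classes recorded above, the ShellServiceObjectDelayLoad (SSODL) entry whose CLSID resolves to a dropped DLL under SysWOW64, and the chain of executables dropped into SysWOW64, can be hunted for on a live host. The PowerShell below is an added example and not part of the sandbox report: the CLSID, the value name "Web Event Logger" and the file names are taken from the report's IoCs; the review logic (signature check, dangling-CLSID check, output shape) is this example's own assumption.

```powershell
# Added example, not part of the sandbox report: hunt for SSODL persistence and
# for files dropped into SysWOW64 of the kind this report records.
# Indicators below are the report's; allow-list logic and output shape are assumptions.
# Run in an elevated PowerShell on the host under investigation.

$ReportClsid     = '{79FAA099-1BAE-816E-D711-115290CEE717}'
$ReportSsodlName = 'Web Event Logger'
$ReportFiles     = 'Dogogcpo.exe', 'Daekdooc.exe', 'Dgbdlf32.exe', 'Dmllipeg.exe',
                   'Lbabpnmn.dll', 'Ohmoom32.dll', 'Gfghpl32.dll', 'Kngpec32.dll'

# SSODL has a native and a WOW64 view under HKLM. A 32-bit dropper on x64
# Windows lands in WOW6432Node, which is the view this sample wrote.
$SsodlKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
)

function Resolve-InprocServer32 {
    # Return the DLL a CLSID's InProcServer32 default value points to, or $null.
    param([string]$Clsid)
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID') {
        $key = Join-Path $root "$Clsid\InProcServer32"
        if (Test-Path -LiteralPath $key) {
            $path = (Get-ItemProperty -LiteralPath $key).'(default)'
            if ($path) { return [Environment]::ExpandEnvironmentVariables($path) }
        }
    }
    return $null
}

function Get-SsodlFindings {
    # Every SSODL entry is loaded into explorer.exe at logon, so each one is
    # reviewed: resolve the CLSID to its DLL and record why it looks suspicious.
    foreach ($key in $SsodlKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # provider metadata, not registry values
            $clsid   = [string]$p.Value
            $dll     = Resolve-InprocServer32 -Clsid $clsid
            $reasons = @()
            if ($clsid -ieq $ReportClsid)      { $reasons += 'CLSID matches report IoC' }
            if ($p.Name -ieq $ReportSsodlName) { $reasons += 'value name matches report IoC' }
            if (-not $dll) {
                $reasons += 'CLSID has no InProcServer32 (dangling entry)'
            } elseif (-not (Test-Path -LiteralPath $dll)) {
                $reasons += 'DLL path missing on disk'
            } else {
                $sig = Get-AuthenticodeSignature -FilePath $dll
                if ($sig.Status -ne 'Valid') { $reasons += "DLL signature status: $($sig.Status)" }
            }
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                CLSID   = $clsid
                DLL     = $dll
                Verdict = if ($reasons.Count) { $reasons -join '; ' } else { 'no finding' }
            }
        }
    }
}

function Get-DroppedFileFindings {
    # The sample was launched via C:\Windows\system32\..., which file-system
    # redirection maps to SysWOW64 for a 32-bit process; check both directories.
    foreach ($dir in 'SysWOW64', 'System32') {
        foreach ($name in $ReportFiles) {
            $path = Join-Path $env:windir "$dir\$name"
            if (Test-Path -LiteralPath $path) {
                $item = Get-Item -LiteralPath $path
                [pscustomobject]@{
                    Path    = $path
                    Size    = $item.Length
                    SHA256  = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                    Created = $item.CreationTimeUtc
                }
            }
        }
    }
}

Get-SsodlFindings       | Format-Table -AutoSize -Wrap
Get-DroppedFileFindings | Format-Table -AutoSize -Wrap
```

The CLSID and the eight file names are indicators of this one sample and need not recur in related samples; the checks that generalize are the ones on every SSODL entry, an InProcServer32 DLL that is unsigned, missing, or not in a Windows directory, or a CLSID with no InProcServer32 at all. On a clean Windows 10 host the native SSODL key normally holds Microsoft-signed entries, so a result other than "no finding" deserves a look.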
Processes

[1] C:\Users\Admin\AppData\Local\Temp\0252e9d6becd47cb3e46ee16394cae70N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0252e9d6becd47cb3e46ee16394cae70N.exe"
    PID: 4596
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\Dogogcpo.exe
        Command line: C:\Windows\system32\Dogogcpo.exe
        PID: 3100
        - Adds autorun key to be loaded by Explorer.exe on startup
        - Executes dropped EXE
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\Daekdooc.exe
            Command line: C:\Windows\system32\Daekdooc.exe
            PID: 1756
            - Adds autorun key to be loaded by Explorer.exe on startup
            - Executes dropped EXE
            - Drops file in System32 directory
            - System Location Discovery: System Language Discovery
            - Modifies registry class
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\Dgbdlf32.exe
                Command line: C:\Windows\system32\Dgbdlf32.exe
                PID: 3308
                - Adds autorun key to be loaded by Explorer.exe on startup
                - Executes dropped EXE
                - Drops file in System32 directory
                - System Location Discovery: System Language Discovery
                - Modifies registry class
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\SysWOW64\Dmllipeg.exe
                    Command line: C:\Windows\system32\Dmllipeg.exe
                    PID: 4908
                    - Executes dropped EXE
                    - System Location Discovery: System Language Discovery

                    [6] C:\Windows\SysWOW64\WerFault.exe
                        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 340
                        PID: 4396
                        - Program crash

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4908 -ip 4908
    PID: 2312
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 96KB
MD5: 6e3bc5677983ca11538bc665471de549
SHA1: ce9b8a2eadbf8bcceee5b4d60af9d5f2f11a4790
SHA256: fa6f917904072a80a1af12b845416b95a3b0228236c2f8ba550f153a85fe98f4
SHA512: 8eb7fd3f7a11960765eaec72ce55f0adb73fdcfc46a1e9de73b30859780e91f73346ff35d28b0df5819b085aae6b2e378d6575df051b5c5cc443a1fe9c48cf37

Filesize: 96KB
MD5: 4cbe8f597be3d650db7054c3f9ee6cd7
SHA1: 0d37f6b50145f1dc22f3646b68f985170acbb08b
SHA256: 33d71ab472fc60b891783d889aebc6a19d5db726555943ff9d578fb8021ecc85
SHA512: 41ecf391a904a48b363ef76ab9ecdf556fbbd5599ceb0272e81ee443b6bd9638ef1b8288eb381e55533cb44b48f1bef666a238e0c9685a1d43cb23b75168debd

Filesize: 96KB
MD5: 20995350d61cdc0e64750ea2768f0245
SHA1: 6e20c8ef6d62c8255fee69edcf186d6f64eea5b2
SHA256: bbae754ea00552a33abe38f62b1120d1340a7d8dd197205baf27f47442b1271e
SHA512: 2af993e8d33ce601f693a69a73701e66ae36bb3379be8d863300e201b85709d07cc16b245d56c7fa751a90971407d315e33c807706cc10da3f71d93710bc2e1e

Filesize: 96KB
MD5: 9837334a14397893dedd3f9cfd80d9e2
SHA1: 90c6104032e4847cb3be6fb66160e27d88acd0a8
SHA256: e0d959f63ff9a99dfca2ecdd2cf8346abe307ca23cf7a44fca8bdb380d20d69e
SHA512: cc349c5062e9e696395033f390734a74ec48efc2e186585244e224ac54402b6f5ca4951c5c9de00240e751134da05db68d3b9e550eec469ed8cbc5f399c11065