bbadbe365885d2ecdf026c9c54e59b50ad7598d7227c359536d30f64e1161ba7

Analysis

max time kernel
101s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26/08/2024, 03:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96a1751fe7cfa249c10df5ac4f9877e0N.exe
Size

67KB
MD5

96a1751fe7cfa249c10df5ac4f9877e0
SHA1

769f5dceefc1580a6a72f22dc5d97cca512dac3d
SHA256

bbadbe365885d2ecdf026c9c54e59b50ad7598d7227c359536d30f64e1161ba7
SHA512

8cffc66cdafd46848ef4d69815ef6d33b61607e78d5aba00eaf7a27e8cfb78b2751f67bd1a931622f7a28090c40d3d767bd52fb4874afff9579df4f7c369cc97
SSDEEP

1536:ky9yfbMJTXTNYkiMiNRn6nZHR6HBbtnRQWR/Rj:ks8bMJTjQRKdq9eWVx

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	96a1751fe7cfa249c10df5ac4f9877e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	96a1751fe7cfa249c10df5ac4f9877e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe

Executes dropped EXE 10 IoCs

pid	Process
2852	Dhkjej32.exe
2568	Dodbbdbb.exe
4668	Deokon32.exe
532	Dhmgki32.exe
4872	Dkkcge32.exe
1312	Dogogcpo.exe
3624	Daekdooc.exe
4216	Dddhpjof.exe
3052	Dknpmdfc.exe
2116	Dmllipeg.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	96a1751fe7cfa249c10df5ac4f9877e0N.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	96a1751fe7cfa249c10df5ac4f9877e0N.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	96a1751fe7cfa249c10df5ac4f9877e0N.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4492	2116	WerFault.exe	93

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96a1751fe7cfa249c10df5ac4f9877e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	96a1751fe7cfa249c10df5ac4f9877e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	96a1751fe7cfa249c10df5ac4f9877e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	96a1751fe7cfa249c10df5ac4f9877e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	96a1751fe7cfa249c10df5ac4f9877e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	96a1751fe7cfa249c10df5ac4f9877e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	96a1751fe7cfa249c10df5ac4f9877e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dddhpjof.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 2852	4052	96a1751fe7cfa249c10df5ac4f9877e0N.exe	84
PID 4052 wrote to memory of 2852	4052	96a1751fe7cfa249c10df5ac4f9877e0N.exe	84
PID 4052 wrote to memory of 2852	4052	96a1751fe7cfa249c10df5ac4f9877e0N.exe	84
PID 2852 wrote to memory of 2568	2852	Dhkjej32.exe	85
PID 2852 wrote to memory of 2568	2852	Dhkjej32.exe	85
PID 2852 wrote to memory of 2568	2852	Dhkjej32.exe	85
PID 2568 wrote to memory of 4668	2568	Dodbbdbb.exe	86
PID 2568 wrote to memory of 4668	2568	Dodbbdbb.exe	86
PID 2568 wrote to memory of 4668	2568	Dodbbdbb.exe	86
PID 4668 wrote to memory of 532	4668	Deokon32.exe	87
PID 4668 wrote to memory of 532	4668	Deokon32.exe	87
PID 4668 wrote to memory of 532	4668	Deokon32.exe	87
PID 532 wrote to memory of 4872	532	Dhmgki32.exe	88
PID 532 wrote to memory of 4872	532	Dhmgki32.exe	88
PID 532 wrote to memory of 4872	532	Dhmgki32.exe	88
PID 4872 wrote to memory of 1312	4872	Dkkcge32.exe	89
PID 4872 wrote to memory of 1312	4872	Dkkcge32.exe	89
PID 4872 wrote to memory of 1312	4872	Dkkcge32.exe	89
PID 1312 wrote to memory of 3624	1312	Dogogcpo.exe	90
PID 1312 wrote to memory of 3624	1312	Dogogcpo.exe	90
PID 1312 wrote to memory of 3624	1312	Dogogcpo.exe	90
PID 3624 wrote to memory of 4216	3624	Daekdooc.exe	91
PID 3624 wrote to memory of 4216	3624	Daekdooc.exe	91
PID 3624 wrote to memory of 4216	3624	Daekdooc.exe	91
PID 4216 wrote to memory of 3052	4216	Dddhpjof.exe	92
PID 4216 wrote to memory of 3052	4216	Dddhpjof.exe	92
PID 4216 wrote to memory of 3052	4216	Dddhpjof.exe	92
PID 3052 wrote to memory of 2116	3052	Dknpmdfc.exe	93
PID 3052 wrote to memory of 2116	3052	Dknpmdfc.exe	93
PID 3052 wrote to memory of 2116	3052	Dknpmdfc.exe	93

C:\Users\Admin\AppData\Local\Temp\96a1751fe7cfa249c10df5ac4f9877e0N.exe
"C:\Users\Admin\AppData\Local\Temp\96a1751fe7cfa249c10df5ac4f9877e0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Windows\SysWOW64\Dhkjej32.exe
  C:\Windows\system32\Dhkjej32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\SysWOW64\Dodbbdbb.exe
    C:\Windows\system32\Dodbbdbb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Windows\SysWOW64\Deokon32.exe
      C:\Windows\system32\Deokon32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4668
    - - C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:532
      - C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 416
        12⤵
        Program crash
        
        PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2116 -ip 2116
1⤵
PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daekdooc.exe

Filesize
67KB

MD5
35cc689347769a3fbad708e82340bcd6

SHA1
4824160f345c81a4e8704ed68a0b236becc0f74f

SHA256
0773166e8f2457b67a5bc38d16706c965419de6a49a658cc53ffbb67a8cb0542

SHA512
a234d16979e5f56ed15a04e44270dd999f55df68bcc21acc1685ad779c4ae35c218a1560d4a54962d0ade4461f384c7a9c9082748a759c82fbe816771ff5e303

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
67KB

MD5
1d7fb92e6e80b8030cfddc37b5496db3

SHA1
7545f8419612ebae253e38501feaef303db89a0c

SHA256
6bbf65503da1a0302b37278307edf4c60ca5c0a46c1081e93b7b5c74764ebde0

SHA512
0ede1edea65723c26d189190c42cb119c72d7fb386ebc48cb68d38bfd8ddb56cb7910380ddacfb55792e154be96c10732704a0bb23575852e631989ef074be55

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
67KB

MD5
09c23efeb2d52bfa22803cc8eff18146

SHA1
94d545c3f3134127c811124be68dd2c1e1f89f3c

SHA256
01fcacaea08c468b39a6078a3390e2ffdc4c313a0c8f2411bf7a4c70fbbf22db

SHA512
7566376791ba22dff3020d1f6773ff94a822e00cfb52b4be5d2dc2335ea564161ba541dd764f8805c96cef0260dfe08d2c62101675298b54756f228e1c7104d2

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
67KB

MD5
7bb75cf90f4b0290fd2da79b76f269ad

SHA1
baf272b5132e6dcbd4fb9e210f6c6cf7f43f85d1

SHA256
9de93e8f98883ff9c62ad5b59db4c6f57bf765db3470178d2e3693b916b6cfc9

SHA512
99bc8cede1e5bc3f9abd4a5cd409aee2f1b27c12520e33f68b812626ef20fe02de5148eb6ce4075924114cb254727f16c7553a293bde77cb57b762d82c14f3ce

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
67KB

MD5
2d825c02c725c9f7812bce9b97ed5b5b

SHA1
5e14915771f3311417a20acdf057050da66688c3

SHA256
0ca4a331571a5a61fba374075fcf554ba864c74f9ab5dc79cccf908ed430ea0c

SHA512
f31e15849a638a911629cde7ef7eb9e7849a22da8585d2c18a173c31bec0b7c41caa507627869039d9562a53a89edcb3f762e93a289ef9ea18371613b201a683

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
67KB

MD5
3d38dac1de0e651659be07b93ea5613c

SHA1
ac095c3107ce516683192dac4e0da091479c08a2

SHA256
00a4e4680f75a7b9dbeeee75ca48bbeaf16a42e6f17548e571cfe96a6e6c1ffa

SHA512
21fd8e7dd52148d5123b182b50483de7ef1bced11a0d531870513e94200d336a0c9abc9447583f4754cc73d9cb3c5092aa77f8c596399ba1e5a5aab08a89f343

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
67KB

MD5
d3ac84827bec7d3a38d040fa895b1127

SHA1
136909a62b44bdef8088c6a39fbe6c69e3cadff1

SHA256
8432a76e5cf25c9770232b9d6862f00c0994b785966074080eabc4c3bca50b33

SHA512
d9f184fbc4fc6720aa28e8a3e31888ec44471012f5d0b423b110a0452447f1faef0da8c6bf447ffb707c631bd85fe858cca27875b6cf20ec7cce389ae87357b5

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
67KB

MD5
6705f167813fc7741c75910329189e80

SHA1
bc3ab6255119eb8d67d97c1998a4ee5bd890eede

SHA256
d3cf04f5ff56402576c379d087a27ade9bab37be62dff85a89ba39dd63869627

SHA512
d39317101bdbb0e101efc107e90906a3d907c56831f43b0c1561734cf9a731ec482e802b4e0269262831801adde0d0493aca0a5ddfdcb15ca64cf7401bc669e4

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
67KB

MD5
04c74585aa207f2ac7ce396482b59ee9

SHA1
4549938a189a7d9a92b9db768940f58820f4771e

SHA256
760dce28d43347c57181d367dac0533804a15e4723f0b5a4a147cb57bc46e2f9

SHA512
8c6d5d43fc99e165233373992bd760d9d4a8a2b8894cfbf7d109ccf86c419080ff45b0e8f746fcc1bcb500f59e75722c04420c9254188f0ddb0a2481a627d4e4

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
67KB

MD5
b252373fbcde325f3251a812056c2dbd

SHA1
30e49462e430369760e844fd5a760ef7bc045211

SHA256
073100592609dee0942f6c3cfa41634d2991c943cb5d3d24e6c29ede9100f76a

SHA512
31a9eabc63928da91efd56b91219a410c202be0f9797023769a7c6c02ac72c34601520185e8835b0adada91d3495fd3e4c3e1f4702931da7fb45e2bcbb2ac111

Download Submit
C:\Windows\SysWOW64\Jcbdhp32.dll

Filesize
7KB

MD5
ea653277c7fcf80820eeab446fd685a6

SHA1
a7bc4116dec01a7e1357c25e18db46b025cf5001

SHA256
502d101d7bd85a62587f9e1d68b1e7833e93ca15d1586686ba08d4eee7c1868c

SHA512
10f987862d9d669b770f3a507bfda8012d5f3ebe25aaebb15c9b7d0f50ce4a61d4f3895c35cdda2736200564605076aa0c44d834420e214abe0570f126d9234a

Download Submit
memory/532-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/532-87-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1312-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1312-85-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2116-81-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2116-79-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2568-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2568-89-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2852-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2852-90-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3052-71-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3052-82-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3624-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3624-84-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4052-91-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4052-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4216-83-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4216-63-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4668-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4668-23-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4872-86-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4872-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads