46686447e4669aa5376e282e9e92b22963cb9fc6d10f976a3cf33dcf44cb39ed

General

Target

53c2ced3b247f4c575969579d1aa2c20N.exe
Size

123KB
MD5

53c2ced3b247f4c575969579d1aa2c20
SHA1

30d35fbe21422e932d2deb7fc6664315bbed04cd
SHA256

46686447e4669aa5376e282e9e92b22963cb9fc6d10f976a3cf33dcf44cb39ed
SHA512

184b101ea538ad435db2497a59adb40ff8bb3fb6b9bc7daf110b1378753855c6daf65d75ce6ed08d86f9bd204c92c5ef2b483a14f5add0b574641750512d2791
SSDEEP

3072:xvFxr6pueADH4bYXmMy3WkRYSa9rR85DEn5k7r8:FWuVj4UXt+Wk4rQD85k/8

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	53c2ced3b247f4c575969579d1aa2c20N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	53c2ced3b247f4c575969579d1aa2c20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe

Executes dropped EXE 6 IoCs

pid	Process
4828	Ddakjkqi.exe
3752	Dfpgffpm.exe
2956	Dogogcpo.exe
1828	Dmjocp32.exe
1824	Dddhpjof.exe
1604	Dmllipeg.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gifhkeje.dll	53c2ced3b247f4c575969579d1aa2c20N.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	53c2ced3b247f4c575969579d1aa2c20N.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	53c2ced3b247f4c575969579d1aa2c20N.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2488	1604	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	53c2ced3b247f4c575969579d1aa2c20N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 21 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	53c2ced3b247f4c575969579d1aa2c20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	53c2ced3b247f4c575969579d1aa2c20N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	53c2ced3b247f4c575969579d1aa2c20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	53c2ced3b247f4c575969579d1aa2c20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	53c2ced3b247f4c575969579d1aa2c20N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	53c2ced3b247f4c575969579d1aa2c20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfpgffpm.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4124 wrote to memory of 4828	4124	53c2ced3b247f4c575969579d1aa2c20N.exe	84
PID 4124 wrote to memory of 4828	4124	53c2ced3b247f4c575969579d1aa2c20N.exe	84
PID 4124 wrote to memory of 4828	4124	53c2ced3b247f4c575969579d1aa2c20N.exe	84
PID 4828 wrote to memory of 3752	4828	Ddakjkqi.exe	85
PID 4828 wrote to memory of 3752	4828	Ddakjkqi.exe	85
PID 4828 wrote to memory of 3752	4828	Ddakjkqi.exe	85
PID 3752 wrote to memory of 2956	3752	Dfpgffpm.exe	86
PID 3752 wrote to memory of 2956	3752	Dfpgffpm.exe	86
PID 3752 wrote to memory of 2956	3752	Dfpgffpm.exe	86
PID 2956 wrote to memory of 1828	2956	Dogogcpo.exe	87
PID 2956 wrote to memory of 1828	2956	Dogogcpo.exe	87
PID 2956 wrote to memory of 1828	2956	Dogogcpo.exe	87
PID 1828 wrote to memory of 1824	1828	Dmjocp32.exe	88
PID 1828 wrote to memory of 1824	1828	Dmjocp32.exe	88
PID 1828 wrote to memory of 1824	1828	Dmjocp32.exe	88
PID 1824 wrote to memory of 1604	1824	Dddhpjof.exe	89
PID 1824 wrote to memory of 1604	1824	Dddhpjof.exe	89
PID 1824 wrote to memory of 1604	1824	Dddhpjof.exe	89

C:\Users\Admin\AppData\Local\Temp\53c2ced3b247f4c575969579d1aa2c20N.exe
"C:\Users\Admin\AppData\Local\Temp\53c2ced3b247f4c575969579d1aa2c20N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4124
- C:\Windows\SysWOW64\Ddakjkqi.exe
  C:\Windows\system32\Ddakjkqi.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Windows\SysWOW64\Dfpgffpm.exe
    C:\Windows\system32\Dfpgffpm.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3752
  - - C:\Windows\SysWOW64\Dogogcpo.exe
      C:\Windows\system32\Dogogcpo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2956
    - - C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1828
      - C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 408
        8⤵
        Program crash
        
        PID:2488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1604 -ip 1604
1⤵
PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Amjknl32.dll

Filesize
7KB

MD5
7e1a3e281cdd863eb35c22c5201d987b

SHA1
18b83caae237c02a1c09b9ade400ecac300d7ccb

SHA256
1c0b49c2dd87a194b55017b69ca7e70c68282ae62b16d031bc8745e7672adaf0

SHA512
80ebcd2a9d87ab9bd11d0031bb433901cad5dd23aeaa6b0afab1a4396603321f009fb84e87ec9f9849565a1d5ec527bcef8ba9c0a6afa893d45475e52578de20

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
123KB

MD5
25d2e289990614cdf041f78b3bb82d01

SHA1
efb7c5c9794ec2e252fca4cc197748b7eea24943

SHA256
4c368ab6828d776ef3b3fcf84d1dd02734277d527fcbcbac8f5fbd3e2378ab20

SHA512
4f4f7886a0c480047d3fe6e577c206c8f521bd87804c94ffc675e97b04283c16a9edde8393365abf44707d24d0863308c99db973011039d55f032deb86ee6a53

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
123KB

MD5
3acfb74fa785df45ea8706eafddd686c

SHA1
50bf7c2f0a58565d98342696203b37a9483044f5

SHA256
9c1cf8a6fea85fb0ffd498f8d39efc75d2f1cf5956930994efb133fb5e810062

SHA512
40dc1ff1b60e1d33b4843e6bcbe2d570c3bc123ac61937c1d780616fc2e7cd13323efde397e1a879ac1c04348f49962b860586e266b978247fb870b20cf388fe

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
123KB

MD5
3adee920c3bca7ffb7dc229cdf17b6f7

SHA1
12db24680310139fe805a5779ce1734e333a1353

SHA256
d36714bdb5af50cf548b20a1e5213d3cca2372b0a88bdd990565d1fb31076522

SHA512
4c18fa28169c6900a9a9af2f72e753b567211cb817a08cd0c52cf9f699857ce8835f1f9b93d9ddc01c3bd3e31ffe6118f5da2971ffc7d669e0102da96d439211

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
123KB

MD5
8720e3badfa75d8276f188b4b0de5261

SHA1
7416530bfc2d614a4280eebce79d464ebf57c2af

SHA256
f42cbca5a5996bd140addb955f2f86eaadc915186687a5310a5a12b85ef440b5

SHA512
8f458e98543a25e70e8d9621af755cdfa5facee84da0b8abbe69306049c9970c0245f6bc60f58930e8a5903cad4fce8c6b73793b30501def5c9fe4386f6ffb57

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
123KB

MD5
6286ddc960ba8a9fb928ef17075e55f2

SHA1
b70fb6f1e2fd6a763ea6cb81d49f5b419c91db37

SHA256
580cb4f22bb8dbf16a76a282c141fc9735c55a49fa8a3ce688fdc015d396cc38

SHA512
0e1cc2be05113ffccb3c06501ddc6fcf932486ad04c3e48cf1abb9b98b364543127354210e6a2decd15fbc6f5261cef79adf8caaa0e9b6cd8d6f2540d8b72522

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
123KB

MD5
b513570b878e39730b6c5a635d21ccaa

SHA1
12e612d4c6cdf22265bad52f71fbfb16ae1fdc74

SHA256
1014755516bf9b4c700a1276bfc189be1a778d369e9c27e869ab737c508e0fc0

SHA512
d21dcfbc4cf31fb849a9b571777baeba12fa3b45da729c486751ba31a012244579492c63eb10b89a9608eb68b82fa33a88db3e5a89f6c06f3752b5cc4af14738

Download Submit
memory/1604-48-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1604-49-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1824-50-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1824-39-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1828-51-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1828-32-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2956-24-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2956-53-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3752-20-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4124-0-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4124-54-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4828-52-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4828-7-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads