5913db0bc30a8bed806d2a1f41d78a32aa79c69259b9aa33e1f16ba92dd718f0

General

Target

5913db0bc30a8bed806d2a1f41d78a32aa79c69259b9aa33e1f16ba92dd718f0.exe
Size

896KB
MD5

bbafd2f9941d58ec10eda01fc36f86fd
SHA1

3037a6833d5c45825dea518c3a3b8869ad3a56aa
SHA256

5913db0bc30a8bed806d2a1f41d78a32aa79c69259b9aa33e1f16ba92dd718f0
SHA512

ab89e60cc0d35728000c28f37909ab9d2ae5e8148a3d8c8c94ddb3bff0e009eab8b6e8bb378d9bc315824260cc4216a591cc9583868aeac0ca6789ef4587228a
SSDEEP

12288:smeaJ0yByvNv54B9f01ZmHByvNv5VwLonfBHLqF1Nw5ILonfByvNv5HV:o5vr4B9f01ZmQvrUENOVvr1

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5913db0bc30a8bed806d2a1f41d78a32aa79c69259b9aa33e1f16ba92dd718f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	5913db0bc30a8bed806d2a1f41d78a32aa79c69259b9aa33e1f16ba92dd718f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgbdlf32.exe

Executes dropped EXE 6 IoCs

pid	Process
4272	Dfnjafap.exe
1052	Dmgbnq32.exe
1620	Dmjocp32.exe
4336	Dddhpjof.exe
4380	Dgbdlf32.exe
4696	Dmllipeg.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Poahbe32.dll	5913db0bc30a8bed806d2a1f41d78a32aa79c69259b9aa33e1f16ba92dd718f0.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	5913db0bc30a8bed806d2a1f41d78a32aa79c69259b9aa33e1f16ba92dd718f0.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	5913db0bc30a8bed806d2a1f41d78a32aa79c69259b9aa33e1f16ba92dd718f0.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3976	4696	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5913db0bc30a8bed806d2a1f41d78a32aa79c69259b9aa33e1f16ba92dd718f0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe

Modifies registry class 21 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	5913db0bc30a8bed806d2a1f41d78a32aa79c69259b9aa33e1f16ba92dd718f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	5913db0bc30a8bed806d2a1f41d78a32aa79c69259b9aa33e1f16ba92dd718f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	5913db0bc30a8bed806d2a1f41d78a32aa79c69259b9aa33e1f16ba92dd718f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	5913db0bc30a8bed806d2a1f41d78a32aa79c69259b9aa33e1f16ba92dd718f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	5913db0bc30a8bed806d2a1f41d78a32aa79c69259b9aa33e1f16ba92dd718f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	5913db0bc30a8bed806d2a1f41d78a32aa79c69259b9aa33e1f16ba92dd718f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3528 wrote to memory of 4272	3528	5913db0bc30a8bed806d2a1f41d78a32aa79c69259b9aa33e1f16ba92dd718f0.exe	83
PID 3528 wrote to memory of 4272	3528	5913db0bc30a8bed806d2a1f41d78a32aa79c69259b9aa33e1f16ba92dd718f0.exe	83
PID 3528 wrote to memory of 4272	3528	5913db0bc30a8bed806d2a1f41d78a32aa79c69259b9aa33e1f16ba92dd718f0.exe	83
PID 4272 wrote to memory of 1052	4272	Dfnjafap.exe	84
PID 4272 wrote to memory of 1052	4272	Dfnjafap.exe	84
PID 4272 wrote to memory of 1052	4272	Dfnjafap.exe	84
PID 1052 wrote to memory of 1620	1052	Dmgbnq32.exe	85
PID 1052 wrote to memory of 1620	1052	Dmgbnq32.exe	85
PID 1052 wrote to memory of 1620	1052	Dmgbnq32.exe	85
PID 1620 wrote to memory of 4336	1620	Dmjocp32.exe	86
PID 1620 wrote to memory of 4336	1620	Dmjocp32.exe	86
PID 1620 wrote to memory of 4336	1620	Dmjocp32.exe	86
PID 4336 wrote to memory of 4380	4336	Dddhpjof.exe	87
PID 4336 wrote to memory of 4380	4336	Dddhpjof.exe	87
PID 4336 wrote to memory of 4380	4336	Dddhpjof.exe	87
PID 4380 wrote to memory of 4696	4380	Dgbdlf32.exe	90
PID 4380 wrote to memory of 4696	4380	Dgbdlf32.exe	90
PID 4380 wrote to memory of 4696	4380	Dgbdlf32.exe	90

C:\Users\Admin\AppData\Local\Temp\5913db0bc30a8bed806d2a1f41d78a32aa79c69259b9aa33e1f16ba92dd718f0.exe
"C:\Users\Admin\AppData\Local\Temp\5913db0bc30a8bed806d2a1f41d78a32aa79c69259b9aa33e1f16ba92dd718f0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3528
- C:\Windows\SysWOW64\Dfnjafap.exe
  C:\Windows\system32\Dfnjafap.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4272
- - C:\Windows\SysWOW64\Dmgbnq32.exe
    C:\Windows\system32\Dmgbnq32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1052
  - - C:\Windows\SysWOW64\Dmjocp32.exe
      C:\Windows\system32\Dmjocp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1620
    - - C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4336
      - C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 412
        8⤵
        Program crash
        
        PID:3976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4696 -ip 4696
1⤵
PID:4288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
896KB

MD5
ea5094261e0b5c7d904129370dc05294

SHA1
6cc9164915d27bf6a2613573a4a5a5cc743f6a7b

SHA256
0e534cc7fdcd26bbd744e847d6e47654f26a46917ca070144cc7642146bb721d

SHA512
1937f550f50d9cdc826166dff2b39d3b72513f07b54a49f14dab7b3880f5cac7e2ba1db5f2673a2b60c45d5bd2169535d13c6a7e55e0a383055ea7b781322e0e

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
896KB

MD5
a8025e09c3e411c9565eb195a59cccbb

SHA1
1dad4f0bdea6f2c9886bf6987296269648c1ddf9

SHA256
8a50ee3288acc5510c9fd8f2d2e4eb226f74d32f5e02d35f0a401df456b4df2f

SHA512
67f7de1b6317435f9103cfb51e3fc0c0c3d42757c5103cd02913f25978f89fb0331524ff5c76bd3170e14ccfabfd820c3c3a072938ec8fc77998801d6bd82105

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
896KB

MD5
a4f37112fd97705f0394c2b11b6b644c

SHA1
c3f0d7ed670f7130444bf97b09c3ef2b7d69f623

SHA256
9b31f86f2d5b42c7ef5d3eb0b3dd5ce6efee2285336cc80dd24e3a9010a4b27c

SHA512
337cdfbef8a72a8a03152a3ff59205cf7748d91865080b1b1fec7399c05a02665d5f5476aa34ccbf45de8befe2edb729eb1362a77f5941a71a0e5b684283c29a

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
896KB

MD5
44a5df72f6521e3cc7bb24baa4aa2900

SHA1
98b026cd9b19a7070798f040053a94590622af43

SHA256
74cfd26771cc935dd5f7fe9add6d825efe2f4fee96e8f22c2bb1c316e60b6258

SHA512
3c476e07c0905df0afd852ae11746e2b729141441ace8caabc2b44c654b9e8bea02e7200d1c3ffa3a72f7ce998ab6b057c6cc89026b7533fd4858edbe7626670

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
896KB

MD5
f07fb04754a718a10e5442b16206a52b

SHA1
40557ce5a7279afea8b42693a7dd3c9f2d904b88

SHA256
9e19cd0583756a969a5054a73fbe65a194950e539459cc0762d18cdf689abb63

SHA512
3384bcda7909490ea64d2e485dfa66bc43270bd3b24c698ec0552e06d191c59d1239df29e55f16ec7eee8a7cdcc41214a01bcb327e81d5d51f1b3e91ab88e305

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
896KB

MD5
79364fdb710e0705793548eab493d48a

SHA1
5b39ed9697457a6cd85f6a204c9e1377d98c8599

SHA256
e81bbe07a2723d2e87fcff984e0a76ee8ccca222d672a4a9001186c71dca298e

SHA512
bd4b1d16809e685e05b0ee943fbdd23d896ab6739231d9952641948cdf3ed806581eea92fba933ddc580b4802bf6e02f4ce76139858b86371e84d842112afad3

Download Submit
C:\Windows\SysWOW64\Gfghpl32.dll

Filesize
7KB

MD5
bbf95330ae2ead979d5b1eb06a6062dd

SHA1
8cab1350c59a99f73a4b5384eeeeee4bc5aceefb

SHA256
2d822f2640a04390c76014bf2ee88bd1b604d68bd55efed2adcc1dd6a4ef1d5e

SHA512
444553adda28cdfe740d8b6438d0276ab3700d6186c625a61d96d431f94608f3aed672b4ed1571c89f05414090c88c358fbb62f7e1eb5b36ec85a465b8f88a99

Download Submit
memory/1052-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1052-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1620-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3528-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3528-59-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4272-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4272-58-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4380-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4380-52-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4696-47-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4696-51-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads