739a816bdad53b0733d8340e7279956e2a83e52da1f6e7221f4ef40425db55ae

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2024, 08:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0e22de05d0ebf1f754db45357d3c0a70N.exe
Size

82KB
MD5

0e22de05d0ebf1f754db45357d3c0a70
SHA1

8e78abd8c931d21cd4c959237e8393a6684e0448
SHA256

739a816bdad53b0733d8340e7279956e2a83e52da1f6e7221f4ef40425db55ae
SHA512

2425c7e9ab579d4361eed0ef1e525b5f5ca5f0950ea5a629eb0f8f968cf84469ee730da303ee93e303df36ecf7e1d6efaaa77b7259562983dba41d1f470d0046
SSDEEP

1536:aHuTVIGNYBNnnALeO3/qi8m0nEko4X2L7jpm6+wDSmQFN6TiN1sJtvQu:Bmfo/enEkx8vpm6tm7N6TO1SpD

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0e22de05d0ebf1f754db45357d3c0a70N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	0e22de05d0ebf1f754db45357d3c0a70N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe

Executes dropped EXE 13 IoCs

pid	Process
1108	Calhnpgn.exe
3076	Dhfajjoj.exe
2908	Dmcibama.exe
3016	Dejacond.exe
3064	Dobfld32.exe
4132	Daqbip32.exe
4996	Dhkjej32.exe
1428	Dkifae32.exe
5060	Deokon32.exe
2368	Dhmgki32.exe
2724	Dogogcpo.exe
3220	Dhocqigp.exe
5108	Dmllipeg.exe

Drops file in System32 directory 39 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	0e22de05d0ebf1f754db45357d3c0a70N.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	0e22de05d0ebf1f754db45357d3c0a70N.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	0e22de05d0ebf1f754db45357d3c0a70N.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2212	5108	WerFault.exe	97

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e22de05d0ebf1f754db45357d3c0a70N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 42 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	0e22de05d0ebf1f754db45357d3c0a70N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	0e22de05d0ebf1f754db45357d3c0a70N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	0e22de05d0ebf1f754db45357d3c0a70N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	0e22de05d0ebf1f754db45357d3c0a70N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	0e22de05d0ebf1f754db45357d3c0a70N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	0e22de05d0ebf1f754db45357d3c0a70N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dhocqigp.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 1108	2784	0e22de05d0ebf1f754db45357d3c0a70N.exe	83
PID 2784 wrote to memory of 1108	2784	0e22de05d0ebf1f754db45357d3c0a70N.exe	83
PID 2784 wrote to memory of 1108	2784	0e22de05d0ebf1f754db45357d3c0a70N.exe	83
PID 1108 wrote to memory of 3076	1108	Calhnpgn.exe	84
PID 1108 wrote to memory of 3076	1108	Calhnpgn.exe	84
PID 1108 wrote to memory of 3076	1108	Calhnpgn.exe	84
PID 3076 wrote to memory of 2908	3076	Dhfajjoj.exe	85
PID 3076 wrote to memory of 2908	3076	Dhfajjoj.exe	85
PID 3076 wrote to memory of 2908	3076	Dhfajjoj.exe	85
PID 2908 wrote to memory of 3016	2908	Dmcibama.exe	86
PID 2908 wrote to memory of 3016	2908	Dmcibama.exe	86
PID 2908 wrote to memory of 3016	2908	Dmcibama.exe	86
PID 3016 wrote to memory of 3064	3016	Dejacond.exe	87
PID 3016 wrote to memory of 3064	3016	Dejacond.exe	87
PID 3016 wrote to memory of 3064	3016	Dejacond.exe	87
PID 3064 wrote to memory of 4132	3064	Dobfld32.exe	88
PID 3064 wrote to memory of 4132	3064	Dobfld32.exe	88
PID 3064 wrote to memory of 4132	3064	Dobfld32.exe	88
PID 4132 wrote to memory of 4996	4132	Daqbip32.exe	90
PID 4132 wrote to memory of 4996	4132	Daqbip32.exe	90
PID 4132 wrote to memory of 4996	4132	Daqbip32.exe	90
PID 4996 wrote to memory of 1428	4996	Dhkjej32.exe	91
PID 4996 wrote to memory of 1428	4996	Dhkjej32.exe	91
PID 4996 wrote to memory of 1428	4996	Dhkjej32.exe	91
PID 1428 wrote to memory of 5060	1428	Dkifae32.exe	92
PID 1428 wrote to memory of 5060	1428	Dkifae32.exe	92
PID 1428 wrote to memory of 5060	1428	Dkifae32.exe	92
PID 5060 wrote to memory of 2368	5060	Deokon32.exe	94
PID 5060 wrote to memory of 2368	5060	Deokon32.exe	94
PID 5060 wrote to memory of 2368	5060	Deokon32.exe	94
PID 2368 wrote to memory of 2724	2368	Dhmgki32.exe	95
PID 2368 wrote to memory of 2724	2368	Dhmgki32.exe	95
PID 2368 wrote to memory of 2724	2368	Dhmgki32.exe	95
PID 2724 wrote to memory of 3220	2724	Dogogcpo.exe	96
PID 2724 wrote to memory of 3220	2724	Dogogcpo.exe	96
PID 2724 wrote to memory of 3220	2724	Dogogcpo.exe	96
PID 3220 wrote to memory of 5108	3220	Dhocqigp.exe	97
PID 3220 wrote to memory of 5108	3220	Dhocqigp.exe	97
PID 3220 wrote to memory of 5108	3220	Dhocqigp.exe	97

C:\Users\Admin\AppData\Local\Temp\0e22de05d0ebf1f754db45357d3c0a70N.exe
"C:\Users\Admin\AppData\Local\Temp\0e22de05d0ebf1f754db45357d3c0a70N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Windows\SysWOW64\Calhnpgn.exe
  C:\Windows\system32\Calhnpgn.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1108
- - C:\Windows\SysWOW64\Dhfajjoj.exe
    C:\Windows\system32\Dhfajjoj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3076
  - - C:\Windows\SysWOW64\Dmcibama.exe
      C:\Windows\system32\Dmcibama.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3016
      - C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3220
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 396
        15⤵
        Program crash
        
        PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5108 -ip 5108
1⤵
PID:1904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
82KB

MD5
3d3fc57830caff1869dcde3250a1687c

SHA1
dfd32cff97198dd559787ce975bee5a56947c597

SHA256
5f4c5a064bbc3ab8fb2587d067341f579d953aeff1f15429bad3bce186f629ff

SHA512
24918195fb768953dd921686989b446e60d3d548591a3e5a8cc98d6092181e51ed461e75e3ff7a7b350c3c53f7f0707155d6b1f87e516abc1ff6a7de6c564686

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
82KB

MD5
916117d6b58bd1f6b9fda28ed6350448

SHA1
309129f56c211037df0535954e1868f811b7c9ea

SHA256
53d7664df748dc406d6906211db919a3b7ae575269641543e667392cb89d7d2a

SHA512
4f9a59e9a7aaaa802d86cb60b8a5e9c8ded7683abf7b05f0e7a0e907cbca6c0936c3f807e0186f7cf97a21af6b9bc94f8af1732bde77cb57f0ef6bb78c3a96db

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
82KB

MD5
784f2ef0ed32e9648c08257b4bff9a9d

SHA1
1d5cb005e6c886c07ae672b27ea86ac3d9741622

SHA256
2b57014d3871e8d6985e93fe94f9778c3242fe439b31a69b232b6f70fcb9f143

SHA512
93aebd2e99ee052505bdae3abdcbd7b5b2c1b946b9d00fc8d23ed4ff6d473638ff31067b1e5363995d726f7802256c873af963184c2acb8e2791ac9c1387325c

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
82KB

MD5
dafdb6c7d6369aefaa20c2e2eb1d0a57

SHA1
02d6bca8267650e614614763ae65ad39708ce6a2

SHA256
80919fe6eb19c0e03c697e39a23e9499f3673bcd565e1e5c63f5946dfbdb27af

SHA512
97f2729a52969db3aeac7f242a8623d6eba4a15bfe056f35c7d65dcb3364ef5dc078bb3e03774a522f34fe908a79495e8d5b5b2434d979948da56aacce29f84c

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
82KB

MD5
3c15852deca7a5de9182d16f234f10b2

SHA1
15db1a8df6085b66f61867228191a36ab2bf1671

SHA256
b3833fa3f23812b61b5a5db815654c04a02e4bb9afec798017ded6084e6c73bd

SHA512
87dce3a7611f934bbe9df1ce32648293f6643fb07e502b3890b7f937c0b67c3049f3c714dadb0c8ebcc9a7dca46a369d328f716d7787f222c6d1e5a831e4bee3

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
82KB

MD5
2cc61462a48484a97247dd16525154e6

SHA1
9382491bd370299df4a92f6bd3b86da07e2f1463

SHA256
740b67c777d63199a92e9444caf3b418ee434f4861ff4003aa774b19be1e8311

SHA512
47598f8d44df78ee3ed86c787cb2e3d99b920567aecf6995daf5be8184e7c7dc72638a58f69f63048a77e3a94bec3f57c13c5d65c7bd11692f88f9caef5b718b

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
82KB

MD5
b0f970629e00c0e124e904b3bdb51af3

SHA1
4e8b78309dd2463518fd80ea0dd6a89312e56c24

SHA256
0c125388918c873b56fef24b92c0e0712c7ea7902bb72208ef8581884b094135

SHA512
f2b785c32c97fbac57ec110a8823ef4ae2d61ffa12d0cfe4771c157eb3520452ddcc71c090ca225017031657231a4c4266973cedb5bac09dd97f1dfa870917bf

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
82KB

MD5
f043621de1ae3f7508d13b9a984ac8cd

SHA1
bc59806782adb8caff1cf1ee34996454ad3d3bb5

SHA256
f38d54fe182aad462c5710f5b11dc49e2eba7946000af285b57f74d453d64db8

SHA512
99a0a75fd189250bfe1296c1c3265d248dbeb62f31520d8632843ff160df02873a7d10a6ad51fccd5a7786eb8de1666aa7faf40fe8f3fca34b78e5e7c88d8917

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
82KB

MD5
ad42402cce8a1e1788f7f15143ac9b8c

SHA1
ae3024e00d25e65caeb36ece710ce3205e750deb

SHA256
ffc4b372aec7529685fc5495e82fc6f1fcf38f5fe000a962a15c0f2a9eb2b709

SHA512
920c8b5b7800da4ab07e58bfea98382d5d7bddf4f8d0ae8d81f5d3137e6e913f552732853d3de0c8e106f0982c1a8064351a5b6d540f7fda96f4204c41564b66

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
82KB

MD5
6877ae3316ee4ec084d3d89a282d90c9

SHA1
a867e183bf652b263e59a5e73286fd1c07ed7cf0

SHA256
f9dc2c9ac5a9f14485a8d5f31e2a215d1d6bf0af417a7cda881baf8d71263463

SHA512
8e1f847715ad2f521e21a40e801b2fd5c83f675a616015bd5b934c3fc77689ac698d79093321f0be95cc0707474aa1890a4f555b5bf3988dab8cd95a33e16c8e

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
82KB

MD5
672964cbb876f46de87a0a6bdd488bc5

SHA1
e4e72546fb4ea64b4f249d6cea83eeedbce523ba

SHA256
74fa9db1c330860035a5d8fbc723bb0d88db2b91ffe204227bc5fbefe917b8bc

SHA512
eabb8383388f11b18b7ec1a40db25b538c15ff011ae45759c079d390c32ab8e897b3e4e787ce32e2890cd33e5cf6841a90e72f3f484d7130e41a9e16be422cda

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
82KB

MD5
75f0568a6a2b461fa0c7998a01f19feb

SHA1
67dc09c23c6a1063cfb88e3385ba52d0fde12849

SHA256
23223747e17317e57cb290387505602044345e712fffc6cb03dc84b57ad9ebde

SHA512
d003765f26fc0bf873d61bd76352f013cf0fa0afbb8e0cb004819f82fae3e80ee73fc4ef7260498f753f3d2d19b75cbc5c48c5f889f784c576bffce4d46839cd

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
82KB

MD5
d9335bf6be926f205c23cc34fc7819e4

SHA1
b54cba482a4f9a23147d10e9b72a8d831d4636b9

SHA256
8761209d53f1be3754893562a84ec816a6f88fb8eb1fb10780db6d076c8fd667

SHA512
8c355bccea4549c2cae16ef1682ee493e368ab8172e0eb95ec46f0822bc6552d8cd47583319d717ca45fdda001d539fea5cc722e5e91fecf154fbeafb548ae44

Download Submit
memory/1108-90-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1108-9-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1428-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1428-118-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2368-81-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2368-114-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2724-91-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2724-113-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2784-73-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2784-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2784-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2908-107-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2908-24-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3016-110-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3016-32-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3064-116-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3064-41-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3076-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3076-98-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3220-100-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3220-112-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4132-115-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4132-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4996-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4996-119-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5060-78-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5060-117-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5108-111-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5108-108-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads