b6b3da5583ae803afd729ab485a6496492ede1a80195ddc58c0e347febf496a0

Analysis

max time kernel
92s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2024, 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb58852b6ea79bec5601533238d86e30N.exe
Size

115KB
MD5

eb58852b6ea79bec5601533238d86e30
SHA1

95c64a9956b0806c3d1f3d346e05451c636dc23f
SHA256

b6b3da5583ae803afd729ab485a6496492ede1a80195ddc58c0e347febf496a0
SHA512

46e90e405e9980521fd5f8b34612e9ee7630abcd93523d5d2f11f8183ca722b70eb1cbd0098df38bbf5c2ab3d881c48a0e228f2c736bb7911a1034138fb9fc1b
SSDEEP

1536:hliBDR5yOMq76Q06UzFwBK2LSnyvCbrIRQW1ooQUPRMcu30MUwZkTKr4:OoOE5QXAdbrIR/SoQUP5u30KqTKr4

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	eb58852b6ea79bec5601533238d86e30N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	eb58852b6ea79bec5601533238d86e30N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe

Executes dropped EXE 14 IoCs

pid	Process
988	Cegdnopg.exe
2760	Djdmffnn.exe
652	Dejacond.exe
2828	Dfknkg32.exe
2108	Dobfld32.exe
348	Delnin32.exe
3116	Dhkjej32.exe
4120	Dmgbnq32.exe
1732	Deokon32.exe
3012	Dfpgffpm.exe
3256	Dmjocp32.exe
3172	Dddhpjof.exe
4860	Dknpmdfc.exe
2572	Dmllipeg.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	eb58852b6ea79bec5601533238d86e30N.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	eb58852b6ea79bec5601533238d86e30N.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	eb58852b6ea79bec5601533238d86e30N.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2196	2572	WerFault.exe	99

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb58852b6ea79bec5601533238d86e30N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe

Modifies registry class 45 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	eb58852b6ea79bec5601533238d86e30N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	eb58852b6ea79bec5601533238d86e30N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	eb58852b6ea79bec5601533238d86e30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	eb58852b6ea79bec5601533238d86e30N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	eb58852b6ea79bec5601533238d86e30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	eb58852b6ea79bec5601533238d86e30N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 552 wrote to memory of 988	552	eb58852b6ea79bec5601533238d86e30N.exe	83
PID 552 wrote to memory of 988	552	eb58852b6ea79bec5601533238d86e30N.exe	83
PID 552 wrote to memory of 988	552	eb58852b6ea79bec5601533238d86e30N.exe	83
PID 988 wrote to memory of 2760	988	Cegdnopg.exe	84
PID 988 wrote to memory of 2760	988	Cegdnopg.exe	84
PID 988 wrote to memory of 2760	988	Cegdnopg.exe	84
PID 2760 wrote to memory of 652	2760	Djdmffnn.exe	85
PID 2760 wrote to memory of 652	2760	Djdmffnn.exe	85
PID 2760 wrote to memory of 652	2760	Djdmffnn.exe	85
PID 652 wrote to memory of 2828	652	Dejacond.exe	86
PID 652 wrote to memory of 2828	652	Dejacond.exe	86
PID 652 wrote to memory of 2828	652	Dejacond.exe	86
PID 2828 wrote to memory of 2108	2828	Dfknkg32.exe	88
PID 2828 wrote to memory of 2108	2828	Dfknkg32.exe	88
PID 2828 wrote to memory of 2108	2828	Dfknkg32.exe	88
PID 2108 wrote to memory of 348	2108	Dobfld32.exe	89
PID 2108 wrote to memory of 348	2108	Dobfld32.exe	89
PID 2108 wrote to memory of 348	2108	Dobfld32.exe	89
PID 348 wrote to memory of 3116	348	Delnin32.exe	90
PID 348 wrote to memory of 3116	348	Delnin32.exe	90
PID 348 wrote to memory of 3116	348	Delnin32.exe	90
PID 3116 wrote to memory of 4120	3116	Dhkjej32.exe	91
PID 3116 wrote to memory of 4120	3116	Dhkjej32.exe	91
PID 3116 wrote to memory of 4120	3116	Dhkjej32.exe	91
PID 4120 wrote to memory of 1732	4120	Dmgbnq32.exe	93
PID 4120 wrote to memory of 1732	4120	Dmgbnq32.exe	93
PID 4120 wrote to memory of 1732	4120	Dmgbnq32.exe	93
PID 1732 wrote to memory of 3012	1732	Deokon32.exe	94
PID 1732 wrote to memory of 3012	1732	Deokon32.exe	94
PID 1732 wrote to memory of 3012	1732	Deokon32.exe	94
PID 3012 wrote to memory of 3256	3012	Dfpgffpm.exe	95
PID 3012 wrote to memory of 3256	3012	Dfpgffpm.exe	95
PID 3012 wrote to memory of 3256	3012	Dfpgffpm.exe	95
PID 3256 wrote to memory of 3172	3256	Dmjocp32.exe	96
PID 3256 wrote to memory of 3172	3256	Dmjocp32.exe	96
PID 3256 wrote to memory of 3172	3256	Dmjocp32.exe	96
PID 3172 wrote to memory of 4860	3172	Dddhpjof.exe	97
PID 3172 wrote to memory of 4860	3172	Dddhpjof.exe	97
PID 3172 wrote to memory of 4860	3172	Dddhpjof.exe	97
PID 4860 wrote to memory of 2572	4860	Dknpmdfc.exe	99
PID 4860 wrote to memory of 2572	4860	Dknpmdfc.exe	99
PID 4860 wrote to memory of 2572	4860	Dknpmdfc.exe	99

C:\Users\Admin\AppData\Local\Temp\eb58852b6ea79bec5601533238d86e30N.exe
"C:\Users\Admin\AppData\Local\Temp\eb58852b6ea79bec5601533238d86e30N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:552
- C:\Windows\SysWOW64\Cegdnopg.exe
  C:\Windows\system32\Cegdnopg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:988
- - C:\Windows\SysWOW64\Djdmffnn.exe
    C:\Windows\system32\Djdmffnn.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\SysWOW64\Dejacond.exe
      C:\Windows\system32\Dejacond.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:652
    - - C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2828
      - C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:348
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4120
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3256
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3172
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 404
        16⤵
        Program crash
        
        PID:2196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2572 -ip 2572
1⤵
PID:4960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
115KB

MD5
ce7a32a644a17cf0fccc4db13d8a6d59

SHA1
edd4bd11288e9a014ce2d8d93ab69adfbe31a254

SHA256
e9bf4def18059d32d140e156f0605cd0d7fb80422734b180b8dab6a8e69a1b75

SHA512
69a8fea6eeb41e8f2167fc93ee4f9e7bc65a345e3fdbec62b637604a830b2071ad44423dbb7c26fb2aa4acbbba5b02a9feda39d25cb06eb4c69266b37caff54c

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
115KB

MD5
88eb65fa6b34591882c04c297cc3d645

SHA1
c15a1ba421f332bf2af6de2d7c13a312bf183dad

SHA256
9cf81ce48b7d2e9ad551c09c2365f7f6e87789930e02dd0598fd0abc74170126

SHA512
cc2785d80d74e13e48e3da22aefca1963abf043dd37e73a68268f3ebdd0c6ab3080aac1cebb66ffd8d908b136c8de74e0cbe21c8d0ad2c2013ec818fcf80e88e

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
115KB

MD5
c38ed15324c5fa8b38ec87c4690c5876

SHA1
7a13b4fe703541812c235ae62586532b366d5b21

SHA256
b49b41c7759fab61584eba470c97a612ee632dfd23c3143d2f950f860fe8e95e

SHA512
455499eb0f5cde7652ceb516d1e71f5ab4e13100e589cf773246ae997f4b561f864c33d849820d6c15f6ea714a5edade0e19e164b03216676c30e8bc7eb2f627

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
115KB

MD5
bbe7c22b93929781ebb98be3406576e8

SHA1
9e16f14ea00376fffdf1a23bfd1a2e375f303156

SHA256
cdc019ebb2e5ca0caa5e8d9e04a44d141715d8e59c551f1dc41520d2c3652958

SHA512
07f6446d7b3365e003339fd8b8a006b555ad60cfef314704369ba88bfbed871ae84cdde818a67eda402d3ddb41903ab04004c99458fa2eb369013bc473472d8d

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
115KB

MD5
98afd981ebcd0ec7d94535809a129641

SHA1
94e76b482fdf34abd187370b985ba1c53c35bada

SHA256
a88ef7f7ef04bca41b65dda6d9352ca164171b75003807f9a861bbf21310d213

SHA512
2486411677afa55a3402b4cc58619c7e4a66805840c0bc0396eb0a7a2b4bd689db0a38e40a7a552e09f7c300bffe6902d3cb9b8edfb0952cb2c9f2b94a1dd451

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
115KB

MD5
6a7ae6b10bfc5cdea2d0a6ce31f0f362

SHA1
b3c9cec4748dabbc8aa0e9635af830d027f9ace8

SHA256
493ce5ef9d0f0ae1a2c8c68f461c7a95de7ab912aed40997304b92fb0936194d

SHA512
89f12adb84c030914dd865522106f06dc88b40ec63de3cc54540ad15751dfc7ed1384815ade9ba49bc4b29e5455af76f486e488b0a1bd26962b7518b12b06f74

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
115KB

MD5
a46516b7e8f8be306fdd40be32fc7bc6

SHA1
b7136e0bdd3c6a668321dc25a6eb2db54f837e67

SHA256
3b93c0cd31eb6276d9f731528fc6c8086fe05daa8344c2e725957bf9cc386f43

SHA512
28e1b3e5cfe131d2c060a1e7ee4ab0f03e315eb27daaf93957a42c81fe0a8b87248d3e2e7a946e412ef4264d44bef08f421e8ec4ab8b49cb4aeff5319474b023

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
115KB

MD5
aa60b8ae2aecdce7c4e02da0dbd45337

SHA1
2d955521eafe47d24b771c75c07ad6b33368b212

SHA256
9c74fd4c3e51978fb57e27c57053c00d68f7a4a3a939273c532c47c886495cc2

SHA512
f97e545fc3c1315657772e550b63711cf7a43ca769d3e35c73112b6f4f401edd5fcb8046f78115f9093512e62d0ee1cb0000a86dd0725d3d61728314211f7a81

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
115KB

MD5
d265c840c6a5a0ba1a068575be3eeaa2

SHA1
d1c764ddb67823fd7591e5a32368e27596105209

SHA256
e7c865711b890776ab4eef07d51bb071c861c82ed92538ad9321e7fcc328f23b

SHA512
b4977bf69159ce1352eab08677ec20284a21a5feea2490d1673549223170a5452ca1150bfc262d3c2dd5822deff8db57ae9e3be6760f112137dd526a71b40f88

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
115KB

MD5
afbd3f7d41907b33f45030808d24952a

SHA1
2190778d3825f5064a82261a97843b392a55e9ee

SHA256
c014337ca10d334c0a68f27ca78ca88957bb450156afbce63bf86a6a931821e6

SHA512
0d499f0e999a2c5e28e761133ba9ca57e6e6ee0a310cae3a1d64e2f5e9eb9ac4336a11540be858a2b11fe684000fc07f782270743cfa75a7ecbc42dd105e7090

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
115KB

MD5
e0693db5240150da30008657abd6191f

SHA1
c525a5d42acb6e44567328f6ebc643e306488633

SHA256
6113d27963abe5eb7f04c05769f56784688be8c3d00e2ae797f8dfcc951b32f8

SHA512
1fa635f355c7678ae51d37f734579a91a7931c6c7f061c4abad709f3bde5468399f50590337c07e3a746a99fca463c29b58fcb6dd1314eae3a7f9129d723e7fe

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
115KB

MD5
533e2c23792c3184d575dee24b524de3

SHA1
9979866b03a5a50a9d2146437bb87118233bf434

SHA256
cfb9b004ec45b0f6e0dd33c25cd959eb070422f0c53f4cde1d1e70881de97046

SHA512
8cf96d5c36feef9c28b76ee8b7bc59258f44882331d9ecdb9051200a4aaf724915c2d04ea2a876df976af62f192d6035e53c6f5003055f94538688c97aebd449

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
115KB

MD5
a73a5ca4a20365ba453cf7eb6ad3d5c4

SHA1
68cfe62c4cf9e3cd8381612a64bb8b3b88fb7768

SHA256
80a1baa25319d8db1e1a4bfd14cf74670dc82041f7af1202ed7b2d71abfc838e

SHA512
d191849bb959412d71956c3b250a7860345f8c2ee99270d024108b692ab2ef5f98905474a47211160f64d5f9fde5e8a862c2e3064490d3c9ffe0916479fdd753

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
115KB

MD5
b768bc12b8ae508120130a1204769d57

SHA1
c98e260784a4e0b170bc31a8dcda687711700f6d

SHA256
0ab27c901e3dc1382e8777eeeead020d5901698994870d7896d5360ab3100353

SHA512
c7bde0b29e44c8d18c973d9d42715d7005645b7fe90c4d885767cc9f72c0e43ef8cdad7fb43512c2cf939440d934436257ed62e1ff93a9f2f44cac441d8a6158

Download Submit
memory/348-122-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/348-49-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/552-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/552-128-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/552-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/652-24-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/652-125-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/988-127-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/988-9-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1732-118-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1732-73-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2108-123-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2108-40-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2572-112-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2572-114-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2760-16-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2760-126-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2828-32-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2828-124-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3012-81-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3012-117-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3116-56-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3116-121-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3172-116-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3172-97-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3256-119-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3256-91-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4120-64-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4120-120-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4860-115-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4860-104-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads