e149afc9a9b19679b5574d445c866e8e7f2589d57148977563649a71613a651d

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/09/2024, 08:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

542a5e53064286d863efed68b12d3d40N.exe
Size

96KB
MD5

542a5e53064286d863efed68b12d3d40
SHA1

05b91f25c54e2413941f7120029b962a1f341638
SHA256

e149afc9a9b19679b5574d445c866e8e7f2589d57148977563649a71613a651d
SHA512

d63582c29e011b515d9f2d248b3dfc18611f253398b92dbd716e22f93350f803b39155ec0071aedc49ffd3bc365300c5d126e1ec0d19a2a8db07e30714cce5d1
SSDEEP

1536:uvcpC0sgZ5nITC9iQZOBRRGxcxFjHUV2LF7RZObZUUWaegPYA:uoTZ5nITC9itDGxcxdHTFClUUWae

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	542a5e53064286d863efed68b12d3d40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	542a5e53064286d863efed68b12d3d40N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe

Executes dropped EXE 13 IoCs

pid	Process
5048	Ddmaok32.exe
3084	Dfknkg32.exe
2352	Dobfld32.exe
1412	Delnin32.exe
4372	Dhkjej32.exe
1584	Dodbbdbb.exe
4684	Daconoae.exe
3272	Dhmgki32.exe
3668	Dkkcge32.exe
1300	Daekdooc.exe
4920	Dddhpjof.exe
5032	Dgbdlf32.exe
3564	Dmllipeg.exe

Drops file in System32 directory 39 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	542a5e53064286d863efed68b12d3d40N.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	542a5e53064286d863efed68b12d3d40N.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	542a5e53064286d863efed68b12d3d40N.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3932	3564	WerFault.exe	95

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	542a5e53064286d863efed68b12d3d40N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe

Modifies registry class 42 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	542a5e53064286d863efed68b12d3d40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	542a5e53064286d863efed68b12d3d40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	542a5e53064286d863efed68b12d3d40N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	542a5e53064286d863efed68b12d3d40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	542a5e53064286d863efed68b12d3d40N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	542a5e53064286d863efed68b12d3d40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dkkcge32.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 3276 wrote to memory of 5048	3276	542a5e53064286d863efed68b12d3d40N.exe	83
PID 3276 wrote to memory of 5048	3276	542a5e53064286d863efed68b12d3d40N.exe	83
PID 3276 wrote to memory of 5048	3276	542a5e53064286d863efed68b12d3d40N.exe	83
PID 5048 wrote to memory of 3084	5048	Ddmaok32.exe	84
PID 5048 wrote to memory of 3084	5048	Ddmaok32.exe	84
PID 5048 wrote to memory of 3084	5048	Ddmaok32.exe	84
PID 3084 wrote to memory of 2352	3084	Dfknkg32.exe	85
PID 3084 wrote to memory of 2352	3084	Dfknkg32.exe	85
PID 3084 wrote to memory of 2352	3084	Dfknkg32.exe	85
PID 2352 wrote to memory of 1412	2352	Dobfld32.exe	86
PID 2352 wrote to memory of 1412	2352	Dobfld32.exe	86
PID 2352 wrote to memory of 1412	2352	Dobfld32.exe	86
PID 1412 wrote to memory of 4372	1412	Delnin32.exe	87
PID 1412 wrote to memory of 4372	1412	Delnin32.exe	87
PID 1412 wrote to memory of 4372	1412	Delnin32.exe	87
PID 4372 wrote to memory of 1584	4372	Dhkjej32.exe	88
PID 4372 wrote to memory of 1584	4372	Dhkjej32.exe	88
PID 4372 wrote to memory of 1584	4372	Dhkjej32.exe	88
PID 1584 wrote to memory of 4684	1584	Dodbbdbb.exe	89
PID 1584 wrote to memory of 4684	1584	Dodbbdbb.exe	89
PID 1584 wrote to memory of 4684	1584	Dodbbdbb.exe	89
PID 4684 wrote to memory of 3272	4684	Daconoae.exe	90
PID 4684 wrote to memory of 3272	4684	Daconoae.exe	90
PID 4684 wrote to memory of 3272	4684	Daconoae.exe	90
PID 3272 wrote to memory of 3668	3272	Dhmgki32.exe	91
PID 3272 wrote to memory of 3668	3272	Dhmgki32.exe	91
PID 3272 wrote to memory of 3668	3272	Dhmgki32.exe	91
PID 3668 wrote to memory of 1300	3668	Dkkcge32.exe	92
PID 3668 wrote to memory of 1300	3668	Dkkcge32.exe	92
PID 3668 wrote to memory of 1300	3668	Dkkcge32.exe	92
PID 1300 wrote to memory of 4920	1300	Daekdooc.exe	93
PID 1300 wrote to memory of 4920	1300	Daekdooc.exe	93
PID 1300 wrote to memory of 4920	1300	Daekdooc.exe	93
PID 4920 wrote to memory of 5032	4920	Dddhpjof.exe	94
PID 4920 wrote to memory of 5032	4920	Dddhpjof.exe	94
PID 4920 wrote to memory of 5032	4920	Dddhpjof.exe	94
PID 5032 wrote to memory of 3564	5032	Dgbdlf32.exe	95
PID 5032 wrote to memory of 3564	5032	Dgbdlf32.exe	95
PID 5032 wrote to memory of 3564	5032	Dgbdlf32.exe	95

C:\Users\Admin\AppData\Local\Temp\542a5e53064286d863efed68b12d3d40N.exe
"C:\Users\Admin\AppData\Local\Temp\542a5e53064286d863efed68b12d3d40N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3276
- C:\Windows\SysWOW64\Ddmaok32.exe
  C:\Windows\system32\Ddmaok32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Windows\SysWOW64\Dfknkg32.exe
    C:\Windows\system32\Dfknkg32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3084
  - - C:\Windows\SysWOW64\Dobfld32.exe
      C:\Windows\system32\Dobfld32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2352
    - - C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1412
      - C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 396
        15⤵
        Program crash
        
        PID:3932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3564 -ip 3564
1⤵
PID:1008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daconoae.exe

Filesize
96KB

MD5
ea020395c747ac78d3e0e35b65117d2a

SHA1
b62298fe9deec439d46021dbb5c24a59d2c0b1f4

SHA256
79ca4cde5277305123b52b549d6b309c02d588d1eaab52925565218d56acd29a

SHA512
c656bdf449ad7254bd24bf258ffc471f5275d12827386e716b64d305184ace9ed7fc9cbd89f5316b27c24f7996689b15a600601fae67e6811cc8d154db8aa6f8

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
96KB

MD5
8bacb7acebb6f2a9a4ecbd77aa2a260e

SHA1
07293942a3b47e2f7ba8d58faaba64fc93e7e355

SHA256
b5a28081378ce2fbead1e66f9d3184335d910bd44fe694e9384d240cd32355c9

SHA512
f9b3481f6420efba3fa929ce8da6f8bb24d1eb502ce598a64fc4e991661e22ac3083200295bd5580f1d34b8ecb5114a452a8952f5b7533388fd212b68754fcbe

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
96KB

MD5
e91b16fcceeabb2b969b2ae9556d2244

SHA1
12d6adb73da52d8da3174f9ad13d255aec730698

SHA256
f43dc84e0a15e6cb1aeccae01a19098a2b39d6626997658fe0e3daa92f909dfa

SHA512
6539afebb1f12114528d10ba2b9175f5166346be1710176727ef299ca57d549a80b3463546f001dab059d3011d7856f3d12627c4895e09af6f245a428e3d4f99

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
96KB

MD5
bb692bd0a03b5b14f4584e56b55ffb4e

SHA1
50c2e94698713d21c421ce2aa87ee7502ae47b77

SHA256
4d7c394818d6d2a4bdc55d5913638ec4074b84d60c70dec946dbd10ba3491386

SHA512
1b49676f2c8536e684e59448327e597e2ba45968a0650533b8e9ddc8c436a4e2ac676cd22678a6c69a25f33b00c067a80bd08c9faf17141262cc3114bc8a72a5

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
96KB

MD5
17343386684c7c82dc923f3bd61c75c0

SHA1
61527da3858364a3844cb4b95bacc707a0414b81

SHA256
3da98d8c2507de18ad2dcc8d1bfe18477237e16daac85f0e064561ea70b795d3

SHA512
6ee63afa504dfcfb3c704fb580b2fabfd51081f179f2fc51d94b105ba2b7d6cc076239dbad9767d661bbf200797997f198f42b9fc86cfb5d1254a5d3403e1ecb

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
96KB

MD5
febf44fcffa3c327a1eaf9578a9b5364

SHA1
42409be61c3ef89341694a0f1ab0621f865dfeba

SHA256
cb39f91df47f6504b152b6d001aaa5bc88b61d099b83c708c1e694e33bb4b752

SHA512
8e10b8c90df083579588ff219990e648c5b381969e9d497e8ccee4431eb88c5117beb95457bb511643a40437e81cb8b6b17c889d63954393f722f32e2d78f4ff

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
96KB

MD5
6b9552ad206d293c09b241ec1e239aff

SHA1
cb1eb9b1533fa891123d558e84c0de086a3d2bc0

SHA256
cb52cffaf7e60c20f6cb24942b43641b7b2e3520bb45f5a0b37ea769f813f65c

SHA512
306376f555b88aa8c79dd3a25f11b3ff55ee51f962a3249ab6e2cf704667f0b35e41aa7640130b66242da163b26cb63134f11504c3b297cf2e700e4fd0ca6a12

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
96KB

MD5
6ebb39e2d41662d30c2c6ddaf1cd2bec

SHA1
20152f87a9d983cd6beaa28b964b6956e8c4a8c8

SHA256
265e419eb6b3079a0a80670e79f1f9b462c16aaedefd5f69e991a69cf0a9968a

SHA512
839d031b023a5bc97932e605f579a7476f35e2a7331fa908c1a83dfb5ca002cde3c8e2136cf7b72c48bb148c6a29fc46e36a287bb0e1ae10507f4e5f50224c79

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
96KB

MD5
7ebab0f1befdb5b7d1aac546cf886129

SHA1
503c1a97c38e3893dbfddf2f2a4639c31e90aede

SHA256
9d5cb181c8fe7fe0c208bffc73c0b7d03e1d0b020e60d16fa048e08ff4bb9407

SHA512
d85388bc7437419ccfa6dfa999124581047d7151a11f372187b70381b5c3afe012ff3060e877e858850246624dd19b81297be3cd22e3085eb24fc28b5a1c5c59

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
96KB

MD5
d7fd57edf0a7a5676b5b820c4f591e72

SHA1
a777917872a6343c621024183e1284c9d67e1a01

SHA256
69e5ebe0fd61c0a054b00e1ae6b0c78176ab69e5ab2c40f0e750fc1675f0acec

SHA512
98a1ac8f9299ae8f1a3dae4c3b49b74152344a773aa79c869ec2373ab6bd53ee81ac34906211806df54c5525c26c8f4bd55a754c3f8659d2f8fd4517f0956f52

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
96KB

MD5
d23cdbb3e3548b900f55474ba67860b1

SHA1
2e18b525c1570fec2999609473d055b491b428a8

SHA256
023911f3a9bc8bf03d61f38b271cd205ead8d056e40e6c5aa1f7c19e823d89a6

SHA512
9466385f089df277fadf5404f74aa2ab43f3b337feea1f318180e47085fddd8bbb134a0b8a150e11b60310d3061c3f12c06271bb7faa542fd115ea8e6e8e8744

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
96KB

MD5
cfe630bbe690f9f2be9d3fdc3fbfb241

SHA1
852eb27004dbd76e2dddd197806a0de9696bd7e5

SHA256
aa25f96babbac18d76713d94eafe5f3e1d2173efaf2edf8e1798789d71cb13ba

SHA512
41258a93656318be319e4ae49b3958aeb7cb801f3c1115ad7f83f498eef749b49af6e88978e52d6fc849dabf08786206adb32bcbcc27106fa5575b27b17fd8bd

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
96KB

MD5
ad1eb44950640a8ce77f7d09a0ed30c2

SHA1
14cd7c88125109d99dda2b8a1d57aa20e9a5b510

SHA256
f3ae4647a49b83c0cac41b7c9f27daf5ed8b69d238d20e91e4e7183b6d33c6e0

SHA512
086af31aff86f618318cdfdee683874628fed7995301d94a9cd7f6efa6bb154cdb9d72dea12236abffede69155f65ed36ce76661f51a1e0f4967c9c766edd9ca

Download Submit
memory/1300-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1300-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1412-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1412-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2352-127-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2352-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3084-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3084-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3272-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3272-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3276-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3276-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3276-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3564-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3564-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-115-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-123-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4684-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4684-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4920-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4920-111-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5032-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5032-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5048-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5048-131-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads