09748b8754de461ec6de5cef9527a5c7a7f821d178a9b696f4b989c1153040ad

Analysis

max time kernel
91s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/09/2024, 12:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

416d0161701184db3b4e21cf627a9b70N.exe
Size

85KB
MD5

416d0161701184db3b4e21cf627a9b70
SHA1

ca9746b27c658fc5ad1047af40fb26fc6218f780
SHA256

09748b8754de461ec6de5cef9527a5c7a7f821d178a9b696f4b989c1153040ad
SHA512

fc037131adf8698e49306e6065a0b0c897250e5bc2ee73e6d5110c5d1fa491e5ddf039c1bcd197bae84dfc19f8e4bf4739824a372a3fb72417d1f14c0991b19c
SSDEEP

1536:6fhNbS8UPnKKV7C+W8Iva8S2LHDMQ262AjCsQ2PCZZrqOlNfVSLUK+:6fzbSJo8Aa4HDMQH2qC7ZQOlzSLUK+

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	416d0161701184db3b4e21cf627a9b70N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	416d0161701184db3b4e21cf627a9b70N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe

Executes dropped EXE 11 IoCs

pid	Process
5100	Dejacond.exe
4792	Dobfld32.exe
3092	Ddonekbl.exe
4848	Dfnjafap.exe
832	Daconoae.exe
4804	Dfpgffpm.exe
5032	Dogogcpo.exe
2880	Deagdn32.exe
3908	Dhocqigp.exe
1644	Dknpmdfc.exe
2452	Dmllipeg.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	416d0161701184db3b4e21cf627a9b70N.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	416d0161701184db3b4e21cf627a9b70N.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	416d0161701184db3b4e21cf627a9b70N.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3712	2452	WerFault.exe	96

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	416d0161701184db3b4e21cf627a9b70N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 36 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	416d0161701184db3b4e21cf627a9b70N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	416d0161701184db3b4e21cf627a9b70N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	416d0161701184db3b4e21cf627a9b70N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	416d0161701184db3b4e21cf627a9b70N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	416d0161701184db3b4e21cf627a9b70N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	416d0161701184db3b4e21cf627a9b70N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 5100	2088	416d0161701184db3b4e21cf627a9b70N.exe	83
PID 2088 wrote to memory of 5100	2088	416d0161701184db3b4e21cf627a9b70N.exe	83
PID 2088 wrote to memory of 5100	2088	416d0161701184db3b4e21cf627a9b70N.exe	83
PID 5100 wrote to memory of 4792	5100	Dejacond.exe	85
PID 5100 wrote to memory of 4792	5100	Dejacond.exe	85
PID 5100 wrote to memory of 4792	5100	Dejacond.exe	85
PID 4792 wrote to memory of 3092	4792	Dobfld32.exe	87
PID 4792 wrote to memory of 3092	4792	Dobfld32.exe	87
PID 4792 wrote to memory of 3092	4792	Dobfld32.exe	87
PID 3092 wrote to memory of 4848	3092	Ddonekbl.exe	88
PID 3092 wrote to memory of 4848	3092	Ddonekbl.exe	88
PID 3092 wrote to memory of 4848	3092	Ddonekbl.exe	88
PID 4848 wrote to memory of 832	4848	Dfnjafap.exe	90
PID 4848 wrote to memory of 832	4848	Dfnjafap.exe	90
PID 4848 wrote to memory of 832	4848	Dfnjafap.exe	90
PID 832 wrote to memory of 4804	832	Daconoae.exe	91
PID 832 wrote to memory of 4804	832	Daconoae.exe	91
PID 832 wrote to memory of 4804	832	Daconoae.exe	91
PID 4804 wrote to memory of 5032	4804	Dfpgffpm.exe	92
PID 4804 wrote to memory of 5032	4804	Dfpgffpm.exe	92
PID 4804 wrote to memory of 5032	4804	Dfpgffpm.exe	92
PID 5032 wrote to memory of 2880	5032	Dogogcpo.exe	93
PID 5032 wrote to memory of 2880	5032	Dogogcpo.exe	93
PID 5032 wrote to memory of 2880	5032	Dogogcpo.exe	93
PID 2880 wrote to memory of 3908	2880	Deagdn32.exe	94
PID 2880 wrote to memory of 3908	2880	Deagdn32.exe	94
PID 2880 wrote to memory of 3908	2880	Deagdn32.exe	94
PID 3908 wrote to memory of 1644	3908	Dhocqigp.exe	95
PID 3908 wrote to memory of 1644	3908	Dhocqigp.exe	95
PID 3908 wrote to memory of 1644	3908	Dhocqigp.exe	95
PID 1644 wrote to memory of 2452	1644	Dknpmdfc.exe	96
PID 1644 wrote to memory of 2452	1644	Dknpmdfc.exe	96
PID 1644 wrote to memory of 2452	1644	Dknpmdfc.exe	96

C:\Users\Admin\AppData\Local\Temp\416d0161701184db3b4e21cf627a9b70N.exe
"C:\Users\Admin\AppData\Local\Temp\416d0161701184db3b4e21cf627a9b70N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\SysWOW64\Dejacond.exe
  C:\Windows\system32\Dejacond.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5100
- - C:\Windows\SysWOW64\Dobfld32.exe
    C:\Windows\system32\Dobfld32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4792
  - - C:\Windows\SysWOW64\Ddonekbl.exe
      C:\Windows\system32\Ddonekbl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3092
    - - C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4848
      - C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3908
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 396
        13⤵
        Program crash
        
        PID:3712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2452 -ip 2452
1⤵
PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daconoae.exe

Filesize
85KB

MD5
58a5c89b8a7171f0fbb7420e16023b2f

SHA1
ccee06aaf1b7a75f0d6ea1be17a37414b6aa0e16

SHA256
dd80634aa481f8edf00e4985cd71e8afeba2b62d48dff8ecee33aa79780c959e

SHA512
f488e678b6d988a51fa66e5f6ab92b546e36619b1bb13eb8c1570a0a2a85365ffb47e5635e8a117f0cfb4b646bc532f7504f1e978e02a3b36d28e66684418503

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
85KB

MD5
e015e54451c2c09d367c4f6fed1ab79a

SHA1
b03e24f555e88fba6d746bcb9954bd01b7d29afd

SHA256
9dd803d08fa24f6f7a4f1f7ce3a6a36fe5a8b2b807e90c51be54ffa0ed69cf45

SHA512
f596180f65e295286472d4f5ed3dbe97994cddcae7eb9c586cf274063f6bb0d9bd400ef78d2cfdb7cd54c202bff7dae3ff062316a8bd2837f4d4501bb2da1abf

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
85KB

MD5
a59097f4b3d326cbdddd63fbfd5eb757

SHA1
c9c8fec23280da31b016f3ee77eeb22397eb681f

SHA256
0aab6a60c36edcce79fbedb5a54debee04b929d5e28b4dd8f7d32496af9717a9

SHA512
291021ab1cea88b27f7a303d34e972d80971946815706c8237e4177c4061e12070414697e725f336a6b9ca09fba099381cdafa9c2db0c3986230471ad24b1279

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
85KB

MD5
c2ca649083188ebac254b9160272240d

SHA1
a2b62ec9c8fcdf41f79964c334f97f7c38631d9e

SHA256
6cc33226f05f81d55699784762a421f663338252b076382533a0ca8573fb7aaa

SHA512
49c79a3788ffc53b3d93da3cc4137a71c3754594f88d0429096c424fdcfc18b173c3e3dc0fc994c8c0438fa91e70d7e4049838350950c5d86e0e307200819d93

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
85KB

MD5
66f5dcf2c604e7128a6cf5f42a392bbb

SHA1
f17f01d6322ccc6a6c27530de51e35956e0adf8a

SHA256
0aaa4ed0088ddf74cb7cf939ab53187287637ed33b60c9f5af8b1e8371ebb1a6

SHA512
c521263cce45e3909ea8a9ed8b53f70eaad23f4209d329c36172871dcc8dd2c1d90c420637b14ae0b2cbe45e9c9ce0a2847b1dd2224eab2dd944ed268aae0eb6

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
85KB

MD5
ac49124ce84af7fc0c6fb55825d82512

SHA1
9470a21604ed59876e608f78ce2f725aceebd096

SHA256
5c74b75077b1e2a09bea36d20301f673071904651eda96e4b98c1821011fb480

SHA512
834608473294d1d5f323f7f593c9f98fd31a22022e799fb0e66eabc12008d5edd6b7c43d5bc07ec5e3644030817980e32a57615c1c3e7d6ce8ad211bb8a71ebb

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
85KB

MD5
73092e78d9d31d7380befcc5e080c13c

SHA1
7ede7d943f9f4531b426cad0b2a0638fd0424b02

SHA256
e6862ee93cd408eea79e68c26aa92cb83080d63bf683c107c5f20e92dc4d7d1b

SHA512
3ac276b3fb03ea3cd29ccb74f67567a1cac2e123bed3ab083f5be1a3181e2a9ba4c572714b8b017fcd8837f690cc21901e37807e799dadad1f7eee1bc9a4609b

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
85KB

MD5
3e67f5403d2176687a6ea44cc6608fbf

SHA1
304bb8d410c6380fb4a1bc4643e4147d77ab8682

SHA256
6bdd1d2307cecc1a1a2f3f6f8c1f1afecaedbdf177de0b5188a5e3a75445f6e2

SHA512
909e05bbad3efdc4076487f18519bf94d73258ae47323d3e239d6acf44084ceb21ae6310eeea8a620f703a8bbca2996cfd4b92f291a05f10f2dfa8a184e2e3d9

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
85KB

MD5
f764220ce940017acc318517467e2b8e

SHA1
14b182582df8bb2eba6e5e3582b9792b3d4bc524

SHA256
e31d1eb4d921fbe76cf738d062b849e414e0347e12695091f395cc9104d99287

SHA512
0b9135c4b1601fb40635d6c2e243085d7975b3508b1c91f6b336fa3343f8bcfcecdf4da7a97b5220df548d9dbbabca6343a2be7b5f543f871df864f02ed7f2af

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
85KB

MD5
ee59ec9b700fed7f7ec0bdc2bc67c542

SHA1
b0f50f32271292fe7a954f1a7b08aff7a79f4084

SHA256
e211a66787d525ba065e60bf361e74c8d62cdcd51eab550a4d2a2992068fd76f

SHA512
debffefad04eb589307ce336995002d3269e08a9bc26746dd68da7dfecc81f5b2992d716335b28bc031f838d6199f5535da17aa88f3e0b21719d36fe95afcf14

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
85KB

MD5
d381d0722bce054b003ca15d038c4aa2

SHA1
a3af55e9ec7fbd103688ce4cb2951f75573782a2

SHA256
b2fa6b2c69ab20aea31b913e4e43a3683ab347f47bc4e4421e7bc38b7cc64b8d

SHA512
848a55d1f5068698ca97e15a220a300052cab2f3a699e4094b6a886c6338a0859622b4ef47952fec631264fbc8a6121bae89b3f632e4dbc145e3dce0a09e1a67

Download Submit
memory/832-97-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/832-40-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1644-93-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1644-82-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2088-73-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2088-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2088-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2452-91-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2880-65-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2880-96-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3092-100-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3092-25-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3908-78-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3908-94-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4792-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4792-92-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4804-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4804-95-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4848-32-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4848-99-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5032-98-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5032-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5100-9-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5100-90-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads