997e1b015f90dfd0eeeb9bcc9a35865f02a8bb3ca8766c8d751c7c7227b15ff4

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 09:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c0122ade974da19f792d30c8fe381440N.exe
Size

448KB
MD5

c0122ade974da19f792d30c8fe381440
SHA1

c6468e612a377661ae58e0cf4738f454889c63da
SHA256

997e1b015f90dfd0eeeb9bcc9a35865f02a8bb3ca8766c8d751c7c7227b15ff4
SHA512

7cbf75c42da9b357b08a00087602cf2daddef55cb4dac11d2ed8e19356b1806ac7284cb5a117b904c7805e247ee72f6239797b48153f162a06e7e0f56817843c
SSDEEP

6144:pvXtxPQ///NR5fLYG3eujPQ///NR5fqZo4tjS6Y:5W/NcZ7/NC64tm6Y

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c0122ade974da19f792d30c8fe381440N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c0122ade974da19f792d30c8fe381440N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe

Executes dropped EXE 10 IoCs

pid	Process
3304	Danecp32.exe
2352	Djgjlelk.exe
2324	Delnin32.exe
2192	Dkifae32.exe
3004	Deokon32.exe
1876	Dfpgffpm.exe
1792	Dogogcpo.exe
636	Daekdooc.exe
2300	Dddhpjof.exe
3824	Dmllipeg.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	c0122ade974da19f792d30c8fe381440N.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	c0122ade974da19f792d30c8fe381440N.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	c0122ade974da19f792d30c8fe381440N.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1276	3824	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c0122ade974da19f792d30c8fe381440N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	c0122ade974da19f792d30c8fe381440N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	c0122ade974da19f792d30c8fe381440N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	c0122ade974da19f792d30c8fe381440N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	c0122ade974da19f792d30c8fe381440N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	c0122ade974da19f792d30c8fe381440N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	c0122ade974da19f792d30c8fe381440N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Deokon32.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3276 wrote to memory of 3304	3276	c0122ade974da19f792d30c8fe381440N.exe	83
PID 3276 wrote to memory of 3304	3276	c0122ade974da19f792d30c8fe381440N.exe	83
PID 3276 wrote to memory of 3304	3276	c0122ade974da19f792d30c8fe381440N.exe	83
PID 3304 wrote to memory of 2352	3304	Danecp32.exe	84
PID 3304 wrote to memory of 2352	3304	Danecp32.exe	84
PID 3304 wrote to memory of 2352	3304	Danecp32.exe	84
PID 2352 wrote to memory of 2324	2352	Djgjlelk.exe	85
PID 2352 wrote to memory of 2324	2352	Djgjlelk.exe	85
PID 2352 wrote to memory of 2324	2352	Djgjlelk.exe	85
PID 2324 wrote to memory of 2192	2324	Delnin32.exe	87
PID 2324 wrote to memory of 2192	2324	Delnin32.exe	87
PID 2324 wrote to memory of 2192	2324	Delnin32.exe	87
PID 2192 wrote to memory of 3004	2192	Dkifae32.exe	88
PID 2192 wrote to memory of 3004	2192	Dkifae32.exe	88
PID 2192 wrote to memory of 3004	2192	Dkifae32.exe	88
PID 3004 wrote to memory of 1876	3004	Deokon32.exe	90
PID 3004 wrote to memory of 1876	3004	Deokon32.exe	90
PID 3004 wrote to memory of 1876	3004	Deokon32.exe	90
PID 1876 wrote to memory of 1792	1876	Dfpgffpm.exe	91
PID 1876 wrote to memory of 1792	1876	Dfpgffpm.exe	91
PID 1876 wrote to memory of 1792	1876	Dfpgffpm.exe	91
PID 1792 wrote to memory of 636	1792	Dogogcpo.exe	92
PID 1792 wrote to memory of 636	1792	Dogogcpo.exe	92
PID 1792 wrote to memory of 636	1792	Dogogcpo.exe	92
PID 636 wrote to memory of 2300	636	Daekdooc.exe	93
PID 636 wrote to memory of 2300	636	Daekdooc.exe	93
PID 636 wrote to memory of 2300	636	Daekdooc.exe	93
PID 2300 wrote to memory of 3824	2300	Dddhpjof.exe	94
PID 2300 wrote to memory of 3824	2300	Dddhpjof.exe	94
PID 2300 wrote to memory of 3824	2300	Dddhpjof.exe	94

C:\Users\Admin\AppData\Local\Temp\c0122ade974da19f792d30c8fe381440N.exe
"C:\Users\Admin\AppData\Local\Temp\c0122ade974da19f792d30c8fe381440N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3276
- C:\Windows\SysWOW64\Danecp32.exe
  C:\Windows\system32\Danecp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3304
- - C:\Windows\SysWOW64\Djgjlelk.exe
    C:\Windows\system32\Djgjlelk.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\Windows\SysWOW64\Delnin32.exe
      C:\Windows\system32\Delnin32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2324
    - - C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2192
      - C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 396
        12⤵
        Program crash
        
        PID:1276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3824 -ip 3824
1⤵
PID:1844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daekdooc.exe

Filesize
448KB

MD5
ee5a28b61e53f91608337cc723ebf955

SHA1
812a504b01d71b4ad9ad98db9ffa895d86f71b0d

SHA256
40336521c005cfd0b50a44e44abb1e0807a1c96dc1ccd28b75cf36876afc4596

SHA512
ad55425baaf31fa59f05f75aaa9edcb5737a9bdca465f5aa2bfce8bd59ecd6c46fb31758e3a7170c15015fdfebd021aaa46033c0552d66a89523d5c07eefdb9d

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
448KB

MD5
8f52c2f0d012d06206f048d224b3ae90

SHA1
1ea62167745d54f4c452d32c353b1241dd6e09dc

SHA256
8aa4524b879287743c61a87061fab9026254b77015d8e4250929b17e7f6c50ee

SHA512
f125504159d784fb1ec74fd40f89f6f5c6a45160ef0dd253863dbe3214be2b2db389143cf14ded60767edf10762d9a892428fcbcaef74a39fe6443b01c043b4b

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
448KB

MD5
c268a35d81dc3c2ebd96d453f9bbdc14

SHA1
06000323e6e0b3a35eee11180dbb443671613e14

SHA256
827c3e31bad6afd54e43e14faddd13a8e8b663efeccd6634e3aa01eccf2174b4

SHA512
637a28c75152db51a075f3bf6a8c5fae646272a26787e21e862dfa60dfc3e5cc1e4c1935bb959e35051cb8c1831c33a87bcab8692f67b59fc8e947cb31fa0d71

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
448KB

MD5
c25f68f383e8484ad7ae8420650aabed

SHA1
13bba4e37f1bb21e5d6465b0d49ebad52b1a6d1d

SHA256
f8e7353160103c509f3f3e0e8a8c33e2f906eec74ed3238a3c07941f513527cd

SHA512
7d68c3cc37a50e94a43bc000b9c76b89ea2b5bc5c37fad6ba179d3c2178b95c7571979baec39b310e8c548c8fbb016e77db61870503513717fb8eabd904ee7c5

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
448KB

MD5
ee7916db3e1989e2fb68f9564d790a51

SHA1
b3fab13b7bc275fb88a04dff39fe35a210bf2caf

SHA256
9195900a23b4eda3a0286fe6b6c15da228df050eaf15ff442cf4532e21c24bb7

SHA512
a98a50089b469501af43744a50ac9b000cadecf64fcbbed8c7b20ba06385cda0cc1ed46f77148f36ddc14fbdee91778ff2fa8f560481b0442bc8f7f8a9c3eb87

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
448KB

MD5
bad69a2ec451d9a7425f92127ee149a8

SHA1
37b94b348f63dc987bfd10a13654c7117a04e5c4

SHA256
cf9b0ebed2f251fd1e40a33419b5dca63c2c2d109c56f7d5737b87a6721925a1

SHA512
138f4f9584af019ead5183eb42fcea0f8a310bc7c86bc64943687ac3372bc5b7b65b5baf24241c18f63ddac432b3b3622e4fe96905c3e77f468b0290fd9caddc

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
448KB

MD5
3c1054da6ef417e3d02d2d179cab9f0e

SHA1
f320a17435651e8258fe8e81ffa7f9c46dbd850b

SHA256
b42bf350de61ee149d6f68e1d576b38356b7772cee80763f8942b68de4e2f473

SHA512
4a0bd7c5020caeede10b160147f47a4f3bd8e6a9e58d1bde6351507a9a96725099a9fff38c50596e340b340c918996dae71d4b3d1a462f8c6225366d3c7b669d

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
448KB

MD5
6e5d32e4d26ce961896cf1dc0f042d78

SHA1
be3c8bfcbd5c75e31605420f0a579f3d766d868b

SHA256
958457fa41b0cf2e6a72140c17da2a217a2eb8171df07c932f6f3ce3d01df81a

SHA512
fb0fd88102d5b1165d21cb5736314f19e2e336001784b024e0657ee72e672c0856902e3ac1177b322e4ef9792a2d0acf104cca94d9f7dad80092532319516d80

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
448KB

MD5
8a21d9ccb7e7c2e9146740d5e168a674

SHA1
11fff829da8588690c57e7ecbb6432b541367bc6

SHA256
f1a504d2378fa210ed5d80007b8adcdf0cf9f1d5949728100a67f8f227472f16

SHA512
e684985eb24b2ea3e17121db60f6635f9cc49295a7b799763fb10a4de79a4334d753855d4de5865c157f8154a220b4c28a615b2182ff1df64819ec4e03d33883

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
448KB

MD5
c9f02d845402a6bf937e057e89f2640c

SHA1
acfd3d77a7a1db37089730cfe8207cce5f882393

SHA256
e4a754bef0e007b0dc41badd4c34dd0d6041dd10bb0b0fa5d3062ef965286855

SHA512
fcc83a8cb0cb56ba38b26a7765b734831166e03bfa839aaa6236927943c8bcf929c25f67382e4ce039d5573477acc26f4bd38ded340bb44a7b22dc399f0bc87d

Download Submit
memory/636-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/636-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1792-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1792-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1876-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1876-91-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2192-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2192-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2300-85-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2300-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2324-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2324-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2352-99-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2352-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3004-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3004-93-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3276-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/3276-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3276-102-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3304-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3304-100-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3824-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3824-84-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads