ef1934e1c49c40fadbf7e398624d58b26c3145261faa854730ce4934307bc40a

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 13:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee1a9fe33aa89884e706f34626f02410N.exe
Size

148KB
MD5

ee1a9fe33aa89884e706f34626f02410
SHA1

744b42f8b614b1585d6d5ebdd50cc16a468b9c0c
SHA256

ef1934e1c49c40fadbf7e398624d58b26c3145261faa854730ce4934307bc40a
SHA512

2de7cc7cb6fa90955bf3b164aea6656af449b152b3f148332d8c7f1c301ee60bb4e9a3e5ff123e1f877ddc56441799b8ba46eb6377b19c09ad00c76a043a14c1
SSDEEP

3072:UVaA+ML9tkBto5wY5OdzOdjKtlDoNQQ9wlHOdj+UCRQKOdj+U:UN++ABto5wKOdzOdkOdezOd

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ee1a9fe33aa89884e706f34626f02410N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ee1a9fe33aa89884e706f34626f02410N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe

Executes dropped EXE 11 IoCs

pid	Process
4376	Djgjlelk.exe
4212	Delnin32.exe
2172	Dhkjej32.exe
4052	Dkifae32.exe
3460	Dmgbnq32.exe
1912	Ddakjkqi.exe
3320	Dfpgffpm.exe
1636	Dogogcpo.exe
2492	Dddhpjof.exe
2300	Dgbdlf32.exe
3408	Dmllipeg.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	ee1a9fe33aa89884e706f34626f02410N.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	ee1a9fe33aa89884e706f34626f02410N.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	ee1a9fe33aa89884e706f34626f02410N.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1864	3408	WerFault.exe	95

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee1a9fe33aa89884e706f34626f02410N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe

Modifies registry class 36 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ee1a9fe33aa89884e706f34626f02410N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	ee1a9fe33aa89884e706f34626f02410N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	ee1a9fe33aa89884e706f34626f02410N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	ee1a9fe33aa89884e706f34626f02410N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	ee1a9fe33aa89884e706f34626f02410N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	ee1a9fe33aa89884e706f34626f02410N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 216 wrote to memory of 4376	216	ee1a9fe33aa89884e706f34626f02410N.exe	83
PID 216 wrote to memory of 4376	216	ee1a9fe33aa89884e706f34626f02410N.exe	83
PID 216 wrote to memory of 4376	216	ee1a9fe33aa89884e706f34626f02410N.exe	83
PID 4376 wrote to memory of 4212	4376	Djgjlelk.exe	84
PID 4376 wrote to memory of 4212	4376	Djgjlelk.exe	84
PID 4376 wrote to memory of 4212	4376	Djgjlelk.exe	84
PID 4212 wrote to memory of 2172	4212	Delnin32.exe	85
PID 4212 wrote to memory of 2172	4212	Delnin32.exe	85
PID 4212 wrote to memory of 2172	4212	Delnin32.exe	85
PID 2172 wrote to memory of 4052	2172	Dhkjej32.exe	86
PID 2172 wrote to memory of 4052	2172	Dhkjej32.exe	86
PID 2172 wrote to memory of 4052	2172	Dhkjej32.exe	86
PID 4052 wrote to memory of 3460	4052	Dkifae32.exe	88
PID 4052 wrote to memory of 3460	4052	Dkifae32.exe	88
PID 4052 wrote to memory of 3460	4052	Dkifae32.exe	88
PID 3460 wrote to memory of 1912	3460	Dmgbnq32.exe	89
PID 3460 wrote to memory of 1912	3460	Dmgbnq32.exe	89
PID 3460 wrote to memory of 1912	3460	Dmgbnq32.exe	89
PID 1912 wrote to memory of 3320	1912	Ddakjkqi.exe	90
PID 1912 wrote to memory of 3320	1912	Ddakjkqi.exe	90
PID 1912 wrote to memory of 3320	1912	Ddakjkqi.exe	90
PID 3320 wrote to memory of 1636	3320	Dfpgffpm.exe	92
PID 3320 wrote to memory of 1636	3320	Dfpgffpm.exe	92
PID 3320 wrote to memory of 1636	3320	Dfpgffpm.exe	92
PID 1636 wrote to memory of 2492	1636	Dogogcpo.exe	93
PID 1636 wrote to memory of 2492	1636	Dogogcpo.exe	93
PID 1636 wrote to memory of 2492	1636	Dogogcpo.exe	93
PID 2492 wrote to memory of 2300	2492	Dddhpjof.exe	94
PID 2492 wrote to memory of 2300	2492	Dddhpjof.exe	94
PID 2492 wrote to memory of 2300	2492	Dddhpjof.exe	94
PID 2300 wrote to memory of 3408	2300	Dgbdlf32.exe	95
PID 2300 wrote to memory of 3408	2300	Dgbdlf32.exe	95
PID 2300 wrote to memory of 3408	2300	Dgbdlf32.exe	95

C:\Users\Admin\AppData\Local\Temp\ee1a9fe33aa89884e706f34626f02410N.exe
"C:\Users\Admin\AppData\Local\Temp\ee1a9fe33aa89884e706f34626f02410N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:216
- C:\Windows\SysWOW64\Djgjlelk.exe
  C:\Windows\system32\Djgjlelk.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4376
- - C:\Windows\SysWOW64\Delnin32.exe
    C:\Windows\system32\Delnin32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4212
  - - C:\Windows\SysWOW64\Dhkjej32.exe
      C:\Windows\system32\Dhkjej32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2172
    - - C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4052
      - C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 396
        13⤵
        Program crash
        
        PID:1864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3408 -ip 3408
1⤵
PID:224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
148KB

MD5
b49be64a3690a665f10e3fc2c45ca95e

SHA1
15c82457b279d4628722fe0233d54f1fc39d3ba6

SHA256
6add35792e5efa49d0379209f70915f6ef81705412388382b4e38a905c76a75d

SHA512
cc9c1368832e77c65baa59fe8eeb03e95c99e8b3c9aa02530104915a5ceac800c8de6e9c0668f0a006b7b4746bb7c7ee79eb79930a1278875b0d4abbbfca9a67

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
148KB

MD5
62d4e8595cd8ce14a9b426c36d34da13

SHA1
bedf854d9bfb29b7c4d0a861d21c24643ecb17bc

SHA256
da1026618728eca8f7c190c01c782c8c5ca4fb48a1125c851798f4f9a9f84b4b

SHA512
079e099b06c5cdc4cdaaa5c9ccf4f925886b39c9bcbb7e616bc61e4d1f9ffde037d7abfbe9ef31da47dc6a31995843b80610efbc63dc8a8ce528af0e46ece5a7

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
148KB

MD5
8496f2a717080eb1054309714306d8f0

SHA1
a459e04b12db4b254c0df1f22d251f13e198955b

SHA256
8d483a964a62c0642e00a05bc6eff6916003a11b4027a17009658d6c847e655d

SHA512
9a03f4d638360cce00d25f4c761652e3919100746279271ba886b6005a947af8978a8d91f2205797ce7e59eb70e822cfac87e7ed2c68d8cf0e69f75bf2a6b277

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
148KB

MD5
67499c7eac43afa21c6e85e6ee06af41

SHA1
ce1b622916553b03314649283943377f60bb8668

SHA256
cfcee94215615e0a1eced58c6401c980412d5fa060d44e08c8c19155724ac436

SHA512
dcbb1eb0149db5059557e4ec135b5c8c321ac1a5e12b573a5db1cdf8dcdb3365507d1fdeeec45066d2c713f8cb1feea1bfcf3de88e6cda0dbf2e81fc3fee3e63

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
148KB

MD5
48a65b3e245dfd6329653c3dd016e9ce

SHA1
63d22bf3bb2eaecc76392cc5a297e6732c589137

SHA256
d018b5bf07ef227ca372e4c19982ab2790a34bbcc66c4e757e5c82c19ce57869

SHA512
87207e6ff2ce30d1d4cf62f9abe58f9056719e500835f129c5f56eca81e8cf3f208a0195f0da9a22bc112163128165237e9649f46845987f088d17d1df24c395

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
148KB

MD5
1c4876652149338a6953090ca1181cde

SHA1
40a09899dff22b7c57123fbc5e8d858fb87e826a

SHA256
aa86aa6d9e03090f252dc8050c8c81f741361f180768d8b5f70169dd17e08791

SHA512
814a2c88891122ccbba6b8b11bda11a61a40309e65a2e96afb58a3a08a4df7107db985fc42d520fedb72ac60e6d8ebba7f84e80070a72f0072ddd52f511c5719

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
148KB

MD5
4cf2f2f30ac3b3c30d903d9f1f2a2de5

SHA1
67de26e3440d732fb46cffd3cd88018d4748d524

SHA256
1c1207af3f93ca481412a813f17f2f6a44cc835f6d74b71eaac3cd6b042e1a62

SHA512
a44404a9dad05f456892c10e3c98c0c8fe4d2508e8c018dd8c6100087c5891b67413f5ace5cfbd0ae0155a1f8bfec50597ec7dbdd31cac824fb1d454fe9adb26

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
148KB

MD5
e60e1a8e6c9f2288763b4571bf7de22d

SHA1
ee04ea3e4940f733cb6c008094c134162525a6b4

SHA256
9c87fb3eab4a894382a1c80cce8a8455f1ddf444d1047d6ea2d0de21917d9e29

SHA512
5a275f0d7e82e0b94ae84368a84166fb150fd5930fff8d6083c0f40608ef502cbb4e4b7eb5eff89ff4123986ee62583789d8761c696e6633d578c36aa9b831d4

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
148KB

MD5
0f6de49a84703903eee9bfa6d1bbb879

SHA1
5f4bcfb2854b4a2256badeec8b3ad85fbe5ecc6e

SHA256
e3202d01c3eadd9357d765c08aff196663375d042fa8ab4ca1b7c085aa4796cc

SHA512
38490eefa18c0c6ffd62187dd85d470384e1c23d6f7a73fbfbc0b4ea3617c731827e227b677a8545a3b9f3d9af5967f9862c987590c6093cba27dc12fa2a902d

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
148KB

MD5
6fc6d4f4f6326ac46d4554e8611558dd

SHA1
8364ab2af4f2ad3d25a5747cd41c834cf29f5b10

SHA256
eabad82aed5306f5af051ee098df6f4afe37fe2ee36ea4c8348791e784905a74

SHA512
af860b57345b5a10634a7919009137ce88f342b7529f682dbf7c62da1f0cbebce524319d61e4bbdb8de868175c552527f7040d5f58beaefba3659e37e0dfc623

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
148KB

MD5
7291fb70789fccf844cb79cc4ea36f41

SHA1
6f9e440b760b6fc93c48718bc5bdd429ce5b31ba

SHA256
4c95e9916af48b0b76c11df598535d0c785a57408b216c562993d8408ed66d3b

SHA512
b2137912233cea7cd641ba276d0f04394c9b16e93f2f85cd8a2e9937f194dae3e4a5edc2521aeaf2fac7f8c888c7f3ab82dca7b53e47d42330342911cfb35a7c

Download Submit
memory/216-113-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/216-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/216-0-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1636-64-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1636-97-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1912-101-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1912-48-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2172-107-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2172-24-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2300-80-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2300-93-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2492-95-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2492-72-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3320-99-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3320-56-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3408-88-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3408-92-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3460-103-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3460-41-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4052-105-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4052-33-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4212-109-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4212-17-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4376-111-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4376-8-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads