e3d143eff9d4e922c0472926b594559d7567aad36bfe32f17136251e29bb84a5

Analysis

max time kernel
0s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 12:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Virus.Hijack.ATA_virussign.com_0c6351241648faa4169f935d1c5f3d1b.exe
Size

448KB
MD5

0c6351241648faa4169f935d1c5f3d1b
SHA1

447ba87227f6ccb776cdbd947e882513cfdd66d2
SHA256

e3d143eff9d4e922c0472926b594559d7567aad36bfe32f17136251e29bb84a5
SHA512

c3538bfaf059346a30bf8b35e45f72f6dc85221753339e75e952e505ac5cabd540f2b388ebefb860f96f35b89537b2087278f5e2ba3f405553e8e35e288efd1c
SSDEEP

12288:qJLv7mMmmpNs/VXMmmg8MmmpNs/VXMmmA:qJTrEdAgxEdAA

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Virus.Hijack.ATA_virussign.com_0c6351241648faa4169f935d1c5f3d1b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Virus.Hijack.ATA_virussign.com_0c6351241648faa4169f935d1c5f3d1b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe

Executes dropped EXE 11 IoCs

pid	Process
2260	Dhkjej32.exe
1628	Dkifae32.exe
776	Dodbbdbb.exe
1164	Daconoae.exe
2432	Ddakjkqi.exe
4584	Dhmgki32.exe
1208	Dmjocp32.exe
2056	Daekdooc.exe
1952	Dddhpjof.exe
2152	Dgbdlf32.exe
2472	Dmllipeg.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Virus.Hijack.ATA_virussign.com_0c6351241648faa4169f935d1c5f3d1b.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Virus.Hijack.ATA_virussign.com_0c6351241648faa4169f935d1c5f3d1b.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Virus.Hijack.ATA_virussign.com_0c6351241648faa4169f935d1c5f3d1b.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Ddakjkqi.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1984	2472	WerFault.exe	96

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Virus.Hijack.ATA_virussign.com_0c6351241648faa4169f935d1c5f3d1b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe

Modifies registry class 36 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	Virus.Hijack.ATA_virussign.com_0c6351241648faa4169f935d1c5f3d1b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	Virus.Hijack.ATA_virussign.com_0c6351241648faa4169f935d1c5f3d1b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Virus.Hijack.ATA_virussign.com_0c6351241648faa4169f935d1c5f3d1b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Virus.Hijack.ATA_virussign.com_0c6351241648faa4169f935d1c5f3d1b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Virus.Hijack.ATA_virussign.com_0c6351241648faa4169f935d1c5f3d1b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	Virus.Hijack.ATA_virussign.com_0c6351241648faa4169f935d1c5f3d1b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 2260	824	Virus.Hijack.ATA_virussign.com_0c6351241648faa4169f935d1c5f3d1b.exe	83
PID 824 wrote to memory of 2260	824	Virus.Hijack.ATA_virussign.com_0c6351241648faa4169f935d1c5f3d1b.exe	83
PID 824 wrote to memory of 2260	824	Virus.Hijack.ATA_virussign.com_0c6351241648faa4169f935d1c5f3d1b.exe	83
PID 2260 wrote to memory of 1628	2260	Dhkjej32.exe	85
PID 2260 wrote to memory of 1628	2260	Dhkjej32.exe	85
PID 2260 wrote to memory of 1628	2260	Dhkjej32.exe	85
PID 1628 wrote to memory of 776	1628	Dkifae32.exe	86
PID 1628 wrote to memory of 776	1628	Dkifae32.exe	86
PID 1628 wrote to memory of 776	1628	Dkifae32.exe	86
PID 776 wrote to memory of 1164	776	Dodbbdbb.exe	87
PID 776 wrote to memory of 1164	776	Dodbbdbb.exe	87
PID 776 wrote to memory of 1164	776	Dodbbdbb.exe	87
PID 1164 wrote to memory of 2432	1164	Daconoae.exe	88
PID 1164 wrote to memory of 2432	1164	Daconoae.exe	88
PID 1164 wrote to memory of 2432	1164	Daconoae.exe	88
PID 2432 wrote to memory of 4584	2432	Ddakjkqi.exe	90
PID 2432 wrote to memory of 4584	2432	Ddakjkqi.exe	90
PID 2432 wrote to memory of 4584	2432	Ddakjkqi.exe	90
PID 4584 wrote to memory of 1208	4584	Dhmgki32.exe	92
PID 4584 wrote to memory of 1208	4584	Dhmgki32.exe	92
PID 4584 wrote to memory of 1208	4584	Dhmgki32.exe	92
PID 1208 wrote to memory of 2056	1208	Dmjocp32.exe	93
PID 1208 wrote to memory of 2056	1208	Dmjocp32.exe	93
PID 1208 wrote to memory of 2056	1208	Dmjocp32.exe	93
PID 2056 wrote to memory of 1952	2056	Daekdooc.exe	94
PID 2056 wrote to memory of 1952	2056	Daekdooc.exe	94
PID 2056 wrote to memory of 1952	2056	Daekdooc.exe	94
PID 1952 wrote to memory of 2152	1952	Dddhpjof.exe	95
PID 1952 wrote to memory of 2152	1952	Dddhpjof.exe	95
PID 1952 wrote to memory of 2152	1952	Dddhpjof.exe	95
PID 2152 wrote to memory of 2472	2152	Dgbdlf32.exe	96
PID 2152 wrote to memory of 2472	2152	Dgbdlf32.exe	96
PID 2152 wrote to memory of 2472	2152	Dgbdlf32.exe	96

C:\Users\Admin\AppData\Local\Temp\Virus.Hijack.ATA_virussign.com_0c6351241648faa4169f935d1c5f3d1b.exe
"C:\Users\Admin\AppData\Local\Temp\Virus.Hijack.ATA_virussign.com_0c6351241648faa4169f935d1c5f3d1b.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:824
- C:\Windows\SysWOW64\Dhkjej32.exe
  C:\Windows\system32\Dhkjej32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\SysWOW64\Dkifae32.exe
    C:\Windows\system32\Dkifae32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1628
  - - C:\Windows\SysWOW64\Dodbbdbb.exe
      C:\Windows\system32\Dodbbdbb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:776
    - - C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1164
      - C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 396
        13⤵
        Program crash
        
        PID:1984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2472 -ip 2472
1⤵
PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daconoae.exe

Filesize
448KB

MD5
39ee17d691c0a7ab6bf4b08670acd148

SHA1
b764cf084fa446fbd37479d4ecd5f1d53e35ca52

SHA256
4a6b43fb03498a04ff54293fb9f36bf4184db7c0bcb0e81fd599aacb6c001d43

SHA512
02ba100287ddb7bc830222a1d5d2ed787a674277d04b89898a4e30395b7f5c5277109586d2dec928a162733c2d1bbd0525417249d4f7b2b8415ffc0d883e0a44

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
448KB

MD5
71c183ec0ceda9e711d6f43ce3496c98

SHA1
07d0d315109ec373f7142d3ff458172602b322e0

SHA256
f5036ec815b2968fa3c4e5ddf9f5303fc7fde889ede583730656579e155a27b6

SHA512
580c6d356e3a7995c06a9c6f092ef721d16fc52947bbe36a9b23fc89b939df27ce9b3a87c8c1ca9e83f16e400bf7a878fa9acb338edb462495ce6d40177ff33f

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
448KB

MD5
7deec7e72bbda9bdbddf72e294d028c4

SHA1
c30b49fbe8cdcbc29ca1c42c0044c30d82bb3273

SHA256
e62b5daa826e30165f7b3be89951830f9b69e657ccacda828a42f9bda03ae12a

SHA512
85b1b06dc050e156b38c41c80ae0c50fb749271ce61ce74f808d993cad041e14ce0e8ba39444cc4f8f9e3bb40bf6ec7f2ab53db4893c5cd9c65ffd93d6204580

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
448KB

MD5
9952ac60978537a6b75028f91fddee70

SHA1
6e28a78ab0f65f4066dde195349334a1b60771cb

SHA256
66ea93460d644ee50f151edc44b41abd42f51d4dbe3187d9723f13cb12cf8042

SHA512
7e503bb0b1b7eef88056272e9f404a32f5e06a8ce022d8e3a18f22b3d6d7480d23afe2708e2d4cf59b507feab16cf494899de03c5a72b726ced2123b8019329c

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
448KB

MD5
a6eda635219b61cdbd838554849ac4bb

SHA1
ab92edd16a885d740f87dd36ea11f746a206b6e1

SHA256
e47a21aa823a41d9dd9d6d8f3a3840576ce229f7aa9ce1dd98bb24591a08faec

SHA512
d02470d46a873a574501703d1ca94cf1c821619f977c12652593d36a90c9762fa7bc91fbfd160c240de5d1c65a42e4ef1a15babed3ca0d835f7838eabafc633e

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
448KB

MD5
3e22c5f05c96fa2c0e3c1fa6b07baf30

SHA1
857a784496622b589ebdb8f8a3dca8d4a631ed62

SHA256
722f8c3708abb37b5fba44cada39155c304dc78776dee0024c56fe9ecf788575

SHA512
fbd0bc4d33ec0403d343cd60d206d03c62bb842fd373a6d71e26f33337fcf99fda946cb415927f1bf88a5a658e5d0ec388487438d5e670da5feac7d32bb201e6

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
448KB

MD5
b4470d07286b7dfd8929358e6e4da152

SHA1
1774d2db0d2c02ee02c437a065919f30d0d97353

SHA256
14aa59a2762201f862ed9240c2415d75e21152861585b54aa6ad90d79c0d05f5

SHA512
75f3aa3b7849acf8bc9c0536cb25ff1c35597797a16eeb0fbbc21e1a1d7a042a882b71ee0d2d502b2d138427430e22d868619a6ea4a6f3e501756e544e658df0

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
448KB

MD5
6c9c1f8f43eb182d73db4d5164e22a21

SHA1
7b4aba739a74cad73626bc7f806f2e65a2f7b160

SHA256
989edbf6a883fb3f42509adf40462130bbd1f841372f1a08a949f56a5d914d7f

SHA512
481b86169acd4fe1980624ee46151fa11a58966bc8c1fe07ff0c809b7f2b935db05dc83fd3d7cd590fe99de7dceefc0c5a260cd330518caeae3248ce90aeb8af

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
448KB

MD5
6e8ac9d953dedc2cb0eb540bf1b1bd87

SHA1
2c875dbc4eb74fcba2ed286afbeee1324b71a75c

SHA256
3b25103206df075c559e3d9fc9ebf4f01d5ebcff626d0db6a6f402ca19dfb52c

SHA512
e44305962e7a7fd0fedc0eb425d60f32d100696f271bbbc3fddb8ce292b6a806f9e3edca015a9f1081d70f50195a2cf8b6eb3da791df69642a8d82b1f56f6f49

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
448KB

MD5
49b85bc8aafca8342704356745801cd8

SHA1
73e1598989232ee18c29b09773298701db61f8b6

SHA256
aaf712fb388d07983e1e1a26693eb36ffbfefa6dde7313e13733d34ac01d0220

SHA512
aeacfb0fafd957f8d25a3b797f573f425490ff1466dd5179a92aaf575767599849c9a42a3baa605dc83a26e2a130dc27986dfb4e184d191f92e26543ccd4da33

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
448KB

MD5
6dc241ba2b111e6ce11f486d0f05288f

SHA1
8b17be7ba7d44292bd65375cb2db18095a273d30

SHA256
bb7ca6ebe63098af53a44e0ac316c416389224e9cbd95144215738bbd10d966d

SHA512
2d5cefda67b8008cc47e375387e5f37d69ac7418a8f654c53999004d326afbfe4fb11400e64fb9a8c82ff7c5db18eb9cc154b74b7ca7b98005aeabd0c294e468

Download Submit
memory/776-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/776-106-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/824-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/824-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/824-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1164-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1164-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1208-61-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1628-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1628-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1952-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1952-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2056-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2056-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2152-93-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2152-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2260-110-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2260-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-102-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2472-92-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2472-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4584-100-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4584-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads